{
	"id": "394feae6-c4ad-4c6f-bd6d-1686c52ea2b4",
	"created_at": "2026-04-06T00:08:16.708495Z",
	"updated_at": "2026-04-10T03:34:59.546644Z",
	"deleted_at": null,
	"sha1_hash": "a93c5844eaebf8b22f08459690aa41febbba389f",
	"title": "Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 444390,
	"plain_text": "Tracking the Expansion of ShinyHunters-Branded SaaS Data\r\nTheft\r\nBy Mandiant\r\nPublished: 2026-01-30 · Archived: 2026-04-05 13:19:20 UTC\r\nIntroduction \r\nMandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs)\r\nconsistent with prior ShinyHunters-branded extortion operations. These operations primarily leverage\r\nsophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to\r\ncorporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA)\r\ncodes. Once inside, the threat actors target cloud-based software-as-a-service (SaaS) applications to exfiltrate\r\nsensitive data and internal communications for use in subsequent extortion demands.\r\nGoogle Threat Intelligence Group (GTIG) is currently tracking this activity under multiple threat clusters\r\n(UNC6661, UNC6671, and UNC6240) to enable a more granular understanding of evolving partnerships and\r\naccount for potential impersonation activity. While this methodology of targeting identity providers and SaaS\r\nplatforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion,\r\nthe breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for\r\nextortion. Further, they appear to be escalating their extortion tactics with recent incidents including harassment of\r\nvictim personnel, among other tactics.\r\nThis activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, it continues\r\nto highlight the effectiveness of social engineering and underscores the importance of organizations moving\r\ntowards phishing-resistant MFA where possible. 
Methods such as FIDO2 security keys or passkeys are resistant to\r\nsocial engineering in ways that push-based or SMS authentication are not.\r\nMandiant has also published a comprehensive guide with proactive hardening and detection recommendations,\r\nand Google published a detailed walkthrough for operationalizing these findings within Google Security\r\nOperations.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/\r\nPage 1 of 12\n\nFigure 1: Attack path diagram\r\nUNC6661 Vishing and Credential Theft Activity\r\nIn incidents spanning early to mid-January 2026, UNC6661 pretended to be IT staff and called employees at\r\ntargeted victim organizations claiming that the company was updating MFA settings. The threat actor directed the\r\nemployees to victim-branded credential harvesting sites to capture their SSO credentials and MFA codes, and then\r\nregistered their own device for MFA. The credential harvesting domains attributed to UNC6661 commonly, but\r\nnot exclusively, use the format \u003ccompanyname\u003esso.com or \u003ccompanyname\u003einternal.com and have often been\r\nregistered with NICENIC.\r\nIn at least some cases, the threat actor gained access to accounts belonging to Okta customers. Okta published a\r\nreport about phishing kits targeting identity providers and cryptocurrency platforms, as well as follow-on vishing\r\nattacks. While they associate this activity with multiple threat clusters, at least some of the activity appears to\r\noverlap with the ShinyHunters-branded operations tracked by GTIG.\r\nAfter gaining initial access, UNC6661 moved laterally through victim customer environments to exfiltrate data\r\nfrom various SaaS platforms (log examples in Figures 2 through 5). 
While the targeting of specific organizations\r\nand user identities is deliberate, analysis suggests that the subsequent access to these platforms is likely\r\nopportunistic, determined by the specific permissions and applications accessible via the individual compromised\r\nSSO session. These compromises did not result from security vulnerabilities in the vendors' products or\r\ninfrastructure.\r\nIn some cases, they have appeared to target specific types of information. For example, the threat actors have\r\nconducted searches in cloud applications for documents containing specific text including \"poc,\" \"confidential,\"\r\n\"internal,\" \"proposal,\" \"salesforce,\" and \"vpn\" or targeted personally identifiable information (PII) stored in\r\nSalesforce. Additionally, UNC6661 may have targeted Slack data at some victims' environments, based on a claim\r\nmade in a ShinyHunters-branded data leak site (DLS) entry.\r\n{\r\n \"AppAccessContext\": {\r\n \"AADSessionId\": \"[REDACTED_GUID]\",\r\n \"AuthTime\": \"1601-01-01T00:00:00\",\r\n \"ClientAppId\": \"[REDACTED_APP_ID]\",\r\n \"ClientAppName\": \"Microsoft Office\",\r\n \"CorrelationId\": \"[REDACTED_GUID]\",\r\n \"TokenIssuedAtTime\": \"1601-01-01T00:02:56\",\r\n \"UniqueTokenId\": \"[REDACTED_ID]\"\r\n },\r\n \"CreationTime\": \"2026-01-10T13:17:11\",\r\n \"Id\": \"[REDACTED_GUID]\",\r\n \"Operation\": \"FileDownloaded\",\r\n \"OrganizationId\": \"[REDACTED_GUID]\",\r\n \"RecordType\": 6,\r\n \"UserKey\": \"[REDACTED_USER_KEY]\",\r\n \"UserType\": 0,\r\n \"Version\": 1,\r\n \"Workload\": \"SharePoint\",\r\n \"ClientIP\": \"[REDACTED_IP]\",\r\n \"UserId\": \"[REDACTED_EMAIL]\",\r\n \"ApplicationId\": \"[REDACTED_APP_ID]\",\r\n \"AuthenticationType\": \"OAuth\",\r\n \"BrowserName\": \"Mozilla\",\r\n \"BrowserVersion\": \"5.0\",\r\n \"CorrelationId\": \"[REDACTED_GUID]\",\r\n \"EventSource\": 
\"SharePoint\",\r\n \"GeoLocation\": \"NAM\",\r\n \"IsManagedDevice\": false,\r\n \"ItemType\": \"File\",\r\n \"ListId\": \"[REDACTED_GUID]\",\r\n \"ListItemUniqueId\": \"[REDACTED_GUID]\",\r\n \"Platform\": \"WinDesktop\",\r\n \"Site\": \"[REDACTED_GUID]\",\r\n \"UserAgent\": \"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.4294\",\r\n \"WebId\": \"[REDACTED_GUID]\",\r\n \"DeviceDisplayName\": \"[REDACTED_IPV6]\",\r\n \"EventSignature\": \"[REDACTED_SIGNATURE]\",\r\n \"FileSizeBytes\": 31912,\r\n \"HighPriorityMediaProcessing\": false,\r\n \"ListBaseType\": 1,\r\n \"ListServerTemplate\": 101,\r\n \"SensitivityLabelId\": \"[REDACTED_GUID]\",\r\n \"SiteSensitivityLabelId\": \"\",\r\n \"SensitivityLabelOwnerEmail\": \"[REDACTED_EMAIL]\",\r\n \"SourceRelativeUrl\": \"[REDACTED_RELATIVE_URL]\",\r\n \"SourceFileName\": \"[REDACTED_FILENAME]\",\r\n \"SourceFileExtension\": \"xlsx\",\r\n \"ApplicationDisplayName\": \"Microsoft Office\",\r\n \"SiteUrl\": \"[REDACTED_URL]\",\r\n \"ObjectId\": \"[REDACTED_URL]/[REDACTED_FILENAME]\"\r\n}\r\nFigure 2: SharePoint/M365 log example\r\n\"Login\",\"20260120163111.430\",\"SLB:[REDACTED]\",\"[REDACTED]\",\"[REDACTED]\",\"192\",\"25\",\"/index.jsp\",\"\",\"1jVcuDh1VId\r\nFigure 3: Salesforce log example\r\n{\r\n \"Timestamp\": \"2026-01-21T12:5:2-03:00\",\r\n \"Timestamp UTC\": \"[REDACTED]\",\r\n \"Event Name\": \"User downloads documents from an envelope\",\r\n \"Event Id\": \"[REDACTED_EVENT_ID]\",\r\n \"User\": \"[REDACTED]@example.com\",\r\n \"User Id\": \"[REDACTED_USER_ID]\",\r\n \"Account\": \"[REDACTED_ORG_NAME]\",\r\n \"Account Id\": \"[REDACTED_ACCOUNT_ID]\",\r\n \"Integrator Key\": \"[REDACTED_KEY]\",\r\n \"IP Address\": \"73.135.228[.]98\",\r\n \"Latitude\": \"[REDACTED]\",\r\n \"Longitude\": \"[REDACTED]\",\r\n \"Country/Region\": \"United States\",\r\n \"State\": 
\"Maryland\",\r\n \"City\": \"[REDACTED]\",\r\n \"Browser\": \"Chrome 143\",\r\n \"Device\": \"Apple Mac\",\r\n \"Operating System\": \"Mac OS X 10\",\r\n \"Source\": \"Web\",\r\n \"DownloadType\": \"Archived\",\r\n \"EnvelopeId\": \"[REDACTED_ENVELOPE_ID]\"\r\n}\r\nFigure 4: Docusign log example\r\nIn at least one incident where the threat actor gained access to an Okta customer account, UNC6661 enabled the\r\nToogleBox Recall add-on for the victim's Google Workspace account, a tool designed to search for and\r\npermanently delete emails. They then deleted a \"Security method enrolled\" email from Okta, almost certainly to\r\nprevent the employee from identifying that their account was associated with a new MFA device.\r\n{\r\n \"Date\": \"2026-01-11T06:3:00Z\",\r\n \"App ID\": \"[REDACTED_ID].apps.googleusercontent.com\",\r\n \"App name\": \"ToogleBox Recall\",\r\n \"OAuth event\": \"Authorize\",\r\n \"Description\": \"User authorized access to ToogleBox Recall for specific Gmail and Apps Script scopes.\",\r\n \"User\": \"user@[REDACTED_DOMAIN].com\",\r\n \"Scope\": \"https://www.googleapis.com/auth/gmail.addons.current.message.readonly, https://www.googleapis.com/au\r\n \"API name\": \"\",\r\n \"Method\": \"\",\r\n \"Number of response bytes\": \"0\",\r\n \"IP address\": \"149.50.97.144\",\r\n \"Product\": \"Gmail, Apps Script Runtime, Apps Script Api, Identity, Unspecified\",\r\n \"Client type\": \"Web\",\r\n \"Network info\": \"{\\n \\\"Network info\\\": {\\n \\\"IP ASN\\\": \\\"201814\\\",\\n \\\"Subdivision code\\\": \\\"\\\",\\n \\\r\n}\r\nFigure 5: ToogleBox Recall auth log entry example\r\nIn at least one case, after conducting the initial data theft, UNC6661 used their newly obtained access to\r\ncompromised email accounts to send additional phishing emails to contacts at cryptocurrency-focused companies.\r\nThe threat actor then deleted 
the outbound emails, likely in an attempt to obfuscate their malicious activity.\r\nGTIG attributes the subsequent extortion activity following UNC6661 intrusions to UNC6240, based on several\r\noverlaps, including the use of a common Tox account for negotiations, ShinyHunters-branded extortion emails,\r\nand Limewire to host samples of stolen data. In mid-January 2026 extortion emails, UNC6240 outlined what data\r\nthey allegedly stole, specifying a payment amount and destination BTC address, and threatening consequences if\r\nthe ransom was not paid within 72 hours, which is consistent with prior extortion emails (Figure 6). They also\r\nprovided proof of data theft via samples hosted on Limewire. GTIG also observed extortion text messages sent to\r\nemployees and received reports of victim websites being targeted with distributed denial-of-service (DDoS)\r\nattacks.\r\nNotably, in late January 2026 a new ShinyHunters-branded DLS named \"SHINYHUNTERS\" emerged listing\r\nseveral alleged victims who may have been compromised in these most recent extortion operations. The DLS also\r\nlists contact information (shinycorp@tutanota[.]com, shinygroup@onionmail[.]com) that has previously been\r\nassociated with UNC6240.\r\nFigure 6: Ransom note extract\r\nSimilar Activity Conducted by UNC6671\r\nAlso beginning in early January 2026, UNC6671 conducted vishing operations masquerading as IT staff and\r\ndirecting victims to enter their credentials and MFA authentication codes on a victim-branded credential\r\nharvesting site. The credential harvesting domains used the same structure as UNC6661, but were more often\r\nregistered using Tucows. In at least some cases, the threat actors have gained access to Okta customer accounts.\r\nMandiant has also observed evidence that UNC6671 leveraged PowerShell to download sensitive data from\r\nSharePoint and OneDrive. 
While many of these TTPs are consistent with UNC6661, an extortion email stemming\r\nfrom UNC6671 activity was unbranded and used a different Tox ID for further contact. The threat actors\r\nemployed aggressive extortion tactics following UNC6671 intrusions, including harassment of victim personnel.\r\nThe extortion tactics and difference in domain registrars suggest that separate individuals may be involved with\r\nthese sets of activity.\r\nRemediation and Hardening\r\nMandiant has published a comprehensive guide with proactive hardening and detection recommendations.\r\nOutlook and Implications\r\nThis recent activity is similar to prior operations associated with UNC6240, which have frequently used vishing\r\nfor initial access and have targeted Salesforce data. It does, however, represent an expansion in the number and\r\ntype of targeted cloud platforms, suggesting that the associated threat actors are modifying their operations to\r\ngather more sensitive data for extortion operations. Further, the use of a compromised account to send phishing\r\nemails to cryptocurrency-related entities suggests that associated threat actors may be building relationships with\r\npotential victims to expand their access or engage in other follow-on operations. Notably, this portion of the\r\nactivity appears operationally distinct, given that it appears to target individuals instead of organizations.\r\nIndicators of Compromise (IOCs)\r\nTo assist the wider community in hunting and identifying activity outlined in this blog post, we have included\r\nindicators of compromise (IOCs) in a free GTI Collection for registered users.\r\nPhishing Domain Lure Patterns\r\nThreat actors associated with these clusters frequently register domains designed to impersonate legitimate\r\ncorporate portals. 
At time of publication all identified phishing domains have been added to Chrome Safe\r\nBrowsing. These domains typically follow specific naming conventions using a variation of the organization\r\nname:\r\nPattern: Examples (Defanged)\r\nCorporate SSO: \u003ccompanyname\u003esso[.]com, my\u003ccompanyname\u003esso[.]com, my-\u003ccompanyname\u003esso[.]com\r\nInternal Portals: \u003ccompanyname\u003einternal[.]com, www.\u003ccompanyname\u003einternal[.]com, my\u003ccompanyname\u003einternal[.]com\r\nSupport/Helpdesk: \u003ccompanyname\u003esupport[.]com, ticket-\u003ccompanyname\u003e[.]support, support-\u003ccompanyname\u003e[.]com\r\nIdentity Providers: \u003ccompanyname\u003eokta[.]com, \u003ccompanyname\u003eazure[.]com, on\u003ccompanyname\u003ezendesk[.]com\r\nAccess Portal: \u003ccompanyname\u003eaccess[.]com, www.\u003ccompanyname\u003eaccess[.]com, my\u003ccompanyname\u003eacess[.]com\r\nNetwork Indicators\r\nMany of the network indicators identified in this campaign are associated with commercial VPN services or\r\nresidential proxy networks, including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and nsocks. 
Mandiant\r\nrecommends that organizations exercise caution when using these indicators for broad blocking and prioritize\r\nthem for hunting and correlation within their environments.\r\nGoogle Security Operations\r\nGoogle Security Operations customers have access to these broad category rules and more under the Okta, Cloud\r\nHacktool, and O365 rule packs. A walkthrough for operationalizing these findings within Google Security\r\nOperations is available in Part Three of this series. 
The activity discussed in this blog post is detected in Google\r\nSecurity Operations under the rule names:\r\nOkta Admin Console Access Failure\r\nOkta Super or Organization Admin Access Granted\r\nOkta Suspicious Actions from Anonymized IP\r\nOkta User Assigned Administrator Role\r\nO365 SharePoint Bulk File Access or Download via PowerShell\r\nO365 SharePoint High Volume File Access Events\r\nO365 SharePoint High Volume File Download Events\r\nO365 Sharepoint Query for Proprietary or Privileged Information\r\nO365 Deletion of MFA Modification Notification Email\r\nWorkspace ToogleBox Recall OAuth Application Authorized\r\n $e.metadata.product_name = \"Okta\"\r\n $e.metadata.product_event_type = /\\.(add|update_|(policy.rule|zone)\\.update|create|register|(de)?activate|gr\r\n (\r\n $e.security_result.detection_fields[\"anonymized IP\"] = \"true\" or\r\n $e.extracted.fields[\"debugContext.debugData.tunnels\"] = /\\\"anonymous\\\":true/\r\n )\r\n $e.security_result.action = \"ALLOW\"\r\nFigure 7: Hunting query for suspicious Okta actions conducted from anonymized IPs\r\n$e.metadata.vendor_name = \"Google Workspace\"\r\n $e.metadata.event_type = \"USER_RESOURCE_ACCESS\"\r\n $e.metadata.product_event_type = \"authorize\"\r\n $e.target.resource.name = /ToogleBox Recall/ nocase\r\nFigure 8: Hunting query for Google Workspace authorization events for ToogleBox Recall\r\n$e.principal.ip_geo_artifact.network.organization_name = /mullvad.vpn|oxylabs|9proxy|netnut|infatica|nsocks/ no\r\n $e.extracted.fields[\"debugContext.debugData.tunnels\"] = /mullvad.vpn|oxylabs|9proxy|netnut|infatica|nsocks/ n\r\nFigure 9: Hunting query for suspicious VPN / proxy services observed in this campaign\r\n$e.network.http.user_agent = /Geny\\s?Mobile/ nocase\r\n $event.security_result.action != \"BLOCK\"\r\nFigure 10: Hunting query for suspicious user-agent string observed in this 
campaign\r\n $e.metadata.log_type = \"OFFICE_365\"\r\n ($e.metadata.product_event_type = \"FileDownloaded\" or $e.metadata.product_event_type = \"FileAccessed\")\r\n (\r\n $e.target.application = \"SharePoint\" or\r\n $e.principal.application = \"SharePoint\"\r\n )\r\n $e.network.http.user_agent = /PowerShell/ nocase\r\nFigure 11: Hunting query for programmatic file access or downloads from SharePoint where the User-Agent\r\nidentifies as PowerShell\r\nevents:\r\n $e.metadata.log_type = \"OFFICE_365\"\r\n $e.metadata.product_event_type = \"FileAccessed\"\r\n (\r\n $e.target.application = \"SharePoint\" or\r\n $e.principal.application = \"SharePoint\"\r\n )\r\n $e.target.file.full_path = /\\.(doc[mx]?|xls[bmx]?|ppt[amx]?|pdf)$/ nocase\r\n $file_extension_extract = re.capture($e.target.file.full_path, `\\.([^\\.]+)$`)\r\n $event.security_result.action != \"BLOCK\"\r\n $session_id = $e.network.session_id\r\n match:\r\n $session_id over 5m\r\noutcome:\r\n $target_url_count = count_distinct(strings.coalesce($e.target.file.full_path))\r\n $extension_count = count_distinct($file_extension_extract)\r\ncondition:\r\n $e and $target_url_count \u003e= 50 and $extension_count \u003e= 3\r\nFigure 12: Hunting query for high volume document file access from SharePoint\r\nevents:\r\n $e.metadata.log_type = \"OFFICE_365\"\r\n $e.metadata.product_event_type = \"FileDownloaded\"\r\n (\r\n $e.target.application = \"SharePoint\" or\r\n $e.principal.application = \"SharePoint\"\r\n )\r\n $e.target.file.full_path = /\\.(doc[mx]?|xls[bmx]?|ppt[amx]?|pdf)$/ nocase\r\n $file_extension_extract = re.capture($e.target.file.full_path, `\\.([^\\.]+)$`)\r\n $event.security_result.action != \"BLOCK\"\r\n $session_id = $e.network.session_id\r\n match:\r\n $session_id over 5m\r\noutcome:\r\n $target_url_count = count_distinct(strings.coalesce($e.target.file.full_path))\r\n 
$extension_count = count_distinct($file_extension_extract)\r\ncondition:\r\n $e and $target_url_count \u003e= 50 and $extension_count \u003e= 3\r\nFigure 13: Hunting query for high volume document file downloads from SharePoint\r\n$e.metadata.log_type = \"OFFICE_365\"\r\n $e.metadata.product_event_type = \"SearchQueryPerformed\"\r\n $e.additional.fields[\"search_query_text\"] = /\\bpoc\\b|proposal|confidential|internal|salesforce|vpn/ nocase\r\nFigure 14: Hunting query for SharePoint queries for strings of interest\r\n$e.metadata.log_type = \"OFFICE_365\"\r\n $e.target.application = \"Exchange\"\r\n $e.metadata.product_event_type = /^(SoftDelete|HardDelete|MoveToDeletedItems)$/ nocase\r\n $e.network.email.subject = /new\\s+(mfa|multi-|factor|method|device|security)|\\b2fa\\b|\\b2-Step\\b|(factor|metho\r\n // filtering specifically for new device registration strings\r\n $e.network.email.subject = /enroll|registered|added|change|verify|updated|activated|configured|setup/ nocase\r\n \r\n // tuning out new device logon events\r\n $e.network.email.subject != /(sign|log)(-|\\s)?(in|on)/ nocase\r\nFigure 15: Hunting query for O365 Exchange deletion of MFA modification notification email\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/"
	],
	"report_names": [
		"expansion-shinyhunters-saas-data-theft"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d43d13e0-d3f9-431e-8c59-dae34c9553fd",
			"created_at": "2026-02-07T02:00:03.666768Z",
			"updated_at": "2026-04-10T02:00:03.962608Z",
			"deleted_at": null,
			"main_name": "UNC6671",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6671",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434096,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a93c5844eaebf8b22f08459690aa41febbba389f.pdf",
		"text": "https://archive.orkl.eu/a93c5844eaebf8b22f08459690aa41febbba389f.txt",
		"img": "https://archive.orkl.eu/a93c5844eaebf8b22f08459690aa41febbba389f.jpg"
	}
}