ShinyHunters
ShinyHunters is a financially motivated data-theft and extortion threat actor active since at least 2019 and publicly emerging in January 2020. The underlying reporting describes it as an English-speaking adolescent cybercrime collective and as part of, or associated with, the broader criminal ecosystem known as The Com. Known aliases and related tracking names in that reporting include bling_libra, shinyhunter, shiny_hunters, UNC6040, and UNC6240. Public reporting also notes analytical overlap with labels such as Scattered Spider and LAPSUS$, and references related branding including ShinySp1d3r, but does not establish these as direct aliases.

The group is characterized as an extortion actor that primarily steals data from cloud, SaaS, software, and third-party integrator environments and then pressures victims to pay to prevent public release. The reporting explicitly states that ShinyHunters typically uses data extortion and does not currently deploy ransomware as part of its intrusions. It operates leak sites, sets payment deadlines, and publicly leaks data when negotiations fail. ShinyHunters has operated through multiple avenues, including direct extortion and extortion-as-a-service with other actors.

Tactics and tradecraft directly mentioned in the reporting include social engineering (especially voice phishing and fake help-desk interactions), credential theft, MFA bypass, compromise of SaaS platforms such as Salesforce, Okta, and Microsoft 365, abuse of enterprise cloud applications, and use of stolen credentials or tokens obtained through third-party and supply-chain compromises. Recent activity is also linked to attacks aligned with Mandiant cluster UNC6040.

In the Canvas/Instructure intrusion, the actor is reported to have exploited vulnerabilities in the Free-for-Teacher environment, including cross-site scripting issues that enabled authenticated administrator session hijacking, data theft, and later defacement of login portals with extortion messages. Targets span telecommunications, healthcare, education, travel, gaming, and enterprise SaaS ecosystems. Specifically referenced victims or claimed victims include Ticketmaster, AT&T, Salesforce customers, schools and universities using Canvas, DentaQuest, Telus Digital, Instructure/Canvas, Carnival, Edmunds, Charter Communications, Rockstar Games, Wealthsimple, and organizations affected through the Salesloft Drift supply-chain breach. More recent victims referenced include the European Commission, Odido, Figure, Canada Goose, 7-Eleven, and SoundCloud. Across sources, ShinyHunters is consistently described as a well-known extortion group that steals large datasets, threatens publication unless paid in cryptocurrency, and leaks data when demands are not met.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Where they target
Geographies tied to known operations.
- 🇨🇦 Canada
Tradecraft
32 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
9 malware families attributed to this actor across reporting.
4 additional families tracked in Mallory.
Associated vulnerabilities
4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.
BleepingComputer reported that threat actors leveraged credentials stolen through the Trivy supply chain compromise (CVE-2026-33634) to breach Cisco's internal development environment... The CISA KEV remediation deadline for CVE-2026-33634 is today, April 8, 2026... Beyond patching Trivy to v0.69.2+, trivy-action to v0.35.0, or setup-trivy to v0.2.6, organizations must also complete credential rotation.
It has since been determined that hackers likely exploited known EBS vulnerabilities patched in July, likely along with a zero-day flaw tracked as CVE-2025-61882. The hacker groups ShinyHunters and Scattered Spider ... have published a proof-of-concept (PoC) exploit that appears to target CVE-2025-61882 ... according to Oracle, CVE-2025-61882 allows unauthenticated remote code execution. CrowdStrike has found evidence that exploitation of CVE-2025-61882 started on August 9.
CISA on Monday added CVE-2025-61884 to its Known Exploited Vulnerabilities (KEV) catalog, confirming its exploitation.
According to data obtained from a public Telegram channel operated by the ShinyHunters team, the threat actor persona ‘Yukari’ exploited an Oracle Access Manager vulnerability (CVE-2021-35587).
Observables
42 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting data theft and extortion operations, including claiming theft of 234 GB of DentaQuest data and leaking it publicly after negotiations failed.
Extortion-driven data theft activity targeting DentaQuest, with the group claiming to have stolen over 234 GB of data and publicly leaking it after failing to reach an agreement with the victim.
Used the same social-engineering playbook to steal sensitive data from major commercial organizations and educational institutions.
Financially motivated data-theft and extortion collective active since 2019. In this incident, it breached Instructure, exfiltrated 3.65 TB of data affecting up to 9,000 institutions, posted extortion messages across university login portals, defaced Canvas login portals at roughly 330 institutions, and shifted to direct school-by-school extortion. The group is described as targeting cloud platforms, software environments, and third-party integrators, and notably does not currently deploy ransomware as part of its intrusions.