ShinyHunters
ShinyHunters is a data-extortion threat group that some reporting associates with “ShinyHunters ransomware,” although the source reporting repeatedly states that it operates as a pure data-extortion actor and has never encrypted victim files. Its activity centers on large-scale data theft, leak-based extortion, and exposure or sale of stolen datasets, with a reported shift in 2024 toward directly extorting victims rather than primarily selling or publishing stolen data.

Reported targeting includes healthcare-adjacent organizations such as medical technology companies, broader enterprise victims, and centralized data environments including Salesforce and cloud storage platforms. The group has been described as using social engineering against Business Process Outsourcing (BPO) personnel while posing as IT support to obtain legitimate access to Salesforce environments, and as exploiting exposed credentials, weak configurations, or vulnerabilities in widely used services.

In one Unit 42 incident involving the Bling Libra group behind ShinyHunters, attackers used exposed AWS IAM credentials carrying the AmazonS3FullAccess policy to enumerate S3 buckets with the AWS CLI, S3 Browser, and WinSCP, then deleted buckets and attempted to create new buckets named with variants of an extortion contact address. ShinyHunters activity has also been linked to mass data exfiltration, extortion demands delayed until months after the intrusion, and public leak pressure when victims refuse payment.

Incidents and claims mentioned in the source reporting include a Medtronic breach involving unauthorized access to corporate systems and potential large-scale data exfiltration, a breach claimed against Odido involving data on 6.2 million customers that was reportedly published after non-payment, and a claimed Wynn Resorts case.
Reported indicators and artifacts include S3 Browser and WinSCP user-agent strings in CloudTrail, bucket names containing variants of “contact-shinycorp-tutanota-com-#”, and the extortion contact email “shinycorp@tutonota[.]com” as spelled in the source reporting.
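The CloudTrail artifacts listed above (third-party S3 client user agents, bucket deletions, and newly created buckets named after the extortion contact address) can be turned into a simple hunt. The following is an added example, not code from the page or from any vendor; the CloudTrail records it scans are constructed, the access key ids are placeholders, and the exact user-agent string formats are assumptions (matching is by substring, so the real strings only need to contain the product names).

```python
"""Hunt CloudTrail S3 events for the tradecraft described on this page:
third-party S3 clients (S3 Browser, WinSCP), bucket deletion, and creation of
buckets named after the extortion contact address. Sample events are constructed."""
import re

# Indicator values from the page. The "#" in the reported pattern is a number,
# and the email was reported with both "tutanota" and "tutonota" spellings,
# so the regex accepts either and any separator.
SUSPICIOUS_USER_AGENTS = ("S3 Browser", "WinSCP")
CONTACT_BUCKET_RE = re.compile(
    r"contact[-_.]?shinycorp[-_.]?tut[ao]nota[-_.]?com", re.IGNORECASE)
DESTRUCTIVE_EVENTS = {"DeleteBucket", "DeleteObject", "DeleteObjects"}


def score_event(event: dict) -> list[str]:
    """Return the reasons a single CloudTrail record looks like this tradecraft."""
    reasons = []
    ua = event.get("userAgent", "")
    if any(marker.lower() in ua.lower() for marker in SUSPICIOUS_USER_AGENTS):
        reasons.append(f"third-party S3 client user agent: {ua}")
    name = event.get("eventName", "")
    bucket = (event.get("requestParameters") or {}).get("bucketName", "")
    if name == "CreateBucket" and CONTACT_BUCKET_RE.search(bucket):
        reasons.append(f"bucket named with extortion contact string: {bucket}")
    if name in DESTRUCTIVE_EVENTS:
        reasons.append(f"destructive S3 call: {name} on {bucket}")
    return reasons


def hunt(records: list[dict]) -> dict[str, list[str]]:
    """Group flagged events by the access key that issued them."""
    findings: dict[str, list[str]] = {}
    for ev in records:
        reasons = score_event(ev)
        if reasons:
            key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
            findings.setdefault(key, []).extend(reasons)
    return findings


def extortion_chains(records: list[dict]) -> set[str]:
    """Access keys that both deleted a bucket and created a contact-named bucket,
    i.e. the full delete-then-leave-a-note sequence rather than a lone indicator."""
    deleted, created = set(), set()
    for ev in records:
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        bucket = (ev.get("requestParameters") or {}).get("bucketName", "")
        if ev.get("eventName") == "DeleteBucket":
            deleted.add(key)
        elif ev.get("eventName") == "CreateBucket" and CONTACT_BUCKET_RE.search(bucket):
            created.add(key)
    return deleted & created


# Constructed CloudTrail records (placeholder access key ids, assumed UA formats).
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "userAgent": "S3 Browser/11.1.7 (https://s3browser.com)",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECOMPROMISED"}, "requestParameters": None},
    {"eventName": "DeleteBucket", "userAgent": "WinSCP/6.1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECOMPROMISED"},
     "requestParameters": {"bucketName": "corp-backups-prod"}},
    {"eventName": "CreateBucket", "userAgent": "WinSCP/6.1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECOMPROMISED"},
     "requestParameters": {"bucketName": "contact-shinycorp-tutanota-com-1"}},
    {"eventName": "PutObject", "userAgent": "aws-sdk-java/1.12.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEAPPSERVICE"},
     "requestParameters": {"bucketName": "corp-app-logs"}},
]

if __name__ == "__main__":
    for key, reasons in hunt(SAMPLE_EVENTS).items():
        print(key)
        for r in reasons:
            print("  -", r)
    print("delete-then-contact-bucket chains:", extortion_chains(SAMPLE_EVENTS))
```

Running it flags only the compromised key, and `extortion_chains` isolates the identity that performed the full delete-then-create sequence, which is the pattern worth paging on; a lone WinSCP user agent may be an administrator, so the single-indicator hits are better treated as context than as alerts.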
Groups observed using it
2 distinct threat actors attributed by public researchers.
ShinyHunters operates in a few different avenues (sometimes direct extortion, sometimes extortion-as-a-service with other actors)... These attacks leverage social engineering tactics against the target organization’s Business Process Outsourcing (BPO) personnel with a specific focus on accessing Salesforce environments.
"ShinyHunters has operated this model exclusively. They have never encrypted a single victim’s file."
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Data-extortion operation focused on mass data exfiltration and leak-based extortion rather than encryption.
Data-extortion actor described as focusing on data theft and publication threats (no encryption), leveraging stolen credentials/API keys and cloud misconfigurations; also contributes capabilities to the SLSH collective.
ShinyHunters is a threat group that has shifted to data exfiltration and extortion, exploiting vulnerabilities or weak configurations in widely used cloud and enterprise services. Their campaigns focus on acquiring large volumes of data for extortion, often without encrypting victim systems.
A data-extortion threat cluster that uses social engineering against BPO personnel, often posing as IT support to gain legitimate access to Salesforce environments; attacks emphasize data theft rather than operational disruption and may involve long delays before extortion.