EclecticIQ attributes an expanded ShinyHunters campaign combining AI-driven voice phishing, recruitment of insiders, and supply chain targeting to gain SSO and CI/CD access, enabling large-scale data exfiltration and seven-figure extortion demands. The group leverages affiliates from Scattered Spider and The Com, abused services like Bland AI and BrowserStack API keys, and is developing a ‘shinysp1d3r’ RaaS to broaden impact. #ShinyHunters #ScatteredSpider
Key points
- ShinyHunters uses AI-enabled vishing (Bland, Vapi) and VoIP services (Twilio, Google Voice, 3CX) to scale voice phishing campaigns via affiliates including Scattered Spider and The Com.
- The group targets high-privilege cloud SSO accounts (Okta, Salesforce, Microsoft 365) to exfiltrate large customer datasets and issue seven-digit extortion demands.
- ShinyHunters targets engineering accounts and developer tools (Git, BrowserStack, JFrog) to infiltrate CI/CD pipelines and enable supply chain compromises.
- Stolen BrowserStack API keys and leaked Cloudflare/Zero Trust references indicate lateral expansion from testing environments into enterprise infrastructure.
- ShinyHunters recruits insiders via Telegram to obtain direct access to Okta, VPNs, and version control systems, offering financial rewards for access.
- The persona ShinyCorp sells stolen datasets (up to $1M per company) on Telegram/qTox and coordinates with ransomware affiliates and eCrime forums.
- EclecticIQ observed exploitation of Oracle Access Manager (CVE-2021-35587) to access Oracle 12c databases and exfiltrate customer records.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Used to impersonate Okta SSO and Salesforce login flows; “cloned the authentication flow and user interface of a legitimate Okta subdomain (trial-6857053.okta[.]com)”.
- [T1078] Valid Accounts – Threat actors obtained and abused high-privilege SSO and API credentials (Okta, Salesforce, BrowserStack) to access enterprise systems; “obtained BrowserStack API keys… indicating access to testing credentials.”
- [T1190] Exploit Public-Facing Application – Exploited Oracle Access Manager (CVE-2021-35587) to gain initial access and query production databases; “exploited an Oracle Access Manager vulnerability (CVE-2021-35587)”.
- [T1133] External Remote Services – Use of RMM tools (ConnectWise ScreenConnect, AnyDesk) and VoIP platforms for remote access and social engineering; “installing an RMM tool like Anydesk or gather sensitive information”.
- [T1204.001] User Execution: Malicious Link – Phishing pages redirect victims to OAuth/connect flows (Salesforce Data Loader) to authorize actor-controlled apps; “redirect victims to /setup/connect over voice call”.
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Used post-exploitation to run SQL*Plus and queries against Oracle databases; “used SQL*Plus to run queries and exfiltrate customer data.”
- [T1068] Exploitation for Privilege Escalation – Abuse of weak hard-coded credentials on application servers to escalate access to production databases; “abused a weak, hard-coded credential stored on the application server.”
- [T1583.006] Acquire Infrastructure: Web Services – Use and registration of phishing domains and hosting (e.g., BLESS-INVITE[.]COM) to support campaigns; “the domain was created on 5 April 2025… aligning with likely operationalization of the infrastructure.”
- [T1583.003] Acquire Infrastructure: Virtual Private Server – Pivot analysis identified multiple hosted phishing IPs and centralized server configurations across campaigns; “identical HTTP response headers across hosts… indicating centralized configuration”.
- [T1110] Brute Force – Initial access operations included brute force attacks against edge devices like VPNs and firewalls as directed by affiliates; “directed initial access operations involving brute force attacks against edge network devices”.
- [T1518] Software Discovery – Targeting of development/test environments and discovery of BrowserStack integrations to map CI/CD exposure; “BrowserStack integrations with project management tools and cloud applications”.
- [T1526] Cloud Service Discovery – Identification and targeting of cloud-hosted resources and SSO-integrated apps (Okta, Salesforce, Microsoft 365) for lateral movement; “Okta is an identity and access management (IAM) platform… a high-value target”.
- [T1210] Exploitation of Remote Services – Abuse of third-party remote services and call-center/P1 bots to perform vishing and credential capture; “P1 services abusing Google Voice to perform vishing attacks”.
- [T1213] Data from Information Repositories – Bulk exfiltration of Salesforce datasets (CRM, logs, transcripts) from compromised dashboards; example dataset sizes listed for an airline.
- [T1119] Automated Collection – Use of automated workflows and AI voice agents (Bland AI) to dynamically harvest credentials and authorization codes during calls; “Bland AI to power AI-driven social engineering agents that dynamically adjust…”.
- [T1074.002] Data Staged: Remote Data Staging – Use of LimeWire and other sharing services to stage and leak stolen datasets during extortion negotiations; “used the LimeWire file-sharing service to leak samples of stolen data”.
- [T1071.001] Application Layer Protocol: Web Protocols – Phishing infrastructure and exfiltration leveraged web protocols and hosted services for interaction and staging; “phishing server… Apache/2.4.58 (Win64) with OpenSSL/3.1.3”.
- [T1102] Web Service – Use of Telegram channels, qTox, and other web-based platforms to coordinate, advertise, and sell stolen data; “ShinyCorp used Telegram and qTox to communicate with potential buyers”.
- [T1090] Proxy – Use of VoIP providers and anonymizing hosting/registrars (Njalla, privacy WHOIS) to conceal infrastructure and relay calls; “registered through Tucows with privacy protection services provided by Njalla”.
- [T1567.002] Exfiltration to Cloud Storage – Use of cloud storage and file-sharing services (LimeWire, cloud buckets) to publish or stage stolen data for extortion.
- [T1041] Exfiltration Over C2 Channel – Use of actor-controlled channels and infrastructure to transfer stolen datasets and credentials to collaborators.
- [T1486] Data Encrypted for Impact – Development of ‘shinysp1d3r’ RaaS with VMware ESXi encryption capabilities to enable future ransomware impact operations.
- [T1565] Data Manipulation – Threat actors used compromised Salesforce Omni-Channel to call customers and manipulate communications for further vishing and extortion.
- [T1136.003] Create Account: Cloud Account – Recruitment and creation of fraudulent/actor-controlled cloud app accounts to gain persistence and access via OAuth or connected apps.
- [T1578.005] Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations – Abuse of stolen API keys and cloud access to alter project settings and CI/CD configurations to support supply chain attacks.
- [T1111] Multi-Factor Authentication Interception – Vishing and social engineering to capture connection codes and MFA tokens during voice calls to authorize malicious apps; “deceived into entering connection codes that authorized actor-controlled applications”.
- [T1528] Steal Application Access Token – Phishing and OAuth abuse to obtain tokens and authorized app access (Salesforce Data Loader), enabling data exfiltration and lateral movement.
- [T1539] Steal Web Session Cookie – Phishing of SSO login flows to capture session data and bypass normal authentication controls.
- [T1555.006] Credentials from Password Stores: Cloud Secrets Management Stores – Theft of API keys and secrets from development/test environments and leaked posts showing BrowserStack keys and other API credentials.
- [T1003.003] OS Credential Dumping: NTDS – References to credential harvesting and high-privilege account targeting imply use of credential dumping techniques post-compromise.
- [T1195] Supply Chain Compromise – Targeting of CI/CD and developer toolchains to push malicious code or updates and compromise downstream customers via a single supply chain foothold.
Indicators of Compromise
- [IP Address] Phishing hosts and infrastructure – 196.251.83[.]162, 191.96.207[.]179 (phishing and pivot hosts linked to Okta/Salesforce-themed phishing).
- [Domain] Phishing and lure domains – bless-invite[.]com, admiring-shockley[.]196-251-83-162[.]plesk[.]page (domains associated with cloned Okta/login phishing infrastructure).
- [Domain] Evilginx/Evil proxy themed domains – okta-louisvuitton[.]com, signin-okta[.]com (examples of domains linked to Scattered Spider phishing infrastructure).
- [File Hash] Okta phishing theme SHA-256 – 0383c0d109b7cfdef058b0197125c85d276510724be33a746056f9a7c181d761e5c5617c8… (full hash listed in report).
- [API Keys / Credentials] Leaked service credentials – BrowserStack API keys tied to enterprise domains and Cloudflare Access-referencing keys (examples posted in Telegram leaks; multiple keys observed).
- [Messaging ID] Actor contact identifier – qTox ID BD1B683FD3E6CB094341317A4C09923B7AE3E7903A6CDB90E5631EC7DC1452636FF35D9F5AF2 (ShinyCorp contact).
- [Cryptocurrency Address] Payment addresses used for extortion – Bitcoin bc1q5530apqz86eywm2f84mpcyuux3dv9mmztsdxt2, Monero 87cEqA6PunENHwe5h8XtRifWuDhNQXKwzGNSbwKmrdEehY4wjRjWvZmSgE8LHTe6e5Pmnuyyiu5AWbGCC9gHUzUj5KHnSH9 (attributed to ShinyCorp).