shinyhunters
Ransomware group profile
Description
ShinyHunters is a financially motivated cybercriminal group that specializes in large-scale data breaches and extortion. They primarily operate using a 'pay or leak' model, threatening to expose sensitive information unless ransoms are paid. Initially targeting a variety of industries, the group has evolved to focus on SaaS platforms and cloud environments.
Key insights
- Employs sophisticated vishing techniques to gain initial access.
- Targets Software-as-a-Service (SaaS) platforms and cloud environments.
- Utilizes OAuth token exploitation and misconfigured applications for data exfiltration.
- Operates under a 'pay or leak' model to extort victims.
- Associated with other cybercriminal entities like Scattered Spider and Lapsus$.
Threat Level & Status Breakdown
For shinyhunters · Based on incidents in selected period
Recent activity
Monthly attack count for shinyhunters in the selected period
Intelligence
IOCs, YARA/Sigma rules, and related families for shinyhunters
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for shinyhunters
- T1213 Data from Information Repositories
- T1550.001 Application Access Token
Victims (115)
| Company | Domain | Country | Industry | Status | Discovered |
|---|---|---|---|---|---|
| icsecurity.com | icsecurity.com | US United States | Technology | Data Leaked | 1 day ago |
| Amazon owned OneMedical.com | — | US United States | Healthcare | Data Leaked | 1 day ago |
| NAIC.org | naic.org | US United States | Professional Services | Data Leaked | 1 day ago |
| Service Notice: Scheduled Maintenance and Infrastructure Upgrades | — | — | — | Data Leaked | 3 days ago |
| icc.edu | icc.edu | US United States | Education | Data Leaked | 4 days ago |
| moody.edu | moody.edu | US United States | Education | Data Leaked | 4 days ago |
| glendale.edu | glendale.edu | US United States | Education | Data Leaked | 4 days ago |
| hccs.edu | hccs.edu | US United States | Education | Data Leaked | 4 days ago |
| kodak.com | kodak.com | US United States | Manufacturing | Data Leaked | 4 days ago |
| Deep Well Services | — | US United States | Energy & Utilities | Data Leaked | 4 days ago |
| Sysco Corporation | — | US United States | Other | Data Leaked | 4 days ago |
| coe.int | coe.int | FR France | Government & Defense | Data Leaked | 6 days ago |
| Madison Square Garden Sports Corp. | — | US United States | Hospitality | Data Leaked | 8 days ago |
| JCPenney & several other subsidiaries under Catalyst Brands & Authentic Brands Group | — | US United States | Retail & E-Commerce | Data Leaked | 8 days ago |
| American Tower Corporation | — | US United States | Technology | Data Leaked | 8 days ago |
| Zayo.com & Allstream.com | — | US United States | Technology | Data Leaked | 8 days ago |
| Nexstar.tv | nexstar.tv | US United States | Technology | Data Leaked | 8 days ago |
| Ralph Lauren Corporation | ralphlauren.com | US United States | Retail & E-Commerce | Data Leaked | 8 days ago |
| Notice | — | — | — | Unknown | 9 days ago |
| nottingham.ac.uk | nottingham.ac.uk | GB United Kingdom | Education | Unknown | 10 days ago |
Affected countries (35)
Countries where this group has been reported to target or leak victims.