Scattered LAPSUS$ Hunters (SLH) represents a federated cybercriminal brand that operates large-scale data-theft and extortion campaigns targeting enterprise cloud environments. The ShinyHunters cybercriminal group leverages the combined reputational capital of Scattered Spider, ShinyHunters, and LAPSUS$ to execute sophisticated social engineering attacks against businesses, organizations, and government systems worldwide. First identified on August 9, 2025, this threat actor has compromised organizations across multiple industries through cloud-first attack strategies.
The ShinyHunters cybercriminal operation primarily targets cloud-based platforms including Okta, Microsoft Entra, Azure AD, Salesforce, Microsoft 365, SharePoint, OneDrive, Google Workspace, and numerous other SaaS applications. ShinyHunters attacks span 17 targeted regions globally, including the United States, United Kingdom, France, Australia, and numerous European and Asian countries. The ShinyHunters threat actor focuses on industries such as financial services, telecommunications, healthcare, technology, government, and education sectors.
ShinyHunters cybercriminals employ sophisticated social engineering techniques rather than direct exploitation methods. The ShinyHunters group uses voice phishing (vishing) to impersonate internal IT staff, directing employees to malicious login pages or persuading them to approve unauthorized access. Once ShinyHunters operators gain initial access, they deploy infostealer malware including LummaC2, StealC, RedLine, Meduza, Rhadamanthys, and Vidar to harvest credentials, personal records, and sensitive financial information.
The ShinyHunters cybercriminal brand has attracted numerous copycats and impersonators, with unaffiliated actors falsely claiming ShinyHunters membership on Telegram channels and data-leak sites. This brand hijacking in cybercrime complicates attribution efforts and demonstrates the value of the ShinyHunters reputation within cybercriminal ecosystems. ShinyHunters operations now include an Extortion-as-a-Service offering and teased development of the “Sh1nySp1d3r” ransomware program targeting VMware ESXi environments.
ShinyHunters operates as a financially motivated cybercriminal group that prioritizes social engineering over technical exploitation. The ShinyHunters threat actor employs sophisticated voice phishing campaigns where operators impersonate internal IT staff to manipulate employees into compromising security controls. ShinyHunters attackers direct victims to fake login pages designed to capture credentials and multi-factor authentication codes. ShinyHunters cybercriminals also persuade employees to approve malicious access requests that bypass standard security protocols.
Once ShinyHunters operators capture login credentials and one-time MFA codes, they immediately register their own devices to establish persistent access while suppressing security alerts. This device registration technique allows ShinyHunters to maintain long-term access to compromised environments. ShinyHunters has deployed multiple infostealer malware families including LummaC2, StealC, RedLine, Meduza, Rhadamanthys, and Vidar to extract sensitive data including credentials, personal records, and financial information from compromised systems.
ShinyHunters cybercriminals have demonstrated advanced technical capabilities by exploiting critical vulnerabilities in enterprise applications. The ShinyHunters group claims access to exploits for CVE-2025-31324, an unrestricted file upload vulnerability in SAP NetWeaver that allows arbitrary code execution. ShinyHunters operators also exploit CVE-2025-61882, an unspecified vulnerability in Oracle E-Business Suite versions 12.2.3 through 12.2.14 that enables unauthorized access to sensitive business systems.
Earlier ShinyHunters activity linked to the “Yukari” persona involved exploiting CVE-2021-35587, a vulnerability in Oracle Access Manager affecting versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. ShinyHunters used this Oracle vulnerability to extract data from Oracle 12c database systems. ShinyHunters attackers also manipulate legitimate OAuth workflows, such as authorizing modified Salesforce Connected Apps to gain API-based access to cloud services without triggering conventional security alerts.
Once ShinyHunters gains initial access, their lateral movement depends on exploiting interconnected cloud services. A single compromised identity system provides ShinyHunters access to multiple connected platforms including Salesforce, Microsoft 365, SharePoint, OneDrive, Slack, Workday, Zendesk, Amazon S3, GitHub, GitLab, BrowserStack, Jira, and Azure DevOps. ShinyHunters operators pivot across these SaaS applications by exploiting single sign-on (SSO) integrations and OAuth trust relationships.
ShinyHunters extracts large datasets from compromised environments, removes security logs to limit detection capabilities, and uses compromised administrator accounts to expand attack operations. ShinyHunters extends access through stolen API keys and authentication tokens, enabling entry into development tools and internal code repositories. ShinyHunters operators leverage proxy networks, commercial VPN services, and recruited insider threats to obscure their activities and scale operations across multiple victim organizations simultaneously.
Data theft drives ShinyHunters' operational model. The ShinyHunters group targets high-value information including customer databases, communication logs, internal documents, intellectual property, and financial records. ShinyHunters uses keyword-based filtering to identify and prioritize sensitive data before exfiltration through OAuth-authorized APIs or cloud storage services. ShinyHunters exfiltrates data using PowerShell scripts and legitimate cloud service APIs to blend malicious traffic with normal business operations.
ShinyHunters pressures victims with seven-figure ransom demands supported by public data leaks on ShinyHunters-branded leak sites, distributed denial-of-service (DDoS) attacks, and direct harassment campaigns targeting employees. ShinyHunters sells individual datasets on underground markets, with prices reaching up to $1 million for particularly valuable databases. ShinyHunters has publicly denied operating certain sales channels, indicating that impersonators exploit the ShinyHunters brand reputation to sell previously stolen credentials and data gathered from infostealer logs.
A separate actor called “DB+ Collector” impersonates ShinyHunters rather than operating within the legitimate group structure. This entity does not conduct network intrusions but resells previously stolen data and credentials gathered from infostealer malware logs. The risk presented by DB+ Collector involves exposure of compromised credentials rather than direct system breaches. This impersonation extends further as various actors falsely claim association with ShinyHunters within broader alliances alongside groups like Scattered Spider and LAPSUS$.
ShinyHunters has publicly denied operating certain sales channels and data-leak sites that use the ShinyHunters name, indicating that many attribution claims represent attempts to exploit their cybercriminal reputation rather than evidence of legitimate affiliation. This brand hijacking in cybercrime complicates threat intelligence and attribution efforts, as security teams must distinguish between legitimate ShinyHunters operations and copycat activities from unaffiliated threat actors exploiting the ShinyHunters brand for financial gain.
Organizations must enforce FIDO2 security keys or passkeys for all workforce accounts, particularly for high-privilege users accessing SSO-integrated applications. Push notifications, SMS codes, and TOTP authenticators remain vulnerable to ShinyHunters vishing workflows, whereas hardware-bound credentials cannot be relayed through fake help-desk calls. Implementing phishing-resistant MFA prevents ShinyHunters from capturing authentication credentials through social engineering attacks.
Organizations should limit the number of Super Admin, Organization Admin, and Global Admin accounts in Okta and Microsoft Entra environments. Enforce Just-in-Time privilege elevation for sensitive administrative operations and continuously audit authentication logs for anomalous sign-ins from anonymized IP addresses, Tor exit nodes, or residential proxy networks commonly used by ShinyHunters operators.
Organizations must implement strict controls over Salesforce Connected Apps and similar OAuth integrations. Allowlist only vetted Connected Apps, remove “API Enabled,” “Manage Connected Apps,” and mass-export permissions from general user accounts, require administrator approval for new OAuth authorizations, and define trusted IP ranges on user profiles and connected applications so that unknown or commercial-VPN networks are blocked or challenged before granting access.
Organizations must prioritize remediation and compensating controls for CVE-2025-61882 (Oracle E-Business Suite), CVE-2025-31324 (SAP NetWeaver), and CVE-2021-35587 (Oracle Access Manager), all vulnerabilities that ShinyHunters members have publicly claimed to exploit or broker. Apply vendor-provided security patches immediately and implement network segmentation to limit exposure of vulnerable systems until patches can be deployed.
Organizations should review every connected SaaS integration, particularly Salesloft, Drift, Gainsight, Mixpanel, and similar revenue or analytics applications for unused OAuth scopes or dormant authentication tokens. Rotate API keys and access credentials created by engineering teams in BrowserStack, GitHub, GitLab, Jira, and Azure DevOps. Implement regular OAuth token audits to identify and revoke unauthorized or excessive permissions that ShinyHunters could exploit.
Security teams must hunt for unauthorized OAuth authorizations in Google Workspace and Microsoft 365, monitor for soft-deletion or hard-deletion of Exchange messages with subject lines containing “new MFA,” “security method enrolled,” or equivalent security notification strings, and investigate creation of new cloud-identity accounts outside normal change management windows. These indicators suggest ShinyHunters operators attempting to hide their persistence mechanisms.
SHA256 File Hashes: Multiple malware samples associated with LummaC2, StealC, Vidar, RedLine, Meduza, and Rhadamanthys infostealer families (complete hash list available in original report)
TOR Address: shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion
Email Addresses: shinycorp@tutanota.com, shinygroup@onionmail.com
Cryptocurrency Addresses: Bitcoin (bc1q5530apqz86eywm2f84mpcyuux3dv9mmztsdxt2), Monero (87cEqA6PunENHwe5h8XtRifWuDhNQXKwzGNSbwKmrdEehY4wjRjWvZmSgE8LHTe6e5Pmnuyyiu5AWbGCC9gHUzUj5KHnSH9)
Initial Access: T1566.002 (Spearphishing Link), T1566.004 (Spearphishing Voice), T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application), T1133 (External Remote Services), T1195 (Supply Chain Compromise)
Persistence: T1136.003 (Create Cloud Account), T1098.005 (Device Registration)
Privilege Escalation: T1068 (Exploitation for Privilege Escalation), T1134 (Access Token Manipulation)
Defense Evasion: T1578.005 (Modify Cloud Compute Configurations), T1550.001 (Application Access Token)
Credential Access: T1110 (Brute Force), T1111 (Multi-Factor Authentication Interception), T1528 (Steal Application Access Token), T1539 (Steal Web Session Cookie), T1555.006 (Cloud Secrets Management Stores), T1552.001 (Credentials in Files), T1003.003 (NTDS)
Collection: T1213 (Data from Information Repositories), T1119 (Automated Collection), T1074.002 (Remote Data Staging)
Exfiltration: T1567.002 (Exfiltration to Cloud Storage), T1041 (Exfiltration Over C2 Channel), T1020 (Automated Exfiltration)
Impact: T1657 (Financial Theft), T1565 (Data Manipulation), T1486 (Data Encrypted for Impact), T1498 (Network Denial of Service)