Full Report
## Executive Summary

EclecticIQ analysts assess with high confidence that ShinyHunters is expanding its operations by combining AI-enabled voice phishing, supply chain compromises, and the use of malicious insiders (employees or contractors who can provide direct access to enterprise networks).
Analysis Summary
# Threat Actor: ShinyHunters
## Attribution & Identity
Financially motivated threat group that first emerged in 2020.
**Leader:** ShinyCorp (aliases: sp1d3rhunters or shinyc0rp on Telegram).
**Associated/Collaborating Groups:** Scattered Spider, The Com, Lapsus$.
**Operational Channels:** Telegram, English-speaking cybercrime forums (BreachStars, OGUsers, DarkForums).
## Activity Summary
ShinyHunters is assessed to be expanding its operations by integrating AI-enabled voice phishing, supply chain compromises, and the use of malicious insiders. The group is focused on financially motivated data extortion and sells stolen datasets to ransomware affiliates and other eCrime actors at high prices (exceeding $1M per company). It is actively developing the ‘shinysp1d3r’ Ransomware-as-a-Service (RaaS) network, designed to encrypt VMware ESXi environments.
## Tactics, Techniques & Procedures
- **Initial Access/Social Engineering:** AI-enabled voice phishing (vishing), often conducted by hired members of Scattered Spider.
- **Insider Threat:** Leveraging malicious insiders (employees or contractors) to gain direct access to enterprise networks.
- **Supply Chain Compromise:** Targeting high-privilege engineering accounts on Git, BrowserStack, JFrog, and cloud project management platforms to infiltrate CI/CD pipelines.
- **Access Brokerage:** Collaborating with actors like Rey (Angel RaaS) who conduct brute force attacks against edge network devices (VPN/firewalls) and exploit known vulnerabilities in internet-facing servers.
- **Identity Compromise:** Targeting Single Sign-On (SSO) platforms.
- **Extortion:** Data exfiltration and subsequent extortion against victim organizations.
- **Specific Member Activity:** Actor Rey directs initial access operations; Actor Sevy carries out voice call phishing campaigns.
- **MITRE ATT&CK IDs:** Not explicitly provided in the source report.
## Targeting
- **Sectors:** Retail, Airline, Telecom companies.
- **Geography:** Not explicitly detailed, but target organizations use enterprise cloud applications.
- **Victims:** Organizations whose high-privilege engineering accounts on platforms like Git, BrowserStack, and JFrog are targeted and whose access is then sold on. Salesforce users in the airline and retail sectors are specifically mentioned.
## Tools & Infrastructure
- **RaaS Infrastructure:** Currently developing ‘shinysp1d3r’ RaaS.
- **Phishing Infrastructure:** Uses Evilginx phishing infrastructure (associated domains like `bless-invite[.]com`, `get-carrot-zoom[.]com`, `modernatx-zoom[.]com`, `recurly-zoom[.]com`).
- **Communication:** qTox ID owned by ShinyCorp: `BD1B683FD3E6CB094341317A4C09923B7AE3E7903A6CDB90E5631EC7DC1452636FF35D9F5AF2`.
- **Financial:** Bitcoin Address: `bc1q5530apqz86eywm2f84mpcyuux3dv9mmztsdxt2`; XMR Address: `87cEqA6PunENHwe5h8XtRifWuDhNQXKwzGNSbwKmrdEehY4wjRjWvZmSgE8LHTe6e5Pmnuyyiu5AWbGCC9gHUzUj5KHnSH9`.
- **Observed IPs (Likely ShinyHunters Infrastructure):** `191[.]96[.]207[.]179`, `196[.]251[.]83[.]162`, `163[.]5[.]210[.]210`, `94[.]156[.]167[.]237`, `23[.]94[.]126[.]63`, `198[.]244[.]224[.]200`.
## Implications
ShinyHunters is evolving into a sophisticated, multi-faceted threat actor by combining social engineering (AI vishing), insider threat exploitation, and supply chain access. Its readiness to launch a dedicated RaaS and its integration into the broader eCrime ecosystem (through affiliates like Scattered Spider and The Com) suggest an increased capacity for large-scale, high-impact data extortion campaigns aimed at critical infrastructure sectors.
## Mitigations
- Implement strong multi-factor authentication, particularly for SSO platforms, and monitor for suspicious MFA/SSO login attempts indicative of voice phishing success.
- Harden CI/CD pipelines and enforce strict access controls for high-privilege engineering accounts on source control and artifact repositories (Git, JFrog).
- Increase monitoring and vetting processes for contractors and employees who possess privileged access, as ShinyHunters actively leverages malicious insiders.
- Enhance detection capabilities against targeted social engineering campaigns, specifically AI-enabled voice phishing.
- Prepare incident response strategies for potential VMware ESXi ransomware encryption, anticipating the release of the ‘shinysp1d3r’ RaaS.
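As an added illustration of the SSO monitoring mitigation above (this is example code, not from the EclecticIQ report), the Python below refangs the domains and IPs listed under Tools & Infrastructure and checks constructed SSO and web-proxy log lines against them; the key=value log format and its field names are assumptions.

```python
import re
from typing import NamedTuple

# Indicators copied from the report above, in the defanged form it publishes them.
EVILGINX_DOMAINS = ["bless-invite[.]com", "get-carrot-zoom[.]com",
                    "modernatx-zoom[.]com", "recurly-zoom[.]com"]
REPORTED_IPS = ["191[.]96[.]207[.]179", "196[.]251[.]83[.]162", "163[.]5[.]210[.]210",
                "94[.]156[.]167[.]237", "23[.]94[.]126[.]63", "198[.]244[.]224[.]200"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1[.]2[.]3[.]4', 'hxxp://') into its matchable form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


class Hit(NamedTuple):
    line_no: int    # 1-based line in the scanned log
    indicator: str  # refanged indicator that matched
    reason: str     # which field matched and why


# Constructed SSO / web-proxy log lines for this example; not real telemetry.
# Field names (ts, src, user, event, host, ...) are an assumed format.
SAMPLE_LOG = """\
ts=2025-06-01T09:12:03Z src=10.0.4.17 user=alice event=sso_login result=success
ts=2025-06-01T09:13:44Z src=191.96.207.179 user=bob event=sso_login result=success mfa=push_approved
ts=2025-06-01T09:14:02Z src=10.0.4.22 user=carol event=http_request host=recurly-zoom.com path=/login
ts=2025-06-01T09:15:10Z src=10.0.4.22 user=carol event=http_request host=zoom.us path=/j/123
ts=2025-06-01T09:16:51Z src=10.0.4.30 user=dave event=http_request host=login.modernatx-zoom.com path=/
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def scan_log(text: str) -> list[Hit]:
    """Match each line's src IP and host against the report's indicators."""
    ips = {refang(i) for i in REPORTED_IPS}
    domains = {refang(d) for d in EVILGINX_DOMAINS}
    hits: list[Hit] = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = dict(FIELD.findall(line))
        src = fields.get("src", "")
        if src in ips:
            hits.append(Hit(n, src, f"src IP is reported infrastructure (event={fields.get('event')})"))
        host = fields.get("host", "").lower().rstrip(".")
        # Match the domain itself or any subdomain: reverse-proxy phishing kits such as
        # Evilginx commonly serve the fake login page from a subdomain of the registered name.
        for d in domains:
            if host == d or host.endswith("." + d):
                hits.append(Hit(n, d, f"host {host} is under a reported Evilginx domain"))
    return hits
```

A successful SSO login from a reported IP (line 2 of the sample) is the pattern the mitigation calls out; a legitimate zoom.us request (line 4) produces no hit.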