ShinyHunters Unmasked: From Data Theft Crew to Extortion Ecosystem

Threat Research Team

1. Executive Summary

Augur Security has prepared this brief to outline recent intelligence related to ShinyHunters, a financially motivated threat actor known for large-scale data theft and breach monetization. Over the past year, ShinyHunters has expanded beyond its origins as a data broker to high-velocity social engineering and extortion. Augur researchers are tracking significant activity and infrastructure overlap linking the group to ongoing campaigns targeting enterprise identity providers, single sign-on platforms, and cloud environments. In September 2025, Augur also began tracking a newer, compound cluster (ScatteredLapsu$ShinyHunters) linking ShinyHunters, Scattered Spider, and LAPSU$ through shared infrastructure and operations. This indicates that the ShinyHunters group is moving further into the ransomware-affiliate ecosystem, making it an even greater risk to enterprise environments.

This brief details Augur's tracking of ShinyHunters across a six-year prediction window, covering preemptively identified CIDRs, active bulletproof hosting ranges, and IOCs associated with ongoing threat actor campaigns. Augur has also identified the group's use of Tor exit nodes and leased network infrastructure to orchestrate real-time session hijacking and MFA bypass across enterprise environments, making infrastructure monitoring integral as campaign artifacts remain sparse. The findings presented here are intended to support threat hunting and defense for organizations operating Okta and other SSO-guarded Software-as-a-Service (SaaS).

1.1 Background

ShinyHunters (also tracked concurrently as UNC6040, UNC6661, UNC6671, and UNC6240) is a financially motivated cybercrime brand built around data theft, notoriety, and extortion. Augur tracking indicates that the ShinyHunters moniker originally referred to a real core group of hackers, a judgment supported by U.S. Department of Justice action against Sébastien Raoult and co-conspirators. However, recent tracking indicates that ShinyHunters' activity now functions more like a brand, encompassing a wide network of operators, affiliates, and likely impersonators who use overlapping tradecraft to build their own reputations. This assessment is further corroborated by Google’s Threat Intelligence Group, whose recent coverage splits tracking of ShinyHunters-branded activity across multiple UNC clusters, accounting for increased partnerships and active impersonation. 

The core technical shift between the original ShinyHunters gang and the new threat collective is a transition from breach-market affiliate to identity-focused SaaS extortion actor. Earlier ShinyHunters activity centered on covertly stealing enterprise datasets and rapid monetization, but recent evolutions in tradecraft now show a different operating model. Operators now run extensive vishing (voice phishing) and fake helpdesk scams to gain access to enterprise cloud environments and exfiltrate data at scale. These enterprise-focused campaigns also frequently enable follow-on compromise, allowing operators to pivot from a single compromised identity to multiple downstream customers, as seen in downstream ShinyHunters-linked intrusions against Google, Cisco, Adidas, Qantas, and LVMH. The group poses significant risk to authorization tokens and identity-dependent access paths.

2. Assessment

Augur assesses with high confidence that ShinyHunters no longer represents the core 2022 group, which included Sébastien Raoult and known associates. Although certain operators may have persisted within the group, today’s collective activity indicates that the group has fragmented over the years. Raoult’s arrest confirmed that ShinyHunters originally had a core membership in the data-theft affiliate market; information about his arrest and his co-conspirators also assisted disruption operations over the years, purportedly destabilizing the original ShinyHunters group. Third-party tracking corroborates this assessment and no longer treats recent ShinyHunters activity as the work of one static roster; Google’s Threat Intelligence Group, for example, has split the activity across UNC6661, UNC6671, and UNC6240 to account for shifting partnerships and possible impersonation. The group’s evolution in tradecraft, along with its targeting overlap, now points to the broader eCrime ecosystem rather than to a single clearly defined organization. Augur’s own tracking of repeated overlaps with social-engineering operators and ransomware affiliates supports the view that ShinyHunters now functions more as an affiliate-driven extortion brand than as the small data-theft team it began as.

2.1 Recent Campaigns

In 2024 and 2025, ShinyHunters launched several successful campaigns, with the Snowflake and Salesforce operations offering the clearest view of its evolving tradecraft. Both campaigns focused on identity compromise and SSO credential theft, giving attackers unfettered access to customer cloud environments and data. In the Snowflake intrusions, previously stolen credentials gave the actors direct access to customer instances, allowing them to exfiltrate large volumes of sensitive data from multiple organizations and leverage that access for extortion.

This access model matured further in the Salesforce campaign. Operators used vishing and fake help-desk lures to manipulate users into authorizing a modified Salesforce Data Loader app, granting the actors persistent access to Salesforce environments and, in some cases, adjacent services like Okta and Microsoft 365. Google publicly disclosed it was affected by this campaign, and reporting tied the broader wave to additional major brands, including Adidas, Qantas, LVMH, and Allianz Life. The 2024-2025 changes in the ShinyHunters operational model allowed the group to evolve from simple data theft to an identity-focused SaaS extortion actor, with the group establishing its ability to turn a single compromised token into downstream client exposure.

In 2026, Augur is tracking the group across two new campaigns, most notably the January 2026 Okta-focused phishing wave and the ongoing Salesforce Aura campaign. The group’s January activity began with a widespread Okta-focused phishing campaign against enterprise identity portals, with Augur tracking infiltration attempts across 100 organizations using live phishing panels. At the same time, Mandiant researchers tracked a related ShinyHunters cluster engaging in a new vishing campaign designed to intercept SSO credentials and MFA tokens. In parallel, the group has also continued targeting Salesforce through aggressive abuse of public-facing Experience Cloud environments. Augur tracking across 2026 shows the group repurposing Salesforce Aura Inspector (a Mandiant-built tool for helping defenders identify access control misconfigurations in Salesforce Aura) to scan for and abuse exposed Experience Cloud portals and Aura endpoints. This allowed ShinyHunters affiliates to query sensitive CRM data directly without an authenticated login and to exfiltrate data in bulk. Operators are therefore no longer confined to vishing: ShinyHunters operators can also target weak cloud authorizations to expose enterprise business logic and data, bypassing traditional access controls. The combined focus on vishing and identity abuse makes the current threat materially stronger than the group’s earlier breach-market activity.

Figure 1: Attack Flow Mapping

3. Technical Indicators

Augur’s position as both a threat intelligence repository and a preemptive defense provider has enabled the Augur Research team to identify and disrupt ShinyHunters campaign infrastructure prior to phishing panel activation. The following indicators of compromise (IOCs) reflect infrastructure and artifacts associated with these operations, both from Augur’s corpus and externally reported feeds. Augur advises CISOs, security teams, and SOC analysts to monitor activity involving these indicators, as interactions with or communications to them may indicate active targeting or compromise.

Table 1: IPv4 Preemptively Identified by Augur

Table 2: External IOCs tracked with the 2025 Voice Phishing Campaign

4. ShinyHunters TTPs - MITRE ATT&CK

MITRE ATT&CK
Tactic | ShinyHunters Tradecraft | Method | Campaign Context | ATT&CK Mapping
Initial Access | Voice phishing (vishing) / fake help-desk pretexts | Operators impersonate IT or support personnel over the phone, claim an urgent security or account issue, and pressure employees into taking actions that enable compromise. | External reporting confirmed UNC6040 specialized in vishing to compromise Salesforce environments; Google's January 2026 reporting said UNC6671 similarly impersonated IT staff to target MFA workflows. | T1566.004 Phishing for Information: Voice Phishing; T1656 Impersonation; T1598 Social Engineering
Credential Access | Victim-branded credential harvesting / MFA interception | Users are directed to spoofed login portals tailored to the victim organization. Attackers capture SSO usernames, passwords, and MFA codes in real time for account takeover. | Google's January 2026 cluster reporting said UNC6671 used victim-branded credential harvesting sites to steal SSO credentials and MFA codes. Okta separately warned about caller-synchronized phishing kits built to defeat non-phishing-resistant MFA. | T1566 Phishing; T1056.003 Web Portal Capture; T1111 Multi-Factor Authentication Interception
Persistence / Account Takeover | Attacker-controlled MFA enrollment | After stealing credentials and MFA codes, the actor registers a device they control as a valid MFA factor to preserve access. | Third-party feeds tracked UNC6671 phishing for credentials and MFA codes, then registering its own device for MFA. | T1098.005 Account Manipulation
Initial Access / Privilege Abuse | Malicious connected-app authorization / OAuth session abuse | Users are tricked into authorizing a malicious OAuth-connected application inside Salesforce, after which the actor abuses granted scopes, refresh tokens, or trusted session access to reach and export data. | GTIG reported UNC6040 repeatedly deceived victims into authorizing a modified Salesforce Data Loader connected app. Reuters and Salesforce's November 2025 reporting described unusual activity involving Gainsight-published apps that may have enabled unauthorized access to Salesforce data. | T1528 Steal Application Access Token; T1550 Use Alternate Authentication Material
Discovery / Collection | SaaS data reconnaissance / bulk export from enterprise SaaS | Actors enumerate accessible objects, records, users, and customer datasets inside CRM or SaaS environments, then leverage authorized app functionality to export data in volume. | Industry reporting found that UNC6040 focused on Salesforce instances to facilitate large-scale data theft and extortion. Mandiant's Snowflake reporting described a systematic theft of customer data from instances using stolen credentials. | T1087 Account Discovery; T1213 Data from Information Repositories; T1530 Data from Cloud Storage/Object Repositories
Initial Access / Exposure Abuse | Misconfigured public portal exploitation | Actors abuse weak guest-user permissions or public-facing portal misconfigurations to access data without normal authentication. | FINRA warned in March 2026 that ShinyHunters was actively exploiting misconfigured Salesforce Experience Cloud instances to bypass authentication and access sensitive customer data. | T1190 Exploit Public-Facing Application
Lateral / Follow-on Cloud Access | Lateral movement from one SaaS foothold into adjacent cloud services | A compromised identity token or connected application serves as a bridge to other trusted cloud services or internal environments. | Google's June 2025 reporting said UNC6040 compromises sometimes led to access to additional cloud services and internal networks. Mandiant hardening guidance emphasized broader SaaS compromise risk. | T1078 Valid Accounts; T1528 Steal Application Access Token
Impact / Monetization | Data extortion | After exfiltration, actors threaten to publish, sell, or perpetrate downstream fraud unless the victim pays. | Incident reporting explicitly described UNC6040's operations as large-scale data theft followed by extortion. FINRA warned stolen Experience Cloud data was being leveraged to defraud customers. | T1657 Financial Theft (extortion behavior best described narratively)
Targeting Pattern | Enterprise identity concentration | Actors favor environments where successful compromise opens access to high-volume customer data or downstream victims. | Mandiant's Snowflake reporting described the actor using stolen credentials to systematically access customer instances at scale. Google's Salesforce reporting found one compromised identity provided access to high-volume customer data across multiple downstream vendors. | Campaign tradecraft pattern rather than a single ATT&CK technique

Table 3: MITRE ATT&CK Mapping

5. At Risk

The group continues to remain a threat to enterprise environments, where successfully compromised identities contribute to the exploitation of multiple downstream systems. This specifically increases the risk for organizations using centralized SSO, Salesforce, Microsoft 365, Okta, and other SaaS vendors tied to the same user session. Augur recommends hardening against the ShinyHunters access model, specifically reinforcing targeted identity providers, CRM platforms, customer data stores, and public-facing cloud portals with weak authorization. 

Individuals most at risk are employees closest to critical access paths, like IT help desk staff, IAM/SSO administrators, and CRM owners with powerful credentials. Operators target these individuals, who have broad internal access, to increase the chance of successfully phishing administrator tokens, allowing them to exfiltrate customer data and pivot to exposed consumer PII (Personally Identifiable Information). The January 2026 vishing activity specifically targeted employees through fake MFA-update calls and victim-branded login pages, while the Salesforce campaign abused connected apps and weak cloud permissions. Those at the intersection of access and authentication in large organizations remain a high-value target for ShinyHunters and should defend accordingly.

Table 4: Reported breaches

The infrastructure profiles and hosting patterns Augur associates with ShinyHunters in Section 3 overlap with infrastructure linked to other financially motivated intrusion sets and broader eCrime actors tracked across the Augur platform. This indicates reuse of common hosting providers, relay services, and phishing-based tooling across multiple threat actor categories. For SOC analysts and defenders, Augur classifies interactions with these indicators as high-confidence risk signals, as infrastructure of this type is actively being used for malicious purposes. Any presence of, or attempted connection to, the infrastructure in Appendix A within your environment warrants immediate investigation.

6. Recommendations

To address the persistent and evolving threat posed by ShinyHunters and its affiliate operators, Augur Security recommends CISOs prioritize Identity-Centric Defense and Human-Process hardening. ShinyHunters operators often bypass technical controls through social engineering, requiring a proactive defense that focuses on breaking the "Live Phishing" cycle.

6.1 Proactive Threat Intelligence

  • Leverage Augur's preemptive infrastructure detection capabilities to identify and disrupt phishing domains and supporting infrastructure before email delivery or user interaction occurs, reducing downstream SOC alert fatigue.
  • Identity Provider (IdP) Log Auditing: Actively hunt for "Internal" or "My" lookalike domains in DNS and proxy logs (e.g., [company]-okta.com or my-[company]-internal.com). Utilize Augur threat intelligence feeds, specifically tracking ShinyHunters infrastructure reuse.
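One way to run the lookalike-domain hunt described above over DNS or proxy logs, as an added example that is not Augur's tooling. The brand token `acme`, the allowlist of legitimate tenant domains, the keyword list and the sample log lines are all constructed assumptions to be replaced with an organization's own values.

```python
"""Hunt DNS/proxy logs for IdP lookalike domains of the [company]-okta.com /
my-[company]-internal.com shape.

Added example, not Augur's tooling. Log lines are constructed
("<timestamp> <client_ip> <queried_domain>"); brand token, allowlist and
keyword list are assumptions to replace with the organization's own values.
"""
import re

COMPANY = "acme"  # assumption: the brand token as it appears in the org's domains

# Assumption: every tenant URL the organization legitimately uses, including the
# IdP admin console; only domains outside this allowlist can be flagged.
LEGIT_DOMAINS = {"acme.com", "acme.okta.com", "acme-admin.okta.com"}

# Vocabulary attackers pair with a brand on victim-branded login pages: the two
# shapes from the report plus common SSO/help-desk words.
IDP_KEYWORDS = {"okta", "sso", "internal", "my", "login", "mfa", "vpn", "helpdesk"}


def normalize(domain: str) -> str:
    return domain.lower().rstrip(".")


def is_legit(domain: str) -> bool:
    """True if the domain is an allowlisted domain or a subdomain of one."""
    d = normalize(domain)
    return any(d == legit or d.endswith("." + legit) for legit in LEGIT_DOMAINS)


def is_lookalike(domain: str, company: str = COMPANY) -> bool:
    """Flag a domain that combines the brand token with an IdP keyword.

    Labels are split on dots, hyphens, underscores and digits, and the brand
    token is stripped from each label so fused forms (acmeokta, myacme) match.
    Exact keyword comparison avoids false hits such as acme-academy.com.
    """
    d = normalize(domain)
    if company not in d or is_legit(d):
        return False
    for label in re.split(r"[.\-_\d]+", d):
        if label.replace(company, "") in IDP_KEYWORDS:
            return True
    return False


# Constructed sample: one DNS query log line per resolution.
SAMPLE_DNS_LOG = [
    "2026-01-14T09:01:02Z 10.20.30.41 acme.okta.com",
    "2026-01-14T09:01:09Z 10.20.30.41 acme-admin.okta.com",
    "2026-01-14T09:03:44Z 10.20.30.57 acme-okta.com",
    "2026-01-14T09:03:45Z 10.20.30.57 login.acme-okta.com",
    "2026-01-14T09:05:10Z 10.20.30.88 my-acme-internal.com",
    "2026-01-14T09:06:00Z 10.20.30.12 acme-academy.com",
    "2026-01-14T09:07:31Z 10.20.30.99 acme.okta.com.sso-verify.net",
    "2026-01-14T09:08:15Z 10.20.30.12 www.acme.com",
]


def hunt(lines):
    """Return (timestamp, client_ip, domain) for the first sighting of each lookalike."""
    hits, seen = [], set()
    for line in lines:
        ts, client_ip, qname = line.split()
        d = normalize(qname)
        if d not in seen and is_lookalike(d):
            seen.add(d)
            hits.append((ts, client_ip, d))
    return hits


if __name__ == "__main__":
    for ts, client_ip, d in hunt(SAMPLE_DNS_LOG):
        print(f"{ts} {client_ip} queried lookalike IdP domain {d}")
```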

6.2 Identity & Access Management (IAM) Hardening

  • Enforce Phishing-Resistant MFA: Transition all users, starting with privileged accounts, to FIDO2/WebAuthn-based authentication (e.g., YubiKeys, Okta FastPass, or Passkeys). Discontinue use of phishable factors such as SMS, voice calls, and standard push notifications, which are easily intercepted by ShinyHunters’ Live Phishing Panels.
  • Implement Strict Session Binding: Enable ASN (Autonomous System Number) binding for administrative sessions to prevent session hijacking. If an attacker steals a session cookie, the session should be invalidated if the source IP or network profile shifts significantly.
  • Accelerated Session Timeouts: Reduce session lifetimes for high-value SaaS applications (Salesforce, Snowflake, AWS Console). Force frequent re-authentication for any activity originating from unmanaged or new devices.
  • MFA Enrollment Guardrails: Implement an "MFA Lockdown" policy where any new device enrollment triggers an immediate 24-hour quarantine on sensitive data exports and requires out-of-band approval from a security administrator.

6.3 Help Desk & Administrative Process Reform

  • Mandatory Identity Verification: Require IT help desk personnel to conduct a live video call for all admin password or MFA resets. The user must verify a physical government ID against HR records to move forward.
  • Out-of-Band Manager Approval: Formalize a "Two-Key" system for credential resets. No reset should be processed without a secondary approval from the requesting employee's direct manager via a known internal communication channel (e.g., Slack or Teams).
  • Verification Call-Backs: Prohibit the processing of support requests on inbound calls. Instruct help desk agents to hang up and call the employee back on a verified corporate phone number registered in the company directory.
  • Employee Verification Codes: Deploy a system that allows employees to generate a rotating 6-digit verification code in their browsers. Help desk agents must request this code to verify that the caller is a legitimate employee.

6.4 Monitoring & Detection Strategies

  • Detect "MFA-then-Login" Anomalies: Configure SIEM alerts for any instance in which a new MFA factor is enrolled, followed by a login from a different IP or geographic region within a 60-minute window.
  • SaaS Data Export Monitoring: Monitor for the execution of high-volume data tools (e.g., Salesforce Data Loader, ToogleBox, or Google Workspace bulk exports). These are the primary post-exploitation tools ShinyHunters use for rapid exfiltration.
  • Restrict Non-Human Identities (NHI): Audit and restrict the scope of service accounts and API keys. ShinyHunters frequently pivots from a compromised user session to long-lived API tokens to maintain persistence and bypass future MFA prompts.
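The "MFA-then-Login" rule from 6.4, written out as a small correlation over IdP events, as an added example that is not Augur's or any vendor's detection content. The tab-separated event schema, the event names `mfa.factor.enroll` and `session.start`, and the sample log are constructed assumptions; a SIEM rule would map them onto the real IdP log (for Okta, the System Log) before use.

```python
"""Detect the "MFA-then-Login" anomaly: a new MFA factor enrolled, then a login
from a different IP address or region within a 60-minute window.

Added example, not Augur's or any IdP vendor's detection content. Events use a
constructed tab-separated schema (timestamp, user, event, ip, region); the
field and event names are assumptions to map onto the real IdP log.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)
ENROLL_EVENT = "mfa.factor.enroll"  # assumed name for "new factor registered"
LOGIN_EVENT = "session.start"       # assumed name for an interactive login


def parse_events(lines):
    """Parse log lines into dicts and return them sorted by timestamp."""
    events = []
    for line in lines:
        ts, user, event, ip, region = line.rstrip("\n").split("\t")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "event": event, "ip": ip, "region": region,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mfa_then_login(events):
    """One alert per (enrollment, later login) pair for the same user where the
    login arrives within WINDOW and its IP or region differs from the enrollment.

    Only the enroll -> login order alerts; a login followed by an enrollment is
    the normal self-service flow and is ignored here.
    """
    alerts = []
    pending = {}  # user -> enrollments still inside the window
    for e in events:
        if e["event"] == ENROLL_EVENT:
            pending.setdefault(e["user"], []).append(e)
            continue
        if e["event"] != LOGIN_EVENT:
            continue
        fresh = [en for en in pending.get(e["user"], []) if e["ts"] - en["ts"] <= WINDOW]
        pending[e["user"]] = fresh  # expire enrollments older than the window
        for en in fresh:
            if en["ip"] != e["ip"] or en["region"] != e["region"]:
                alerts.append({
                    "user": e["user"],
                    "enroll_ip": en["ip"], "enroll_region": en["region"],
                    "login_ip": e["ip"], "login_region": e["region"],
                    "minutes_between": int((e["ts"] - en["ts"]).total_seconds() // 60),
                })
    return alerts


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_IDP_LOG = [
    "2026-01-14T09:00:00Z\talice\tmfa.factor.enroll\t198.51.100.23\tUS",
    "2026-01-14T09:20:00Z\talice\tsession.start\t203.0.113.7\tDE",     # new factor, then login from elsewhere
    "2026-01-14T10:00:00Z\tbob\tmfa.factor.enroll\t192.0.2.10\tUS",
    "2026-01-14T10:05:00Z\tbob\tsession.start\t192.0.2.10\tUS",         # same network: benign
    "2026-01-14T11:00:00Z\tcarol\tmfa.factor.enroll\t192.0.2.20\tGB",
    "2026-01-14T13:30:00Z\tcarol\tsession.start\t198.51.100.9\tNL",     # outside the 60-minute window
    "2026-01-14T12:00:00Z\tdave\tmfa.factor.enroll\t198.51.100.40\tUS",
    "2026-01-14T12:59:00Z\tdave\tsession.start\t198.51.100.41\tUS",     # same region, new IP: still alerts
    "2026-01-14T14:00:00Z\teve\tsession.start\t203.0.113.50\tFR",
    "2026-01-14T14:10:00Z\teve\tmfa.factor.enroll\t203.0.113.50\tFR",   # login first: ignored
]

if __name__ == "__main__":
    for alert in detect_mfa_then_login(parse_events(SAMPLE_IDP_LOG)):
        print(alert)
```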

Report prepared by Augur Research

For questions or additional analysis, contact: research@augursecurity.com

The Augur Difference. Let Us Prove It To You.

Experience firsthand the benefits of preemptive cyber defense with a quick proof of value (POV). We can have you up and running in less than a day, and after 30 days, get an Augur report detailing:

  • Threats Augur identified
  • Advance warning timelines
  • Data-driven insight on alert reduction and improved SOC efficiency
