ShinyHunters Resurfaces - Vishing-Driven Salesforce Breaches

ShinyHunters Resurfaces

Vishing-Driven Salesforce Breaches, OAuth Abuse & Delayed Extortion

Background & Attribution: Who (or what) is ShinyHunters?

ShinyHunters first gained notoriety through data marketplace operations and the management of underground forums like BreachForums. Over time, they became synonymous with mass data leaks and credential theft. However, a wave of arrests and takedowns in 2024 diminished their visibility - until now.

In 2025, a fresh campaign began surfacing across threat intelligence reports. This new incarnation is more surgical, shifting from indiscriminate data leaks to targeted intrusions in cloud environments, especially Salesforce. The activity is tracked as two clusters, one for each phase of the attack:

  • UNC6040 - Intrusion phase
  • UNC6240 - Extortion phase

The attackers claim the ShinyHunters brand during extortion, a move likely designed to amplify psychological pressure. Their reputation precedes them, and leveraging that legacy is part of the attack.

In our case, we were not among the affected organizations, but as part of continuous threat monitoring, we detected and analyzed their activity patterns to inform early detection and improve defenses, especially for customer environments dependent on Salesforce and similar SaaS platforms.

1. A New Chapter in an Old Brand

The return of ShinyHunters is not a rehash of old tricks, but an evolved campaign that blends social engineering, OAuth misuse, and delayed extortion in a cloud-native way. Their current operations are anything but brute force; they're carefully staged.

Rather than exploit platform vulnerabilities, they manipulate people. Specifically, they deceive end users into approving malicious connected apps within Salesforce. Once granted OAuth access, the attackers gain long-term, API-level access to sensitive data, with no need for passwords, exploits, or elevated permissions.

Our detection team flagged this emerging technique early. While we confirmed no intrusion occurred in our systems, this allowed us to calibrate our hunting strategies and support proactive hardening across customer environments.

2. The Human Vector: Why Vishing Works Again

It always comes back to trust. The campaign begins with vishing (phone-based phishing). Attackers impersonate internal IT, technical support, or CRM partners, claiming there's a Salesforce problem requiring urgent intervention.

Their calls are well-scripted. The attacker leads the victim to Salesforce’s Connected App Authorization page, asks them to input a code, or walks them through “troubleshooting.” What’s actually happening is the victim is approving a malicious connected app that will extract data via OAuth tokens.

Early on, threat actors created these apps using Salesforce trial accounts. More recently, they’ve moved to using compromised accounts from other organizations, reducing traceability and making the apps appear legitimate.

Because consent is granted by a user, MFA and standard login monitoring often miss this threat. Tokens are valid, apps look legitimate, and the victim believes they’ve solved a support issue.

As part of our SOC hunting activities, we modeled and simulated these flows to ensure our detection logic would catch unusual app consents and unexpected OAuth usage.

3. Silent Harvesting: Exfiltration Under the Radar

Post-access, the actors don’t smash-and-grab; they act like quiet insiders. They begin with small queries to validate access, then expand scope over time, exporting Accounts, Contacts, Leads, and custom objects. Exfiltration is often chunked to avoid obvious spikes.

Activity is routed over Tor or commercial VPNs (e.g., Mullvad). In some cases, modified Salesforce Data Loader scripts or custom Python tools automate harvesting. Connected apps may be disguised with innocuous names like "My Ticket Portal".

We mapped these behaviors into alerting rules and baselines. For managed customers, we monitor anomalies in connected-app behavior, unusual API bursts, and OAuth token issuance patterns to reduce dwell time.
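The detection ideas in sections 2 and 3 above (unexpected connected-app consents, API activity from known-bad addresses, gradual expansion of the objects an app queries, and chunked exports that stay under per-call thresholds) can be expressed as a small set of checks over connected-app and API telemetry. The script below is an added illustration written for this write-up, not our production rules and not Salesforce's own tooling. The log schema (JSON lines with ts, type, user, app, ip, object, rows) is a simplified assumption, not the field names of Salesforce Event Monitoring; the sample events are constructed, the approved-app inventory is assumed, and the IOC IPs are the ones listed in the IOC section of this post.

```python
"""Detection checks for OAuth connected-app abuse over constructed telemetry.

Assumed schema (NOT Salesforce's real Event Monitoring fields):
  consent events: ts, type="consent", user, app, ip
  api events:     ts, type="api", user, app, ip, object, rows
"""
import json
from collections import defaultdict
from datetime import datetime

# IOC IPs taken from the IOC list in this post (UNC6040, FBI / IC3 disclosures).
IOC_IPS = {"23.162.8.66", "185.141.119.166", "185.141.119.168"}

# Assumed inventory of connected apps the org has reviewed and approved.
APPROVED_APPS = {"Approved Reporting Tool"}

# Constructed sample events: one legitimate bulk report, then a low-and-slow
# harvest by a freshly consented app named like a support tool.
SAMPLE_LOG = """
{"ts":"2025-06-01T09:00:00Z","type":"consent","user":"jdoe","app":"Approved Reporting Tool","ip":"198.51.100.10"}
{"ts":"2025-06-01T09:05:00Z","type":"api","user":"jdoe","app":"Approved Reporting Tool","ip":"198.51.100.10","object":"Account","rows":2000}
{"ts":"2025-06-02T14:10:00Z","type":"consent","user":"asmith","app":"My Ticket Portal","ip":"198.51.100.22"}
{"ts":"2025-06-02T14:12:00Z","type":"api","user":"asmith","app":"My Ticket Portal","ip":"185.141.119.166","object":"Account","rows":10}
{"ts":"2025-06-03T02:00:00Z","type":"api","user":"asmith","app":"My Ticket Portal","ip":"185.141.119.168","object":"Contact","rows":400}
{"ts":"2025-06-03T03:00:00Z","type":"api","user":"asmith","app":"My Ticket Portal","ip":"185.141.119.168","object":"Contact","rows":400}
{"ts":"2025-06-03T04:00:00Z","type":"api","user":"asmith","app":"My Ticket Portal","ip":"185.141.119.168","object":"Contact","rows":400}
{"ts":"2025-06-04T02:30:00Z","type":"api","user":"asmith","app":"My Ticket Portal","ip":"23.162.8.66","object":"Lead","rows":450}
{"ts":"2025-06-04T03:30:00Z","type":"api","user":"asmith","app":"My Ticket Portal","ip":"23.162.8.66","object":"Deal__c","rows":450}
{"ts":"2025-06-04T04:30:00Z","type":"api","user":"asmith","app":"My Ticket Portal","ip":"23.162.8.66","object":"Deal__c","rows":450}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def unapproved_consents(events, approved=APPROVED_APPS):
    """Users who consented to a connected app outside the reviewed inventory."""
    return [(e["user"], e["app"]) for e in events
            if e["type"] == "consent" and e["app"] not in approved]


def ioc_ip_hits(events, iocs=IOC_IPS):
    """Source IPs seen in consent or API traffic that match the IOC list."""
    return sorted({e["ip"] for e in events if e["ip"] in iocs})


def scope_expansion(events, min_objects=3):
    """Apps that, over time, read at least min_objects distinct object types.

    Returns {app: [objects in order of first access]}, which shows the
    validate-then-expand progression rather than a single snapshot."""
    seen = defaultdict(list)
    for e in events:
        if e["type"] == "api" and e["object"] not in seen[e["app"]]:
            seen[e["app"]].append(e["object"])
    return {app: objs for app, objs in seen.items() if len(objs) >= min_objects}


def chunked_exports(events, daily_rows=1000, max_single=500):
    """(app, day) pairs whose total rows exceed daily_rows while no single call
    exceeds max_single: many small reads that add up to a large export."""
    totals = defaultdict(int)
    biggest = defaultdict(int)
    for e in events:
        if e["type"] != "api":
            continue
        key = (e["app"], e["ts"].date().isoformat())
        totals[key] += e["rows"]
        biggest[key] = max(biggest[key], e["rows"])
    return sorted(k for k in totals
                  if totals[k] > daily_rows and biggest[k] <= max_single)


def run_detections(text=SAMPLE_LOG):
    """Run every check over a log and return the findings as one dict."""
    events = parse_events(text)
    return {
        "unapproved_consents": unapproved_consents(events),
        "ioc_ip_hits": ioc_ip_hits(events),
        "scope_expansion": scope_expansion(events),
        "chunked_exports": chunked_exports(events),
    }


if __name__ == "__main__":
    print(json.dumps(run_detections(), indent=2))
```

On the constructed sample, the legitimate app is not flagged by any check (one approved consent, one large but single export), while the "My Ticket Portal" app trips all four: an unreviewed consent, traffic from listed IOC addresses, four object types touched across three days, and two days of sub-threshold reads that sum past the daily baseline. The thresholds are placeholders; in practice they come from a per-app baseline built over the retention window, which is why the long retention argued for in section 4 matters for these rules.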

4. The Long Wait: Extortion by Delay

Unlike typical ransomware timelines, extortion may arrive weeks or months after the breach. This delay lets logs age out of retention, blurs memory of the incident, and increases pressure - especially when demands come under the ShinyHunters name.

Victims are pushed to pay in Bitcoin within 72 hours, with threats to leak customer or sales data. Contact points observed include shinycorp@tuta[.]com and shinygroup@tuta[.]com.

This underscores the need for long-retention telemetry and eyes on OAuth activity well past the initial anomaly.

5. Collaboration, Convergence & the Threat Ecosystem

Multiple intelligence teams (e.g., ReliaQuest, Obsidian Security, Varonis) have noted overlaps between UNC6040/UNC6240 and Scattered Spider (UNC3944). Shared domains, similar impersonation scripts, and OAuth-based intrusions suggest collaboration or shared tooling. Collectives like “The Com” may facilitate this blending of identities and resources.

Detection therefore follows behaviors, not brand names. Our threat models correlate tactics across groups, acknowledging that adversary boundaries are often artificial.

6. Implications for Cloud-Native Security & Customer Resilience

  • Identity isn’t enough: OAuth abuse can bypass MFA and standard auth tracking.
  • Trust flows are attack surfaces: Connected apps, token scopes, and consent flows must be governed and monitored.
  • Response must fit long dwell: Delayed extortion demands long-term log visibility and continuous monitoring.
  • Detection must follow the API: API-based access is now a primary breach vector.
  • Shared responsibility: Platforms secure infrastructure; customers must own OAuth governance and anomaly detection.

How We Help

  • Tailored detection rules for connected-app misuse
  • Continuous hunting for Salesforce-specific anomalies
  • Proactive threat-intel briefings
  • Simulation of real-world OAuth abuse patterns
  • Behavioral baselines via SIEM integrations

Conclusion

ShinyHunters’ resurgence blends psychological pressure, cloud permissions, and delayed extortion into a potent formula. While our organization was not targeted, we proactively analyzed the campaign and built defensive strategies to protect our environment and customers. Continuous hunting and sustained curiosity - not mere reactivity - are essential today.

Indicators of Compromise (IOCs)

Extortion Email Sender Addresses (UNC6240)

shinycorp@tuta[.]com
shinygroup@tuta[.]com

Notable IP Addresses Associated with UNC6040 (from FBI / IC3 disclosures)

23.162.8.66
23.234.69.167
23.94.126.63
31.58.169.85
31.58.169.92
31.58.169.96
68.235.46.202
68.235.46.151
68.235.46.208
68.63.167.122
69.246.124.204
35.186.181.1
37.19.200.132
37.19.200.141
37.19.200.154
37.19.200.167
185.141.119.166
185.141.119.168
185.141.119.181
198.44.129.88
195.54.130.100
196.251.83.162

The SOCcare project is co-funded by the European Union, alongside our collaborators University POLITEHNICA of Bucharest and NRD Cyber Security and supported by the European Cybersecurity Competence Centre (ECCC) under Grant Agreement No. a101145843.