
Tevora Threat Advisory: ShinyHunters Escalate Attacks via Cloud


Strategic Intelligence indicates an emerging extortion campaign linked to several threat clusters believed to be associated with the ShinyHunters criminal hacking and extortion group. The group, long established in high-profile data breaches, distinguishes itself by focusing on data extortion rather than the deployment of ransomware. Its latest campaign highlights a pivot toward advanced social engineering and harassment. ShinyHunters target organizations using voice-based social engineering (vishing) attacks that impersonate IT staff. They direct employees to fraudulent, victim-branded Single Sign-On (SSO) portals to capture credentials and MFA codes. Once access has been obtained, the attackers move laterally through cloud and SaaS platforms such as SharePoint, OneDrive, Salesforce, Slack, and Google Workspace to exfiltrate sensitive data. The stolen data is leveraged in extortion attempts accompanied by threats and harassment directed at executives, victim employees, and their family members, and it often appears on ShinyHunters-branded data leak sites.

Impact, Evasion, and Persistence

Threat assessment: High 

Impact: Unchecked Lateral Movement & Data Exfiltration 

This is a high-risk, ongoing campaign that renders standard MFA and SMS notifications ineffective. By exploiting human trust and harvested credentials, threat actors gain access to SaaS data (e.g., Salesforce, Okta, Slack), often going undetected by traditional perimeter defenses. Once the data is exfiltrated, it is coupled with aggressive tactics to extract a ransom.

Attack Lifecycle (Kill Chain): 

  1. The victim receives a call from a spoofed number that appears to be the company's real IT helpdesk number. The attacker asks about suspicious activity on the victim's account.
  2. The attacker directs the victim to a fraudulent website designed to mimic the company's Okta or SSO portal.
  3. The employee enters their credentials and MFA code into the fake portal. The attacker intercepts these in real time to authenticate a session or register their own device for persistent access.
  4. Using the stolen session, the attacker moves laterally through the SSO environment, accessing unprotected applications such as Salesforce, Slack, and email to search for sensitive documents.
  5. The attackers contact the company with ransom demands and leak the breach to the media and regulatory agencies. Pressure is ramped up through harassment of executives, employees, and family members, and may be followed by DDoS attacks on company websites and email-flooding campaigns.
  6. The ransom is paid or refused; if refused, the data is published online.

The Gap in Mature Defenses

This campaign is critical because it bypasses technical controls and expands its scope by targeting cloud applications and using them for follow-on attacks. Notably, the intrusion does not rely on security vulnerabilities in the victim's infrastructure, but rather on carefully executed social engineering. This demonstrates that even organizations with mature identity platforms remain susceptible to vishing. The attacks involve multiple coordinated threat clusters with growing levels of organization and scale.

ShinyHunters-affiliated operations are also escalating extortion tactics through harassment, data leak site postings, and other techniques. This marks a significant shift from traditional Russia-based ransomware groups. While those groups employed high-pressure tactics such as notifying journalists and board members of the victim company, they typically stopped short of personal threats.

Mobilizing Your Defenses

These developments highlight the critical requirement to implement phishing-resistant authentication and stronger defenses against identity-focused attacks. Threat actors often register their own MFA device after harvesting authentication codes, allowing persistent access that may go unnoticed. Email notifications sent to the victim's account are also deleted as the attackers gain a foothold and progress through the attack lifecycle. Searches run by threat actors in these cloud applications include terms such as "confidential," "internal," "proposal," and personally identifiable information (PII). Data is then exfiltrated, and samples are posted on data sharing applications or dedicated leak sites.

To build resilience against this threat profile, organizations should focus on strengthening identity monitoring, validating internal communications, and proactively searching for credential misuse.

  • Identity Alerts (Okta/Entra ID): Monitor "New MFA Device Registered" events, especially when they originate from an untrusted location or a commercial VPN. Set up a policy rule to alert when MFA authentication methods are modified. Likewise, monitor for anonymized IP addresses such as those belonging to VPN services or Tor.
  • Endpoint Scans (SentinelOne/CrowdStrike): Apply rules to EDR platforms to detect unapproved browser add-ons (e.g., ToogleBox). Attackers use such add-ons to delete emails and cover their tracks without the user noticing.
  • Verify IT Communications: Establish and enforce a policy that requires employees to verify unsolicited calls from IT support through a secondary internal channel (e.g., Teams, Slack, an internal phone number).
  • Adopt Phishing-Resistant MFA: Transition key accounts from traditional MFA methods (e.g., text, phone call, push notification) to passkeys, which are resistant to social engineering.
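The identity-alert bullet above can be expressed as a small detection routine. The example below is added here and is not Tevora's or Okta's code; it runs over constructed Okta-style System Log events (field names follow the Okta System Log schema, but the exact set of enrollment event types and the per-user country baseline are assumptions) and flags MFA-factor enrollments that come from an anonymizing proxy/VPN or from a country the user has never authenticated from.

```python
"""Flag MFA-factor enrollments that look like attacker-registered devices."""
import json

# Constructed sample events: a normal enrollment, one via a commercial VPN
# (securityContext.isProxy is True), and one from an unseen country.
SAMPLE_EVENTS = [
    {"eventType": "user.mfa.factor.activate", "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10", "geographicalContext": {"country": "United States"}},
     "securityContext": {"isProxy": False}},
    {"eventType": "user.mfa.factor.activate", "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "United States"}},
     "securityContext": {"isProxy": True}},
    {"eventType": "user.mfa.factor.activate", "actor": {"alternateId": "carol@example.com"},
     "client": {"ipAddress": "192.0.2.44", "geographicalContext": {"country": "Netherlands"}},
     "securityContext": {"isProxy": False}},
    {"eventType": "user.session.start", "actor": {"alternateId": "carol@example.com"},
     "client": {"ipAddress": "192.0.2.45", "geographicalContext": {"country": "Netherlands"}},
     "securityContext": {"isProxy": False}},
]

# Constructed baseline: countries each user normally authenticates from.
KNOWN_COUNTRIES = {
    "alice@example.com": {"United States"},
    "bob@example.com": {"United States"},
    "carol@example.com": {"United States"},
}

# Event types treated as "MFA method modified" (assumed set for this example).
ENROLLMENT_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.update"}


def flag_suspicious_enrollments(events, known_countries):
    """Return one alert dict per enrollment that matches a risk condition."""
    alerts = []
    for ev in events:
        if ev.get("eventType") not in ENROLLMENT_EVENTS:
            continue  # only factor enrollment/modification events are of interest
        user = ev["actor"]["alternateId"]
        client = ev.get("client", {})
        country = client.get("geographicalContext", {}).get("country")
        reasons = []
        if ev.get("securityContext", {}).get("isProxy"):
            reasons.append("anonymizing proxy/VPN")
        if country not in known_countries.get(user, set()):
            reasons.append(f"unseen country {country}")
        if reasons:
            alerts.append({"user": user, "ip": client.get("ipAddress"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_enrollments(SAMPLE_EVENTS, KNOWN_COUNTRIES):
        print(json.dumps(alert))
```

In production the baseline would be built from the user's own sign-in history and the routine wired to the SIEM rather than hard-coded.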

Coordinated Industry Response

Security researchers at Google Threat Intelligence are actively tracking the threat clusters (UNC6661, UNC6671, and UNC6240) associated with these activities to map their infrastructure and warn the community. Google and its partner have also released proactive hardening guidance and detailed workflows to help organizations. 

Actions taken to date: 

  • Blocking: Phishing domains designed to impersonate corporate portals are being added to blocklists such as Chrome Safe Browsing. 
  • Detection: Security vendors have released detection rules to flag suspicious behavior, such as the installation of malicious browser add-ons (e.g., ToogleBox) and high-volume data downloads from SharePoint. 
  • Intelligence: Indicators of Compromise (IOCs), including IP addresses associated with commercial VPNs and residential proxies used by the attackers, have been released to aid organizations.

How Tevora Can Help

The ShinyHunters campaign operates at the intersection of human vulnerability and exploitable gaps in cloud infrastructure. Tevora can help your organization harden this attack surface through targeted social engineering exercises, identity and access management reviews, comprehensive risk assessments, and validation that cloud environments are secure, resilient, and aligned with compliance requirements.  

  • Social Engineering: Elevate your defense capabilities through realistic social engineering exercises that strengthen human-layer security while supporting compliance objectives. Using the same help desk impersonation tactics, Tevora simulates voice-based phishing (vishing) attacks. We can identify high-risk employees and test your defenses before ShinyHunters does.
  • Identity Management: Move beyond traditional phishable authentication methods (e.g., SMS, voice, app push) by adopting passwordless solutions such as passkeys. Validate your SSO configurations to ensure critical accounts are secured and lateral movement is restricted.
  • Cloud Security Services: We validate and harden cloud environments where attackers may move laterally through applications and search for sensitive information. We can ensure that least-privilege principles are enforced, misconfigurations are remediated, and alerts are triggered when data exfiltration is detected.
  • Risk Management: ShinyHunters focuses on aggressive extortion tactics rather than just ransomware. We can help quantify and mitigate the specific business risks associated with data leakage and extortion, ensuring your incident response plans account for these new coercion tactics.
