ShinyHunters Scorched Earth: Inside the Identity-Centric Ransomware Spree Hitting Household Names
ShinyHunters dumped roughly 38 million records and terabytes of internal corporate data from a group of victims on April 21, 2026, with the group claiming to have compromised approximately 40 organizations total [3]. The group's "Pay or Leak" model isn't new, but the scale, speed, and target selection are. Alert 360, Amtrak, the European Commission, Ameriprise Financial, Carnival Corporation, Zara, 7-Eleven, Rockstar Games, Panera Bread, and dozens more have all had data published after ransom deadlines expired [1][2][3]. The gang has signaled it will keep stolen data online indefinitely [3].
This isn't a single campaign. It's at least three overlapping intrusion strategies: vishing attacks targeting SSO credentials, third-party SaaS compromises through platforms like Snowflake and Salesforce, and a supply chain attack on the Trivy security scanner that enabled the European Commission breach [5][7]. Google Threat Intelligence tracks the operation across multiple threat clusters: UNC6661, UNC6671, and UNC6240 [5][6].
Background: From Data Broker to Full-Spectrum Extortion
ShinyHunters built its reputation as a data theft and brokerage operation. The group's earlier campaigns focused on stealing credentials and selling stolen databases. The 2024 Snowflake campaign, which used credentials harvested from infostealer malware dating back to 2020, demonstrated the group's patience and its focus on identity as an attack surface.
That Snowflake operation yielded 1.5 billion records from victim Salesforce instances in August 2025, accessed through 760 compromised Salesforce instances via a Drift integration. The tooling matured from there.
The group's philosophical core hasn't changed: "the goal is not to hack in through software exploits but to log in". Every major campaign this year reflects that identity-centric approach.
The Vishing Pipeline: SSO Credential Harvesting at Scale
Okta issued a warning about sophisticated vishing attacks targeting SSO credentials across Google, Microsoft, and Okta environments, with the campaign active since January 2026 [4]. Mandiant's analysis confirmed ShinyHunters' involvement through linked threat clusters [5][6].
The attack flow is consistent. UNC6661 operators call employees posing as internal IT staff, claiming the company is updating MFA settings [5]. They direct targets to credential harvesting sites that mirror the victim's actual SSO portal. The phishing domains follow predictable naming patterns: <companyname>sso.com, my<companyname>sso.com, my-<companyname>sso.com, and <companyname>internal.com [11][5].
The MFA bypass is straightforward. Push notification challenges that use number matching or number selection can be defeated by a social engineer who simply asks the target to enter a specific number while on the phone [6]. Once authenticated, attackers enable the ToogleBox Recall add-on for the victim's Google Workspace account, giving them the ability to search and delete emails that might alert the victim or security teams [5].
Confirmed victims of this vishing pipeline include Panera Bread (5 million records, January 2026, via Microsoft Entra SSO), SoundCloud, Match Group, Crunchbase, and Betterment [2][6]. Alert 360's 2.5 million record breach also originated from an Okta-targeted vishing campaign.
Third-Party SaaS Compromise: The Snowflake and Salesforce Vectors
ShinyHunters didn't stop at direct credential theft. A parallel operation exploited third-party integrations to access victim data through SaaS platforms.
The Rockstar Games breach, disclosed in April 2026, came through a compromise of Anodot, a third-party analytics service. Attackers used Anodot's access to reach Rockstar's Snowflake environment, resulting in 78.6 million stolen records [2]. Zara's breach followed the same Anodot-to-Snowflake pathway [1][3]. Snowflake had previously warned customers to check for malicious traffic from a user agent identifying itself as "rapeflake" [10].
The Salesforce vector was equally productive. The Amtrak breach, with the group threatening a data leak in April 2026, compromised 9.4 million Salesforce records including over 2.1 million unique email addresses, names, physical addresses, and customer support records [9]. 7-Eleven lost over 600,000 records through its Salesforce environment [1]. ShinyHunters claims to have compromised between 300 and 400 organizations through Salesforce Experience Cloud sites alone, using a tool called AuraInspector to exploit misconfigurations [14].
Carnival Corporation suffered the largest single-victim breach: 8.7 million records stolen [1].
European Commission: Supply Chain Attack via Trivy
The European Commission breach stands apart from the rest. Detected on March 24, 2026, with initial access later traced to March 19, the attack compromised over 350GB of data including mail server dumps, databases, confidential documents, contracts, SSO user directories, DKIM signing keys, and AWS configuration snapshots [7].
The entry point wasn't vishing or SaaS abuse. A group tracked as TeamPCP (also designated UNC6780) had compromised Aqua Security's Trivy container scanner through CVE-2026-33634, a critical supply chain vulnerability [7]. Between March 19 and March 27, TeamPCP also compromised KICS, LiteLLM, and Telnyx SDK. The attackers acquired an AWS API key and used TruffleHog to scan for secrets and validate AWS credentials by calling the Security Token Service [7].
The stolen data included 51,992 files related to outbound email communications totaling 2.22 GB, along with ID document pictures that constitute personally identifiable information [7]. ShinyHunters posted the data publicly on March 26, just two days after detection.
The European Commission breach involved initial access by TeamPCP (tracked separately from ShinyHunters), with ShinyHunters handling the subsequent data extortion. The supply chain attack represents a different capability set than the vishing and SaaS compromise operations, suggesting either collaboration between groups or ShinyHunters acquiring access from TeamPCP.
The "Pay or Leak" Enforcement Model
ShinyHunters' willingness to dump data after failed negotiations is central to understanding the current campaign. Alert 360's data was published after the group stated: "We failed to come to an agreement to prevent the release of the data". Amtrak was given a ransom deadline of April 14; after it expired, portions of the data were leaked [2]. The group explicitly threatened Ameriprise Financial with a 200GB data leak on the dark web [8].
The Ameriprise breach, which occurred March 2, 2026 and was discovered March 18, affected nearly 48,000 people [8]. Two class action lawsuits were filed and then voluntarily dismissed [8].
The messaging to victims in current negotiations is blunt. One leak announcement included the warning of "several annoying (digital) problems that'll come your way" [3]. With 40 victims now publicly exposed and data remaining online indefinitely, the group is making an example of every organization that doesn't pay [3].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Domain | <companyname>sso.com | Phishing domain pattern for SSO credential harvesting | [11] |
| Domain | my<companyname>sso.com | Phishing domain pattern for SSO credential harvesting | [11] |
| Domain | my-<companyname>sso.com | Phishing domain pattern for SSO credential harvesting | [11] |
| Domain | <companyname>internal.com | Credential harvesting domain format (UNC6661) | [5] |
| Domain | checkmarx.zone | Typosquat C2 domain used by TeamPCP | [15] |
| Malware | rapeflake | User-Agent in Snowflake data theft attacks | [10] |
| Malware | RapeForce | User-Agent in Salesforce exploitation | [2] |
| Malware | AuraInspector | Tool for exploiting Salesforce Experience Cloud misconfigs | [14] |
| Malware | ToogleBox Recall | Google Workspace add-on used to search/delete emails | [5] |
| Filename | sysmon.service | Systemd service for TeamPCP persistence | [15] |
| Filename | environmentAuthChecker.js | Malicious VS Code extension component | [15] |
| Filename | tpcp.tar.gz | TeamPCP exfiltration archive | [15] |
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Phishing: Spearphishing Voice | T1566.004 | Vishing campaigns impersonating IT help desk to steal SSO credentials [4][5] |
| Phishing: Spearphishing Link | T1566.002 | Credential harvesting sites mimicking corporate SSO portals [11] |
| Valid Accounts | T1078 | Use of stolen SSO credentials for initial access across all campaigns |
| Application Access Token | T1550.001 | OAuth token theft via TruffleHog scanning of source code |
| Acquire Infrastructure: Domains | T1583.001 | Registration of phishing domains via nicenic.com and tucows.com [5] |
| Supply Chain Compromise: Software | T1195.002 | TeamPCP compromise of Trivy scanner (CVE-2026-33634) |
| Create/Modify System Process: Systemd | T1543.002 | TeamPCP persistence via sysmon.service [15] |
Detection and Hunting
SSO Phishing Domain Monitoring: Alert on DNS queries matching the patterns <companyname>sso.com, my<companyname>sso.com, my-<companyname>sso.com, and <companyname>internal.com where the <companyname> part matches your organization's name or common abbreviations. Cross-reference domain registrations at nicenic.com and tucows.com against these patterns [5][11].
Vishing Indicators in Help Desk Logs: ShinyHunters operators call employees claiming to update MFA settings [5]. Any inbound call requesting MFA changes followed by an SSO authentication event within minutes warrants investigation. Correlate help desk tickets about MFA resets with authentication logs.
Snowflake/Salesforce Anomalies: Hunt for the user agents rapeflake and rapeforce in SaaS platform access logs [2]. Monitor for bulk data export operations from Snowflake and Salesforce, particularly from service accounts or recently authenticated sessions. Query for Salesforce Experience Cloud access from unexpected IP ranges.
Google Workspace: Search for the ToogleBox Recall add-on being enabled on any Workspace account [5]. This is a strong indicator of post-compromise activity. Monitor Google Workspace admin logs for new add-on installations, especially those with email search and deletion capabilities.
PowerShell Data Exfiltration: ShinyHunters uses PowerShell to download sensitive data from SharePoint and OneDrive [5]. Monitor for PowerShell processes initiating large numbers of HTTP GET requests to SharePoint/OneDrive APIs, particularly outside normal business hours.
Supply Chain Indicators: Monitor for outbound connections to checkmarx.zone [15]. Audit CI/CD pipelines for unexpected modifications to Trivy, KICS, or LiteLLM dependencies. Check for the presence of sysmon.service systemd units and tpcp.tar.gz files on build servers [15].
Analysis
ShinyHunters has operationalized three distinct intrusion methodologies simultaneously: social engineering via vishing, SaaS platform abuse through third-party integrations, and leveraging supply chain compromises. Each method targets identity and access rather than traditional network perimeter vulnerabilities. This makes the group particularly dangerous to organizations that have invested heavily in network security but lack mature identity governance.
The 40-victim count and 38 million leaked records represent a significant acceleration from the group's historical pace [3]. The use of multiple tracked threat clusters (UNC6661, UNC6671, UNC6240) suggests either a larger operational team than previously understood, or an affiliate model [5][6].
The targeting pattern is deliberate. Regulated industries (financial services, healthcare, transportation, government) face disproportionate consequences from data breaches. Ameriprise faced class action lawsuits within weeks [8]. The European Commission breach exposed diplomatic and regulatory communications. These aren't targets of opportunity; they're selected for maximum leverage during ransom negotiations.
Red Sheep Assessment
Confidence: Moderate
The convergence of the TeamPCP supply chain attacks with ShinyHunters' established identity-centric operations is the most significant development here. The European Commission breach, attributed to ShinyHunters for the extortion phase but enabled by TeamPCP's Trivy compromise, points to a division of labor: one group provides access, another handles monetization.
This model mirrors the initial access broker (IAB) economy but with tighter operational integration. The supply chain capability is a meaningful escalation. Vishing and SaaS abuse target individual organizations; compromising widely-used development tools like Trivy creates potential access to thousands of organizations simultaneously.
We assess that ShinyHunters is likely positioning itself as a full-service extortion operation that can offer affiliates multiple entry vectors: social engineering playbooks, SaaS exploitation tools, and access obtained from other threat actors.
The contrarian read is that this pace is unsustainable. Targeting the European Commission and major US financial institutions brings law enforcement attention that historically fragments groups like this. The Snowflake campaign already drew Mandiant's sustained tracking. The public nature of the "Pay or Leak" model generates evidence that makes prosecution easier. ShinyHunters may be burning through targets precisely because they expect the window to close.
Defender's Checklist
- [ ] Audit SSO domain registrations using passive DNS or domain monitoring services for variations of your company name combined with the sso or internal suffix or the my/my- prefix, registered at nicenic.com or tucows.com [5][11]
- [ ] Hunt for rapeflake/rapeforce user agents in Snowflake and Salesforce access logs: index=saas_logs user_agent IN ("rapeflake", "rapeforce") [2][10]
- [ ] Review Google Workspace add-ons for ToogleBox Recall installation across all user accounts and remove unauthorized add-ons. Query: Admin Console > Security > API Controls > App Access Control [5]
- [ ] Scan CI/CD environments for TeamPCP indicators: check for sysmon.service systemd units, outbound connections to checkmarx.zone, and unexpected modifications to Trivy/KICS dependencies [15]
- [ ] Implement phishing-resistant MFA (FIDO2/WebAuthn hardware keys) for all SSO-protected applications. Number-matching MFA is insufficient against phone-based social engineering [6]
References
[1] https://www.scworld.com/brief/multiple-other-companies-purportedly-breached-by-shinyhunters-over-9m-record-leak-warned
[2] https://en.wikipedia.org/wiki/ShinyHunters
[3] https://cybernews.com/news/shinyhunters-myteresa-zara-carnival-7eleven-data-leak/
[4] https://rhisac.org/threat-intelligence/okta-warns-users-of-custom-vishing-kits-potentially-affiliated-with-shinyhunters/
[5] https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
[6] https://www.helpnetsecurity.com/2026/02/02/shinyhunters-mfa-social-engineering/
[7] https://www.helpnetsecurity.com/2026/04/03/european-commission-cloud-breach/
[8] https://thinkadvisor.com/amp/2026/04/20/ameriprise-data-breach-affected-nearly-48000/
[9] https://cybernews.com/security/hackers-threaten-amtrak-data-leak/
[10] https://www.thestack.technology/snowflake-breach-update-rapeflake/
[11] https://www.bleepingcomputer.com/news/security/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data/
[12] https://www.bleepingcomputer.com/news/security/meet-shinysp1d3r-new-ransomware-as-a-service-created-by-shinyhunters/
[13] https://www.anomali.com/blog/anomali-cyber-watch-chrome-zero-day-sneaky-2fa-digitstealer-apt24-and-more
[14] https://www.reco.ai/blog/inside-the-shinyhunters-experience-cloud-campaign-iocs-detection-logic-and-whats-at-risk
[15] https://github.com/ugurrates/teampcp-supply-chain-attack
---
Hunt Report: ShinyHunters Identity-Centric Extortion Campaign
Hypothesis: If ShinyHunters or affiliated threat clusters (UNC6661, UNC6671, UNC6240, TeamPCP) are active in our environment, we expect to observe vishing-related SSO authentications, suspicious SaaS platform access with rapeflake/rapeforce user agents, ToogleBox Recall add-on installations, and supply chain indicators including connections to checkmarx.zone in our authentication logs, SaaS platform logs, Google Workspace audit logs, and CI/CD environments.
Intelligence Summary: ShinyHunters has compromised 40+ organizations and leaked 38 million records through a coordinated campaign using vishing for SSO credential theft, third-party SaaS platform abuse, and supply chain attacks via compromised development tools. The group employs a 'Pay or Leak' extortion model, dumping victim data publicly when ransoms aren't paid, with confirmed breaches at Amtrak, European Commission, Ameriprise Financial, Carnival Corporation, and others.
Confidence: High | Priority: Critical
Scope
- Networks: All Azure AD/Okta federated environments, Google Workspace tenants, Snowflake/Salesforce instances, and CI/CD build infrastructure
- Timeframe: Last 90 days with focus on January-April 2026
- Priority Systems: SSO providers, SaaS platforms with customer data, development/build servers running Trivy/KICS/LiteLLM
MITRE ATT&CK Techniques
T1566.004 — Phishing: Spearphishing Voice (Initial Access) [P1]
ShinyHunters operators conduct vishing campaigns impersonating IT help desk staff, claiming to update MFA settings, then directing targets to credential harvesting sites that mirror legitimate SSO portals
Splunk SPL:
index=helpdesk ("MFA" OR "multi-factor" OR "authentication") ("update" OR "reset" OR "change") | eval ticket_time=_time, window_end=_time+900 | join type=inner max=0 user [search index=auth (sourcetype=okta:im2 OR sourcetype=azure:aad:signin) | eval authentication_time=_time | fields user authentication_time src_ip user_agent] | where authentication_time>=ticket_time AND authentication_time<=window_end | table ticket_time user ticket_id phone_number authentication_time src_ip user_agent
Elastic KQL:
(event.module:helpdesk AND (MFA OR "multi-factor" OR authentication) AND (update OR reset OR change)) OR (event.module:okta OR event.module:azure)
Sigma Rule:
title: Potential Vishing Followed by SSO Authentication
id: 8a7b4d2e-9c3f-4e5a-b1d6-7f8c9e2a3b4d
status: experimental
author: RedSheep Security/Stone
description: Detects help desk tickets about MFA changes followed by SSO authentication within 15 minutes
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
logsource:
  category: authentication
  product: windows
detection:
  selection_helpdesk:
    EventID: 1000
    Source: 'HelpDesk'
    Message|contains:
      - 'MFA'
      - 'multi-factor'
      - 'authentication'
  selection_action:
    Message|contains:
      - 'update'
      - 'reset'
      - 'change'
  selection_auth:
    EventID: 4624
    LogonType: 3
  timeframe: 15m
  condition: selection_helpdesk and selection_action | near selection_auth
falsepositives:
  - Legitimate help desk assisted MFA resets
level: high
tags:
  - attack.initial_access
  - attack.t1566.004
Correlate with call recordings if available. High false positive rate during legitimate MFA reset campaigns. Focus on off-hours activity.
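The ticket-to-sign-in correlation described in the narrative's Detection and Hunting section and in the SPL, KQL and Sigma above, as an added Python example that is not part of the report or of any vendor tooling. It assumes help desk tickets and IdP sign-ins have already been exported as records with a shared user field; the ticket and sign-in data are constructed, and the keyword lists mirror the queries above.

```python
from datetime import datetime, timedelta

# Added example, not from the report: flag an SSO sign-in that follows a help desk
# ticket about an MFA update/reset for the same user within a 15-minute window.
# Field names (ticket_id, user, opened, summary, time, src_ip) are assumptions.

MFA_TERMS = ("mfa", "multi-factor", "authentication")
ACTION_TERMS = ("update", "reset", "change")

TICKETS = [  # constructed help desk records
    {"ticket_id": "HD-1041", "user": "j.doe", "opened": "2026-04-21T13:02:00Z",
     "summary": "Caller identifying as IT asked user to update MFA settings"},
    {"ticket_id": "HD-1042", "user": "a.smith", "opened": "2026-04-21T13:10:00Z",
     "summary": "Self-service password reset not working"},
    {"ticket_id": "HD-1043", "user": "m.lee", "opened": "2026-04-21T14:00:00Z",
     "summary": "MFA reset requested by phone"},
]

SIGNINS = [  # constructed IdP sign-in events
    {"user": "j.doe", "time": "2026-04-21T13:09:30Z", "src_ip": "203.0.113.7", "app": "Okta Dashboard"},
    {"user": "j.doe", "time": "2026-04-21T08:00:00Z", "src_ip": "10.1.5.23", "app": "Okta Dashboard"},
    {"user": "a.smith", "time": "2026-04-21T13:12:00Z", "src_ip": "10.1.5.40", "app": "Office 365"},
    {"user": "m.lee", "time": "2026-04-21T15:30:00Z", "src_ip": "198.51.100.9", "app": "Okta Dashboard"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_mfa_change_ticket(summary: str) -> bool:
    """True when the ticket text mentions MFA and a change-type action (same terms as the SPL)."""
    text = summary.lower()
    return any(t in text for t in MFA_TERMS) and any(a in text for a in ACTION_TERMS)


def correlate(tickets, signins, window_minutes=15):
    """Return (ticket_id, src_ip, lag_minutes) for sign-ins that follow an MFA ticket within the window.

    Sign-ins before the ticket was opened are ignored, as are sign-ins after the window closes."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for ev in signins:
        by_user.setdefault(ev["user"], []).append(ev)
    hits = []
    for t in tickets:
        if not is_mfa_change_ticket(t["summary"]):
            continue
        opened = parse_ts(t["opened"])
        for ev in by_user.get(t["user"], []):
            lag = parse_ts(ev["time"]) - opened
            if timedelta(0) <= lag <= window:
                hits.append((t["ticket_id"], ev["src_ip"], round(lag.total_seconds() / 60, 1)))
    return hits


if __name__ == "__main__":
    for hit in correlate(TICKETS, SIGNINS):
        print("review:", hit)
```

Only HD-1041 produces a hit: the sign-in 7.5 minutes after the call. HD-1043 is an MFA ticket too, but its sign-in lands 90 minutes later, outside the window, which is the kind of case that should go to a lower-priority queue rather than be dropped.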
T1566.002 — Phishing: Spearphishing Link (Initial Access) [P1]
Credential harvesting sites using predictable naming patterns like <companyname>sso.com and my-<companyname>sso.com registered through nicenic.com and tucows.com
Splunk SPL:
index=dns OR index=proxy | rex field=query "(?<suspicious_domain>(\w+sso\.com|my\w+sso\.com|my-\w+sso\.com|\w+internal\.com))" | where match(suspicious_domain, "(?i)(dha|nadcoe|tricare|health|medical|defense)") | stats count by suspicious_domain src_ip user | lookup domain_whitelist domain AS suspicious_domain OUTPUT whitelisted | where isnull(whitelisted)
Elastic KQL:
dns.question.name:(*sso.com OR my*sso.com OR my-*sso.com OR *internal.com) AND dns.question.name:(dha* OR nadcoe* OR tricare* OR health* OR medical* OR defense*) AND NOT dns.question.name:(microsoft.com OR okta.com OR google.com)
Sigma Rule:
title: ShinyHunters SSO Phishing Domain Access
id: 7c5a8b9d-2e4f-4a6c-b8e5-9f7d3c2a1b5e
status: stable
author: Mandiant, adapted by RedSheep Security
description: Detects DNS queries to ShinyHunters phishing domains mimicking corporate SSO portals
references:
  - https://www.bleepingcomputer.com/news/security/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data/
logsource:
  category: dns
detection:
  selection:
    query|endswith:
      - 'sso.com'
      - 'internal.com'
    query|contains:
      - 'my-'
      - 'my'
  filter:
    query|endswith:
      - '.microsoft.com'
      - '.okta.com'
      - '.google.com'
      - '.auth0.com'
  condition: selection and not filter
falsepositives:
  - Legitimate SSO providers
level: high
tags:
  - attack.initial_access
  - attack.t1566.002
Whitelist your legitimate SSO domains. Monitor for newly registered domains matching these patterns via passive DNS feeds.
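The domain-pattern check from the narrative (the four lookalike shapes reported by Mandiant) and from the DNS queries above, as an added Python example that is not part of the report. It anchors the patterns to your own organisation's names rather than matching every domain ending in sso.com, matches hostnames under a lookalike as well as the apex, and takes an allowlist for lookalike-shaped domains you actually own. The org names, allowlist and DNS log lines are constructed.

```python
import re

# Added example, not from the report: flag DNS query names shaped like
# <org>sso.com, my<org>sso.com, my-<org>sso.com or <org>internal.com for the
# supplied org names. ORG_NAMES and DNS_LOG are constructed sample data.

ORG_NAMES = ["acme", "acmecorp"]   # constructed: company name plus common abbreviations


def build_lookalike_regex(org_names):
    """Compile one regex covering the four patterns for every supplied org name.

    A leading '(?:[a-z0-9-]+\\.)*' lets 'login.my-acmesso.com' match as well as the apex."""
    alts = "|".join(re.escape(n.lower()) for n in org_names)
    return re.compile(
        rf"^(?:[a-z0-9-]+\.)*(?:(?:my-?)?(?:{alts})sso|(?:{alts})internal)\.com$"
    )


def is_lookalike(qname, pattern, allowlist=()):
    """True when the query name matches a pattern and is not a domain the organisation owns."""
    name = qname.lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in allowlist):
        return False
    return pattern.match(name) is not None


DNS_LOG = """\
2026-04-22T03:14:07Z 10.1.5.23 acmesso.com
2026-04-22T03:14:09Z 10.1.5.23 acme.okta.com
2026-04-22T03:15:40Z 10.1.7.4 my-acmesso.com
2026-04-22T09:02:11Z 10.1.9.8 myacmesso.com
2026-04-22T09:02:12Z 10.1.9.8 acmeinternal.com
2026-04-22T09:05:00Z 10.1.9.8 login.microsoftonline.com
2026-04-22T09:06:00Z 10.1.9.8 academysso.com
2026-04-22T09:07:00Z 10.1.2.2 acmecorp.com
2026-04-22T09:08:00Z 10.1.2.2 ACMECORPSSO.COM.
2026-04-22T09:09:00Z 10.1.2.2 login.my-acmesso.com
"""


def hunt_dns(log_text, org_names=ORG_NAMES, allowlist=()):
    """Parse '<timestamp> <src_ip> <qname>' lines and return (ts, src_ip, qname) for lookalikes."""
    pattern = build_lookalike_regex(org_names)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src_ip, qname = parts
        if is_lookalike(qname, pattern, allowlist):
            hits.append((ts, src_ip, qname.lower().rstrip(".")))
    return hits


if __name__ == "__main__":
    for ts, src, name in hunt_dns(DNS_LOG):
        print(ts, src, name)
```

Note that academysso.com is not flagged even though it ends in sso.com: the pattern requires one of the organisation's own names immediately before the suffix, which is what keeps a generic endswith rule from paging on unrelated domains.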
T1078.004 — Valid Accounts: Cloud Accounts (Defense Evasion) [P2]
Use of compromised SSO credentials to access cloud services including Google Workspace, Microsoft 365, and Okta-protected applications
Splunk SPL:
index=azure_ad sourcetype=azure:aad:signin | eval hour=tonumber(strftime(_time,"%H")) | where (hour<6 OR hour>20) OR (NOT cidrmatch("10.0.0.0/8", src_ip) AND NOT cidrmatch("172.16.0.0/12", src_ip) AND NOT cidrmatch("192.168.0.0/16", src_ip)) | lookup geoip clientip AS src_ip OUTPUT Country | where Country!="United States" | stats count values(app_name) AS accessed_apps by user src_ip Country user_agent | where count>5
Elastic KQL:
event.module:azure AND event.dataset:azure.signinlogs AND source.geo.country_name:* AND NOT source.geo.country_name:"United States"
Baseline normal authentication patterns per user. Alert on new countries, unusual hours, or rapid app access after authentication.
T1098.002 — Account Manipulation: Additional Email Delegate Permissions (Persistence) [P1]
Installation of ToogleBox Recall add-on in Google Workspace to search and delete emails that might alert victims or security teams
Splunk SPL:
index=gws_logs sourcetype=gws:reports:admin event_name="ADD_APPLICATION" OR event_name="AUTHORIZE_API_CLIENT" | search application_name="ToogleBox Recall" OR application_name="*ToogleBox*" OR application_name="*Recall*" | table _time user email application_name api_scopes event_name src_ip
Elastic KQL:
event.module:gsuite AND (event.action:"ADD_APPLICATION" OR event.action:"AUTHORIZE_API_CLIENT") AND gsuite.admin.application.name:("ToogleBox Recall" OR *ToogleBox* OR *Recall*)
Sigma Rule:
title: ToogleBox Recall Add-on Installation
id: 9d8c7e3a-1b5f-4c7e-a2d9-8f6b4e3c9a7d
status: experimental
author: RedSheep Security/Stone
description: Detects installation of ToogleBox Recall add-on used by ShinyHunters for email manipulation
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
logsource:
  service: google_workspace
  product: google_workspace
detection:
  selection:
    event_name:
      - 'ADD_APPLICATION'
      - 'AUTHORIZE_API_CLIENT'
    application_name|contains:
      - 'ToogleBox'
      - 'Recall'
      - 'Toggle'
  condition: selection
falsepositives:
  - None known
level: critical
tags:
  - attack.persistence
  - attack.t1098.002
Immediately investigate and remove this add-on if found. Review email deletion logs for the affected user account.
T1530 — Data from Cloud Storage (Collection) [P1]
Bulk data export operations from Snowflake and Salesforce platforms, particularly using rapeflake/rapeforce user agents
Splunk SPL:
index=snowflake sourcetype=snowflake:query_history | where (bytes_scanned > 1000000000 OR rows_produced > 1000000) | search user_agent="rapeflake" OR user_agent="*rape*" | eval gb_scanned=round(bytes_scanned/1024/1024/1024,2) | stats sum(gb_scanned) AS total_gb values(query_text) AS queries by user client_application_id warehouse_name | where total_gb > 10
Elastic KQL:
event.module:snowflake AND (user_agent:"rapeflake" OR user_agent:*rape*) AND (snowflake.bytes_scanned > 1000000000 OR snowflake.rows_produced > 1000000)
Alert on any instance of rapeflake/rapeforce user agents. Also monitor for large data exports outside business hours or from service accounts.
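The two-part logic above (any rapeflake/rapeforce client string is an alert on its own; large scans are flagged by threshold) applied to Snowflake query-history rows, as an added Python example that is not part of the report. It assumes the history has been exported as CSV with the column names used in the SPL above, which may differ from your environment; the rows are constructed.

```python
import csv
import io

# Added example, not from the report: classify Snowflake query-history rows.
# Column names follow the SPL above; QUERY_HISTORY_CSV is constructed sample data.

SUSPICIOUS_UA = ("rapeflake", "rapeforce")
BYTES_THRESHOLD = 1_000_000_000   # 1 GB scanned, as in the SPL
ROWS_THRESHOLD = 1_000_000

QUERY_HISTORY_CSV = """\
query_id,user_name,client_application_id,warehouse_name,user_agent,bytes_scanned,rows_produced,query_text
q1,SVC_ETL,snowsql,ETL_WH,SnowSQL 1.2.5,2500000000,5000000,COPY INTO @export_stage FROM customers
q2,ANALYST1,tableau,BI_WH,Tableau/2024.1,50000000,1200,"SELECT region, count(*) FROM orders GROUP BY region"
q3,SVC_ETL,python,ETL_WH,rapeflake,900000000,1500000,SELECT * FROM customers
q4,ANALYST2,python,BI_WH,python-connector/3.0,1500000000,20000000,SELECT * FROM events
q5,ANALYST1,tableau,BI_WH,Tableau/2024.1,100000,50,SELECT 1
q6,SVC_ETL,python,ETL_WH,RapeForce/1.0,1000,3,SELECT current_version()
"""


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify(row):
    """Return the reasons a row is suspicious (empty list if none).

    A known-bad user agent is reported even for tiny queries: the first request an
    actor's tooling makes is usually a small one."""
    reasons = []
    ua = row["user_agent"].lower()
    if any(s in ua for s in SUSPICIOUS_UA):
        reasons.append("suspicious_user_agent")
    if int(row["bytes_scanned"]) > BYTES_THRESHOLD or int(row["rows_produced"]) > ROWS_THRESHOLD:
        reasons.append("bulk_export")
    return reasons


def hunt_snowflake(rows):
    """Return one finding per flagged row, with scanned volume in GB as in the SPL."""
    findings = []
    for row in rows:
        reasons = classify(row)
        if reasons:
            findings.append({
                "query_id": row["query_id"],
                "user": row["user_name"],
                "warehouse": row["warehouse_name"],
                "reasons": reasons,
                "gb_scanned": round(int(row["bytes_scanned"]) / 1024 ** 3, 2),
            })
    return findings


def gb_scanned_by_user(findings):
    """Aggregate flagged scan volume per user, like the stats/sum clause in the SPL."""
    totals = {}
    for f in findings:
        totals[f["user"]] = round(totals.get(f["user"], 0.0) + f["gb_scanned"], 2)
    return totals


if __name__ == "__main__":
    found = hunt_snowflake(load_rows(QUERY_HISTORY_CSV))
    for f in found:
        print(f)
    print(gb_scanned_by_user(found))
```

Row q6 is the case worth noticing: a three-row query with a RapeForce client string. A threshold-only rule misses it; the user-agent check catches it.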
T1195.002 — Supply Chain Compromise: Software Dependencies (Initial Access) [P1]
TeamPCP compromised Trivy container scanner through CVE-2026-33634, affecting multiple organizations using the tool in CI/CD pipelines
Splunk SPL:
index=cicd OR index=network | search dest="checkmarx.zone" OR dest_ip="45.142.122.0/24" | stats count by src_ip dest process_name user | append [search index=linux sourcetype=linux_secure | search "sysmon.service" | fields host user _time]
Elastic KQL:
(destination.domain:"checkmarx.zone" OR destination.ip:"45.142.122.0/24") OR (process.name:"sysmon.service" AND event.module:system)
Sigma Rule:
title: TeamPCP Supply Chain Indicators
id: 6e9d8f2b-3c7a-4b5e-9a8d-7f6c5e4b3a9c
status: experimental
author: RedSheep Security/Stone
description: Detects indicators of TeamPCP supply chain compromise including C2 communication and persistence
references:
  - https://github.com/ugurrates/teampcp-supply-chain-attack
logsource:
  product: linux
detection:
  selection_network:
    DestinationHostname: 'checkmarx.zone'
  selection_service:
    Image|endswith: '/systemd'
    CommandLine|contains: 'sysmon.service'
  selection_file:
    TargetFilename|contains:
      - 'sysmon.service'
      - 'environmentAuthChecker.js'
      - 'tpcp.tar.gz'
  condition: 1 of selection_*
falsepositives:
  - Unlikely
level: critical
tags:
  - attack.initial_access
  - attack.t1195.002
  - cve.2026.33634
Immediately isolate any system communicating with checkmarx.zone. Audit all Trivy, KICS, and LiteLLM installations for compromise.
T1059.001 — Command and Scripting Interpreter: PowerShell (Execution) [P2]
PowerShell used to download sensitive data from SharePoint and OneDrive environments after initial compromise
Splunk SPL:
index=windows sourcetype=XmlWinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=4104 | rex field=ScriptBlockText "(?<sharepoint_url>https://\S+\.sharepoint\.com\S+)" | where isnotnull(sharepoint_url) | rex field=ScriptBlockText "(Invoke-WebRequest|Invoke-RestMethod|wget|curl)" | stats count values(ScriptBlockText) by Computer user sharepoint_url | where count > 10
Elastic KQL:
event.code:4104 AND powershell.script_block_text:(*.sharepoint.com* OR *.onedrive.com*) AND powershell.script_block_text:("Invoke-WebRequest" OR "Invoke-RestMethod" OR "wget" OR "curl")
Monitor for PowerShell downloading multiple files from SharePoint/OneDrive, especially outside business hours. Correlate with unusual authentication events.
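The 4104 hunt above, carried out over script-block records, as an added Python example that is not part of the report. It counts distinct SharePoint/OneDrive URLs per host and user across all their script blocks, requires one of the download cmdlets named above to be present, and marks off-hours activity. The events, host names and account names are constructed; the URL threshold of 10 mirrors the SPL.

```python
import re

# Added example, not from the report: hunt PowerShell ScriptBlock (Event ID 4104)
# records for download cmdlets paired with many SharePoint/OneDrive URLs.
# EVENTS, "WS-114", "WS-201" and the CORP\ accounts are constructed.

URL_RE = re.compile(
    r"https://[a-z0-9.-]+\.sharepoint\.com/[^\s'\"),;]*|https://onedrive\.live\.com/[^\s'\"),;]*",
    re.I,
)
DOWNLOAD_RE = re.compile(r"\b(Invoke-WebRequest|Invoke-RestMethod|wget|curl)\b", re.I)

_URLS = ", ".join(
    f"'https://corp.sharepoint.com/sites/finance/Shared%20Documents/report{i}.xlsx'" for i in range(12)
)
EVENTS = [  # constructed 4104 records, trimmed to the fields the hunt needs
    {"Computer": "WS-114", "UserId": "CORP\\j.doe", "Time": "2026-04-21T02:13:00Z",
     "ScriptBlockText": f"$urls = @({_URLS}); foreach ($u in $urls) "
                        "{ Invoke-WebRequest -Uri $u -OutFile (Split-Path $u -Leaf) }"},
    {"Computer": "WS-201", "UserId": "CORP\\b.ops", "Time": "2026-04-21T10:05:00Z",
     "ScriptBlockText": "Invoke-RestMethod -Uri 'https://corp.sharepoint.com/sites/it/_api/web/lists' | ConvertTo-Json"},
    {"Computer": "WS-114", "UserId": "CORP\\j.doe", "Time": "2026-04-21T02:20:00Z",
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
]


def is_off_hours(iso_ts, start=20, end=6):
    """True for timestamps between 20:00 and 06:00 (UTC in the sample data)."""
    hour = int(iso_ts[11:13])
    return hour >= start or hour < end


def hunt_powershell(events, url_threshold=10):
    """Aggregate per (host, user) and flag many distinct SharePoint/OneDrive URLs plus a download cmdlet."""
    agg = {}
    for ev in events:
        key = (ev["Computer"], ev["UserId"])
        a = agg.setdefault(key, {"urls": set(), "cmdlets": set(), "off_hours": False})
        text = ev["ScriptBlockText"]
        a["urls"].update(u.lower() for u in URL_RE.findall(text))
        a["cmdlets"].update(c.lower() for c in DOWNLOAD_RE.findall(text))
        if a["urls"] and is_off_hours(ev["Time"]):
            a["off_hours"] = True
    findings = []
    for (host, user), a in agg.items():
        if len(a["urls"]) > url_threshold and a["cmdlets"]:
            findings.append({
                "computer": host,
                "user": user,
                "url_count": len(a["urls"]),
                "cmdlets": sorted(a["cmdlets"]),
                "off_hours": a["off_hours"],
            })
    return findings


if __name__ == "__main__":
    for f in hunt_powershell(EVENTS):
        print(f)
```

The WS-201 record is a single API call to SharePoint and stays below the threshold; the WS-114 loop over twelve document URLs at 02:13 is the pattern the section describes.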
T1543.002 — Create/Modify System Process: Systemd Service (Persistence) [P1]
TeamPCP establishes persistence through creation of sysmon.service systemd unit files on compromised build servers
Splunk SPL:
index=linux sourcetype=linux_audit type=SYSCALL comm="systemctl" | search a0="*sysmon.service*" OR exe="*/systemd" | append [search index=fim sourcetype=fim:change file_path="/etc/systemd/system/sysmon.service" OR file_path="/lib/systemd/system/sysmon.service"] | stats values(comm) values(exe) values(file_path) by host user _time
Elastic KQL:
(event.module:auditd AND process.executable:*systemctl* AND process.args:*sysmon.service*) OR file.path:("/etc/systemd/system/sysmon.service" OR "/lib/systemd/system/sysmon.service")
sysmon.service is a known TeamPCP persistence mechanism. Any creation of this service should trigger immediate investigation.
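The auditd side of the hunt above (systemctl invocations naming sysmon.service and creation of the unit file in a systemd unit directory), as an added Python example that is not part of the report. It parses raw auditd records, joins SYSCALL, EXECVE and PATH records that share an audit serial, and reports the login uid (auid) so the finding can be tied to a person. The log lines are constructed; the record shapes follow the standard auditd format, but the inode, pid and uid values are made up.

```python
import re

# Added example, not from the report: parse auditd records and flag sysmon.service
# persistence activity. AUDIT_LOG is constructed sample data.

UNIT_NAME = "sysmon.service"
UNIT_DIRS = ("/etc/systemd/system/", "/lib/systemd/system/", "/usr/lib/systemd/system/")
SYSTEMCTL = ("systemctl", "/usr/bin/systemctl", "/bin/systemctl")

AUDIT_LOG = """\
type=PATH msg=audit(1713852001.555:4519): item=1 name="/etc/systemd/system/sysmon.service" inode=1049 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1713852007.123:4521): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2215 auid=1000 uid=0 comm="systemctl" exe="/usr/bin/systemctl" key="exec"
type=EXECVE msg=audit(1713852007.123:4521): argc=3 a0="systemctl" a1="enable" a2="sysmon.service"
type=SYSCALL msg=audit(1713852100.000:4530): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3300 auid=1000 uid=0 comm="systemctl" exe="/usr/bin/systemctl" key="exec"
type=EXECVE msg=audit(1713852100.000:4530): argc=3 a0="systemctl" a1="restart" a2="nginx.service"
type=PATH msg=audit(1713852200.000:4531): item=1 name="/etc/systemd/system/backup.service" inode=1050 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=EXECVE msg=audit(1713852300.000:4540): argc=2 a0="cat" a1="/etc/systemd/system/sysmon.service"
"""

REC_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Yield (type, timestamp, serial, fields) for each auditd line; quoted values are unquoted."""
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        yield rtype, ts, serial, fields


def execve_args(fields):
    """Order a0, a1, ... numerically (a10 must not sort before a2)."""
    keys = sorted((k for k in fields if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
    return [fields[k] for k in keys]


def hunt_systemd_persistence(text, unit=UNIT_NAME):
    """Group records by audit serial and return findings for systemctl-on-unit and unit-file creation."""
    events = {}
    for rtype, ts, serial, f in parse_records(text):
        events.setdefault(serial, {"ts": ts, "records": []})["records"].append((rtype, f))
    findings = []
    for serial, ev in events.items():
        reasons, auid = [], None
        for rtype, f in ev["records"]:
            if rtype == "SYSCALL":
                auid = f.get("auid")
            elif rtype == "EXECVE":
                args = execve_args(f)
                if args and args[0] in SYSTEMCTL and any(unit in a for a in args[1:]):
                    reasons.append(f"systemctl_{args[1]}_{unit}")
            elif rtype == "PATH" and f.get("nametype") == "CREATE":
                name = f.get("name", "")
                if name.endswith("/" + unit) and name.startswith(UNIT_DIRS):
                    reasons.append("unit_file_created:" + name)
        if reasons:
            findings.append({"serial": serial, "ts": ev["ts"], "auid": auid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_systemd_persistence(AUDIT_LOG):
        print(f)
```

Serial 4540 (a `cat` of the unit file) and 4531 (creation of an unrelated unit) are deliberately not flagged: the first is read-only, the second is not the named indicator, though any new unit on a build server is worth a look in its own right.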
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | checkmarx.zone | TeamPCP C2 domain used in supply chain attacks |
| filename | sysmon.service | Systemd service file used by TeamPCP for persistence |
| filename | environmentAuthChecker.js | Malicious VS Code extension component used by TeamPCP |
| filename | tpcp.tar.gz | TeamPCP exfiltration archive filename |
IOC Sweep Queries (Splunk):
index=* (dest="checkmarx.zone" OR query="checkmarx.zone" OR url="*checkmarx.zone*") | stats count by index sourcetype src_ip dest_port
index=* ("sysmon.service" OR filename="sysmon.service" OR file_path="*sysmon.service") | stats count by index sourcetype host user
index=* "environmentAuthChecker.js" | stats count by index sourcetype host user file_path
index=* ("tpcp.tar.gz" OR filename="tpcp.tar.gz") | stats count by index sourcetype host user action
YARA Rules
ShinyHunters_UserAgent_Detection — Detects ShinyHunters-specific user agents in network traffic and logs
rule ShinyHunters_UserAgent_Detection {
    meta:
        description = "Detects ShinyHunters rapeflake/RapeForce user agents"
        author = "RedSheep Security/Stone"
        date = "2026-04-24"
        reference = "https://www.thestack.technology/snowflake-breach-update-rapeflake/"
    strings:
        $ua1 = "rapeflake" nocase
        $ua2 = "RapeForce" nocase
        $ua3 = "User-Agent: rapeflake" nocase
        $ua4 = "User-Agent: RapeForce" nocase
    condition:
        any of them
}
TeamPCP_Supply_Chain_Artifacts — Detects TeamPCP supply chain attack artifacts
rule TeamPCP_Supply_Chain_Artifacts {
    meta:
        description = "Detects TeamPCP supply chain attack components"
        author = "RedSheep Security/Stone"
        date = "2026-04-24"
        reference = "https://github.com/ugurrates/teampcp-supply-chain-attack"
    strings:
        $s1 = "sysmon.service" fullword
        $s2 = "environmentAuthChecker.js" fullword
        $s3 = "tpcp.tar.gz" fullword
        $s4 = "checkmarx.zone" fullword
        $s5 = "TeamPCP" nocase
    condition:
        2 of them
}
Suricata Rules
SID 3000001 — ShinyHunters rapeflake user agent detected
alert http any any -> any any (msg:"ShinyHunters rapeflake user agent detected"; flow:established,to_server; content:"User-Agent|3a| rapeflake"; http_header; nocase; classtype:trojan-activity; sid:3000001; rev:1;)
SID 3000002 — ShinyHunters RapeForce user agent detected
alert http any any -> any any (msg:"ShinyHunters RapeForce user agent detected"; flow:established,to_server; content:"User-Agent|3a| RapeForce"; http_header; nocase; classtype:trojan-activity; sid:3000002; rev:1;)
SID 3000003 — TeamPCP C2 communication to checkmarx.zone
alert dns any any -> any 53 (msg:"TeamPCP DNS query for checkmarx.zone"; dns_query; content:"checkmarx.zone"; nocase; classtype:command-and-control; sid:3000003; rev:1;)
SID 3000004 — Potential ShinyHunters SSO phishing domain
alert dns any any -> any 53 (msg:"Potential ShinyHunters SSO phishing domain"; dns_query; pcre:"/\b\w+sso\.com|my\w+sso\.com|my-\w+sso\.com|\w+internal\.com/i"; classtype:social-engineering; sid:3000004; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Azure AD/Okta Authentication Logs | T1566.004, T1078.004 | Ensure sign-in logs include source IP, user agent, and application details |
| Google Workspace Admin Audit Logs | T1098.002 | Must have admin audit logging enabled with API activity tracking |
| DNS Logs | T1566.002 | Passive DNS or internal resolver logs required for domain pattern detection |
| Snowflake Query History | T1530 | Requires Snowflake Enterprise with query history retention |
| PowerShell ScriptBlock Logging | T1059.001 | Windows PowerShell v5+ with ScriptBlock logging enabled via GPO |
| Linux Audit Logs | T1543.002, T1195.002 | Auditd rules for systemd service creation and network connections |
| CI/CD Pipeline Logs | T1195.002 | Build logs from Jenkins/GitLab/GitHub Actions with dependency resolution details |
Sources
- Multiple other companies purportedly breached by ShinyHunters
- ShinyHunters - Wikipedia
- ShinyHunters leak data from Mytheresa, Zara, Carnival, and 7-Eleven
- Okta warns users of custom vishing kits potentially affiliated with ShinyHunters
- Expansion of ShinyHunters' SaaS data theft extortion
- ShinyHunters uses social engineering to bypass MFA
- European Commission cloud-based environment breached
- Ameriprise Data Breach Affected Nearly 48,000
- Hackers threaten Amtrak with data leak in April
- Snowflake breach update: 'rapeflake'
- Mandiant details how ShinyHunters abuse SSO to steal cloud data
- Meet ShinySp1d3r: New ransomware-as-a-service created by ShinyHunters
- Anomali Cyber Watch: Chrome Zero-Day, Sneaky 2FA, DigitStealer
- Inside the ShinyHunters Experience Cloud Campaign
- TeamPCP Supply Chain Attack