🏴‍☠️ ShinyHunters

Threat-actor battle card · maintained from public sources · last updated 2026-06-24 · also known as UNC6240, "Scattered Lapsus$ Hunters" (claimed collective branding)

Category: Data-theft extortion
Attribution: Financially motivated cybercrime; English-speaking, overlaps/collaborates with the wider Scattered Spider / Lapsus$ ("The Com") ecosystem
First seen: 2020
Status: Active
Rank: #13
Recent victims (last ~9d): 4
All-time victims: 129
Primary targets: Higher education, Telecom, Retail, Travel/Hospitality, Technology, SaaS/CRM data

Overview

ShinyHunters (tracked by Mandiant/Google Threat Intelligence as UNC6240) is a long-running, financially motivated data-theft extortion brand active since 2020, historically known for selling and leaking large databases on cybercrime forums (BreachForums lineage). In 2025-26 it shifted from forum sales to named, deadline-driven extortion via its own data-leak site, and into operator-grade intrusion — most notably exploiting an Oracle PeopleSoft zero-day at scale. It is one of the brands marketed under the "Scattered Lapsus$ Hunters" collective banner alongside Scattered Spider and Lapsus$-adjacent actors, though the exact membership overlap is unconfirmed.

Tradecraft

  • Mass zero-day exploitation (2026): Exploited CVE-2026-35273 (CVSS 9.8, unauthenticated RCE in Oracle PeopleSoft Enterprise PeopleTools Environment Management) as a zero-day between May 27 and June 9, 2026 — predating Oracle's June 10 out-of-band advisory. Targeted /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints.
  • C2 / RAT: Deployed MeshCentral agents masquerading as Microsoft Azure NetApp Files (azurenetfiles.net, WebSocket Secure over 443); custom-signed meshagent*-azure-ops binaries.
  • Lateral movement: Custom [victim]_fanout.sh SSH credential-spraying script reading /etc/hosts, trying hardcoded admin/app credentials, and dropping a README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT defacement marker into WebLogic/Process Scheduler directories.
  • Exfiltration: zstd compression of staged data, then publication on the ShinyHunters DLS.
  • Social-engineering / CRM theft: Separately associated with the 2025-26 wave of Salesforce / OAuth data-theft extortion (voice-phishing, malicious connected-apps, third-party integration abuse) hitting dozens of enterprises.
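
A defender can turn the PeopleSoft endpoints and exploitation window listed above into a first-pass access-log triage. The following is an added example, not code from this page or its sources; the log format (common/combined), the internal address ranges, the UTC window boundaries and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Endpoints and exploitation window as given in the tradecraft list above.
WATCHED = ("/psemhub/hub", "/psigw/httplisteningconnector")
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc),
          datetime(2026, 6, 10, tzinfo=timezone.utc))  # end exclusive; UTC assumed
# Assumption: sources inside these ranges are internal and are not reported.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Common/combined access-log line: ip - user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def triage(lines):
    """Return one finding per external request to a watched PeopleSoft endpoint."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        path = m["path"].split("?", 1)[0]
        # Compare decoded and lower-cased so encoding or case variants still match.
        if not unquote(path).lower().startswith(WATCHED):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of an IP, or unparseable timestamp
        if any(src in net for net in INTERNAL):
            continue
        findings.append({"ip": str(src), "time": ts, "method": m["method"],
                         "path": path, "status": int(m["status"]),
                         "in_window": WINDOW[0] <= ts < WINDOW[1]})
    return findings

# Constructed sample lines (documentation IP ranges), not taken from any incident.
SAMPLE_LOG = [
    '203.0.113.45 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "-"',
    '10.20.1.7 - - [28/May/2026:03:15:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 498 "-" "-"',
    '198.51.100.9 - - [12/Jun/2026:11:02:41 +0000] "GET /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.45 - - [28/May/2026:03:16:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding is a lead for host-level investigation, not proof of compromise; any external hit at all also confirms that the endpoint is internet-exposed.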

Notable victims

  • Oracle PeopleSoft campaign (2026) — Mandiant notified 100+ organisations with vulnerable endpoints; 68% higher education, mostly US. University of Nottingham is the first confirmed victim; data published on the ShinyHunters DLS from June 9, 2026. Google Threat Intelligence · SecurityWeek
  • Carnival Corporation — 5,995,277 individuals (Holland America Mariner Society loyalty programme); names, DOB, address, passport and driver's-license numbers; social-engineering of a Carnival employee April 14, 2026; notifications dated May 27, 2026. BleepingComputer
  • University of Nottingham — 40GB+ billing/payment-card/student-finance data claimed; university confirmed the incident June 11, 2026. The Record

Assessment

ShinyHunters has matured from a data broker into a capable intrusion operator: the PeopleSoft campaign shows it can find, weaponise, and scale a high-value enterprise zero-day faster than the vendor can patch — the same opportunistic mass-extortion model practised by Cl0p, now applied to ERP/HR platforms. Its concentration on higher education reflects the sector's large attack surface of internet-exposed PeopleSoft HR/finance systems and constrained patch cadence. The brand's overlap with the Scattered Spider / Lapsus$ "Com" ecosystem makes attribution fluid and capability-sharing likely. Structural mitigation: remove internet exposure of PeopleSoft PSEMHUB/integration gateways, patch CVE-2026-35273 on emergency timelines, and treat any unpatched, exposed PeopleSoft instance as presumed-compromised. For Salesforce/CRM exposure, enforce phishing-resistant MFA and audit third-party connected-app OAuth scopes.

🗂️ Attacks & victims

All disclosed victims attributed to this actor, newest first.

June 2026

  • Jun 18 · icsecurity.com · ShinyHunters · Extortion · unknown · United States · 🟥 Claimed (leak-site) · disclosed 7d ago · Sources: ransomware.live DLS
  • Jun 18 · One Medical · ShinyHunters · Extortion · healthcare · US · 🟩 Corroborated · disclosed 7d ago · unauthorized access to a third-party legacy file-storage system holding archived senior-patient data (demographic + clinical records across Atlanta, Cape Cod, Charlotte, Piedmont Triad, Denver, Houston, Phoenix, Tucson, Seattle); access June 8-11, discovered June 13, disclosed June 17; ShinyHunters claims 8.8 TB exfiltrated (🟥 unverified, no proof samples) with a June 22 extortion deadline; affected-individual count not yet disclosed · Sources: HIPAA Journal · BankInfoSecurity
  • Jun 18 · NAIC.org · ShinyHunters · Extortion · unknown · United States · 🟥 Claimed (leak-site) · disclosed 7d ago · Sources: ransomware.live DLS
  • Jun 16 · Ralph Lauren · ShinyHunters · Extortion · unknown · United States · 🟥 Claimed (leak-site) · disclosed 9d ago · Sources: ransomware.live DLS
  • Jun 15 · icc.edu · ShinyHunters · Extortion · unknown · United States · 🟥 Claimed (leak-site) · disclosed 10d ago · Sources: ransomware.live DLS
  • Jun 15 · moody.edu · ShinyHunters · Extortion · unknown · United States · 🟥 Claimed (leak-site) · disclosed 10d ago · Sources: ransomware.live DLS
  • Jun 15 · glendale.edu · ShinyHunters · Extortion · unknown · United States · 🟥 Claimed (leak-site) · disclosed 10d ago · Sources: ransomware.live DLS
  • Jun 09 · University of Nottingham · ShinyHunters · Extortion · education · UK · 🟥 Claimed (leak-site) · disclosed 16d ago · university confirmed incident 2026-06-11; claim: 40GB+ billing/payment-card/student-finance data · Sources: ransomware.live DLS · The Record

May 2026

  • May 27 · Carnival Corporation · ShinyHunters · Extortion · travel/hospitality · US · 🟩 Corroborated · disclosed 29d ago · 5,995,277 individuals affected; names, dates of birth, addresses, email, phone, passport and driver's license numbers; social-engineering attack on Carnival employee led to account compromise April 14, 2026; data exfiltrated before access blocked; breach notification letters dated May 27, 2026 · Sources: BleepingComputer · The Register · Malwarebytes
