{
  "type": "IPv4",
  "indicator": "94.156.167.237",
  "general": {
    "whois": "http://whois.domaintools.com/94.156.167.237",
    "reputation": 0,
    "indicator": "94.156.167.237",
    "type": "IPv4",
    "type_title": "IPv4",
    "base_indicator": {
      "id": 4130806906,
      "indicator": "94.156.167.237",
      "type": "IPv4",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 14,
      "pulses": [
        {
          "id": "68c81c1c38f96a22d53917e9",
          "name": "Cyber Criminal Groups Compromising Salesforce Instances for Data Theft and Extortion",
          "description": "Two cyber criminal groups, UNC6040 and UNC6395, are targeting organizations' Salesforce platforms for data theft and extortion. UNC6040 uses social engineering, particularly voice phishing, to gain access to Salesforce accounts. They trick employees into granting access or sharing credentials, then use API queries or malicious connected apps to exfiltrate data. UNC6395 exploits compromised OAuth tokens for the Salesloft Drift application to access Salesforce instances. Both groups have been observed exfiltrating large volumes of customer data. Victims of UNC6040 have received extortion emails demanding cryptocurrency payments to prevent data publication. The FBI has provided numerous IP addresses and other indicators of compromise associated with these groups, along with recommended mitigations to enhance security and prevent such attacks.",
          "modified": "2025-10-15T14:02:24.133000",
          "created": "2025-09-15T14:01:00.638000",
          "tags": [
            "api exfiltration",
            "salesforce",
            "extortion",
            "data theft",
            "social engineering",
            "shinyhunters",
            "vishing",
            "oauth"
          ],
          "references": [
            "https://www.ic3.gov/CSA/2025/250912.pdf"
          ],
          "public": 1,
          "adversary": "UNC6040, UNC6395",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1528",
              "name": "Steal Application Access Token",
              "display_name": "T1528 - Steal Application Access Token"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {},
          "indicator_count": 0,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386466,
          "modified_text": "227 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        },
        {
          "id": "6a066c749aa35a9b1f0af246",
          "name": "Decryption Digest Threat Intelligence",
          "description": "Curated IOC feed from Decryption Digest (decryptiondigest.com) \u2014 practitioner-level cybersecurity threat intelligence covering malware, ransomware, phishing, and advanced persistent threats.",
          "modified": "2026-05-30T12:20:13.434000",
          "created": "2026-05-15T00:44:34.237000",
          "tags": [
            "BlueNoroff",
            "APT",
            "DPRK",
            "c2",
            "credential-stealer",
            "ShinyHunters",
            "UNC6661",
            "data-extortion",
            "vishing",
            "data-exfiltration",
            "AI phishing",
            "ValleyRAT",
            "Silver Fox",
            "UTG-Q-1000",
            "ABCDoor",
            "China APT",
            "tax phishing",
            "Okta credential theft",
            "SaaS extortion",
            "UNC6671",
            "SSO phishing",
            "marimo RCE",
            "AWS credential replay",
            "autonomous attack",
            "CVE-2026-39987",
            "LLM agent",
            "post-exploitation",
            "Cloudflare Workers egress",
            "lateral movement"
          ],
          "references": [
            "https://www.decryptiondigest.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "thebangster",
            "id": "405150",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 36,
            "domain": 18,
            "hostname": 9,
            "FileHash-SHA256": 17
          },
          "indicator_count": 80,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 2,
          "modified_text": "14 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 1
        },
        {
          "id": "693a8a8bb6f528a603978d6b",
          "name": "OS - Threat Intel IOCs IPs",
          "description": "Our own threat intel feed IOC's",
          "modified": "2026-03-21T11:34:25.575000",
          "created": "2025-12-11T09:10:33.993000",
          "tags": [
            "cti weekly",
            "digest article",
            "indicator type",
            "indicator",
            "gc3 cti",
            "weekly digest",
            "article"
          ],
          "references": [
            "",
            "Threat Intel IOCs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "TaDsecurity",
            "id": "296213",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_296213/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 20
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 2,
          "modified_text": "70 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        },
        {
          "id": "68cc8aefbfff4e83cfc4fa34",
          "name": "EbeeSep2025 Pt4",
          "description": "",
          "modified": "2025-12-04T06:44:19.596000",
          "created": "2025-09-18T22:42:55.965000",
          "tags": [],
          "references": [
            "Sep week3.pdf"
          ],
          "public": 1,
          "adversary": "Multiple",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 216,
            "FileHash-SHA1": 242,
            "FileHash-SHA256": 323,
            "URL": 70,
            "domain": 80,
            "email": 4,
            "hostname": 9
          },
          "indicator_count": 944,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "177 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        },
        {
          "id": "68f1e02471b2d4cdd8d21332",
          "name": "IOC TCS- IP",
          "description": "IOC from TCS",
          "modified": "2025-11-16T06:00:55.377000",
          "created": "2025-10-17T06:20:18.207000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 562,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "myerioc72",
            "id": "364999",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {},
          "indicator_count": 0,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "195 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        },
        {
          "id": "68cc8ac554821ab985796db9",
          "name": "EbeeSep2025 Pt3",
          "description": "",
          "modified": "2025-10-18T22:02:53.796000",
          "created": "2025-09-18T22:42:13.461000",
          "tags": [],
          "references": [
            "Sep week3.pdf"
          ],
          "public": 1,
          "adversary": "Multiple",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 87,
            "FileHash-SHA256": 145,
            "URL": 20,
            "domain": 40,
            "email": 4,
            "hostname": 9
          },
          "indicator_count": 389,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "224 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        },
        {
          "id": "68cc52c50cd20007f4536492",
          "name": "Ongoing Development of \u2018shinysp1d3r\u2019 RaaS Threatening VMware ESXi Hosts",
          "description": "",
          "modified": "2025-10-18T18:03:32.945000",
          "created": "2025-09-18T18:43:17.440000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "CryptoGen Cyber Threat Intelligence Advisory",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "domain": 19,
            "hostname": 1
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "224 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        },
        {
          "id": "68cbffd24202c3e67cb8470a",
          "name": "ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications .",
          "description": "ShinyHunters is a financially motivated threat group operating since 2020, known for targeting enterprise cloud applications through advancing tactics, including AI-enabled voice phishing and supply chain compromises. Analysts observe that the group has expanded its operations, leveraging both malicious insiders and cybercrime forums like BreachStars and OGUsers to sell or exploit sensitive data obtained from enterprises.",
          "modified": "2025-10-18T12:00:59.093000",
          "created": "2025-09-18T12:49:22.172000",
          "tags": [
            "shinyhunters",
            "online",
            "telegram",
            "shinycorp",
            "eclecticiq",
            "salesforce",
            "okta",
            "browserstack",
            "bland ai",
            "august",
            "june",
            "anydesk",
            "win64",
            "april",
            "hunters",
            "dragonforce",
            "restrict",
            "soar",
            "phishing",
            "exploit",
            "impact",
            "interception",
            "voice",
            "twitter",
            "virustotal",
            "vishing",
            "scattered spider",
            "ecrime",
            "compromise",
            "hash",
            "address",
            "bitcoin address",
            "xmr address"
          ],
          "references": [
            "https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Vishing",
              "display_name": "Vishing",
              "target": null
            },
            {
              "id": "Scattered Spider",
              "display_name": "Scattered Spider",
              "target": null
            },
            {
              "id": "eCrime",
              "display_name": "eCrime",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1111",
              "name": "Two-Factor Authentication Interception",
              "display_name": "T1111 - Two-Factor Authentication Interception"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1136",
              "name": "Create Account",
              "display_name": "T1136 - Create Account"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1526",
              "name": "Cloud Service Discovery",
              "display_name": "T1526 - Cloud Service Discovery"
            },
            {
              "id": "T1528",
              "name": "Steal Application Access Token",
              "display_name": "T1528 - Steal Application Access Token"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1565",
              "name": "Data Manipulation",
              "display_name": "T1565 - Data Manipulation"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1578",
              "name": "Modify Cloud Compute Infrastructure",
              "display_name": "T1578 - Modify Cloud Compute Infrastructure"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            }
          ],
          "industries": [
            "Retail",
            "Airline",
            "Investment",
            "Financial",
            "Social Engineering",
            "Banking",
            "Travel",
            "E-Commerce",
            "Bank",
            "Finance",
            "Aviation",
            "Telecoms",
            "Automotive",
            "Hospitality",
            "Energy"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 1,
            "CVE": 2,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 4,
            "domain": 20,
            "hostname": 4
          },
          "indicator_count": 46,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "224 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        },
        {
          "id": "68cb7045d3ff5ac4e502701f",
          "name": "IOC- ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications",
          "description": "EclecticIQ analysts assess with high confidence that ShinyHunters is expanding its operations by combining AI-enabled voice phishing, supply chain compromises, and leveraging malicious insiders, such as employees or contractors, who can provide direct access to enterprise networks.\n\nShinyHunters is very likely relying on members of Scattered Spider and The Com to conduct voice phishing attacks that provide unauthorized access to single sign-on (SSO) platforms used by retail, airline, and telecom companies. The group uses this access to exfiltrate large volumes of customer data and extort victim organizations.",
          "modified": "2025-10-18T02:01:05.505000",
          "created": "2025-09-18T02:36:53.834000",
          "tags": [
            "shinycorp",
            "hash",
            "okta",
            "address",
            "bitcoin address",
            "xmr address"
          ],
          "references": [
            "https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 1,
            "FileHash-SHA256": 5,
            "domain": 19,
            "hostname": 1
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "225 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        },
        {
          "id": "68ca9219e7ef336857c268a7",
          "name": "assdddfd",
          "description": "",
          "modified": "2025-10-17T10:05:50.590000",
          "created": "2025-09-17T10:48:57.578000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "abinsiby7048",
            "id": "355718",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {},
          "indicator_count": 0,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "225 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        },
        {
          "id": "68ca921f300396860370ea5f",
          "name": "assdddfd",
          "description": "",
          "modified": "2025-10-17T10:05:50.590000",
          "created": "2025-09-17T10:49:03.590000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "abinsiby7048",
            "id": "355718",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {},
          "indicator_count": 0,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "225 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        },
        {
          "id": "68c9fdf70eea4377e8c72a09",
          "name": "Malware Filter - Botnet List - 16-09-2025",
          "description": "",
          "modified": "2025-10-17T00:04:17.780000",
          "created": "2025-09-17T00:16:55.288000",
          "tags": [],
          "references": [
            "https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {},
          "indicator_count": 0,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1620,
          "modified_text": "226 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        },
        {
          "id": "68c8d68437f48f450c715280",
          "name": "IOC - Cyber Criminal Groups UNC6040 and UNC6395  Compromising Salesforce Instances for Data Theft and  Extortion",
          "description": "The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions. Both groups have recently been observed targeting organizations\u2019 Salesforce platforms via different initial access mechanisms. The FBI is releasing this information to maximize awareness and provide IOCs that may be used by recipients for research and network defense.",
          "modified": "2025-10-16T03:00:48.677000",
          "created": "2025-09-16T03:16:20.572000",
          "tags": [],
          "references": [
            "https://www.ic3.gov/CSA/2025/250912.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2
          },
          "indicator_count": 2,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "226 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        },
        {
          "id": "68ca4a5a616ce78b3f3fbdca",
          "name": "Cyber Criminal Groups Compromising Salesforce Instances for Data Theft and Extortion",
          "description": "",
          "modified": "2025-10-15T14:02:24.133000",
          "created": "2025-09-17T05:42:50.952000",
          "tags": [
            "api exfiltration",
            "salesforce",
            "extortion",
            "data theft",
            "social engineering",
            "shinyhunters",
            "vishing",
            "oauth"
          ],
          "references": [
            "https://www.ic3.gov/CSA/2025/250912.pdf"
          ],
          "public": 1,
          "adversary": "UNC6040, UNC6395",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1528",
              "name": "Steal Application Access Token",
              "display_name": "T1528 - Steal Application Access Token"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68c81c1c38f96a22d53917e9",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {},
          "indicator_count": 0,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "227 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "IPv4",
          "related_indicator_is_active": 0
        }
      ],
      "references": [
        "",
        "https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications",
        "https://www.ic3.gov/CSA/2025/250912.pdf",
        "Threat Intel IOCs",
        "https://www.decryptiondigest.com",
        "https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt",
        "Sep week3.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "UNC6040, UNC6395"
          ],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "CryptoGen Cyber Threat Intelligence Advisory",
            "Multiple",
            "UNC6040, UNC6395"
          ],
          "malware_families": [
            "Ecrime",
            "Scattered spider",
            "Vishing"
          ],
          "industries": [
            "Telecoms",
            "Aviation",
            "Energy",
            "E-commerce",
            "Social engineering",
            "Airline",
            "Banking",
            "Finance",
            "Retail",
            "Travel",
            "Financial",
            "Investment",
            "Hospitality",
            "Bank",
            "Automotive"
          ]
        }
      }
    },
    "false_positive": [],
    "validation": [],
    "asn": "AS48584 sarnica net",
    "city_data": true,
    "city": "Dospat",
    "region": "21",
    "continent_code": "EU",
    "country_code3": "BGR",
    "country_code2": "BG",
    "subdivision": "21",
    "latitude": 41.5635,
    "postal_code": "4837",
    "longitude": 24.0967,
    "accuracy_radius": 20,
    "country_code": "BG",
    "country_name": "Bulgaria",
    "dma_code": 0,
    "charset": 0,
    "area_code": 0,
    "flag_url": "/assets/images/flags/bg.png",
    "flag_title": "Bulgaria",
    "sections": [
      "general",
      "geo",
      "reputation",
      "url_list",
      "passive_dns",
      "malware",
      "nids_list",
      "http_scans"
    ]
  },
  "geo": {
    "asn": "AS48584 sarnica net",
    "city_data": true,
    "city": "Dospat",
    "region": "21",
    "continent_code": "EU",
    "country_code3": "BGR",
    "country_code2": "BG",
    "subdivision": "21",
    "latitude": 41.5635,
    "postal_code": "4837",
    "longitude": 24.0967,
    "accuracy_radius": 20,
    "country_code": "BG",
    "country_name": "Bulgaria",
    "dma_code": 0,
    "charset": 0,
    "area_code": 0,
    "flag_url": "/assets/images/flags/bg.png",
    "flag_title": "Bulgaria"
  },
  "geo_ipapicom": {
    "country": "The Netherlands",
    "country_code": "NL",
    "region": "North Holland",
    "city": "Amsterdam",
    "zip": "1012",
    "latitude": 52.3676,
    "longitude": 4.90414,
    "timezone": "Europe/Amsterdam",
    "isp": "Offerhost Solutions Inc",
    "org": "Offerhost Solutions Inc",
    "asn": "AS208220 Offerhost Solutions Inc",
    "asn_name": "offerhostinc",
    "is_proxy": false,
    "is_hosting": false,
    "source": "ip-api.com"
  },
  "pulse_count": 14,
  "pulses": [
    {
      "id": "68c81c1c38f96a22d53917e9",
      "name": "Cyber Criminal Groups Compromising Salesforce Instances for Data Theft and Extortion",
      "description": "Two cyber criminal groups, UNC6040 and UNC6395, are targeting organizations' Salesforce platforms for data theft and extortion. UNC6040 uses social engineering, particularly voice phishing, to gain access to Salesforce accounts. They trick employees into granting access or sharing credentials, then use API queries or malicious connected apps to exfiltrate data. UNC6395 exploits compromised OAuth tokens for the Salesloft Drift application to access Salesforce instances. Both groups have been observed exfiltrating large volumes of customer data. Victims of UNC6040 have received extortion emails demanding cryptocurrency payments to prevent data publication. The FBI has provided numerous IP addresses and other indicators of compromise associated with these groups, along with recommended mitigations to enhance security and prevent such attacks.",
      "modified": "2025-10-15T14:02:24.133000",
      "created": "2025-09-15T14:01:00.638000",
      "tags": [
        "api exfiltration",
        "salesforce",
        "extortion",
        "data theft",
        "social engineering",
        "shinyhunters",
        "vishing",
        "oauth"
      ],
      "references": [
        "https://www.ic3.gov/CSA/2025/250912.pdf"
      ],
      "public": 1,
      "adversary": "UNC6040, UNC6395",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1528",
          "name": "Steal Application Access Token",
          "display_name": "T1528 - Steal Application Access Token"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 41,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {},
      "indicator_count": 0,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386466,
      "modified_text": "227 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "IPv4",
      "related_indicator_is_active": 0
    },
    {
      "id": "6a066c749aa35a9b1f0af246",
      "name": "Decryption Digest Threat Intelligence",
      "description": "Curated IOC feed from Decryption Digest (decryptiondigest.com) \u2014 practitioner-level cybersecurity threat intelligence covering malware, ransomware, phishing, and advanced persistent threats.",
      "modified": "2026-05-30T12:20:13.434000",
      "created": "2026-05-15T00:44:34.237000",
      "tags": [
        "BlueNoroff",
        "APT",
        "DPRK",
        "c2",
        "credential-stealer",
        "ShinyHunters",
        "UNC6661",
        "data-extortion",
        "vishing",
        "data-exfiltration",
        "AI phishing",
        "ValleyRAT",
        "Silver Fox",
        "UTG-Q-1000",
        "ABCDoor",
        "China APT",
        "tax phishing",
        "Okta credential theft",
        "SaaS extortion",
        "UNC6671",
        "SSO phishing",
        "marimo RCE",
        "AWS credential replay",
        "autonomous attack",
        "CVE-2026-39987",
        "LLM agent",
        "post-exploitation",
        "Cloudflare Workers egress",
        "lateral movement"
      ],
      "references": [
        "https://www.decryptiondigest.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "thebangster",
        "id": "405150",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 36,
        "domain": 18,
        "hostname": 9,
        "FileHash-SHA256": 17
      },
      "indicator_count": 80,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 2,
      "modified_text": "14 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "IPv4",
      "related_indicator_is_active": 1
    },
    {
      "id": "693a8a8bb6f528a603978d6b",
      "name": "OS - Threat Intel IOCs IPs",
      "description": "Our own threat intel feed IOCs",
      "modified": "2026-03-21T11:34:25.575000",
      "created": "2025-12-11T09:10:33.993000",
      "tags": [
        "cti weekly",
        "digest article",
        "indicator type",
        "indicator",
        "gc3 cti",
        "weekly digest",
        "article"
      ],
      "references": [
        "",
        "Threat Intel IOCs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "TaDsecurity",
        "id": "296213",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_296213/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 20
      },
      "indicator_count": 20,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 2,
      "modified_text": "70 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "IPv4",
      "related_indicator_is_active": 0
    },
    {
      "id": "68cc8aefbfff4e83cfc4fa34",
      "name": "EbeeSep2025 Pt4",
      "description": "",
      "modified": "2025-12-04T06:44:19.596000",
      "created": "2025-09-18T22:42:55.965000",
      "tags": [],
      "references": [
        "Sep week3.pdf"
      ],
      "public": 1,
      "adversary": "Multiple",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 216,
        "FileHash-SHA1": 242,
        "FileHash-SHA256": 323,
        "URL": 70,
        "domain": 80,
        "email": 4,
        "hostname": 9
      },
      "indicator_count": 944,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "177 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "IPv4",
      "related_indicator_is_active": 0
    },
    {
      "id": "68f1e02471b2d4cdd8d21332",
      "name": "IOC TCS- IP",
      "description": "IOC from TCS",
      "modified": "2025-11-16T06:00:55.377000",
      "created": "2025-10-17T06:20:18.207000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 562,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "myerioc72",
        "id": "364999",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {},
      "indicator_count": 0,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "195 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "IPv4",
      "related_indicator_is_active": 0
    },
    {
      "id": "68cc8ac554821ab985796db9",
      "name": "EbeeSep2025 Pt3",
      "description": "",
      "modified": "2025-10-18T22:02:53.796000",
      "created": "2025-09-18T22:42:13.461000",
      "tags": [],
      "references": [
        "Sep week3.pdf"
      ],
      "public": 1,
      "adversary": "Multiple",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 87,
        "FileHash-SHA256": 145,
        "URL": 20,
        "domain": 40,
        "email": 4,
        "hostname": 9
      },
      "indicator_count": 389,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "224 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "IPv4",
      "related_indicator_is_active": 0
    },
    {
      "id": "68cc52c50cd20007f4536492",
      "name": "Ongoing Development of \u2018shinysp1d3r\u2019 RaaS Threatening VMware ESXi Hosts",
      "description": "",
      "modified": "2025-10-18T18:03:32.945000",
      "created": "2025-09-18T18:43:17.440000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "CryptoGen Cyber Threat Intelligence Advisory",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "domain": 19,
        "hostname": 1
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "224 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "IPv4",
      "related_indicator_is_active": 0
    },
    {
      "id": "68cbffd24202c3e67cb8470a",
      "name": "ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications .",
      "description": "ShinyHunters is a financially motivated threat group operating since 2020, known for targeting enterprise cloud applications through advancing tactics, including AI-enabled voice phishing and supply chain compromises. Analysts observe that the group has expanded its operations, leveraging both malicious insiders and cybercrime forums like BreachStars and OGUsers to sell or exploit sensitive data obtained from enterprises.",
      "modified": "2025-10-18T12:00:59.093000",
      "created": "2025-09-18T12:49:22.172000",
      "tags": [
        "shinyhunters",
        "online",
        "telegram",
        "shinycorp",
        "eclecticiq",
        "salesforce",
        "okta",
        "browserstack",
        "bland ai",
        "august",
        "june",
        "anydesk",
        "win64",
        "april",
        "hunters",
        "dragonforce",
        "restrict",
        "soar",
        "phishing",
        "exploit",
        "impact",
        "interception",
        "voice",
        "twitter",
        "virustotal",
        "vishing",
        "scattered spider",
        "ecrime",
        "compromise",
        "hash",
        "address",
        "bitcoin address",
        "xmr address"
      ],
      "references": [
        "https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Vishing",
          "display_name": "Vishing",
          "target": null
        },
        {
          "id": "Scattered Spider",
          "display_name": "Scattered Spider",
          "target": null
        },
        {
          "id": "eCrime",
          "display_name": "eCrime",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1111",
          "name": "Two-Factor Authentication Interception",
          "display_name": "T1111 - Two-Factor Authentication Interception"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1136",
          "name": "Create Account",
          "display_name": "T1136 - Create Account"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1213",
          "name": "Data from Information Repositories",
          "display_name": "T1213 - Data from Information Repositories"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1526",
          "name": "Cloud Service Discovery",
          "display_name": "T1526 - Cloud Service Discovery"
        },
        {
          "id": "T1528",
          "name": "Steal Application Access Token",
          "display_name": "T1528 - Steal Application Access Token"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1565",
          "name": "Data Manipulation",
          "display_name": "T1565 - Data Manipulation"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1578",
          "name": "Modify Cloud Compute Infrastructure",
          "display_name": "T1578 - Modify Cloud Compute Infrastructure"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        }
      ],
      "industries": [
        "Retail",
        "Airline",
        "Investment",
        "Financial",
        "Social Engineering",
        "Banking",
        "Travel",
        "E-Commerce",
        "Bank",
        "Finance",
        "Aviation",
        "Telecoms",
        "Automotive",
        "Hospitality",
        "Energy"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 1,
        "CVE": 2,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 4,
        "domain": 20,
        "hostname": 4
      },
      "indicator_count": 46,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "224 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "IPv4",
      "related_indicator_is_active": 0
    },
    {
      "id": "68cb7045d3ff5ac4e502701f",
      "name": "IOC- ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications",
      "description": "EclecticIQ analysts assess with high confidence that ShinyHunters is expanding its operations by combining AI-enabled voice phishing, supply chain compromises, and leveraging malicious insiders, such as employees or contractors, who can provide direct access to enterprise networks.\n\nShinyHunters is very likely relying on members of Scattered Spider and The Com to conduct voice phishing attacks that provide unauthorized access to single sign-on (SSO) platforms used by retail, airline, and telecom companies. The group uses this access to exfiltrate large volumes of customer data and extort victim organizations.",
      "modified": "2025-10-18T02:01:05.505000",
      "created": "2025-09-18T02:36:53.834000",
      "tags": [
        "shinycorp",
        "hash",
        "okta",
        "address",
        "bitcoin address",
        "xmr address"
      ],
      "references": [
        "https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 1,
        "FileHash-SHA256": 5,
        "domain": 19,
        "hostname": 1
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "225 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "IPv4",
      "related_indicator_is_active": 0
    },
    {
      "id": "68ca9219e7ef336857c268a7",
      "name": "assdddfd",
      "description": "",
      "modified": "2025-10-17T10:05:50.590000",
      "created": "2025-09-17T10:48:57.578000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "abinsiby7048",
        "id": "355718",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {},
      "indicator_count": 0,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "225 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "IPv4",
      "related_indicator_is_active": 0
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "94.156.167.237",
    "type": "IPv4"
  },
  "abuseipdb": {
    "error": "AbuseIPDB daily limit reached (1,000/day).",
    "indicator": "94.156.167.237"
  },
  "urlhaus": {
    "indicator": "94.156.167.237",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780195224.7307405
}