Threat Actor Profile
Medium
Cybercriminal
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (5)
Indicators of Compromise
STIX Data
{'added_date': '2025-10-03',
'client': '2003264@sit.singaporetech.edu.sg',
'description': None,
'firstseen': '2024-04-23T00:00:00+00:00',
'group': 'shinyhunters',
'has_negotiations': False,
'has_ransomnote': False,
'lastseen': '2026-04-28T06:41:14.201436+00:00',
'locations': [{'available': True,
'fqdn': 'breachforums.hn',
'slug': 'https://breachforums.hn/',
'title': 'This Domain Has Been Seized',
'type': 'DLS'},
{'available': True,
'fqdn': 'shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion',
'slug': 'http://shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion',
'title': 'SH',
'type': 'DLS'},
{'available': False,
'fqdn': 'toolatedhs5dtr2pv6h5kdraneak5gs3sxrecqhoufc5e45edior7mqd.onion',
'slug': 'http://toolatedhs5dtr2pv6h5kdraneak5gs3sxrecqhoufc5e45edior7mqd.onion',
'title': 'SH',
'type': 'DLS'},
{'available': True,
'fqdn': 'shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion',
'slug': 'http://shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion',
'title': 'SH',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': False,
'locations': [{'available': True,
'fqdn': 'breachforums.hn',
'slug': 'https://breachforums.hn/',
'title': 'This Domain Has Been Seized',
'type': 'DLS'},
{'available': True,
'fqdn': 'shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion',
'slug': 'http://shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion',
'title': 'SH',
'type': 'DLS'},
{'available': False,
'fqdn': 'toolatedhs5dtr2pv6h5kdraneak5gs3sxrecqhoufc5e45edior7mqd.onion',
'slug': 'http://toolatedhs5dtr2pv6h5kdraneak5gs3sxrecqhoufc5e45edior7mqd.onion',
'title': 'SH',
'type': 'DLS'},
{'available': True,
'fqdn': 'shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion',
'slug': 'http://shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion',
'title': 'SH',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'ransomware_live_group': 'shinyhunters',
'tools': {},
'url': 'https://www.ransomware.live/group/shinyhunters',
'victims': 98,
'vulnerabilities': [{'CVE': 'CVE-2025-61882',
'CVSS': 9.8,
'Product': 'Oracle E-Business Suite '
'(EBS)',
'Vendor': 'Oracle',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2026-20045',
'CVSS': 8.2,
'Product': 'Cisco Unified '
'Communications',
'Vendor': 'Cisco',
'severity': 'HIGH'},
{'CVE': 'OAuth Abuse',
'CVSS': None,
'Product': 'Snowflake (credential '
'stuffing / no MFA)',
'Vendor': 'Snowflake',
'severity': 'UNKNOWN'}]},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'Voice calls to helpdesk '
'pretending to be employees to '
'obtain password reset or MFA '
'bypass.',
'technique_id': 'T1566.003',
'technique_name': 'Phishing: Spearphishing Voice '
'(Vishing)'},
{'technique_details': 'Scanning GitHub/Bitbucket '
'repositories for exposed API '
'keys and OAuth tokens (Secret '
'Hunting).',
'technique_id': 'T1552.004',
'technique_name': 'Unsecured Credentials: Private '
'Keys'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Use of malicious "Connected" '
'OAuth applications to '
'maintain persistent access to '
'Salesforce and Microsoft 365 '
'environments without needing '
'passwords.',
'technique_id': 'T1550.001',
'technique_name': 'Use Alternate Authentication '
'Material: Application Access '
'Token'}]},
{'tactic_id': 'TA0009',
'tactic_name': 'Collection',
'techniques': [{'technique_details': 'Frequent targets include '
'Confluence, Jira, and '
'SharePoint to collect '
'internal documentation and '
'plaintext credentials.',
'technique_id': 'T1213',
'technique_name': 'Data from Information '
'Repositories'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
'techniques': [{'technique_details': 'Use of legitimate cloud tools '
'and native APIs to "drain" '
'data from CRMs (Salesforce) '
'directly to C2 servers.',
'technique_id': 'T1567',
'technique_name': 'Exfiltration Over Web '
'Service'}]}],
'url': 'https://www.ransomware.live/group/shinyhunters',
'victims': 98,
'vulnerabilities': [{'CVE': 'CVE-2025-61882',
'CVSS': 9.8,
'Product': 'Oracle E-Business Suite (EBS)',
'Vendor': 'Oracle',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2026-20045',
'CVSS': 8.2,
'Product': 'Cisco Unified Communications',
'Vendor': 'Cisco',
'severity': 'HIGH'},
{'CVE': 'OAuth Abuse',
'CVSS': None,
'Product': 'Snowflake (credential stuffing / no MFA)',
'Vendor': 'Snowflake',
'severity': 'UNKNOWN'}]}