Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware

    Date: 08/27/2024

    Severity: Critical

    Summary

    During an incident response managed by Unit 42, the threat actor group Bling Libra (known for ShinyHunters ransomware) shifted from their usual method of selling or publishing stolen data to extorting victims. The engagement also revealed how the group obtains legitimate credentials from public repositories to gain initial access to an organization’s Amazon Web Services (AWS) environment.

    Indicators of Compromise (IOC) List

    Domains\Urls

    https://s3browser.com

    s3browser.com 

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\Urls

    userdomainname like "https://s3browser.com" or url like "https://s3browser.com" or userdomainname like "s3browser.com" or url like "s3browser.com"
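As an added example (not part of the original advisory and not Gurucul's own code), the sketch below applies the page's IOC to the two fields named in the query. It matches on the parsed hostname, so the domain and its subdomains hit while look-alike hosts and query-string mentions do not. The event layout, helper names and sample records are constructed assumptions.

```python
from urllib.parse import urlsplit

# IOC taken from the page; field names mirror the TDIR query above.
IOC_DOMAINS = {"s3browser.com"}
QUERY_FIELDS = ("url", "userdomainname")

def extract_host(value):
    """Return the lowercased hostname from a URL or bare domain, or None."""
    if not value:
        return None
    value = value.strip()
    # urlsplit only fills in hostname when a scheme separator is present.
    if "://" not in value:
        value = "//" + value
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def matches_ioc(host):
    """True for the IOC domain itself or any subdomain of it."""
    return host is not None and any(
        host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def find_hits(events):
    """Return (event, field) pairs where a queried field resolves to the IOC."""
    hits = []
    for event in events:
        for field in QUERY_FIELDS:
            if matches_ioc(extract_host(event.get(field))):
                hits.append((event, field))
                break
    return hits

# Constructed sample events (not real telemetry); the event layout is an assumption.
SAMPLE_EVENTS = [
    {"id": 1, "user": "alice", "url": "https://s3browser.com/download.aspx"},
    {"id": 2, "user": "bob", "url": "https://S3Browser.com."},
    {"id": 3, "user": "carol", "userdomainname": "www.s3browser.com"},
    {"id": 4, "user": "dave", "url": "https://nots3browser.com/"},
    {"id": 5, "user": "erin", "url": "https://example.org/?ref=s3browser.com"},
    {"id": 6, "user": "frank", "url": "https://s3browser.com.example.net/"},
]

if __name__ == "__main__":
    for event, field in find_hits(SAMPLE_EVENTS):
        print(f"hit id={event['id']} user={event['user']} field={field}")
```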

    Reference:

    https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/#section-11-title  

     


     


    Tags

    Ransomware, Extortion, Malware
