Vishing Campaigns Lead to Data Theft and Extortion

    Date: 03/17/2026

    Severity: Critical

    Summary

    Since late December 2025, the team has handled multiple incidents involving voice-based phishing (vishing) leading to data theft and extortion. These attacks have targeted organizations across the Financial Services, Manufacturing, Professional & Legal Services, and Wholesale & Retail sectors. Analysis suggests most activity is linked to Bling Libra (also known as ShinyHunters) or affiliates of the Scattered LAPSUS$ Hunters alliance. The threat actors demonstrate rapid execution once initial access is obtained. In one 2025 case, they moved from access to data exfiltration in under 60 seconds.

    Indicators of Compromise (IOC) List

    IP Address : 

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    dstipaddress IN ("23.234.100.235","23.234.100.107","173.247.193.250","45.134.26.68","23.234.100.212","31.57.147.125","199.127.61.200","173.11.73.245","185.195.233.152","45.84.107.17","141.98.255.243","146.70.172.156","193.138.218.218","212.247.150.205","73.170.199.103","185.209.199.104","98.27.195.220","73.159.223.249","73.218.14.2","198.54.111.37","173.53.121.241","174.244.18.160","173.49.144.24","71.233.191.224","172.56.199.200","70.237.135.82","185.209.199.77","24.237.69.80","149.75.194.213","76.127.241.83","104.175.82.79","179.43.185.226","23.93.251.87","104.193.195.200","138.199.6.209","76.152.11.158","98.26.99.167","141.224.140.62","185.231.32.34","70.109.196.15","172.56.195.164","75.250.181.136","73.51.249.216") or srcipaddress IN ("23.234.100.235","23.234.100.107","173.247.193.250","45.134.26.68","23.234.100.212","31.57.147.125","199.127.61.200","173.11.73.245","185.195.233.152","45.84.107.17","141.98.255.243","146.70.172.156","193.138.218.218","212.247.150.205","73.170.199.103","185.209.199.104","98.27.195.220","73.159.223.249","73.218.14.2","198.54.111.37","173.53.121.241","174.244.18.160","173.49.144.24","71.233.191.224","172.56.199.200","70.237.135.82","185.209.199.77","24.237.69.80","149.75.194.213","76.127.241.83","104.175.82.79","179.43.185.226","23.93.251.87","104.193.195.200","138.199.6.209","76.152.11.158","98.26.99.167","141.224.140.62","185.231.32.34","70.109.196.15","172.56.195.164","75.250.181.136","73.51.249.216")

    Reference:     

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-03-12-Vishing-Campaigns-Lead-to-Data-Theft-and-Extortion.txt 


    Tags

    Extortion, Data Stealer, Financial Services, Critical Manufacturing, Government Services and Facilities, Exfiltration, Malware, Threat Actor, Shinyhunter, Phishing, Vishing
