Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft

    Date: 02/02/2026

    Severity: High

    Summary

    The team observed increased threat activity matching tactics linked to previous ShinyHunters extortion campaigns. These operations rely heavily on advanced voice phishing (vishing) techniques. Attackers use victim-branded credential harvesting sites to capture SSO credentials and MFA codes. With initial access gained, they pivot into corporate cloud environments. Cloud-based SaaS platforms are then targeted to exfiltrate sensitive data and internal communications for extortion.

    Indicators of Compromise (IOC) List

    IP Addresses:

    104.32.172.247
    142.127.171.133
    149.50.97.144
    157.131.172.74
    198.52.166.197
    199.127.61.200
    206.170.208.23
    209.222.98.200
    23.234.100.107
    23.234.100.235
    24.242.93.122
    37.15.73.132
    38.190.138.239
    67.21.178.234
    68.73.213.196
    73.135.228.98
    76.64.54.159
    76.70.74.63
    85.238.66.242

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("23.234.100.107","104.32.172.247","85.238.66.242","209.222.98.200","76.70.74.63","142.127.171.133","37.15.73.132","157.131.172.74","199.127.61.200","149.50.97.144","198.52.166.197","206.170.208.23","23.234.100.235","24.242.93.122","38.190.138.239","67.21.178.234","68.73.213.196","73.135.228.98","76.64.54.159") or srcipaddress IN ("23.234.100.107","104.32.172.247","85.238.66.242","209.222.98.200","76.70.74.63","142.127.171.133","37.15.73.132","157.131.172.74","199.127.61.200","149.50.97.144","198.52.166.197","206.170.208.23","23.234.100.235","24.242.93.122","38.190.138.239","67.21.178.234","68.73.213.196","73.135.228.98","76.64.54.159")
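    The TDIR query above matches the advisory's IOC addresses against either the source or the destination field of an event. The following is an added example, not code from the advisory or from Gurucul, that applies the same IOC list to a handful of constructed JSON log lines. It assumes the event field names srcipaddress and dstipaddress used in the query, and it also unwraps IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), a form some log sources emit that a plain string comparison against the list would miss.

```python
"""Added example: apply the advisory's IP IOC list to sample log lines,
matching on source or destination address like the TDIR query above.
Log lines are constructed for this example; the IOC set is the advisory's."""
import ipaddress
import json
from typing import Iterable, Optional

# IOC IP addresses as published in the advisory.
SHINYHUNTERS_IOC_IPS = frozenset({
    "104.32.172.247", "142.127.171.133", "149.50.97.144", "157.131.172.74",
    "198.52.166.197", "199.127.61.200", "206.170.208.23", "209.222.98.200",
    "23.234.100.107", "23.234.100.235", "24.242.93.122", "37.15.73.132",
    "38.190.138.239", "67.21.178.234", "68.73.213.196", "73.135.228.98",
    "76.64.54.159", "76.70.74.63", "85.238.66.242",
})

# Constructed sample events, one JSON object per line. Field names follow
# the advisory's query (srcipaddress / dstipaddress); users and times are made up.
SAMPLE_LOGS = """\
{"ts":"2026-02-02T10:14:03Z","user":"jdoe","srcipaddress":"10.20.30.40","dstipaddress":"142.127.171.133","action":"allow"}
{"ts":"2026-02-02T10:15:11Z","user":"asmith","srcipaddress":"10.20.30.41","dstipaddress":"93.184.216.34","action":"allow"}
{"ts":"2026-02-02T10:16:45Z","user":"svc-sso","srcipaddress":"::ffff:85.238.66.242","dstipaddress":"10.0.0.5","action":"login"}
{"ts":"2026-02-02T10:17:02Z","user":"bob","srcipaddress":"not-an-ip","dstipaddress":"23.234.100.107","action":"allow"}
this line is not JSON at all
"""


def normalize_ip(value) -> Optional[str]:
    """Return the canonical dotted-quad form of an address, unwrapping
    IPv4-mapped IPv6 (::ffff:a.b.c.d). Returns None for missing or invalid input."""
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except (ValueError, TypeError):
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def match_ioc_ips(log_lines: Iterable[str],
                  ioc_ips=SHINYHUNTERS_IOC_IPS,
                  fields=("srcipaddress", "dstipaddress")) -> list:
    """Scan JSON-per-line events and return one hit per (line, field) whose
    address is in the IOC set. Malformed lines are skipped, not fatal."""
    hits = []
    for lineno, raw in enumerate(log_lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # unparseable line: skip so one bad record does not stop the scan
        if not isinstance(event, dict):
            continue
        for field in fields:
            ip = normalize_ip(event.get(field))
            if ip is not None and ip in ioc_ips:
                hits.append({
                    "line": lineno,
                    "field": field,
                    "ip": ip,
                    "user": event.get("user"),
                    "ts": event.get("ts"),
                })
    return hits


if __name__ == "__main__":
    for hit in match_ioc_ips(SAMPLE_LOGS.splitlines()):
        print(f"line {hit['line']}: {hit['field']}={hit['ip']} user={hit['user']} ts={hit['ts']}")
```

    Run against the constructed sample, the scan reports three hits: the outbound connection on line 1, the mapped-IPv6 source on line 3, and the destination on line 4 (whose source field is not a valid address and is ignored). The same function can be pointed at a real export by passing any iterable of JSON lines.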

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft


    Tags

    Malware, Phishing, Vishing, Threat Actor, ShinyHunters, Credential Harvesting, SaaS, Extortion

