ShinyHunters, CL0P Return with New Claimed Victims

The Cyber Express • Jan 26, 2026

Companies Mentioned

  • Betterment
  • Crunchbase
  • Google (GOOG)
  • Oracle (ORCL)
  • Okta (OKTA)
  • SoundCloud
  • Microsoft (MSFT)
  • Cyble
  • CrowdStrike (CRWD)
  • Salesforce (CRM)
Why It Matters

The resurgence highlights persistent weaknesses in SSO and MFA defenses, while CL0P’s opaque extortion campaign amplifies ransomware risk across critical industries, urging immediate security posture reviews.

Key Takeaways

  • ShinyHunters resurfaces with onion leak site.
  • Claims victims: SoundCloud, Betterment, Crunchbase.
  • CL0P lists 43 new ransomware victims.
  • No technical details released for CL0P campaign.

Pulse Analysis

The return of the ShinyHunters group marks a shift back to open‑source‑style data dumping via an onion‑hosted leak site. After high‑profile breaches of PornHub and Salesforce in 2025, the actors now focus on a vishing campaign that harvests single sign‑on credentials for Okta, Microsoft and Google. By leveraging social engineering, they can pivot into enterprise SaaS environments, as demonstrated by the recent compromises of SoundCloud, Betterment and Crunchbase. The group’s public claim of additional victims suggests a scaling operation that could pressure organizations to reassess their MFA and SSO controls.

Meanwhile, the CL0P ransomware syndicate has announced 43 new victims, expanding its extortion portfolio beyond the Oracle E‑Business Suite exploits that yielded over a hundred compromises last year. Targets span a major hotel chain, an IT services firm, a UK payment processor, a workforce‑management provider, and a Canadian mining company, indicating a broad industry focus. The absence of technical indicators—no disclosed vulnerabilities, exfiltrated data samples, or ransom deadlines—makes attribution difficult and hampers defensive response. Analysts suspect the group is probing internet‑facing file servers such as Gladinet CentreStack for entry points.

Both campaigns underscore the growing convergence of social‑engineering and ransomware tactics. Enterprises that rely heavily on SSO must enforce strict verification, continuous monitoring, and adaptive MFA to thwart credential‑theft vectors. At the same time, robust backup strategies, network segmentation, and rapid incident‑response playbooks are essential to limit CL0P’s impact. As threat actors publicize victim lists without proof, security teams should treat such claims as early warnings and prioritize threat‑intelligence integration to stay ahead of evolving attack surfaces.
