Cybercrime group ShinyHunters is expanding its operations, targeting enterprise cloud applications using a mix of advanced tactics, according to new analysis from threat intelligence firm EclecticIQ.
The group is now combining AI-driven voice phishing (vishing), supply chain compromises, and the use of insiders (such as employees or contractors) to gain direct access to corporate networks.
EclecticIQ says that ShinyHunters is collaborating with members of other well-known cybercrime groups like Scattered Spider and The Com to conduct voice phishing attacks. The attacks often target single sign-on (SSO) platforms used by major companies in the retail, airline, and telecom sectors, leading to large-scale data theft and extortion.
The group’s leader, known as ShinyCorp, is reportedly selling stolen data to ransomware operators and cybercriminals for over $1 million per company. ShinyHunters is also infiltrating developer tools and cloud platforms like Git, BrowserStack, and JFrog to conduct supply chain attacks, potentially compromising thousands of systems through a single breach point.
Researchers also discovered that the group is currently working on a ransomware-as-a-service (RaaS) tool named shinysp1d3r. Once launched, it is expected to target virtual environments such as VMware ESXi, expanding ShinyHunters' ransomware capabilities.
ShinyHunters first appeared in 2020 and remains highly active in English-speaking cybercrime forums and Telegram. EclecticIQ has identified three core members involved in recent 2025 campaigns, including the threat actor "Yukari," who is linked to both ShinyHunters and Scattered Spider.
The group uses VoIP platforms like Twilio, Google Voice, and 3CX, as well as AI-powered voice tools such as Vapi and Bland, to automate large-scale phishing calls.