
Instructure Canvas. Cushman & Wakefield. NVIDIA Armenia. All ShinyHunters Today. Our Subscribers Have Had The Operator's Infrastructure Indexed Since April 2.

  • Writer: Patrick Duggan
  • 2 days ago
  • 3 min read

Three named victims hit the wires today, all attributed to the same operator. The ShinyHunters group, also tracked by Mandiant as UNC6040, claimed responsibility for the Instructure Canvas breach affecting roughly 275 million student, teacher, and staff records across 8,809 institutions. The same group claimed Cushman & Wakefield, exposing 500,000 Salesforce records. The same group breached an NVIDIA GeForce NOW Alliance partner in Armenia. Three sectors — education, commercial real estate, gaming infrastructure — one operator, one news cycle.


The technical signature of the campaign is consistent with the March 2026 EclecticIQ writeup that documented ShinyHunters/UNC6040 hitting EC, TELUS, and Cisco. The operator's preferred initial-access path is Salesforce social engineering: calling employees, pretending to be IT, and walking them through installing a malicious OAuth connector. Once the connector is in place, data extraction is fast and unrelenting. Disclosure follows weeks or months later, after the data goes up on the dark web. The defender's opportunity is to know the operator's hosting infrastructure before the OAuth call lands: the social-engineering call itself cannot be prevented by indicator blocking, but the C2 callbacks that follow it can.



What our subscribers have had in their feed


DugganUSA indexed the EclecticIQ March 2026 ShinyHunters disclosure on April 2, 2026. The thirty-six IP addresses attributed in that writeup were ingested into our iocs index, tagged ShinyHunters/UNC6040 infrastructure, sourced as eclecticiq, and exported to the public STIX 2.1 feed within hours. From that moment forward, any organization pulling our feed into OPNsense as a DNS sinkhole zone, into Suricata as a rule set, into Splunk ES as a TAXII collection, or into a Cloudflare Worker bulk-IP-block ruleset, was blocking ShinyHunters callbacks before the next victim got the social-engineering phone call.


A subset of the indexed addresses, for the operator-receipt record:

  • 185.93.3.195
  • 191.96.207.179
  • 196.251.83.162
  • 163.5.210.210
  • 94.156.167.237
  • 23.94.126.63
  • 198.244.224.200
  • 138.199.60.10

Each of these has been continuously available in our public STIX feed for forty-six days as of today's disclosure window. We are not claiming we predicted the specific victims. We are claiming the operator's exfiltration paths were in our customers' detection pipeline before the operator placed the call.



What today's victims could have done


Instructure Canvas, Cushman & Wakefield, and an NVIDIA partner in Armenia are not DugganUSA subscribers, as far as we can tell from the public STIX feed pull logs that record consumer identity at the User-Agent and Bearer-key level. Microsoft is, AT&T is, Starlink is, and approximately two hundred seventy other organizations across forty-six countries are. The feed is free, anonymous registration is thirty seconds, the rate limit is generous, and the indicator format is industry-standard STIX 2.1.


The question to ask is not whether DugganUSA could have prevented these three breaches specifically. The question is whether the defender posture inside Instructure, Cushman, and the NVIDIA partner had any external threat-intelligence source that named ShinyHunters/UNC6040 infrastructure before today. If the answer is no, the gap is in feed selection, not in the marketplace. If the answer is yes from another vendor, fine — but verify the date that source first indexed the operator. Our date is April 2. Ours is public, free, and indexed by a two-person shop in Minneapolis on a six-thousand-dollar annual operating budget.



The structural lesson


Vendor threat intelligence reports about ShinyHunters/UNC6040 have been published consistently since 2024. The operator has been observed, named, and attributed. The infrastructure has been catalogued, sometimes by name, sometimes by IP range, sometimes by certificate signer. Whether your organization is exposed to the next ShinyHunters campaign is not a function of whether the intelligence exists. It is a function of whether the intelligence is in your detection pipeline at machine speed.


Three sectors today. One operator. Forty-six days of lead time available, free, to any defender who knew where to pull.



What this looks like in your stack


The DugganUSA STIX 2.1 feed is live at analytics.dugganusa.com/api/v1/stix-feed. CSV blocklists for direct router and firewall ingestion are at the same domain, organized by indicator type. The same indicators are available as Suricata rules, OPNsense DNS sinkhole zones, and TAXII 2.1 collections. The MCP tool [email protected] exposes the same corpus to AI agents via STDIO, including the new platform-status health surface for ops triage.
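The ingestion step this section and the earlier feed section describe, as an added example that is not DugganUSA's code or the feed's own tooling: parse a STIX 2.1 bundle of indicator objects, drop revoked and expired ones, pull the IPv4 values out of the STIX patterns, emit Suricata rules and a CSV blocklist, and check a few egress flow-log lines against the result. The bundle, the object ids and timestamps, the flow-log format, and the CSV column layout are all constructed for this example; the two live addresses in the bundle are from the list published above, and the revoked/expired entries use documentation-range addresses.

```python
import csv
import io
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample bundle in the shape a STIX 2.1 feed returns. The two live
# addresses are from the list published in this post; the object ids,
# timestamps and the revoked/expired indicators are made up for the example.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--22222222-2222-4222-8222-222222222222",
            "created": "2026-04-02T00:00:00.000Z", "modified": "2026-04-02T00:00:00.000Z",
            "name": "ShinyHunters/UNC6040 infrastructure", "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '185.93.3.195' OR ipv4-addr:value = '191.96.207.179']",
            "valid_from": "2026-04-02T00:00:00Z",
        },
        {   # revoked indicator: must not reach the blocklist
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--33333333-3333-4333-8333-333333333333",
            "created": "2026-01-01T00:00:00.000Z", "modified": "2026-03-01T00:00:00.000Z",
            "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.9']",
            "valid_from": "2026-01-01T00:00:00Z", "revoked": True,
        },
        {   # expired indicator: valid_until is in the past
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--44444444-4444-4444-8444-444444444444",
            "created": "2025-06-01T00:00:00.000Z", "modified": "2025-06-01T00:00:00.000Z",
            "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.200']",
            "valid_from": "2025-06-01T00:00:00Z", "valid_until": "2025-12-01T00:00:00Z",
        },
        {   # non-indicator object: ignored by the extractor
            "type": "identity", "spec_version": "2.1", "identity_class": "organization",
            "id": "identity--55555555-5555-4555-8555-555555555555", "name": "example publisher",
            "created": "2026-04-02T00:00:00.000Z", "modified": "2026-04-02T00:00:00.000Z",
        },
    ],
})

IPV4_IN_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")


def _parse_stix_ts(ts):
    """STIX timestamps end in 'Z'; fromisoformat needs an explicit offset on older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def extract_ipv4(bundle_json, now=None):
    """Return the unique, currently valid IPv4 addresses asserted by a STIX 2.1 bundle."""
    if isinstance(now, str):
        now = _parse_stix_ts(now)
    now = now or datetime.now(timezone.utc)
    seen, out = set(), []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # sigma/yara/snort patterns need their own handlers
        if "valid_until" in obj and _parse_stix_ts(obj["valid_until"]) < now:
            continue
        for raw in IPV4_IN_PATTERN.findall(obj.get("pattern", "")):
            try:
                ip = str(ipaddress.IPv4Address(raw))
            except ipaddress.AddressValueError:
                continue  # malformed feed value: skip rather than emit a broken rule
            if ip not in seen:
                seen.add(ip)
                out.append(ip)
    return out


def suricata_rules(ips, base_sid=9000000, msg="ShinyHunters/UNC6040 infrastructure (feed IOC)"):
    """One outbound alert rule per address; sids are assigned sequentially from base_sid."""
    return [
        f'alert ip $HOME_NET any -> {ip} any (msg:"{msg}"; classtype:trojan-activity; '
        f"sid:{base_sid + i}; rev:1;)"
        for i, ip in enumerate(ips, start=1)
    ]


def csv_blocklist(ips, source="dugganusa-stix-feed"):
    """CSV in an assumed indicator,type,source layout for a firewall alias importer."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["indicator", "type", "source"])
    for ip in ips:
        w.writerow([ip, "ipv4-addr", source])
    return buf.getvalue()


# Constructed key=value flow-log lines, as an egress firewall might emit them.
FLOW_LOGS = [
    "2026-05-18T10:01:02Z src=10.20.0.15 dst=198.51.100.7 dport=443 proto=tcp",
    "2026-05-18T10:01:09Z src=10.20.0.15 dst=185.93.3.195 dport=443 proto=tcp",
    "2026-05-18T10:02:41Z src=10.20.0.31 dst=191.96.207.179 dport=8443 proto=tcp",
]

FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+)")


def match_flow_logs(ips, lines):
    """Return (timestamp, src, dst) for every flow whose destination is a feed indicator."""
    wanted = set(ips)
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m and m.group(3) in wanted:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    ips = extract_ipv4(SAMPLE_BUNDLE)
    print("\n".join(suricata_rules(ips)))
    print(csv_blocklist(ips))
    for ts, src, dst in match_flow_logs(ips, FLOW_LOGS):
        print(f"{ts} {src} -> {dst}: callback to indexed infrastructure")
```

The revoked and valid_until checks are the part most ingestion scripts skip: a feed that retracts a false positive does so by setting `revoked` or letting `valid_until` lapse, and a consumer that ignores both keeps blocking an address the publisher no longer stands behind. The rules are written as alerts rather than drops so the same output works in Suricata IDS mode; switch the action to `drop` only on an inline sensor where the sid range is reserved for this feed.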


ShinyHunters infrastructure has been in this feed since April 2, 2026. It is in this feed today. It will be in this feed tomorrow when the next victim is announced.


— Patrick Duggan, DugganUSA LLC, Minneapolis





