UNC6040 Is ShinyHunters: One Cluster, Five Victims, Receipts in Our Index

  • Writer: Patrick Duggan

Mandiant tags the actor as UNC6040. Their leak-site brand is ShinyHunters. Same cluster, two names — one for the Mandiant attribution graph, one for the public extortion site. They have been one of the most active vishing-driven data-extortion clusters in the West for the past quarter. We have indexed receipts on five named victims, infrastructure indicators on the C2 and exfil paths, and adversary-profile context that places them in a specific tradecraft niche that is structurally hard to defend against.


If you searched "UNC6040" and landed here, this page is the index entry. The deeper coverage is in the corpus.


What we have on UNC6040 / ShinyHunters



Five named victims with quantified lead time in our victim_protection_requests ledger:


  • ADT Inc. (US, home security, breach 2026-04-20) — 10 million records exposed. Our first indicator on ShinyHunters' Vercel-themed methodology was Apr 19. Lead time: +1 day.

  • Inditex (ES, retail-fashion, breach 2026-04-24) — 9 million records. Same Vercel methodology indicator from Apr 19. Lead time: +5 days.

  • Kemper Corporation (US, insurance, breach 2026-04-24) — 13 million records, 29 GB of data. Same starting indicator. Lead time: +5 days.

  • Amtrek (US, transport, breach 2026-04-24) — 2.1 million records. Same starting indicator. Lead time: +5 days.


That is one indicator producing four breaches inside five days, which tells you the cluster runs a campaign cadence rather than one-off opportunism.


Infrastructure indicators in our iocs index, sample IPs tagged as ShinyHunters/UNC6040 data-extortion infrastructure:


  • 185.93.3.195

  • 191.96.207.179

  • 196.251.83.162

  • ... plus seven more IPs in the same campaign tag


Blog coverage — 7 dedicated posts touching UNC6040 / ShinyHunters in the corpus, including:


  • "ShinyHunters Hit Six Companies in Seven Days. Here Are Ten Salesforce-Plus-Okta Targets That Fit the Pattern"

  • "ShinyHunters Just Claimed ADT for 10 Million Records. Five Days After ShinyHunters Vercel — Methodology Disowned"

  • "Cisco Is Having the Worst Week in Cybersecurity History" / "Cisco Paid"

  • "Lynx Was In Our Feed 43 Days Before ACN Healthcare. Handala Was 28 Days Before Dubai Lost 6 Petabytes."

  • "43 Days Early on Lynx. 28 on Handala. The Quantified Ledger." — left-of-boom ledger frame including UNC6040


The actor is in our index under both names, by attribution path, by methodology, and by campaign window. If your tooling needs the receipts, register and pull them.


The methodology, briefly



UNC6040 has standardized on a vishing-driven Salesforce-plus-Okta access path:


  • Identify a target's customer-support or IT help-desk function via LinkedIn or open-source enumeration

  • Voice-call (vish) the help desk impersonating an internal employee, using publicly-leaked PII and recent organizational context (often pulled from corporate communications, vendor announcements, or prior breaches)

  • Talk the help desk into resetting an internal credential or pushing a Duo/Okta accept

  • Pivot from the recovered identity into Salesforce — the central CRM where customer records live for most enterprise victims

  • Extract bulk customer data via Salesforce export tooling

  • Stage the data on infrastructure tagged in our IOC list

  • Publish on the leak site with a 72-hour ransom timer


The Salesforce-plus-Okta path is structural: any company with a Salesforce CRM and an Okta IdP and a help desk that humans staff is in scope. That is a category that includes a meaningful fraction of the Fortune 1000 plus most VC-funded SaaS midmarket. The cluster's dwell time per victim is short (days, not months), the engineering effort is low (no novel zero-day, no custom malware in the canonical scope, just social engineering and Salesforce export APIs), and the leverage is high.


Why the lead times look the way they do



We had the methodology indicator (Vercel-themed staging, prior ShinyHunters disclosure patterns) on April 19. ADT was hit on April 20, Inditex/Kemper/Amtrek on April 24. The lead time is small — one to five days — because the cluster moves fast through targets. Long lead times come from actors who build infrastructure quietly for months before activation; UNC6040 builds at speed and uses it immediately.


The defensive implication is not "we should detect them earlier" — it is "we should harden the help-desk-call-back protocol so the identity-reset step requires more than a phone call." That is an organizational change that has to be made before the cluster finds the help desk. After the call has happened, the breach is in flight and detection is forensics, not prevention.


What our index gives you



Free-tier registration at https://analytics.dugganusa.com/stix/register gets an API key, 500 queries per day, and access to:


  • The full IOC list tagged actor=ShinyHunters (or actor=UNC6040, both work)

  • The breach lead-time ledger covering ADT, Inditex, Kemper, Amtrek, ACN Healthcare (Lynx), the Dubai government wiper (Handala), CVE-2026-33825 (Chaotic Eclipse) — what we had, when, and where

  • The methodology blog corpus searchable by query

  • The STIX 2.1 bundle filtered to the UNC6040 tag for direct ingest into your SIEM / Splunk / TAXII consumer
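As an added example (not the vendor's code, and not the real bundle), this Python pulls the ipv4-addr values out of a STIX 2.1 indicator bundle filtered by an actor label and matches them against egress-proxy lines. The bundle contents, UUIDs, label names and log lines are constructed; the IPs are the three listed above.

```python
import json
import re
from typing import Iterable, List, Set, Tuple

# Constructed STIX 2.1 bundle (not the vendor's export). The first indicator carries
# two IPs from the page in an OR-chain; the second is a domain indicator under a
# different label, so both the label filter and the non-IP path are exercised.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "created": "2026-04-19T00:00:00.000Z", "modified": "2026-04-19T00:00:00.000Z",
         "valid_from": "2026-04-19T00:00:00Z", "labels": ["actor=UNC6040"],
         "pattern": "[ipv4-addr:value = '185.93.3.195'] OR [ipv4-addr:value = '191.96.207.179']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2026-04-19T00:00:00.000Z", "modified": "2026-04-19T00:00:00.000Z",
         "valid_from": "2026-04-19T00:00:00Z", "labels": ["actor=other"],
         "pattern": "[domain-name:value = 'staging.example.invalid']"},
    ],
})
# One ipv4-addr comparison inside a STIX pattern; findall() walks an OR-chain.
IPV4_IN_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'([0-9.]+)'\]")

def extract_ipv4(bundle_json: str, label: str = "") -> Set[str]:
    """IPv4 values from STIX indicator patterns, optionally only from indicators
    carrying the given label (here the constructed actor tag)."""
    ips: Set[str] = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if label and label not in obj.get("labels", []):
            continue
        ips.update(IPV4_IN_PATTERN.findall(obj.get("pattern", "")))
    return ips

# Constructed egress-proxy lines. Only dst is matched against the list; the byte
# count is carried through so a bulk transfer to a listed IP stands out in the hits.
SAMPLE_EGRESS = [
    "2026-04-23T02:11:09Z src=10.4.7.21 dst=185.93.3.195 bytes=31138512896",
    "2026-04-23T02:12:40Z src=10.4.7.21 dst=203.0.113.8 bytes=4096",
    "2026-04-23T02:15:02Z src=10.4.9.3 dst=191.96.207.179 bytes=20480",
]
EGRESS_RE = re.compile(r"src=(\S+) dst=(\S+) bytes=(\d+)")

def flag_egress(lines: Iterable[str], ips: Set[str]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, bytes) for every line whose destination is a listed IP."""
    hits = []
    for line in lines:
        m = EGRESS_RE.search(line)
        if m and m.group(2) in ips:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits
```

The same two functions work unchanged on a bundle pulled with the actor tag from the API, since the filter is on the indicator's labels rather than on anything specific to the constructed sample.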


If you are inside a Fortune 1000 with Salesforce + Okta + a human-staffed help desk, the relevant action is: tabletop the vishing-and-callback scenario this quarter, before the cluster finds your number. A three-line rule in the callback protocol — "we never reset credentials based on a single phone call without a manager-confirmed callback to the employee's known number on file" — removes most of the attack surface. Write it. Train it. Drill it.


UNC6040 is one cluster among many running this playbook. They happen to be the most-named one this quarter. The pattern — vishing → IdP compromise → Salesforce export → leak site — is the actual threat. Other actors will pick up the same playbook because the economics work.


We are publishing the receipts because the corpus you are searching ought to land somewhere when you type the alias.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.
