Investigation Links ShinyHunters to Broad Vishing Campaign Targeting Over 100 Organizations

A security firm tracing suspicious domains and operational fingerprints reports a coordinated phishing and vishing operation that focused on at least 100 organisations over about a month, spanning technology, finance, healthcare, energy and other sectors. Investigators observed infrastructure intended to impersonate corporate services and intercept employee credentials; the attackers relied heavily on telephone-based social engineering to pressure account owners into bypassing protections. The technical core of the campaign was browser-resident scripts and specialised phishing toolkits that permitted operators to steer active authentication sessions while engaging the victim by voice, increasing the likelihood that push prompts would be approved or one-time codes disclosed. Researchers linked portions of the activity to a public-facing leak group known for publishing stolen data and attribute parts of the operation to a hybrid collective formed from prior extortion and access-for-sale groups. Several well-known companies were identified as targets; some later reported records released by the actors, though not every claimed intrusion has been independently corroborated by forensic teams. Platform vendors and identity providers have flagged similar attack chains before, noting that bespoke phishing kits now automate credential capture and session orchestration. Complicating the picture, investigators also pointed to a contemporaneous but separate disclosure of an unsecured infostealer cache containing an estimated 149 million username/password pairs exfiltrated from compromised endpoints. That dataset—spanning consumer email, social media, streaming services and many cryptocurrency-related accounts—underscores how device-level compromise supplies attackers with the raw material for credential stuffing and makes social-engineering lures more convincing. Analysts warn the two trends are complementary: endpoint-derived credential caches feed bulk and targeted attacks, while live vishing and session manipulation convert contextual knowledge into immediate account takeover. Because some data releases remain publicly accessible, response efforts are strained by the need to remediate both compromised sessions and broad re-use of credentials across services. The incident shifts the emphasis for defenders from focusing solely on anomalous logins to integrating telephony-fraud signals, endpoint telemetry and transaction-level fraud detection into authentication monitoring. Organisations that rely on federated identity and SSO are particularly exposed, since a successful real-time orchestration attack can grant wide downstream access; defenders are urged to prioritise hardware-backed MFA, endpoint hygiene, session revocation, and proactive scanning for exposed credentials in underground markets.