Blog
Cyber Threat Intelligence

Threat Actors to Watch: SafePay, FancyBear, and ShinyHunters

From a fast-scaling ransomware operator to a Russian state-sponsored espionage group now experimenting with LLM-powered malware, and a data extortion collective that has weathered arrests without slowing down, these three threat actors span the full spectrum of financially and geopolitically motivated cybercrime. CYJAX breaks down what each group does, why they matter, and what security teams should know.

July 9, 2026
12
min read
Shail Yadav
Marketing Executive
Table of contents
Share

Key takeaways

  • In June 2025, SafePay claimed 73 victims in a single month and was responsible for the Ingram Micro attack. This incident is estimated to have cost the company $136 million in revenue per day at its peak.
  • FancyBear, which is also known as APT28, compromised over 18,000 SOHO routers across over 120 countries in its FrostArmada campaign and has become the first publicly documented APT to integrate a large language model into operational malware.
  • ShinyHunters has continued operating at scale even after French authorities arrested four of its alleged members in June 2025, most recently claiming access to roughly 300 Oracle PeopleSoft instances.
  • All three groups rely heavily on identity and access abuse, from brute -forced VPNs to vished MFA prompts. This reinforces that credential hygiene remains one of the most consequential control gaps organisations face.
  • Distinguishing a credible, active threat from noise is what separates a security team that reacts in time from one that reacts late.

Understanding Threat Actor Intelligence

Cybercriminal and state-sponsored groups are increasingly operating like businesses, running affiliate networks, maintaining public leak sites, and adapting tooling as defences improve. Organised crime groups have also shown a willingness to blend techniques, as CYJAX has explored in its analysis of how organised crime groups use social media to commit fraud. Here, social engineering and impersonation feed directly into the kind of initial access seen in the groups below.

At the same time, the volume of alerts and indicators security teams are asked to triage keeps growing. This has made it harder to separate a genuinely active, capable threat actor from background noise. CYJAX has previously outlined how to cut through this in Red Flags in Threat Intelligence: How to Cut False Positives and Act on Real Threats. Knowing which groups are active, how they gain access, and what they tend to do next is what turns that triage process into something actionable.

Below, CYJAX profiles three active threat groups that organisations across multiple sectors and regions should be monitoring closely right now.

1. SafePay

Type: Ransomware | Motivation: Financial | Threat Level: Critical

Who The Group Is

SafePay is a financially motivated ransomware group that likely formed prior to August 2024, based on the earliest listings on its data-leak site (DLS). The group has targeted organisations of all sizes across the FMCG, construction, IT, education, retail, real estate, infrastructure, professional services, government, tourism, manufacturing, and healthcare sectors. Victims have been identified across the Americas, Europe, Middle East, and the Pacific. Unlike many established ransomware operations, SafePay has stated that it does not run a Ransomware-as-a-Service (RaaS) model and has no affiliates.

What It Does

SafePay gains initial access primarily by exploiting vulnerabilities, purchasing compromised credentials from initial access brokers, or conducting brute -force attacks against VPN and RDP services. Once inside, it deploys the QDoor backdoor and legitimate remote access tools such as ScreenConnect to maintain persistence. It then exfiltrates data using WinRAR, FileZilla, and Rclone before encrypting systems with a ransomware strain derived from leaked LockBit source code. Its most damaging attack to date was the July 2025 compromise of Ingram Micro, which triggered a multi-day outage across the company's global supply chain of over 160,000 customers. Notably, the group’s malware includes a kill switch that halts execution if it detects a Cyrillic keyboard layout. This technique is commonly associated with Russian-speaking threat actors.

Why It Matters

SafePay's attack frequency has escalated sharply, from infrequent listings throughout 2024 to claiming 29 victims in a single day in March 2025 and 73 victims across June 2025 alone. That tempo, combined with its willingness to target critical sectors like healthcare and government that many ransomware groups avoid, points to an opportunistic and highly capable operator. For security teams, the priority exposure points are internet-facing VPN gateways and firewall misconfigurations, which have repeatedly been the group's route into victim networks.

2. FancyBear (APT28)

Aliases: APT28, Sofacy, STRONTIUM, Sednit, Pawn Storm | Type: State-sponsored APT | Threat Level: Critical

Who The Group Is

FancyBear is a Russian state-sponsored advanced persistent threat (APT) group that has been active since at least 2008. It has conducted cyberespionage against government, military, energy, media, aerospace, and telecommunications targets on behalf of the Russian government’s interests. The group is linked to the 2016 Democratic National Committee breach and since 2022, has sharply increased its focus on Ukraine and NATO-aligned states. This has led FancyBear to extend its targeting to defence manufacturers in Bulgaria and Romania and government and military entities across Greece, Cameroon, Ecuador, Serbia, and Cyprus.

What It Does

FancyBear maintains an extensive, continually updated malware arsenal which includes CHOPSTICK, X-Agent, Zebrocy, BeardShell, and a custom UEFI rootkit named Lojax. The APT has used zero-day exploits such as the Follina vulnerability and a zero-day flaw in MDaemon webmail. In April 2026, a joint advisory from the UK’s NCSC, FBI, and NSA detailed the group's FrostArmada campaign, in which over 18,000 SOHO routers across at least 120 countries were compromised to harvest passwords and OAuth tokens via Adversary-in-the-Middle(AitM) attacks. FancyBear was linked to LAMEHUG in July 2025, a Python-based infostealer that queries a large language model (LLM) at runtime to generate reconnaissance and exfiltration commands. This marked the first publicly documented case of an LLM integrated into operational malware.

Why It Matters

FancyBear's combination of custom tooling, firmware-level persistence, and rapid infrastructure pivoting reflects a well-resourced, technically mature capability rather than reliance on off-the-shelf tools. The emergence of LAMEHUG signals a meaningful shift in tradecraft, where dynamic, model-generated commands reduce a defender's ability to rely on static signatures. For organisations connected to Ukraine, NATO member states, or critical infrastructure, sustained monitoring of this group's evolving toolkit is essential.

3. ShinyHunters

Aliases: ShinyCorp | Type: Data Extortion | Motivation: Financial | Threat Level: High

Who The Group Is

ShinyHunters is an English-language data broker group that likely formed in 2020. The group has been responsible for high-profile breaches at AT&T, Microsoft, Santander, and Ticketmaster. Between August and September 2025, ShinyHunters collaborated with ScatteredSpiderand LAPSUS$ to form Scattered Lapsus$ Hunters. However, the collective announced that it was "going dark" in September 2025. Despite the arrest of four alleged members by French authorities in June 2025, ShinyHunters remains active and its DLS lists 125 victims as of mid-2026.

What It Does

ShinyHunters primarily gains access through vishing and AitM attacks impersonating IT support, misconfigured cloud portals with elevated guest permissions, and OAuth supply-chain compromises. Its Salesforce-focused campaigns throughout late 2025 used compromised Salesloft Drift OAuth tokens to steal data from roughly 760 companies. In January 2026, the group was observed vishing SSO accounts at Okta, Microsoft Entra, and Google using Phishing-as-a-Service (PhaaS) kits. In June 2026, ShinyHunters targeted Oracle PeopleSoft environments and claimed to have accessed around 300 instances. The group claimed that it stole data from 100 organisations and exploited a flaw tracked as CVE-2026-35273.

Why It Matters

ShinyHunters' resilience after law enforcement action is a key point here: arrests disrupted the Scattered Lapsus$ Hunters collective but did not stop the group's core operation. Its consistent pivot across cloud platforms, from Salesforce to Oracle PeopleSoft, shows a group actively hunting for the next widely deployed enterprise application to exploit at scale. For organisations relying on SaaS and cloud CRM platforms, exposure increasingly sits with third-party OAuth grants and helpdesk verification processes rather than the core network perimeter.

Monitoring groups like these requires more than threat feeds and alerts. It requires knowing which group is active, its targets, and what your organisation looks like from its perspective. Book a demo with CYJAX to see how our analyst-led intelligence platform helps your team move from reactive to ready.

FAQs

Frequently asked questions

SafePay has explicitly stated it does not operate a RaaS model and has no affiliates, unlike many prolific ransomware groups. Despite this, it has achieved a high attack tempo, suggesting a small, highly skilled core team rather than a large affiliate network.

LAMEHUG generates reconnaissance and exfiltration commands dynamically by querying an LLM at runtime, rather than relying on hardcoded static commands. This makes the malware's behaviour harder to predict, signalling a broader shift in how threat actors may use AI to make malware more adaptive.

The June 2025 arrests targeted specific individuals allegedly affiliated with the group, but ShinyHunters' broader operational model, which is based on vishing, OAuth abuse, and cloud misconfigurations, does not depend on any single member. The group has continued to launch new campaigns against different platforms in the months since.

A kill switch is a built-in check that stops malware from executing under certain conditions, such as detecting a specific keyboard language. Some ransomware groups, often those with suspected links to Russian-speaking regions, use this to avoid encrypting systems in countries within the Commonwealth of Independent States (CIS) and to reduce the risk of domestic law enforcement attention.

Subscribe for weekly updates

Receive our latest cyber intelligence insights delivered directly to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Share
Get started

Get Started with CYJAX CTI

Empower Your Team. Strengthen Your Defences.CYJAX gives you the intelligence advantage: clear, validated insights that let your team act fast without being buried in noise.

Link Copied