Threat Actors to Watch: SafePay, FancyBear, and ShinyHunters
From a fast-scaling ransomware operator to a Russian state-sponsored espionage group now experimenting with LLM-powered malware, and a data extortion collective that has weathered arrests without slowing down, these three threat actors span the full spectrum of financially and geopolitically motivated cybercrime. CYJAX breaks down what each group does, why they matter, and what security teams should know.

Key takeaways
- In June 2025, SafePay claimed 73 victims in a single month and was responsible for the Ingram Micro attack. This incident is estimated to have cost the company $136 million in revenue per day at its peak.
- FancyBear, which is also known as APT28, compromised over 18,000 SOHO routers across over 120 countries in its FrostArmada campaign and has become the first publicly documented APT to integrate a large language model into operational malware.
- ShinyHunters has continued operating at scale even after French authorities arrested four of its alleged members in June 2025, most recently claiming access to roughly 300 Oracle PeopleSoft instances.
- All three groups rely heavily on identity and access abuse, from brute -forced VPNs to vished MFA prompts. This reinforces that credential hygiene remains one of the most consequential control gaps organisations face.
- Distinguishing a credible, active threat from noise is what separates a security team that reacts in time from one that reacts late.
Understanding Threat Actor Intelligence
Cybercriminal and state-sponsored groups are increasingly operating like businesses, running affiliate networks, maintaining public leak sites, and adapting tooling as defences improve. Organised crime groups have also shown a willingness to blend techniques, as CYJAX has explored in its analysis of how organised crime groups use social media to commit fraud. Here, social engineering and impersonation feed directly into the kind of initial access seen in the groups below.
At the same time, the volume of alerts and indicators security teams are asked to triage keeps growing. This has made it harder to separate a genuinely active, capable threat actor from background noise. CYJAX has previously outlined how to cut through this in Red Flags in Threat Intelligence: How to Cut False Positives and Act on Real Threats. Knowing which groups are active, how they gain access, and what they tend to do next is what turns that triage process into something actionable.
Below, CYJAX profiles three active threat groups that organisations across multiple sectors and regions should be monitoring closely right now.
1. SafePay
Type: Ransomware | Motivation: Financial | Threat Level: Critical
Who The Group Is
SafePay is a financially motivated ransomware group that likely formed prior to August 2024, based on the earliest listings on its data-leak site (DLS). The group has targeted organisations of all sizes across the FMCG, construction, IT, education, retail, real estate, infrastructure, professional services, government, tourism, manufacturing, and healthcare sectors. Victims have been identified across the Americas, Europe, Middle East, and the Pacific. Unlike many established ransomware operations, SafePay has stated that it does not run a Ransomware-as-a-Service (RaaS) model and has no affiliates.
What It Does
SafePay gains initial access primarily by exploiting vulnerabilities, purchasing compromised credentials from initial access brokers, or conducting brute -force attacks against VPN and RDP services. Once inside, it deploys the QDoor backdoor and legitimate remote access tools such as ScreenConnect to maintain persistence. It then exfiltrates data using WinRAR, FileZilla, and Rclone before encrypting systems with a ransomware strain derived from leaked LockBit source code. Its most damaging attack to date was the July 2025 compromise of Ingram Micro, which triggered a multi-day outage across the company's global supply chain of over 160,000 customers. Notably, the group’s malware includes a kill switch that halts execution if it detects a Cyrillic keyboard layout. This technique is commonly associated with Russian-speaking threat actors.
Why It Matters
SafePay's attack frequency has escalated sharply, from infrequent listings throughout 2024 to claiming 29 victims in a single day in March 2025 and 73 victims across June 2025 alone. That tempo, combined with its willingness to target critical sectors like healthcare and government that many ransomware groups avoid, points to an opportunistic and highly capable operator. For security teams, the priority exposure points are internet-facing VPN gateways and firewall misconfigurations, which have repeatedly been the group's route into victim networks.
2. FancyBear (APT28)
Aliases: APT28, Sofacy, STRONTIUM, Sednit, Pawn Storm | Type: State-sponsored APT | Threat Level: Critical
Who The Group Is
FancyBear is a Russian state-sponsored advanced persistent threat (APT) group that has been active since at least 2008. It has conducted cyberespionage against government, military, energy, media, aerospace, and telecommunications targets on behalf of the Russian government’s interests. The group is linked to the 2016 Democratic National Committee breach and since 2022, has sharply increased its focus on Ukraine and NATO-aligned states. This has led FancyBear to extend its targeting to defence manufacturers in Bulgaria and Romania and government and military entities across Greece, Cameroon, Ecuador, Serbia, and Cyprus.
What It Does
FancyBear maintains an extensive, continually updated malware arsenal which includes CHOPSTICK, X-Agent, Zebrocy, BeardShell, and a custom UEFI rootkit named Lojax. The APT has used zero-day exploits such as the Follina vulnerability and a zero-day flaw in MDaemon webmail. In April 2026, a joint advisory from the UK’s NCSC, FBI, and NSA detailed the group's FrostArmada campaign, in which over 18,000 SOHO routers across at least 120 countries were compromised to harvest passwords and OAuth tokens via Adversary-in-the-Middle(AitM) attacks. FancyBear was linked to LAMEHUG in July 2025, a Python-based infostealer that queries a large language model (LLM) at runtime to generate reconnaissance and exfiltration commands. This marked the first publicly documented case of an LLM integrated into operational malware.
Why It Matters
FancyBear's combination of custom tooling, firmware-level persistence, and rapid infrastructure pivoting reflects a well-resourced, technically mature capability rather than reliance on off-the-shelf tools. The emergence of LAMEHUG signals a meaningful shift in tradecraft, where dynamic, model-generated commands reduce a defender's ability to rely on static signatures. For organisations connected to Ukraine, NATO member states, or critical infrastructure, sustained monitoring of this group's evolving toolkit is essential.
3. ShinyHunters
Aliases: ShinyCorp | Type: Data Extortion | Motivation: Financial | Threat Level: High
Who The Group Is
ShinyHunters is an English-language data broker group that likely formed in 2020. The group has been responsible for high-profile breaches at AT&T, Microsoft, Santander, and Ticketmaster. Between August and September 2025, ShinyHunters collaborated with ScatteredSpiderand LAPSUS$ to form Scattered Lapsus$ Hunters. However, the collective announced that it was "going dark" in September 2025. Despite the arrest of four alleged members by French authorities in June 2025, ShinyHunters remains active and its DLS lists 125 victims as of mid-2026.
What It Does
ShinyHunters primarily gains access through vishing and AitM attacks impersonating IT support, misconfigured cloud portals with elevated guest permissions, and OAuth supply-chain compromises. Its Salesforce-focused campaigns throughout late 2025 used compromised Salesloft Drift OAuth tokens to steal data from roughly 760 companies. In January 2026, the group was observed vishing SSO accounts at Okta, Microsoft Entra, and Google using Phishing-as-a-Service (PhaaS) kits. In June 2026, ShinyHunters targeted Oracle PeopleSoft environments and claimed to have accessed around 300 instances. The group claimed that it stole data from 100 organisations and exploited a flaw tracked as CVE-2026-35273.
Why It Matters
ShinyHunters' resilience after law enforcement action is a key point here: arrests disrupted the Scattered Lapsus$ Hunters collective but did not stop the group's core operation. Its consistent pivot across cloud platforms, from Salesforce to Oracle PeopleSoft, shows a group actively hunting for the next widely deployed enterprise application to exploit at scale. For organisations relying on SaaS and cloud CRM platforms, exposure increasingly sits with third-party OAuth grants and helpdesk verification processes rather than the core network perimeter.
Monitoring groups like these requires more than threat feeds and alerts. It requires knowing which group is active, its targets, and what your organisation looks like from its perspective. Book a demo with CYJAX to see how our analyst-led intelligence platform helps your team move from reactive to ready.
Get Started with CYJAX CTI
Empower Your Team. Strengthen Your Defences.CYJAX gives you the intelligence advantage: clear, validated insights that let your team act fast without being buried in noise.




