ctipilot.ch

ShinyHunters (UNC6240) — one cluster, multiple reported tradecraft paths in one week

From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29

The week is a compact case study in how a single extortion cluster's reported activity spans very different initial-access tradecraft. The two firmly UNC6240-attributed events are the Oracle PeopleSoft zero-day behind the NAIC breach (GTIG/Mandiant attribution, § 1) and the April 2026 Instructure Canvas LMS breach, whose UK Cyber Monitoring Centre sector review landed 06-27 (160 UK universities, extortion, ransom paid). Alongside them, 404 Media's reconstruction (06-26) showed the Madison Square Garden intrusion began with a single vishing call into the company's identity platform — the operator phoned a low-level employee and talked them through authorising access; the 404 Media account documents the technique but names no actor, and the ShinyHunters link rests on the operators' own claims and the SSO-vishing TTP overlap Abnormal Security attributes to the cluster.

The cross-day pattern matters more than any single victim: a server-side zero-day, a SaaS-platform compromise and SSO-targeting vishing all appear under (or adjacent to) one extortion banner in one week, so defending against this cluster is not a single control. It is externally reachable enterprise-app patching and hunting, third-party SaaS exposure management, and help-desk/identity-platform vishing resistance (callback verification, no MFA reset on a phone call) — all at once. (daily 06-26, daily 06-27, daily 06-28)