Satine Sentinel: May 29, 2026

Last week left the developer toolchain on fire and Iranian actors logged into gas station monitors through the front door. This week, the same ShinyHunters ecosystem that has been draining enterprise SaaS environments all year turned a single vishing call into 4.9 million exposed Spectrum customer records — and then published them when Charter wouldn’t negotiate. The FBI issued a rare FLASH alert warning that an extortion crew is now sending operatives physically into law firm offices, posing as IT support, and walking out with USB drives full of privileged data. And Symantec published research confirming that Iran’s MuddyWater intelligence service spent Q1 2026 abusing security vendors’ own signed binaries to hide espionage implants across nine countries — including inside a SentinelOne executable.

This week: the ShinyHunters identity-to-Salesforce playbook confirmed on a major US telecom, a Russia-linked extortion group that has moved social engineering from phone calls to physical office access, and an Iranian state APT that is using your EDR vendor’s signed binary as its cover story.


Update: OpFauxSign — Fox Tempest’s Downstream Ransomware Operators Still Active Post-Takedown

The Fox Tempest infrastructure Microsoft dismantled on May 19 — covered last week — is down. The ransomware operators who used it are not. Rhysida, Akira, INC, Qilin, BlackByte, and Vanilla Tempest all used Fox Tempest-signed malware in real-world intrusions, and none of those groups have been disrupted by the takedown of the signing service itself. The practical implication is that Fox Tempest adapted in real time as Microsoft disabled fraudulent accounts and revoked certificates in the months before the court filing, migrating by February 2026 to networks of third-party virtual machines to reduce friction for customers. Groups with that operational flexibility will find or build alternative signing pipelines. The certificate revocation resolves the specific certificates issued; it does not resolve the underlying problem that Azure Artifact Signing’s identity verification was successfully defrauded at scale using synthetic identities. The takedown is a meaningful disruption, not a solved problem.

No new victim disclosures or post-takedown exploitation reports emerged this week. This update closes the loop from last week’s Sentinel: the infrastructure is gone, the affiliated ransomware operators remain active, and organizations that patched their execution controls last week should keep them patched.


Charter/Spectrum — ShinyHunters Vishing-to-Salesforce, 4.9 Million Records Published

What happened:

Charter Communications confirmed a cybersecurity incident on May 23, 2026, after the ShinyHunters extortion group claimed responsibility and threatened to release data unless a ransom was paid by May 27. The incident reportedly began on April 1 when attackers used a vishing technique to trick an employee into surrendering access to a company account; ShinyHunters claimed to have compromised a Microsoft Entra account and then leveraged that access to reach Charter’s Salesforce environment, where customer data was stored. Charter declined to negotiate. ShinyHunters published the data on May 28-29. Have I Been Pwned confirmed exposure of the personal details of 4.9 million customers, including names, email addresses, phone numbers, and physical addresses, plus a subset of roughly 85,000 records from an internal employee directory containing job titles.

Technical details that matter:

Why critical institutions should care:

This is the ShinyHunters playbook fully documented: one vishing call to one employee, one compromised Entra account, one Salesforce export, 4.9 million records. The blast radius from a single compromised SSO account depends entirely on what SaaS integrations sit behind it. Most large organizations have connected Salesforce, Workday, ServiceNow, or similar platforms to their identity provider with broad data access and minimal egress controls — because nobody configured Salesforce to alert on bulk data exports at 3 AM. For telecoms, utilities, and healthcare organizations whose Salesforce environments contain customer PII, CPNI, or patient data, the question is whether a successful Entra credential compromise could replicate this result in your environment. If the answer is yes without additional controls triggering, the architecture is the problem.

Key sources:


Silent Ransom Group — FBI FLASH Alert: Extortion Crew Now Walking Into Law Firm Offices

What happened:

The FBI issued a FLASH alert on May 26 warning that the Silent Ransom Group — a Russia-linked extortion gang targeting U.S. law firms since 2023 — has escalated to physically walking operatives into law firm offices under the guise of IT support. The gang has already had data from more than 38 firms published on its public leak site, with researchers saying the total attack count exceeds 100, and activity surging sharply in early 2026. The closed group, which likely operates from Russia and emerged in 2022 after Conti disbanded, conducts data theft and extortion without deploying ransomware encryption. Researchers note that Silent Ransom Group was the first group to specifically and systematically target U.S. law firms, tailoring its operations around what causes maximum pain in that sector: the theft and threatened disclosure of privileged client data.

Technical details that matter:

Why critical institutions should care:

The physical component breaks the threat model of network-perimeter defense completely. Once an operative is seated at a workstation inside your building, network segmentation, firewall rules, and remote access controls are largely irrelevant. Healthcare organizations are explicitly named as secondary targets alongside law firms — the data SRG wants is anything that creates maximum reputational or regulatory exposure if published: privileged communications, patient records, case files, M&A data. The defensive implication is uncomfortable: your physical access procedures — reception desk ID verification, escort policies, how your staff responds to someone claiming to be from IT — are now a direct line item in your cyber defense posture. The group’s understanding of what causes maximum pain specifically in sectors where data confidentiality is legally and reputationally critical suggests deliberate sector targeting rather than opportunistic access.

Key sources:


MuddyWater Q1 2026 Campaign — Iran’s MOIS Uses SentinelOne’s Own Binary to Hide Espionage Implants

What happened:

Symantec and Carbon Black’s Threat Hunter Team disclosed on May 26 that the Iranian APT group MuddyWater compromised at least nine organizations across nine countries on four continents in Q1 2026, targeting industrial and electronics manufacturing, education, government bodies, financial services, and professional services. Among the confirmed victims was a major South Korean electronics manufacturer where attackers maintained unauthorized access for approximately a week beginning February 20, 2026; also targeted were an international airport in the Middle East, Southeast Asian industrial manufacturers, and a Latin American financial services provider. MuddyWater is widely assessed as operating under Iran’s Ministry of Intelligence and Security (MOIS).

Technical details that matter:

Why critical institutions should care:

MuddyWater selected SentinelOne’s own signed binary specifically because EDR products extend elevated trust to tools they recognize as their own ecosystem. This is a trust inversion: the security tool becomes the evasion mechanism. SAM hive theft in the victim environment means harvested domain credentials — the kind that enable lateral movement through enterprise networks well after the initial intrusion is nominally contained. The campaign targeted industrial manufacturing, airports, and financial services across four continents: these are not opportunistic targets. For any organization that views itself as a potential target of Iranian state intelligence — defense contractors, semiconductor supply chain, energy, government contractors, financial institutions with Middle East exposure — this campaign confirms that MuddyWater has meaningfully upgraded its ability to operate quietly inside enterprise environments. Behavioral detection that flags unusual DLL loading patterns is more reliable than binary trust based on certificate validity or vendor name.

Key sources:


The Pattern This Week

Last week, adversaries bypassed evidence generation. This week, three separate threat actors targeted the systems defenders use to decide who to trust: a phone call from a number that looked like IT, a USB drive carried in by someone wearing a badge, a binary signed by your security vendor.

The ShinyHunters vishing operation did not break Charter’s network. It broke one employee’s confidence that the call was suspicious. The Silent Ransom Group did not defeat physical security. It sent someone who looked like they belonged. MuddyWater did not exploit a SentinelOne vulnerability. It loaded a malicious DLL next to SentinelOne’s own signed executable and relied on the trust that executable carries.

The defender’s problem is not a lack of controls. It is that the controls in place — identity verification, code signing trust, security vendor binary whitelisting — were used as the attack surface rather than bypassed. When the mechanism of trust is the intrusion vector, detection requires behavioral context that goes one layer deeper than the trust signal itself: not just “is this binary signed” but “is this binary doing what signed binaries of this type should do.”

See you next week.


What Your Business Can Do This Week

These three incidents describe different attack categories — identity compromise, physical social engineering, and state-sponsored espionage — but they share a common defensive gap: controls that stop at the trust signal rather than validating the behavior behind it. Here is what each incident tells you to do now.

1. Map every SaaS integration behind your SSO provider and audit bulk export permissions in Salesforce.

The Charter breach was one vishing call away from a 4.9 million record export because a single Entra account had a path to Salesforce data with no egress controls in place. Start by pulling the full list of SaaS applications connected to your identity provider and identifying which ones contain customer PII, financial records, or operational data. For each, answer two questions: can a single compromised account trigger a bulk data export, and would that export generate an alert? For Salesforce specifically, review your Event Monitoring configuration. Salesforce logs bulk API queries and mass data exports, but Event Monitoring is not enabled by default on all license tiers and is frequently left unconfigured. If you cannot answer within 24 hours which user accounts have the permissions required to export your entire customer database, that is the gap ShinyHunters is exploiting across hundreds of organizations right now.
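As an added illustration of the export alerting described above (this is example code written for this newsletter, not a Charter or Salesforce artifact), the following flags Salesforce Event Monitoring rows that look like bulk exports: a high row count, or any bulk query outside business hours. The column subset, the row threshold, and the business-hours window are assumptions; the log lines are constructed.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the shape of Salesforce EventLogFile BulkApi / ReportExport
# rows. Real files carry many more columns; only the ones the rule needs are kept.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,ENTITY_TYPE,OPERATION_TYPE,ROWS_PROCESSED
BulkApi,2026-04-01T14:05:12.000Z,0051x0000A1,Opportunity,query,1200
BulkApi,2026-04-01T03:14:50.000Z,0051x0000B2,Contact,query,4900000
ReportExport,2026-04-01T09:30:00.000Z,0051x0000C3,,,
BulkApi,2026-04-01T03:20:07.000Z,0051x0000B2,Account,query,950000
"""

ROW_THRESHOLD = 100_000            # assumption: tune to normal integration volume
BUSINESS_HOURS = range(7, 20)      # assumption: 07:00-19:59 UTC; adjust to org timezone
EXPORT_EVENTS = {"BulkApi", "ReportExport"}


def parse_events(text):
    """Parse EventLogFile CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_bulk_exports(text, row_threshold=ROW_THRESHOLD, business_hours=BUSINESS_HOURS):
    """Return one finding per export-type event that is large, off-hours, or both."""
    findings = []
    for ev in parse_events(text):
        if ev["EVENT_TYPE"] not in EXPORT_EVENTS:
            continue
        ts = datetime.strptime(ev["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        ts = ts.replace(tzinfo=timezone.utc)
        rows = int(ev["ROWS_PROCESSED"] or 0)
        reasons = []
        if rows >= row_threshold:
            reasons.append("bulk_rows")
        if ev["EVENT_TYPE"] == "BulkApi" and ts.hour not in business_hours:
            reasons.append("off_hours")
        if reasons:
            findings.append({"user": ev["USER_ID"], "entity": ev["ENTITY_TYPE"],
                             "rows": rows, "when": ts.isoformat(), "reasons": reasons})
    return findings


def rows_per_user(text):
    """Total rows pulled per user across the file, to catch exports split into chunks."""
    totals = {}
    for ev in parse_events(text):
        if ev["EVENT_TYPE"] == "BulkApi":
            totals[ev["USER_ID"]] = totals.get(ev["USER_ID"], 0) + int(ev["ROWS_PROCESSED"] or 0)
    return totals


if __name__ == "__main__":
    for f in flag_bulk_exports(SAMPLE_LOG):
        print(f)
    print(rows_per_user(SAMPLE_LOG))
```

The per-user total matters because a single export split across several objects will not trip a per-event threshold on its own.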

2. Run a tabletop exercise this week specifically for the scenario: someone calls your front desk claiming to be from IT.

The Silent Ransom Group’s physical intrusion technique works because most organizations have never tested what their staff actually does when someone calls claiming to be IT support, or when a person shows up at reception with a plausible story and asks to be walked to a workstation. The FBI FLASH alert is explicit: SRG operatives are doing this right now at law firms, and healthcare and financial organizations are named secondary targets. The tabletop does not need to be elaborate. Walk through three scenarios with your front desk and administrative staff: a phone call asking an employee to install remote access software, a visitor claiming to be a vendor IT technician, and an email with a callback number. Identify at what point in each scenario your staff would stop and verify, and whether the verification path they would use actually works. Most organizations will discover the verification path is “call the IT helpdesk number” — which is exactly the number SRG spoofs.

3. Review your EDR behavioral rules for DLL sideloading patterns, specifically from vendor-signed binaries.

MuddyWater’s use of SentinelOne’s own sentinelmemoryscanner.exe as a DLL sideloading host is a direct challenge to detection logic that trusts binaries based on their signature. Most EDR platforms have tuning options that reduce alert verbosity on their own binaries and other security vendor executables — reasonable in isolation, exploitable in practice. Pull the configuration for your EDR’s trusted binary exceptions and verify whether any rules suppress behavioral alerts for DLL loading events originating from security tool executables. Then check whether your detection rules would alert on an unexpected DLL being loaded alongside fmapp.exe or sentinelmemoryscanner.exe in a process context where those binaries should not be running. If your answer is “I don’t know,” your threat hunting team should check for those sideloading patterns in your environment now, not after attribution confirms you were a target.
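The sideloading check described above, as an added example that is not part of the Symantec research or any EDR product: it runs over Sysmon Event ID 7 (ImageLoad) records and flags a watched vendor binary that is running outside its install root or loading an unsigned DLL from its own directory. The watched host names come from this report; the expected install roots and the sample events are constructed assumptions.

```python
import ntpath  # handles Windows paths regardless of the analysis host OS

# Vendor-signed binaries named in this report as sideloading hosts; extend from your EDR inventory.
WATCHED_HOSTS = {"sentinelmemoryscanner.exe", "fmapp.exe"}
# Assumption: where a vendor binary is allowed to run from. Take this from your install baseline.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon Event ID 7 records, trimmed to the fields the rule uses.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelMemoryScanner.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\Libraries\SentinelMemoryScanner.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll", "Signed": "false",
     "Signature": "-"},
    {"Image": r"C:\Program Files\Acme\fmapp.exe",
     "ImageLoaded": r"C:\Program Files\Acme\helper.dll", "Signed": "true",
     "Signature": "Acme Security Inc."},
    {"Image": r"C:\Users\j.doe\AppData\Local\Temp\fmapp.exe",
     "ImageLoaded": r"C:\Users\j.doe\AppData\Local\Temp\helper.dll", "Signed": "true",
     "Signature": "Acme Security Inc."},
]


def evaluate(event):
    """Return a list of reasons this ImageLoad is suspicious, or None if it is not."""
    image, dll = event["Image"], event["ImageLoaded"]
    if ntpath.basename(image).lower() not in WATCHED_HOSTS:
        return None
    image_dir = ntpath.dirname(image).lower()
    reasons = []
    # A vendor binary copied somewhere writable is the classic sideloading setup.
    if not (image_dir + "\\").startswith(EXPECTED_ROOTS):
        reasons.append("host_outside_install_root")
    # The signature on the host EXE says nothing about the DLL it just loaded from its own folder.
    same_dir = ntpath.dirname(dll).lower() == image_dir
    if same_dir and event.get("Signed", "false").lower() != "true":
        reasons.append("unsigned_dll_beside_host")
    return reasons or None


def scan(events):
    """Run evaluate() over a batch and return the findings with their source paths."""
    return [{"image": e["Image"], "dll": e["ImageLoaded"], "reasons": r}
            for e in events if (r := evaluate(e))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The fourth sample shows why the rule keeps the location check separate from the signature check: a signed DLL beside a vendor binary running from a temp directory still deserves a look.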

4. Verify your vishing response procedure covers Salesforce and cloud data exports, not just endpoint actions.

The standard phishing and vishing training most organizations run focuses on: do not click links, do not install software, do not give your password. The ShinyHunters playbook skips all of that. The attacker wants the employee to log into a system they are already authorized to use and export data they are already permitted to access. Your security awareness training likely does not cover the scenario “someone calls asking you to run a Salesforce report and email them the results” or “someone asks you to share a Salesforce list view externally.” It should. The authentication was not broken. The authorization was not exceeded. The social engineering convinced a legitimate user to perform a legitimate action that produced an illegitimate outcome. That gap lives in awareness training and in your data loss prevention rules, not in your firewall.
