ZeroFox Intelligence Flash Report - ShinyHunters' Campaign Against the Education Sector

Product Serial: F-2026-05-13a

TLP:CLEAR

In this Flash Report, ZeroFox researchers detail ShinyHunters' ongoing ransomware campaign against the education sector. This campaign has been been occurring since at least November 2024.

Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:

https://cloud.zerofox.com/intelligence/advisories/14956

Link to Download

View the full report here

Key Findings

ShinyHunters is very likely in the midst of an ongoing campaign of escalatory attacks. This campaign almost certainly includes intentional targeting of the education sector—most recently Canvas and Houghton Mifflin Harcourt.
The group’s targeting of the education sector is almost certainly due to the large amount of user, employee, and customer data housed by educational institutions and within learning management systems.
Data retrieved from the attack on Canvas is very likely to be used for further attacks against companies and institutions that use the learning management system for corporate and online training.
ShinyHunters is very likely employing escalatory tactics: using data stolen in one breach to attack the next organization in a ladder of escalation. Further attacks exploiting lax access token protocols—and empowered by sophisticated phishing attacks—will almost certainly occur in the coming weeks and months.