
Threat Actor Characterization

shinyenigma

ID: 9baaa36288fc31fde8aad3fce380f16a02666
Cybercrime Cybercriminal Malware Dev
Threat types: Malware
Unknown
Updated: 2026-04-10
Created: 2026-03-30
Progress: 86% Completeness: 84% Freshness: 90%
Operation zone:
Aliases: altshiny, shienigma, Sh******, Sh********* (masked aliases withheld in preview)
MITRE ATT&CK®

shinyenigma is an online handle associated with the promotion, sale, and likely maintenance of the Telegram-controlled Windows malware family Millenium RAT. Public evidence links the handle to GitHub repositories, a dedicated clearweb site, Telegram-based contact, and adjacent contact channels. The actor is best modeled as a malware-vendor persona rather than a conventional intrusion set.


Technique / Technique name / Tactics / Evidence

T1588.001 — Malware (TA0042)
  • 2026-03-30 — The actor-linked GitHub repository and clearweb product page publicly advertise Millenium RAT for acquisition and use, supporting capability obtainment and distribution.
  • 2026-03-30 — The actor-controlled site advertises pricing and a purchase contact for the malware family.

T1102.002 — Bidirectional Communication (TA0011)
  • 2023-11-03 — Public reporting states the malware uses Telegram for remote command execution and data transmission.
  • 2025-01-24 — CloudSEK reported Telegram-based command-and-control infrastructure in the linked alias ecosystem.

T1041 — Exfiltration Over C2 Channel (TA0010)
  • 2023-11-03 — Public reporting describes data exfiltration over the malware’s Telegram control channel.
  • 2025-01-24 — CloudSEK documented exfiltration of browser credentials via Telegram-linked workflows in the related alias ecosystem.

T1555 — Credentials from Password Stores (TA0006)
  • 2023-11-03 — CYFIRMA described browser data theft and credential harvesting functionality in Millenium RAT.
  • 2024-03-01 — BankInfoSecurity referenced Millennium-RAT as a Windows-targeting info stealer within the broader stolen-credential economy.

T1056.001 — Keylogging (TA0006, TA0009)
  • 2026-03-30 — The actor-controlled site explicitly advertises keylogger capability in the command set.
  • 2023-11-03 — Public analysis listed keystroke logging among the malware’s capabilities.

T1547.001 — Registry Run Keys / Startup Folder (TA0003, TA0004)
  • 2023-11-03 — Public analysis described autostart behavior to reconnect after reboot, consistent with registry or startup-folder persistence.
  • 2026-03-30 — The actor-controlled site advertises Auto-StartUp as a configurable feature.

T1497 — Virtualization/Sandbox Evasion (TA0005, TA0007)
  • 2023-11-03 — CYFIRMA documented virtual machine and sandbox detection logic in the malware.
  • 2026-03-30 — The actor-controlled site advertises Anti-VM and anti-debug features.

T1622 — Debugger Evasion (TA0005, TA0007)
  • 2023-11-03 — Public analysis described anti-debugging measures in Millenium RAT.
  • 2026-03-30 — The actor-controlled site advertises anti-debug as a feature.

T1059.001 — PowerShell (TA0002)
  • 2026-03-30 — The actor-controlled site advertises remote PowerShell/CMD command execution.
  • 2023-11-03 — Public analysis described remote command execution via Telegram platform integration.

T1005 — Data from Local System (TA0009)
  • 2026-03-30 — The product page advertises file and folder copy, delete, download, upload, and listing capabilities.
  • 2025-12-14 — Public sandbox analysis tagged the family as RAT and stealer with file-related behaviors. INFERENCE (confidence: medium): these functions support local data collection before exfiltration.
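The T1102.002 and T1041 rows above both rest on the same observable: a host talking to the Telegram Bot API. The following hunting helper is an added example, not part of this profile or of any vendor report it cites. It scans constructed proxy log lines for requests to api.telegram.org whose path has the real Bot API shape (/bot<token>/<method>), classifies the method as command polling or data upload, and flags requests that come from processes not on an allowlist. The log format, the process names and the method grouping are assumptions to be tuned per environment; the bot token in the sample is made up, and only its numeric prefix is retained in findings.

```python
"""Hunting helper: flag Telegram Bot API use by unexpected host processes.

Added example for the T1102.002 / T1041 evidence rows; not the profile's
own tooling. Log format, process allowlist and method grouping are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Real Bot API endpoint shape: https://api.telegram.org/bot<token>/<method>
BOT_API_HOST = "api.telegram.org"
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")

# Grouping of real Bot API methods by what they imply on an endpoint (assumption: ours).
C2_POLL_METHODS = {"getUpdates"}                    # implant waiting for operator commands
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}  # data leaving the host

# Processes that may legitimately reach api.telegram.org (assumption; tune per environment).
ALLOWED_PROCESSES = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed proxy log (fields: timestamp host process dst_host path). Token is fake.
SAMPLE_LOG = """\
2026-03-30T10:00:01Z WS-0142 chrome.exe api.telegram.org /bot123456:AAExampleTokenXyz/getMe
2026-03-30T10:00:05Z WS-0142 svchost.exe api.telegram.org /bot123456:AAExampleTokenXyz/getUpdates?offset=42
2026-03-30T10:00:09Z WS-0142 svchost.exe api.telegram.org /bot123456:AAExampleTokenXyz/sendDocument
2026-03-30T10:01:00Z WS-0200 telegram.exe api.telegram.org /
2026-03-30T10:02:00Z WS-0300 update.exe example.org /check
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dst>\S+) (?P<path>\S+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    process: str
    method: str
    category: str
    bot_id: str  # numeric bot id only; the secret half of the token is never stored


def classify(method: str) -> str:
    """Map a Bot API method to the behaviour it most likely represents."""
    if method in C2_POLL_METHODS:
        return "c2-polling"
    if method in EXFIL_METHODS:
        return "exfiltration"
    return "bot-api-other"


def hunt(log_text: str) -> List[Finding]:
    """Return one Finding per Bot API request made by a non-allowlisted process."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["dst"] != BOT_API_HOST:
            continue
        pm = BOT_PATH_RE.match(m["path"])
        if pm is None:
            continue  # official client / web traffic, not the Bot API
        if m["proc"].lower() in ALLOWED_PROCESSES:
            continue
        bot_id = pm["token"].split(":", 1)[0]
        findings.append(Finding(m["ts"], m["host"], m["proc"], pm["method"],
                                classify(pm["method"]), bot_id))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Collapse findings to host -> set of behaviour categories, for triage."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.category)
    return out


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.process} {f.method} -> {f.category} (bot id {f.bot_id})")
    print(summarize(hunt(SAMPLE_LOG)))
```

A host that shows both c2-polling and exfiltration from the same non-browser process is the pattern the evidence rows describe; a single getMe from a browser is more likely a developer testing a bot. Where the proxy only records TLS SNI and not the path, the process allowlist still applies but the method classification does not, so the finding degrades to "non-client process reached api.telegram.org".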
Strategic Intelligence
Last updated: 2026-03-30T04:06:03+00:00
shinyenigma — malware vendor / operator handle linked to Millenium RAT

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Cybercrime / Malware development and distribution - Origin: Unknown

Author: iQBlack CTI Team


Executive Summary

shinyenigma is an online handle assessed to be closely associated with the development, promotion, sales, and support ecosystem of Millenium RAT, a Telegram-controlled Windows remote access trojan and stealer. Publicly available evidence ties the handle to GitHub repositories, a dedicated clearweb marketing site, Telegram-based contact and sales workflows, and ancillary contact points on Matrix/Element and Signal. Confidence is medium for the handle-to-malware linkage and low for any real-world identity or geography attribution.


Unlike a conventional intrusion set with well-documented victim campaigns, shinyenigma is better modeled as a persona/operator-vendor node inside a malware commercialization ecosystem. The actor’s visible footprint emphasizes builder distribution, feature marketing, versioning, support channels, and low-friction access for buyers rather than publicized extortion operations or mature intrusion reporting. This makes the actor operationally relevant even when direct victim reporting is comparatively thin.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — shinyenigma

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE
Hunting Playbook

Hunting Playbook — shinyenigma / Millenium RAT ecosystem
IOC Appendix
Last updated: 2026-03-30T04:10:01+00:00

IOC Appendix — shinyenigma

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE
OSINT Library
Last saved: 2026-03-30T04:10:22+00:00

OSINT Library — shinyenigma

2023-11-03 — CYFIRMA — “Unveiling a New Threat The Millenium RAT”
Social Media & Communication
SOCMINT integrated: 0/6

Address / Verification / SOCMINT
t.me/shi******** — Restricted — Not integrated
shi******************* — Restricted — Not integrated
sig******************** — Restricted — Not integrated
github.com/shi****** — Restricted — Not integrated
github.com/Shi***************** — Restricted — Not integrated
github.com/alt***** — Restricted — Not integrated

Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence

1 image: VBS binder