SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
Helix data extortion group linked to BlackFile, ShinyHunters

Helix data extortion group linked to BlackFile, ShinyHunters

Thu, 9th Jul 2026 (Today)
Sean Mitchell
SEAN MITCHELL Publisher

ReliaQuest has identified a previously unreported data extortion group known as Helix as part of a wider campaign against multiple targets.

Researchers said the group uses voice phishing, device code phishing and automated SharePoint data theft in a pattern seen across several incidents. The attacks relied on shared infrastructure, including a phishing domain with target-specific subdomains, pointing to an organised operation rather than isolated intrusions.

The findings place Helix in a crowded, fast-changing data extortion landscape where group names shift quickly but techniques remain consistent. ReliaQuest said overlaps in infrastructure, tradecraft and timing linked Helix to the BlackFile and ShinyHunters ecosystem, though it stopped short of full attribution.

The campaign appears to focus on identity systems rather than malware. In the cases examined, operators gained access by persuading staff to enter a device code, allowing attackers to capture a valid session token without directly asking for a password.

In at least one case, the caller allegedly spoofed a target employee's manager on caller ID and used knowledge of the company's reporting structure to make the approach credible. Targets tended to be high-visibility employees, including executives, whose accounts could provide broader access to company systems and stored information.

Once inside, the intruders typically registered a new MFA Authenticator app on the compromised account within minutes, according to the report. That gave them persistence through what appeared to be a legitimate user action, leaving few obvious traces beyond the new MFA registration itself.

Post-access behaviour was consistent across incidents even when the initial contact varied, ReliaQuest said. The sequence usually moved from manual discovery to automated collection, with operators first browsing content and later using scripted tools to enumerate and download SharePoint material in bulk.

One incident moved from access to mass exfiltration in less than an hour. Another unfolded over one to two days, while a third lasted more than a week and included email access from rotating residential IP addresses as well as data theft from Box before a later move to SharePoint.

Shared signs

A central part of the analysis was the reuse of infrastructure. ReliaQuest said Helix used the domain oskeysync[.]com for phishing, with subdomains tailored to each target organisation. The domain was registered through NICENIC, a registrar that has appeared in earlier campaigns tied to BlackFile, ShinyHunters and the wider Scattered Spider or The Com network.

ReliaQuest also pointed to hosting links. The IP address used for exfiltration, 179.43.185[.]230, sat on the same autonomous system and only four addresses away from an IP tied to a confirmed BlackFile operation, 179.43.185[.]226.

That proximity does not prove the same operators were involved, but it adds to the picture of a fragmented ecosystem in which personnel, methods and supporting infrastructure overlap. ReliaQuest said BlackFile's shutdown had already led to successor brands including Pink and Redact, and Helix may be another offshoot or a closely aligned actor using the same playbook.

Defenders should pay less attention to the branding of specific groups and more to recurring methods, ReliaQuest argued. The speed of fragmentation in the data extortion market means new names are appearing faster than many organisations can map them.

Identity route

The attacks also highlight a wider shift in extortion cases toward identity-based intrusion. Instead of deploying malware or creating obvious backdoors, the operators used valid sessions, legitimate MFA registration and normal cloud services to stay under the radar.

ReliaQuest said the residential proxies used for sign-ins were geo-matched to the target's city, reducing the chance of triggering impossible-travel alerts. In one case, more than 15 residential IP addresses were rotated against a single mailbox during the dwell period, blending the activity into ordinary login noise generated by VPNs and mobile networks.

Automated SharePoint collection then served as the clearest technical fingerprint. Researchers said enumeration came from 179.43.185[.]230 using the python-requests/2.28.1 user-agent and involved SharePoint searches designed to map all reachable content before downloading files in bulk.

Notably, that hosted IP was used only for exfiltration, not for initial access. The pattern suggests a deliberate separation between the sign-in stage, which used residential infrastructure to resemble a normal user, and the collection stage, which relied on a fixed system for scripted data theft.

Defensive steps

ReliaQuest said the single most effective defensive measure was to disable device code authentication, which it described as the confirmed entry method in the Helix intrusions. Where that is not possible, organisations should restrict the feature to a narrow group of managed devices and watch for unusual device code requests.

ReliaQuest also urged businesses to limit access to sensitive software-as-a-service applications such as SharePoint and Exchange to managed endpoints only. That would have blocked the use of unmanaged devices seen in the incidents reviewed, even after a session had been compromised.

Another recommendation was to block newly registered domains at the proxy or DNS layer. The phishing infrastructure tied to Helix was recently registered, and domain age filtering can catch the short-lived infrastructure often used in data extortion campaigns.

Standard response steps such as password resets, session revocation and account disabling generally worked when applied quickly enough, ReliaQuest said. In one case, however, the operator tested containment within 30 to 40 minutes of an account being disabled by attempting to re-register MFA and reset the password.

"The links between Helix and the established BlackFile and ShinyHunters ecosystems stop short of confirmed attribution. But the overlap in infrastructure, tradecraft, and timing is substantial enough that organizations already tracking those groups should treat Helix as an extension of the same data extortion campaigns they're defending against," ReliaQuest said.