Weeks after claiming it had shut down operations, the ShadowByt3$ threat group has resurfaced with a new alleged victim, claiming it breached Abbott through the company’s LabCentral portal and stole approximately 690 MB of internal technical documentation.
The post marks the group’s first publicly observed activity since announcing its retirement in June. At the time, ShadowByt3$ claimed it was ending operations permanently and warned that any future use of its name would not be associated with the original operators. BreachNews covered that announcement here.
LabCentral access claimed
According to the forum post, the threat actor claims access was obtained through Abbott’s LabCentral technical library using a compromised account belonging to one of the company’s partners. The actor alleges approximately 690 MB of documentation was exfiltrated and says Abbott has 48 hours to make contact before the material is released.
The post is accompanied by screenshots appearing to show Abbott’s LabCentral technical library as well as a file tree listing the alleged contents of the archive. While the screenshots are consistent with the actor’s claims, they do not independently verify that unauthorized access or data theft occurred.
The screenshots below allegedly show access to Abbott’s LabCentral technical library.
Technical documentation allegedly stolen
Unlike many recent extortion claims involving customer databases, the alleged compromise appears to focus on proprietary technical documentation supporting Abbott’s laboratory diagnostics platforms.
According to the threat actor, the archive includes regulatory documentation, manufacturing certificates, operation manuals, assay packages, calibration files, software documentation, product requirement archives, and other technical materials associated with Abbott’s Alinity, ARCHITECT, and AlinIQ product lines.
The supplied file tree appears consistent with those categories, listing hundreds of PDFs, ISO images, ZIP archives, calibration packages, and assay-specific documentation spanning multiple laboratory systems.
The actor also claims to possess a file containing credentials associated with the alleged compromise, although BreachNews has not verified that claim or the contents of the purported file.
Group resumes previous tactics
The post also advertises insider recruitment, offering to split proceeds with employees willing to provide corporate access. ShadowByt3$ repeatedly promoted similar recruitment offers throughout its previous extortion campaign before announcing its retirement.
The group’s sudden return raises questions about whether the earlier retirement announcement represented a genuine shutdown or simply a temporary pause in operations. Retirement announcements from cybercriminal groups frequently precede rebranding efforts or the resumption of activity under the same or a different identity.
Awaiting response
BreachNews contacted Abbott for comment regarding the alleged compromise and the authenticity of the materials described in the post.
Abbott had not issued any public statement regarding the alleged incident at the time of publication.











