The ShinyHunters cybercriminal group has emerged from a year-long hiatus with a sophisticated new wave of attacks targeting Salesforce platforms across major organizations, including high-profile victims such as Google.
This resurgence marks a significant tactical evolution for the financially motivated threat actors, who have historically focused on database exploitation and credential theft rather than the elaborate social engineering schemes now being employed.
What makes this campaign particularly alarming is its striking resemblance to operations typically attributed to the Scattered Spider hacking collective.
The convergence of tactics suggests a possible collaboration between these two threat groups, raising concerns about an escalating landscape of coordinated cybercriminal activity.
The attacks have specifically targeted organizations across the retail, aviation, and insurance sectors, with victims spanning luxury brands and technology service providers.
ShinyHunters first gained notoriety by offering 91 million Tokopedia user records for sale on “Empire Market” in 2020 (Source – ReliaQuest)
ReliaQuest analysts identified compelling evidence supporting this collaboration theory through comprehensive domain analysis and infrastructure investigation.
The research revealed coordinated ticket-themed phishing domains and Salesforce credential-harvesting pages, indicating a systematic approach to victim targeting.
Most notably, investigators discovered the emergence of a BreachForums user with the alias “Sp1d3rhunters” (a combination of both group names) who was linked to earlier ShinyHunters breaches and appeared to leak Ticketmaster data in July 2024.
The technical sophistication of these attacks represents a significant departure from ShinyHunters’ historical methods.
The group has adopted Scattered Spider’s signature techniques, including highly targeted vishing campaigns in which attackers impersonate IT support staff to manipulate victims into authorizing malicious “connected apps.”
These applications masquerade as legitimate Salesforce tools while enabling large-scale data exfiltration.
Advanced Infrastructure and Evasion Techniques
The campaign’s infrastructure reveals meticulous planning and advanced evasion capabilities.
Investigators uncovered multiple malicious domains registered between June 20 and 30, 2025, following consistent naming patterns such as ticket-lvmh.com, ticket-dior.com, and ticket-louisvuitton.com.
These domains shared common registration characteristics, including registration through GMO Internet using temporary email addresses such as [email protected], and Cloudflare-masked nameservers for added obfuscation.
Okta phishing page hosted at ticket-dior[.]com in June 2025 (Source – ReliaQuest)
The attackers deployed sophisticated phishing kits hosting single sign-on (SSO) login pages, with domains such as dashboard-salesforce.com actively serving Okta-branded credential-harvesting interfaces.
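The two naming patterns described above (ticket-<brand>.<tld> lookalikes and a keyword glued to an SSO vendor name, as in dashboard-salesforce.com) are easy to hunt for in web proxy or DNS logs. The following is an added example written for this page, not ReliaQuest’s or the article’s code: the brand list, allow-list, and proxy log lines are constructed assumptions that a defender would replace with their own estate’s data.

```python
"""Hunt for ticket-themed and SSO-vendor lookalike domains in proxy logs.

Added example for this article. All data below is constructed; the brand and
vendor lists are assumptions to be tuned for your own organization.
"""
import re
from urllib.parse import urlsplit

# Brands the article names as impersonated via ticket-themed domains, and the
# SSO/SaaS vendors whose login pages were cloned (assumed hunting lists).
BRANDS = {"lvmh", "dior", "louisvuitton"}
SSO_VENDORS = {"salesforce", "okta"}

# Legitimate registrable domains that must never be flagged (assumed allow-list).
ALLOWLIST = {"salesforce.com", "okta.com", "dior.com", "lvmh.com", "louisvuitton.com"}

# Pattern 1: "ticket-<brand>.<tld>" (also accepts "ticket.<brand>"), any subdomain depth.
TICKET_RE = re.compile(r"^(?:[\w-]+\.)*ticket[-.]([a-z0-9]+)\.[a-z]{2,}$")

# Constructed proxy log lines: <timestamp> <client_ip> <method> <url> <status>
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
LOG_LINES = [
    "2025-06-25T09:14:02Z 10.1.4.22 GET https://ticket-dior.com/login 200",
    "2025-06-25T09:15:11Z 10.1.4.22 POST https://dashboard-salesforce.com/oauth/authorize 302",
    "2025-06-25T09:16:40Z 10.1.4.23 GET https://login.salesforce.com/ 200",
    "2025-06-25T09:17:03Z 10.1.4.24 GET https://www.ticketmaster.com/events 200",
    "2025-06-25T09:18:19Z 10.1.4.25 GET https://ticket-lvmh.com/sso 200",
]


def registrable(host: str) -> str:
    """Return the registrable domain. Simplification: the last two labels; a
    production version would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str):
    """Return a reason string if the host matches a campaign naming pattern,
    otherwise None. Allow-listed registrable domains are never flagged."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in ALLOWLIST:
        return None
    m = TICKET_RE.match(host)
    if m:
        brand = m.group(1)
        if brand in BRANDS:
            return f"ticket-themed brand lookalike ({brand})"
        return "ticket-themed domain (unknown brand)"
    # Pattern 2: vendor name embedded in a registrable domain the vendor does not own.
    for vendor in SSO_VENDORS:
        if vendor in reg:
            return f"SSO-vendor lookalike ({vendor})"
    return None


def scan(lines):
    """Parse constructed proxy lines and return one finding per lookalike hit.
    A POST to a lookalike host is marked as a probable credential submission."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        ts, src_ip, method, url, status = m.groups()
        host = urlsplit(url).hostname or ""
        reason = classify(host)
        if reason:
            hits.append({
                "ts": ts,
                "src_ip": src_ip,
                "host": host,
                "reason": reason,
                "credential_post": method.upper() == "POST",
            })
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        flag = " [POSSIBLE CREDENTIAL SUBMISSION]" if hit["credential_post"] else ""
        print(f'{hit["ts"]} {hit["src_ip"]} -> {hit["host"]}: {hit["reason"]}{flag}')
```

The allow-list check on the registrable domain keeps legitimate hosts such as login.salesforce.com out of the results, and the ticket pattern requires a separator after “ticket”, so a genuine ticketing site like ticketmaster.com is not matched. A POST to a flagged host is the point at which a user has most likely typed credentials into the cloned Okta page, so those hits are the ones to triage first.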
Phishing page hosted at dashboard-salesforce[.]com (Source – ReliaQuest)
The malicious infrastructure relied on Mullvad VPN services to obscure the source of data exfiltration from compromised Salesforce instances.
Particularly concerning is the rebranding of the legitimate Salesforce “Data Loader” application as “My Ticket Portal” during vishing campaigns, demonstrating the group’s ability to weaponize familiar enterprise tools against unsuspecting employees.
This tactical evolution, combined with the synchronized targeting patterns observed across both ShinyHunters and Scattered Spider operations, suggests that financial services and technology providers should prepare for intensified attacks in the coming months.
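Because the abused tool is a connected app that the victim authorizes themselves, the durable signal is behavioral rather than a malware hash: a newly granted app with an unfamiliar display name, followed shortly by high-volume exports, often from a different network than the one the user authorized it from (the VPN-backed exfiltration described above). The following is an added example for this page, not ReliaQuest’s, Salesforce’s, or the article’s code. The event schema, approved-app list, thresholds, and all records are constructed assumptions; a real deployment would feed it from the org’s OAuth grant and API usage logs.

```python
"""Correlate connected-app grants with subsequent bulk exports.

Added example for this article. The event schema below is an assumption, not
a Salesforce log format; every record is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class OAuthGrant:
    """A user authorizing a connected app (assumed schema)."""
    ts: datetime
    user: str
    app_name: str
    src_ip: str


@dataclass(frozen=True)
class ApiExport:
    """A data-export API call attributed to a connected app (assumed schema)."""
    ts: datetime
    user: str
    app_name: str
    entity: str
    rows: int
    src_ip: str


# Assumed list of connected apps the org has reviewed and approved.
APPROVED_APPS = {"Salesforce Data Loader", "Salesforce for Outlook"}
ROW_THRESHOLD = 50_000          # assumed: exports above this within WINDOW are suspicious
WINDOW = timedelta(hours=24)    # assumed correlation window after the grant


def find_suspicious_grants(grants, exports):
    """Return (user, app_name, reasons) for every grant that trips at least one
    of three checks: unapproved app name, large export volume soon after the
    grant, or exports from an IP other than the one that authorized the app."""
    findings = []
    for g in grants:
        reasons = []
        if g.app_name not in APPROVED_APPS:
            reasons.append("connected app name not on the approved list")
        related = [
            e for e in exports
            if e.user == g.user and e.app_name == g.app_name
            and g.ts <= e.ts <= g.ts + WINDOW
        ]
        total_rows = sum(e.rows for e in related)
        if total_rows >= ROW_THRESHOLD:
            reasons.append(f"{total_rows} rows exported within {WINDOW} of the grant")
        foreign_ips = sorted({e.src_ip for e in related} - {g.src_ip})
        if foreign_ips:
            reasons.append(f"exports from IP(s) other than the authorizing one: {', '.join(foreign_ips)}")
        if reasons:
            findings.append((g.user, g.app_name, reasons))
    return findings


# Constructed sample data: alice uses the genuine Data Loader normally; bob was
# vished into authorizing a Data Loader instance renamed "My Ticket Portal",
# after which the token is used from a different address to pull large tables.
GRANTS = [
    OAuthGrant(datetime(2025, 6, 24, 10, 0), "alice", "Salesforce Data Loader", "203.0.113.10"),
    OAuthGrant(datetime(2025, 6, 24, 14, 5), "bob", "My Ticket Portal", "203.0.113.10"),
]
EXPORTS = [
    ApiExport(datetime(2025, 6, 24, 10, 30), "alice", "Salesforce Data Loader", "Account", 1_200, "203.0.113.10"),
    ApiExport(datetime(2025, 6, 24, 14, 20), "bob", "My Ticket Portal", "Contact", 80_000, "198.51.100.77"),
    ApiExport(datetime(2025, 6, 24, 14, 45), "bob", "My Ticket Portal", "Account", 30_000, "198.51.100.77"),
]


if __name__ == "__main__":
    for user, app, reasons in find_suspicious_grants(GRANTS, EXPORTS):
        print(f"{user} / {app}:")
        for r in reasons:
            print(f"  - {r}")
```

The three checks are deliberately independent: a renamed app trips the name check even before any export happens, so it can be caught while the token is still revocable, while the volume and IP checks catch an attacker who managed to reuse an approved app name. Keeping the export volume per grant rather than per user avoids hiding the malicious app behind a user’s legitimate daily Data Loader traffic.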