Cyber Web Spider Blog – News

Cybercrime Groups ShinyHunters, Scattered Spider Join Forces in Extortion Attacks on Businesses

Posted on August 12, 2025 by CWS

Aug 12, 2025 | Ravie Lakshmanan | Cybercrime / Financial Security
An ongoing data extortion campaign targeting Salesforce customers may soon turn its attention to financial services and technology service providers, as ShinyHunters and Scattered Spider appear to be working hand in hand, new findings show.
“This newest wave of ShinyHunters-attributed assaults reveals a dramatic shift in techniques, shifting past the group’s earlier credential theft and database exploitation,” ReliaQuest said in a report shared with The Hacker News.
These include the adoption of tactics that mirror those of Scattered Spider, such as highly targeted vishing (aka voice phishing) and social engineering attacks, leveraging apps that masquerade as legitimate tools, using Okta-themed phishing pages to trick victims into entering credentials during vishing, and VPN obfuscation for data exfiltration.

ShinyHunters, which first emerged in 2020, is a financially motivated threat group that has orchestrated a series of data breaches targeting major corporations and monetized them on cybercrime forums like RaidForums and BreachForums. Interestingly, the ShinyHunters persona has been a key participant in these platforms both as a contributor and administrator.
“The ShinyHunters persona partnered with Baphomet to relaunch the second occasion of BreachForums (v2) in June 2023 and later launched the June 2025 occasion (v4) alone,” Sophos noted in a recent report. “The interim model (v3) abruptly disappeared in April 2025, and the trigger is unclear.”
While the relaunch of the forum was short-lived and the bulletin board went offline around June 9, the threat actor has since been linked to attacks targeting Salesforce instances globally, a cluster of extortion-related activity that Google is tracking under the moniker UNC6240.
Coinciding with these developments was the arrest of four individuals suspected of running BreachForums, including ShinyHunters, by French law enforcement authorities. However, the threat actor told DataBreaches.net that “France rushed to make FALSE, INACCURATE arrests,” raising the possibility that an “affiliate” member may have been caught.

And that's not all. On August 8, a new Telegram channel conflating ShinyHunters, Scattered Spider, and LAPSUS$ called “scattered lapsu$ hunters” emerged, with the channel members also claiming to be developing a ransomware-as-a-service solution called ShinySp1d3r that they said will rival LockBit and DragonForce. Three days later, the channel disappeared.
Both Scattered Spider and LAPSUS$ have ties to a broader, nebulous collective dubbed The Com, a notorious network of experienced English-speaking cybercriminals that's known to engage in a wide range of malicious activities, including SIM swapping, extortion, and physical crime.
ReliaQuest said it has identified a coordinated set of ticket-themed phishing domains and Salesforce credential harvesting pages that are likely created for similar campaigns targeting Salesforce and aimed at high-profile companies across various industry verticals.

These domains, the company said, were registered using infrastructure typically associated with phishing kits commonly used to host single sign-on (SSO) login pages, a hallmark of Scattered Spider’s attacks impersonating Okta sign-in pages.
Furthermore, an analysis of over 700 domains registered in 2025 that matched Scattered Spider phishing patterns has revealed that domain registrations targeting financial companies have increased by 12% since July 2025, while targeting of technology firms has decreased by 5%, suggesting that banks, insurance companies, and financial services could be next in line.
Tactical overlaps aside, that the two groups may be collaborating is borne out by the fact that they have targeted the same sectors (i.e., retail, insurance, and aviation) around the same time.
“Supporting this concept is proof corresponding to the looks of a BreachForums’ consumer with the alias ‘Sp1d3rHunters,’ who was linked to a previous ShinyHunters breach, in addition to overlapping area registration patterns,” researchers Kimberley Bromley and Ivan Righi said, adding the account was created in May 2024.
“If these connections are reputable, they counsel that collaboration or overlap between ShinyHunters and Scattered Spider could have been ongoing for greater than a year. The synchronized timing and related focusing on of those earlier assaults strongly help the chance of coordinated efforts between the 2 teams.”

The Hacker News | Tags: Attacks, Businesses, Cybercrime, Extortion, Forces, Groups, Join, Scattered, ShinyHunters, Spider
