An ongoing information extortion marketing campaign focusing on Salesforce prospects could quickly flip its consideration to monetary providers and know-how service suppliers, as ShinyHunters and Scattered Spider look like working hand in hand, new findings present.
“This newest wave of ShinyHunters-attributed assaults reveals a dramatic shift in techniques, transferring past the group’s earlier credential theft and database exploitation,” ReliaQuest stated in a report shared with The Hacker Information.
These embody using adoption of techniques that mirror these of Scattered Spider, similar to highly-targeted vishing (aka voice phishing) and social engineering assaults, leveraging apps that masquerade as professional instruments, using Okta-themed phishing pages to trick victims into getting into credentials throughout vishing, and VPN obfuscation for information exfiltration.
ShinyHunters, which first emerged in 2020, is a financially motivated risk group that has orchestrated a collection of knowledge breaches focusing on main companies and monetizing them on cybercrime boards like RaidForums and BreachForums. Curiously, the ShinyHunters persona has been a key participant in these platforms each as a contributor and administrator.
“The ShinyHunters persona partnered with Baphomet to relaunch the second occasion of BreachForums (v2) in June 2023 and later launched the June 2025 occasion (v4) alone,” Sophos famous in a latest report. “The interim model (v3) abruptly disappeared in April 2025, and the trigger is unclear.”
Whereas the relaunch of the discussion board was short-lived and the bulletin board went offline round June 9, the risk actor has since been linked to assaults focusing on Salesforce cases globally, a cluster of extortion-related exercise that Google is monitoring beneath the moniker UNC6240.
Coinciding with these developments was the arrest of 4 people suspected of operating BreachForums, together with ShinyHunters, by French regulation enforcement authorities. Nonetheless, the risk actor advised DataBreaches.Web that “France rushed to make FALSE, INACCURATE arrests,” elevating the chance that an “affiliate” member could have been caught.
And that is not all. On August 8, a brand new Telegram channel conflating ShinyHunters, Scattered Spider, and LAPSUS$ referred to as “scattered lapsu$ hunters” emerged, with the channel members additionally claiming to be growing a ransomware-as-a-service resolution referred to as ShinySp1d3r that they stated will rival LockBit and DragonForce. Three days later, the channel disappeared.
Each Scattered Spider and LAPSUS$ have ties to a broader, nebulous collective dubbed The Com, a infamous community of skilled English-speaking cybercriminals that is identified to interact in a variety of malicious actions, together with SIM swapping, extortion, and bodily crime.
ReliaQuest stated it has recognized a coordinated set of ticket-themed phishing domains and Salesforce credential harvesting pages which can be possible created for comparable campaigns focusing on Salesforce which can be geared toward high-profile corporations throughout numerous trade verticals.
These domains, the corporate stated, had been registered utilizing infrastructure sometimes related to phishing kits generally used to host single sign-on (SSO) login pages — an indicator of Scattered Spider’s assaults impersonating Okta sign-in pages.
Moreover, an evaluation of over 700 domains registered in 2025 that matched Scattered Spider phishing patterns has revealed that area registrations focusing on monetary corporations have elevated by 12% since July 2025, whereas focusing on of know-how companies has decreased by 5%, suggesting that banks, insurance coverage corporations and monetary providers could possibly be subsequent in line.
The tactical overlaps apart, that the 2 teams could also be collaborating is borne out by the truth that they’ve focused the identical sectors (i.e., retail, insurance coverage, and aviation) across the identical time.
“Supporting this idea is proof similar to the looks of a BreachForums’ person with the alias ‘Sp1d3rHunters,’ who was linked to a previous ShinyHunters breach, in addition to overlapping area registration patterns,” researchers Kimberley Bromley and Ivan Righi stated, including the account was created in Might 2024.
“If these connections are professional, they counsel that collaboration or overlap between ShinyHunters and Scattered Spider could have been ongoing for greater than a yr. The synchronized timing and comparable focusing on of those earlier assaults strongly assist the chance of coordinated efforts between the 2 teams.”
