Cybercrime Groups ShinyHunters, Scattered Spider Join Forces in Extortion Attacks on Companies

An ongoing data extortion campaign targeting Salesforce customers may soon turn its attention to financial services and technology service providers, as ShinyHunters and Scattered Spider appear to be working hand in hand, new findings show.

“This latest wave of ShinyHunters-attributed attacks reveals a dramatic shift in techniques, shifting past the group’s earlier credential theft and database exploitation,” ReliaQuest said in a report shared with The Hacker News.

These include the adoption of techniques that mirror those of Scattered Spider, such as highly targeted vishing (aka voice phishing) and social engineering attacks, leveraging apps that masquerade as legitimate tools, using Okta-themed phishing pages to trick victims into entering credentials during vishing, and VPN obfuscation for data exfiltration.

ShinyHunters, which first emerged in 2020, is a financially motivated threat group that has orchestrated a series of data breaches targeting major companies and monetizing them on cybercrime forums like RaidForums and BreachForums. Interestingly, the ShinyHunters persona has been a key participant in these platforms both as a contributor and administrator.

“The ShinyHunters persona partnered with Baphomet to relaunch the second instance of BreachForums (v2) in June 2023 and later launched the June 2025 instance (v4) alone,” Sophos noted in a recent report. “The interim version (v3) abruptly disappeared in April 2025, and the cause is unclear.”

While the relaunch of the forum was short-lived and the bulletin board went offline around June 9, the threat actor has since been linked to attacks targeting Salesforce instances globally, a cluster of extortion-related activity that Google is tracking under the moniker UNC6240.

Coinciding with these developments was the arrest of four individuals suspected of running BreachForums, including ShinyHunters, by French law enforcement authorities. However, the threat actor told DataBreaches.Net that “France rushed to make FALSE, INACCURATE arrests,” raising the possibility that an “affiliate” member may have been caught.

And that's not all. On August 8, a new Telegram channel conflating ShinyHunters, Scattered Spider, and LAPSUS$ called “scattered lapsu$ hunters” emerged, with the channel members also claiming to be developing a ransomware-as-a-service solution called ShinySp1d3r that they said will rival LockBit and DragonForce. Three days later, the channel disappeared.

Both Scattered Spider and LAPSUS$ have ties to a broader, nebulous collective dubbed The Com, a notorious network of skilled English-speaking cybercriminals that's known to engage in a wide range of malicious activities, including SIM swapping, extortion, and physical crime.

ReliaQuest said it has identified a coordinated set of ticket-themed phishing domains and Salesforce credential harvesting pages that are likely created for similar campaigns targeting Salesforce that are aimed at high-profile companies across various industry verticals.

These domains, the company said, were registered using infrastructure typically associated with phishing kits commonly used to host single sign-on (SSO) login pages, a hallmark of Scattered Spider’s attacks impersonating Okta sign-in pages.

Moreover, an analysis of over 700 domains registered in 2025 that matched Scattered Spider phishing patterns has revealed that domain registrations targeting financial companies have increased by 12% since July 2025, while targeting of technology firms has decreased by 5%, suggesting that banks, insurance companies and financial services could be next in line.

The tactical overlaps aside, that the two groups may be collaborating is borne out by the fact that they’ve targeted the same sectors (i.e., retail, insurance, and aviation) around the same time.

“Supporting this theory is evidence such as the appearance of a BreachForums user with the alias ‘Sp1d3rHunters,’ who was linked to a past ShinyHunters breach, as well as overlapping domain registration patterns,” researchers Kimberley Bromley and Ivan Righi said, adding the account was created in May 2024.

“If these connections are legitimate, they suggest that collaboration or overlap between ShinyHunters and Scattered Spider may have been ongoing for more than a year. The synchronized timing and similar targeting of these earlier attacks strongly support the likelihood of coordinated efforts between the two groups.”
