An ongoing knowledge extortion marketing campaign focusing on Salesforce clients might quickly flip its consideration to monetary companies and know-how service suppliers, as ShinyHunters and Scattered Spider seem like working hand in hand, new findings present.
“This newest wave of ShinyHunters-attributed assaults reveals a dramatic shift in ways, shifting past the group’s earlier credential theft and database exploitation,” ReliaQuest stated in a report shared with The Hacker Information.
These embody the usage of adoption of ways that mirror these of Scattered Spider, resembling highly-targeted vishing (aka voice phishing) and social engineering assaults, leveraging apps that masquerade as respectable instruments, using Okta-themed phishing pages to trick victims into coming into credentials throughout vishing, and VPN obfuscation for knowledge exfiltration.
ShinyHunters, which first emerged in 2020, is a financially motivated menace group that has orchestrated a sequence of knowledge breaches focusing on main firms and monetizing them on cybercrime boards like RaidForums and BreachForums. Apparently, the ShinyHunters persona has been a key participant in these platforms each as a contributor and administrator.
“The ShinyHunters persona partnered with Baphomet to relaunch the second occasion of BreachForums (v2) in June 2023 and later launched the June 2025 occasion (v4) alone,” Sophos famous in a current report. “The interim model (v3) abruptly disappeared in April 2025, and the trigger is unclear.”
Whereas the relaunch of the discussion board was short-lived and the bulletin board went offline round June 9, the menace actor has since been linked to assaults focusing on Salesforce situations globally, a cluster of extortion-related exercise that Google is monitoring beneath the moniker UNC6240.
Coinciding with these developments was the arrest of 4 people suspected of working BreachForums, together with ShinyHunters, by French legislation enforcement authorities. Nonetheless, the menace actor instructed DataBreaches.Web that “France rushed to make FALSE, INACCURATE arrests,” elevating the likelihood that an “affiliate” member might have been caught.
And that is not all. On August 8, a brand new Telegram channel conflating ShinyHunters, Scattered Spider, and LAPSUS$ referred to as “scattered lapsu$ hunters” emerged, with the channel members additionally claiming to be creating a ransomware-as-a-service resolution referred to as ShinySp1d3r that they stated will rival LockBit and DragonForce. Three days later, the channel disappeared.
Each Scattered Spider and LAPSUS$ have ties to a broader, nebulous collective dubbed The Com, a infamous community of skilled English-speaking cybercriminals that is recognized to interact in a variety of malicious actions, together with SIM swapping, extortion, and bodily crime.
ReliaQuest stated it has recognized a coordinated set of ticket-themed phishing domains and Salesforce credential harvesting pages which can be seemingly created for related campaigns focusing on Salesforce which can be aimed toward high-profile corporations throughout varied business verticals.
These domains, the corporate stated, had been registered utilizing infrastructure sometimes related to phishing kits generally used to host single sign-on (SSO) login pages — an indicator of Scattered Spider’s assaults impersonating Okta sign-in pages.
Moreover, an evaluation of over 700 domains registered in 2025 that matched Scattered Spider phishing patterns has revealed that area registrations focusing on monetary corporations have elevated by 12% since July 2025, whereas focusing on of know-how companies has decreased by 5%, suggesting that banks, insurance coverage corporations and monetary companies might be subsequent in line.
The tactical overlaps apart, that the 2 teams could also be collaborating is borne out by the truth that they’ve focused the identical sectors (i.e., retail, insurance coverage, and aviation) across the similar time.
“Supporting this concept is proof resembling the looks of a BreachForums’ person with the alias ‘Sp1d3rHunters,’ who was linked to a previous ShinyHunters breach, in addition to overlapping area registration patterns,” researchers Kimberley Bromley and Ivan Righi stated, including the account was created in Might 2024.
“If these connections are respectable, they counsel that collaboration or overlap between ShinyHunters and Scattered Spider might have been ongoing for greater than a yr. The synchronized timing and related focusing on of those earlier assaults strongly assist the probability of coordinated efforts between the 2 teams.”
