ShinyHunters & Scattered Spider escalate attacks on Salesforce
Security firm ReliaQuest has reported a resurgence in activity from the cybercriminal group ShinyHunters, which has launched attacks against Salesforce and targeted major organisations including Google.
ReliaQuest's recent assessment has analysed domain registration patterns and infrastructure related to ShinyHunters, suggesting a potential collaborative relationship with the threat group Scattered Spider that may have started as early as July 2024.
High-profile campaigns
ShinyHunters has re-emerged following a year of relative inactivity, during which most operations had subsided after the arrest of several alleged members. The group, previously known for high-profile data breaches and credential theft campaigns, is now targeting high-profile companies across various sectors, including technology, finance, and retail. Their primary method of monetisation remains the sale of stolen data on underground forums.
The recent campaign is marked by the use of phishing domains and Salesforce credential harvesting pages, which indicate a refined approach compared to previous efforts. Reported evidence includes the emergence of a BreachForums user under the alias "Sp1d3rhunters" linked to both ShinyHunters and historical breaches, as well as overlapping characteristics in domain registrations.
Potential collaboration
ReliaQuest's analysis highlights significant similarities between ShinyHunters' recent tactics and those attributed to Scattered Spider. These include coordinated domain registrations themed around phishing campaigns, particularly relating to ticketing and Salesforce, and employing vishing and credential harvesting attacks mimicking IT support staff. These developments have prompted speculation about collaboration or sharing of resources and infrastructure between the two groups.
"This latest wave of ShinyHunters-attributed attacks reveals a dramatic shift in tactics, moving beyond the group's previous credential theft and database exploitation. These campaigns have included hallmark Scattered Spider techniques: Highly targeted vishing campaigns, impersonating IT support staff to trick employees into authorising access to malicious 'connected apps'; Apps that often masquerade as legitimate tools (in this case, Salesforce), allowing attackers to steal sensitive business data; Okta-themed phishing pages to trick victims into entering credentials during vishing calls; VPN obfuscation using Mullvad VPN to perform data exfiltration (here, on victims' Salesforce instances). These tactics align closely with Scattered Spider's trademark methods and those of the broader collective, The Com, fuelling speculation about active collaboration between the groups."
The assessment further points out circumstantial evidence of an alliance, such as the overlapping presence of both groups in similar attack sectors and timeframes, and online cybercriminal forum activity that combines their names and tactics.
Additional support for the collaboration theory comes from reports by DataBreaches, which described a Telegram threat actor under the alias "Sp1d3rhunters," claiming that the groups "are the same" and "have always been the same." The same alias surfaced on BreachForums in May 2024, shortly before data from a significant breach was leaked, previously attributed to ShinyHunters.
Targeted sectors and methods
The investigation identified a series of phishing domains registered between June and July 2025, designed to impersonate well-known brands. Examples include domains such as ticket-lvmh[.]com, ticket-dior[.]com, and ticket-louisvuitton[.]com, which were registered just before reported breaches in the luxury sector.
ReliaQuest highlighted that the format and registration details of these domains closely matched those used in Scattered Spider campaigns, including the use of keywords like "okta," "helpdesk," and "sso" with specific formatting conventions and privacy services masking registrant identity. Many of these domains led to Okta-branded phishing pages or were associated with vishing campaigns leveraging fake Salesforce applications to facilitate data exfiltration.
Further investigation revealed more than 700 domains registered in 2025 matching these phishing patterns, with a notable shift since July 2025 away from professional and technical service organisations: domains aimed at financial services rose by 12%, while those targeting technology firms fell by 5%.
The report also notes that the United States remains the most targeted country by substance and volume of impersonating domains, despite recent campaigns against UK-based organisations. In Q2 2025, ReliaQuest observed that 67% of all organisations named on ransomware leak sites were US companies, a trend mirrored in domain impersonation activity.
Recommendations for defence
ReliaQuest recommends organisations focus on mitigating tactics, techniques and procedures (TTPs) rather than attribution to specific groups. It suggests prioritising defences against phishing, vishing, and credential harvesting, while monitoring for newly registered domains that imitate company or SaaS provider branding.
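The monitoring step above, and the domain naming pattern described earlier (a brand name combined with "ticket", "okta", "helpdesk" or "sso" themed keywords), can be turned into a simple triage heuristic. The following is an added example, not ReliaQuest's code or tooling: it refangs entries from a newly-registered-domain feed, tokenises the registrable part of each name, and flags only those that combine a watched brand with a helpdesk/SSO themed keyword. The brand list, the keyword list and the sample feed are constructed for illustration, and the public-suffix handling is deliberately naive (a production version would use a proper public suffix list).

```python
"""Heuristic screen for newly registered lookalike domains (added example)."""
import re
from dataclasses import dataclass, field

# Keywords the report describes as recurring in the phishing domains,
# plus a few related ones; this set is a constructed assumption.
THEME_KEYWORDS = {"ticket", "okta", "helpdesk", "sso", "salesforce", "support", "login"}

# Brands an organisation would watch for; constructed sample list.
WATCHED_BRANDS = {"lvmh", "dior", "louisvuitton", "examplebank"}


@dataclass
class Verdict:
    domain: str
    brands: set = field(default_factory=set)
    keywords: set = field(default_factory=set)

    @property
    def hits(self) -> int:
        return len(self.brands) + len(self.keywords)

    @property
    def suspicious(self) -> bool:
        # Brand alone (dior-outlet) or keyword alone (ticketmaster) is noise;
        # the pattern in the report is the combination of both.
        return bool(self.brands) and bool(self.keywords)


def refang(domain: str) -> str:
    """Turn 'ticket-lvmh[.]com' into 'ticket-lvmh.com' and normalise case."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable_labels(domain: str) -> list[str]:
    """Drop the suffix (naively: the last label) and split the rest on '-' and '.'."""
    labels = domain.split(".")
    host = ".".join(labels[:-1]) if len(labels) > 1 else domain
    return [tok for tok in re.split(r"[-.]", host) if tok]


def score_domain(domain: str, brands=WATCHED_BRANDS, keywords=THEME_KEYWORDS) -> Verdict:
    """Record which watched brands and theme keywords appear in one domain."""
    clean = refang(domain)
    verdict = Verdict(domain=clean)
    for tok in registrable_labels(clean):
        # Keywords are matched exactly per token to avoid 'sso' firing on 'assoc'.
        if tok in keywords:
            verdict.keywords.add(tok)
        # Brands are distinctive enough to match as substrings ('lvmhsso').
        for brand in brands:
            if brand in tok:
                verdict.brands.add(brand)
    return verdict


def triage(feed: list[str]) -> list[Verdict]:
    """Return only the entries worth an analyst's attention, most hits first."""
    flagged = [v for v in (score_domain(d) for d in feed) if v.suspicious]
    return sorted(flagged, key=lambda v: (-v.hits, v.domain))


# Constructed sample feed: the three domains named in the article plus benign noise.
SAMPLE_FEED = [
    "ticket-lvmh[.]com",
    "ticket-dior[.]com",
    "ticket-louisvuitton[.]com",
    "okta-helpdesk-examplebank[.]net",
    "ticketmaster-news[.]com",   # keyword-like token but no watched brand
    "dior-outlet-shoes[.]shop",  # watched brand but no theme keyword
    "weather-today[.]org",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_FEED):
        print(f"{v.domain:40} brands={sorted(v.brands)} keywords={sorted(v.keywords)}")
```

Feeding a daily new-registration export through `triage` gives a short, ranked list to review; the combination rule keeps single-signal names such as a brand's own outlet store or an unrelated "ticket" site out of the queue.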
"The most important takeaway is the clear effectiveness and adaptability of these tactics. Whether targeting luxury brands, financial institutions, or other high-profile organisations, these campaigns illustrate that no sector is immune to the risk of highly targeted social engineering attacks."
Additional best practices include hardening social engineering defences, restricting administrator permissions on services such as Salesforce, conducting regular staff awareness training, and mandating multi-factor authentication (MFA) for all users. The report advises routine endpoint scans following attacks on MFA, and immediate disabling of compromised user accounts if suspicious activity is detected.
Ongoing risk and vigilance
Looking forward, domain registration patterns indicate that banks, financial services organisations, and technology service providers are most at risk, given the attackers' focus on high-value, monetisable data and access to large client ecosystems.
"Ultimately, the collaboration between ShinyHunters and Scattered Spider represents a high and evolving threat. Organisations should take immediate action to strengthen their defences, as the speed, scale, and adaptability of these campaigns continue to test the limits of traditional security operations."
The report concludes that as cyber threat actors continue to rotate infrastructure, adapt their behavioural patterns, and leverage social engineering, organisations across all sectors should enhance detection capabilities and maintain heightened awareness of impersonation threats, particularly those geared towards widely used cloud-based applications and services.