The notorious ShinyHunters cybercriminal group has emerged from a year-long hiatus with a sophisticated new wave of attacks targeting Salesforce platforms across major organizations, including high-profile victims like Google.<\/p>\n
This resurgence marks a significant tactical evolution for the financially motivated threat actors, who have traditionally focused on database exploitation and credential theft rather than the complex social engineering schemes now being employed.<\/p>\n
What makes this campaign particularly alarming is its striking resemblance to operations typically attributed to the Scattered Spider hacking collective.<\/p>\n
The convergence of tactics suggests a potential collaboration between these two formidable threat groups, raising concerns about an escalating landscape of coordinated cybercriminal activity.<\/p>\n
The attacks have specifically targeted organizations across retail, aviation, and insurance sectors, with victims spanning luxury brands and technology service providers.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj1xIQ08a_UlCzNigyywCjO3uHauDfzQrCCJ422k96AaqaUfF3LY2t8dmgHcwRQ1K9LgjHWvYfhu5hVBrvTNbKlTKJ-45A4EwLWQBN47TmA_oR0bXBUQXiXxAyuaQGWeQsJmcArA9P_LkGCJS-k16pwgfWEudl-wtuE5JwNqIZf3z1ie-yC1FRAu_Dulz4\/s16000\/ShinyHunters%2520first%2520gained%2520notoriety%2520by%2520advertising%252091%2520million%2520Tokopedia%2520user%2520records%2520for%2520sale%2520on%2520%25E2%2580%259CEmpire%2520Market%25E2%2580%259D%2520in%25202020%2520%28Source%2520-%2520Reliaquest%29.webp?ssl=1\")
ReliaQuest analysts identified<\/a> compelling evidence supporting this collaboration theory through comprehensive domain analysis and infrastructure investigation.<\/p>\n The research revealed coordinated ticket-themed phishing domains and Salesforce credential harvesting pages, indicating a systematic approach to victim targeting.<\/p>\n Most notably, investigators discovered the emergence of a BreachForums user with the alias \u201cSp1d3rhunters\u201d\u2014a clever combination of both group names\u2014who was linked to previous ShinyHunters breaches and appeared to leak Ticketmaster data in July 2024.<\/p>\n The technical sophistication of these attacks represents a significant departure from ShinyHunters\u2019 historical methods.<\/p>\n The group has adopted Scattered Spider<\/a>\u2018s signature techniques, including highly targeted vishing campaigns where attackers impersonate IT support staff to manipulate victims into authorizing malicious \u201cconnected apps.\u201d<\/p>\n These applications masquerade as legitimate Salesforce tools while enabling large-scale data exfiltration.<\/p>\n The campaign\u2019s infrastructure reveals meticulous planning and advanced evasion capabilities.<\/p>\n Investigators uncovered multiple malicious domains registered between June 20-30, 2025, following consistent naming patterns such as These domains shared common registry characteristics, including registration through GMO Internet using temporary email addresses like The attackers deployed sophisticated phishing kits hosting single sign-on (SSO) login pages, with domains like The malicious infrastructure leveraged VPN obfuscation through Mullvad VPN services to perform data exfiltration<\/a> from compromised Salesforce instances.<\/p>\n Particularly concerning is the rebranding of legitimate Salesforce \u201cData Loader\u201d applications as \u201cMy Ticket Portal\u201d during vishing campaigns, demonstrating the group\u2019s ability to weaponize familiar business tools against unsuspecting employees.<\/p>\n This tactical evolution, combined with the synchronized targeting patterns observed across both ShinyHunters and Scattered Spider operations, suggests that financial services and technology providers should prepare for intensified attacks in the coming months.<\/p>\n The post ShinyHunters Possibly Collaborates With Scattered Spider in Salesforce Attack Campaigns<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAdvanced Infrastructure and Evasion Techniques<\/strong><\/h2>\n
ticket-lvmh.com<\/code>, ticket-dior.com<\/code>, and ticket-louisvuitton.com<\/code>.<\/p>\nemail@mailshan.com<\/code> and Cloudflare-masked nameservers for additional obfuscation<\/a>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhSJeIXKI-v30VGxHynUUL9wMPM2qIq0YXi1dhEpk7Rt6gaMFwWNFJ15jy0SmzOKm2-g60OSD3-ADHmoq78ra8SPapbhkVticnnDn5x9fDhAzfFbSxCrGehGZlEeQNFlFOltOcl_LCvfgA6sABhwkTUlsg16leE3OTezb11touJyULfMsSl8ju-z2LhBo0\/s16000\/Phishing%2520page%2520hosted%2520at%2520dashboard-salesforce%255B.%255Dcom%2520%28Source%2520-%2520Reliaquest%29.webp?ssl=1\")
dashboard-salesforce.com<\/code> actively serving Okta-branded credential harvesting interfaces.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgnr4tWc78P7fkj66V3U-p4K9OutDNQZFRqOGyOTBdEo_9avndEh2zHc3hpdXvjjvJ3mP79ldbxlwEkN3RTet-BT-9ZDOykbW3bzwVt8aFw6aFfmtv2YTaoUJUIjYyyyNVWYxuHItZRvombzVic8Wah14n9SCv06bslJKw-nPqJOa03wioDRGh2AZQVnHQ\/s16000\/Okta%2520phishing%2520page%2520hosted%2520at%2520ticket-dior%255B.%255Dcom%2520in%2520June%25202025%2520%28Source%2520-%2520Reliaquest%29.webp?ssl=1\")
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n