
The ongoing data extortion campaign targeting Salesforce customers could soon turn its attention to financial services and technology service providers, as ShinyHunters and Scattered Spider appear to be working hand in hand.
“This latest wave of attacks attributed to ShinyHunters reveals a dramatic change in tactics and moves beyond the group’s previous credential theft and database exploitation,” ReliaQuest said in a report shared with The Hacker News.
These changes include adopting tactics that mirror those of Scattered Spider, such as highly targeted vishing (aka voice phishing) and social engineering attacks, using apps that disguise themselves as legitimate tools, using Okta-themed phishing pages to trick victims into entering their credentials during vishing, and using VPNs.

First emerging in 2020, ShinyHunters is a financially motivated threat group that has orchestrated a series of data breaches targeting large corporations and monetized them on cybercrime forums such as RaidForums and BreachForums. Interestingly, the ShinyHunters persona has been a key participant in these platforms as both a contributor and an administrator.
“The ShinyHunters persona partnered with Baphomet to restart the second instance of BreachForums (V2) in June 2023, and later started the June 2025 instance (V4) alone,” Sophos said in a recent report. “The provisional version (V3) suddenly disappeared in April 2025, but the cause is unknown.”
The forum's relaunch was short-lived, and the bulletin board went offline around June 9, but the threat actor has since been linked to attacks targeting Salesforce instances, an extortion activity cluster that Google tracks under the moniker UNC6240.
Coinciding with these developments was the arrest by French law enforcement of four individuals suspected of running BreachForums, including ShinyHunters. However, the threat actor told DataBreaches.net that “France has rushed to bring about false and inaccurate arrests,” raising the possibility that an associate of the group was caught instead.
And that’s not all. On August 8, a new Telegram channel named “scattered lapsu$ hunters” emerged, conflating ShinyHunters, Scattered Spider, and LAPSUS$, with channel members claiming they are also developing a ransomware-as-a-service solution called ShinySp1d3r that they say will rival LockBit and DragonForce. Three days later, the channel disappeared.
Both Scattered Spider and LAPSUS$ are linked to a broader, nebulous collective known as The Com, a notorious network of experienced English-speaking cybercriminals known to engage in a wide range of malicious activities, including SIM swapping, extortion, and physical crime.
ReliaQuest said it has identified a coordinated set of ticket-themed phishing domains and Salesforce credential harvesting pages that were likely created for similar campaigns targeting well-known firms across a variety of industries.

According to the company, these domains were registered using infrastructure that is usually associated with phishing kits commonly used to host single sign-on (SSO) login pages.
Furthermore, an analysis of over 700 domains registered in 2025 that match Scattered Spider phishing patterns revealed that domain registrations targeting financial companies have increased by 12% since July 2025, while the targeting of technology companies has declined by 5%, suggesting that banks, insurance companies, and financial services could be next in line.
Beyond the tactical overlap, the possibility that the two groups are working together is supported by the fact that they have targeted the same sectors (i.e., retail, insurance, and aviation) almost simultaneously.
“Supporting this theory is evidence such as the appearance of a BreachForums user with the alias ‘SP1D3RHunters,’ who is not only linked to past ShinyHunters breaches but also overlaps with domain registration patterns.
“If these connections are legitimate, it suggests that collaboration or overlap between ShinyHunters and Scattered Spider could continue for more than a year. The similar targeting and synchronized timing of these previous attacks strongly support the possibility of coordinated efforts between the two groups.”