EclecticIQ analysts assess with high confidence that ShinyHunters is expanding its operations by combining AI-enabled voice phishing, supply chain compromises, and leveraging malicious insiders, such as employees or contractors, who can provide direct access to enterprise networks.
ShinyHunters is very likely relying on members of Scattered Spider and The Com to conduct voice phishing attacks that provide unauthorized access to single sign-on (SSO) platforms used by retail, airline, and telecom companies.
The group uses this access to exfiltrate large volumes of customer data and extort victim organizations.
Analysts observed that ShinyHunters' leader, ShinyCorp, is actively selling stolen datasets to ransomware affiliates and other eCrime actors at prices exceeding $1 million per company.
EclecticIQ analysts observed that the ‘shinysp1d3r’ ransomware-as-a-service (RaaS) network is currently in development, with features designed to encrypt VMware ESXi environments.
Analysts assess with medium confidence that once operational, ShinyHunters will likely leverage this service to expand its victim base, attract new affiliates, and broaden its extortion capabilities.
ShinyHunters targets high-privilege engineering accounts on Git version control, BrowserStack, JFrog, and cloud project management platforms to infiltrate CI/CD pipelines.
Analysts assess with high confidence that this access is very likely intended to enable supply chain attacks, a favored tactic of ShinyHunters that allows threat actors to compromise thousands of enterprise systems through a single access point in the software supply chain.
On August 31, 2025, the Telegram channel “scattered LAPSUS$ hunters 4.0,” operated by ShinyHunters, posted a recruitment message offering financial rewards to employees in finance, insurance, aviation, telecoms, and other sectors in exchange for providing access to Okta, Microsoft SSO, Citrix VPN, or Git platforms.
This reliance on trusted insiders highlights a significant risk of bypassing enterprise defenses through legitimate channels.
AI-Driven Voice Phishing at Scale
ShinyHunters affiliates have escalated voice phishing (vishing) operations using VoIP services including Twilio, Google Voice, and 3CX.
The group also leverages legitimate AI-powered platforms such as Vapi and Bland to automate social engineering calls.

Bland’s large language model (LLM) generates dynamic conversational pathways tailored in real time to victim responses, while configurable voice styles mimic regional accents and genders, enhancing credibility.
Analysts assess with high confidence that Scattered Spider members conduct most of the voice phishing calls, but ShinyHunters outsources additional vishing capacity to ‘call center’ dashboards and P1 Telegram bots that automate template-driven attacks.
This blend of AI dialogue management and near-realistic synthetic voice allows ShinyHunters affiliates to conduct vishing campaigns at unprecedented scale.
Compromised Salesforce CRM dashboards enable bulk exfiltration and lateral movement into Okta, Microsoft 365, and Amazon S3.
In recent campaigns against airline and retail sectors, ShinyHunters exfiltrated datasets up to 26 GB of user accounts, 16 GB of contact records, 5.5 GB of email logs, and more.

The group uses LimeWire file-sharing to leak data samples, pressuring victims to pay seven-digit extortion demands. Analysts identified that ShinyCorp sells stolen airline data for up to $1 million per company via Telegram and qTox channels.
EclecticIQ analysts observed development of ‘shinysp1d3r,’ a RaaS platform engineered to encrypt VMware ESXi environments.
The service aims to target virtualization hosts, enabling affiliates to deploy ransomware directly against hypervisor infrastructures.
Once operational, this RaaS could drastically increase ShinyHunters’ ransomware reach and complicate enterprise recovery processes.
Analysts assess with medium confidence that this development is intended to recruit new affiliates and broaden extortion outputs by targeting high-value virtualization environments.
Mitigations
EclecticIQ analysts recommend organizations enforce strict access controls and monitoring across SSO-integrated applications, audit mass export permissions, and apply least privilege principles.
Hardening SSO platforms such as Salesforce, Okta, and Microsoft 365 through Just-In-Time access and IP-based restrictions is essential.
Monitoring and anomaly detection using SIEM and SOAR tools should flag large data exports and unusual MFA events.
Employee training must include AI-driven vishing simulations, internal verification challenges for high-risk requests, and awareness of MFA fatigue risks.
Insider threat scenarios should be integrated into threat models, coupled with honeypot deployments to detect suspicious internal activity.
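The two detections called out above, flagging large data exports and bursts of MFA push prompts, are straightforward to prototype before they are tuned into a SIEM rule. The following script is an added example written for this summary, not EclecticIQ's code or any vendor's detection content. It runs over a small set of constructed audit events in a generic format (the field names `ts`, `user`, `type`, `result`, `bytes` and the event types `report_export` and `mfa_push` are assumptions; real Okta or Salesforce event logs use their own schemas), and the thresholds (1 GiB per export, five or more push prompts within ten minutes) are illustrative starting points, not recommended values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Field names and event
# types are assumptions for this example; map them to your SSO/CRM
# audit schema before use.
SAMPLE_EVENTS = [
    {"ts": "2025-08-31T09:00:00", "user": "alice", "type": "mfa_push", "result": "denied"},
    {"ts": "2025-08-31T09:00:40", "user": "alice", "type": "mfa_push", "result": "denied"},
    {"ts": "2025-08-31T09:01:20", "user": "alice", "type": "mfa_push", "result": "denied"},
    {"ts": "2025-08-31T09:02:00", "user": "alice", "type": "mfa_push", "result": "denied"},
    {"ts": "2025-08-31T09:02:30", "user": "alice", "type": "mfa_push", "result": "denied"},
    {"ts": "2025-08-31T09:03:10", "user": "alice", "type": "mfa_push", "result": "approved"},
    {"ts": "2025-08-31T09:20:00", "user": "alice", "type": "report_export", "bytes": 2_000_000},
    {"ts": "2025-08-31T10:00:00", "user": "bob", "type": "mfa_push", "result": "approved"},
    {"ts": "2025-08-31T10:05:00", "user": "bob", "type": "report_export", "bytes": 5_500_000_000},
]

# Illustrative thresholds (assumptions); tune to the baseline of your tenant.
EXPORT_THRESHOLD_BYTES = 1 * 1024 ** 3   # flag any single export of 1 GiB or more
MFA_WINDOW = timedelta(minutes=10)       # sliding window for push-prompt bursts
MFA_PUSH_LIMIT = 5                       # prompts inside the window that trigger an alert


def parse_ts(value):
    """Parse the ISO-8601 timestamp used by the sample events."""
    return datetime.fromisoformat(value)


def flag_large_exports(events, threshold=EXPORT_THRESHOLD_BYTES):
    """Return export events whose size meets or exceeds the threshold.

    Bulk CRM report exports are the step that turns a phished SSO session
    into a multi-gigabyte data theft, so size alone is a useful first signal.
    """
    return [
        e for e in events
        if e["type"] == "report_export" and e.get("bytes", 0) >= threshold
    ]


def flag_mfa_fatigue(events, window=MFA_WINDOW, limit=MFA_PUSH_LIMIT):
    """Per user, find `limit` or more push prompts inside `window`.

    The alert records whether the burst ended with an approval, which is
    the pattern of a user giving in to repeated prompts. Only the last
    (widest) burst per user is reported to avoid duplicate alerts.
    """
    pushes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO strings sort chronologically
        if e["type"] == "mfa_push":
            pushes[e["user"]].append((parse_ts(e["ts"]), e["result"]))

    alerts = {}
    for user, seq in pushes.items():
        start = 0
        for end, (t_end, result) in enumerate(seq):
            # Slide the window start forward until it covers at most `window`.
            while t_end - seq[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= limit:
                alerts[user] = {
                    "user": user,
                    "prompts_in_window": count,
                    "window_start": seq[start][0].isoformat(),
                    "window_end": t_end.isoformat(),
                    "ended_with_approval": result == "approved",
                }
    return list(alerts.values())


def triage(events):
    """Combine both detections into one report dict for a SIEM/SOAR hand-off."""
    return {
        "large_exports": flag_large_exports(events),
        "mfa_fatigue": flag_mfa_fatigue(events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for e in report["large_exports"]:
        print(f"LARGE EXPORT  user={e['user']} bytes={e['bytes']} at {e['ts']}")
    for a in report["mfa_fatigue"]:
        print(f"MFA FATIGUE   user={a['user']} prompts={a['prompts_in_window']} "
              f"approved_at_end={a['ended_with_approval']}")
```

Two design points matter when turning this into a production rule: the export check should be correlated with the MFA check and with session context (a large export minutes after a push approval from a new device is far more suspicious than either event alone), and the push-burst logic should use a sliding window rather than fixed buckets so a burst straddling a bucket boundary is not missed.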
As ShinyHunters continues to innovate with AI-enabled social engineering, supply chain compromises, and specialized RaaS offerings like ‘shinysp1d3r’, organizations must adopt a layered defense posture, combining technical controls with robust human-centric security measures.