ShinyHunters Group Targets Over 100 Enterprises, Including Canva, Atlassian, and Epic Games

A surge in infrastructure deployment that mirrors the tactics of SLSH, a predatory alliance uniting three major threat actors: Scattered Spider, LAPSUS$, and ShinyHunters.

A sophisticated identity-theft campaign has emerged, targeting Single Sign-On (SSO) platforms, particularly Okta, across more than 100 high-value enterprises.

Unlike automated phishing campaigns, this operation is human-led. It relies on voice phishing (“vishing”) to bypass even hardened Multi-Factor Authentication (MFA) systems.

The attackers employ a “Live Phishing Panel” that lets operators intercept credentials and MFA tokens in real time during active login sessions, granting immediate and persistent access to corporate environments.

The SLSH “Supergroup” Threat

Silent Push has identified a surge in infrastructure deployment that mirrors the TTPs (Tactics, Techniques, and Procedures) of SLSH.

This hybrid of purpose-built phishing infrastructure and live social engineering creates a formidable initial-access strategy targeting enterprise identity providers.

The group’s sophistication lies not in automation but in human interaction: attackers manipulate live phishing pages while simultaneously calling help desks and employees, adapting their approach to each victim’s specific login prompts.

SLSH emerged from “The Com” ecosystem by combining Scattered Spider’s advanced social engineering capabilities with LAPSUS$’s established extortion methodology.

Organizations across multiple sectors face active targeting. Technology companies, including Atlassian, Canva, Epic Games, HubSpot, and Zoom, face heightened risk, alongside financial institutions like Blackstone, RBC, and State Street.

The threat extends to healthcare (Biogen, Moderna), real estate (Simon Property Group, Zillow), and infrastructure sectors (AECOM, Halliburton). Silent Push detected active targeting or infrastructure preparation against these organizations within the past 30 days.

Conventional security awareness training proves insufficient against this threat vector. SLSH operators are highly persuasive and coordinated, combining technical capability with social engineering precision.

A single compromised SSO account becomes a “skeleton key” to the entire enterprise application ecosystem.

Attack Progression and Impact

Following LAPSUS$’s playbook, the group prioritizes rapid data exfiltration for extortion purposes.

After initial SSO compromise, attackers pivot to internal communications platforms (Slack, Microsoft Teams) to social-engineer administrators into granting higher-privilege access.

Finally, they encrypt critical data and demand ransom for decryption keys, combining theft with operational disruption.

Organizations on the targeted list must implement urgent countermeasures. Alert support staff and employees about ongoing SLSH activities; vishing success depends on social manipulation, which employee awareness directly counters.

Conduct forensic audits of Okta and other SSO provider logs, specifically hunting for “New Device Enrolled” events immediately followed by logins from unfamiliar IP addresses, a hallmark of this attack pattern.
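The hunt described above, as an added example that is not part of the original article or of Silent Push’s tooling: it reads Okta System Log events (JSON lines), builds a per-user baseline of IPs seen in earlier successful logins, and flags any MFA/device enrollment that is followed within a short window by a successful login from an IP the user has never used. The eventType names, the 60-minute window, and the sample events are assumptions; check the enrollment and login eventTypes your tenant actually emits before running this against real exports.

```python
"""Okta System Log hunt: enrollment followed by a login from a never-seen IP.

Added example (not from the article). Assumptions:
  - ENROLLMENT_EVENTS / LOGIN_EVENTS are the eventType values to correlate;
    adjust them to match what your Okta tenant records.
  - A login within WINDOW after an enrollment, from an IP absent from the
    user's prior successful-login history, is reported as a finding.
  - SAMPLE_LOG below is constructed, not real telemetry.
"""
import json
from datetime import datetime, timedelta

ENROLLMENT_EVENTS = {"user.mfa.factor.activate", "device.enrollment.create"}  # assumption
LOGIN_EVENTS = {"user.session.start", "user.authentication.sso"}               # assumption
WINDOW = timedelta(minutes=60)                                                  # assumption


def _event(ts, etype, user, ip, result="SUCCESS"):
    """Build a minimal Okta-style System Log record (constructed sample data)."""
    return {"published": ts, "eventType": etype,
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip},
            "outcome": {"result": result}}


# Constructed sample: alice re-enrolls a factor and logs in from her usual IP
# (benign); bob enrolls a factor and two minutes later a session starts from
# an IP never seen for him (the pattern the article describes).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("2025-01-10T08:00:00.000Z", "user.session.start",      "alice@example.com", "203.0.113.10"),
    _event("2025-01-10T08:05:00.000Z", "user.session.start",      "bob@example.com",   "198.51.100.5"),
    _event("2025-01-10T09:00:00.000Z", "user.mfa.factor.activate", "alice@example.com", "203.0.113.10"),
    _event("2025-01-10T09:05:00.000Z", "user.session.start",      "alice@example.com", "203.0.113.10"),
    _event("2025-01-10T10:00:00.000Z", "user.mfa.factor.activate", "bob@example.com",   "198.51.100.5"),
    _event("2025-01-10T10:02:00.000Z", "user.session.start",      "bob@example.com",   "185.220.101.7"),
    _event("2025-01-10T10:03:00.000Z", "user.session.start",      "bob@example.com",   "185.220.101.7", "FAILURE"),
])


def parse_ts(value):
    """Okta publishes ISO-8601 UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(text):
    """Parse a JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events, window=WINDOW):
    """Return findings for enrollment -> unfamiliar-IP login sequences."""
    events = sorted(events, key=lambda e: parse_ts(e["published"]))
    known_ips = {}   # user -> IPs seen in earlier successful logins (baseline)
    pending = {}     # user -> [(enrollment time, enrollment IP)] awaiting a login
    findings = []
    for ev in events:
        user = ev.get("actor", {}).get("alternateId")
        ip = ev.get("client", {}).get("ipAddress")
        etype = ev.get("eventType")
        if not user or ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed or actor-less events do not count either way
        ts = parse_ts(ev["published"])
        if etype in ENROLLMENT_EVENTS:
            pending.setdefault(user, []).append((ts, ip))
        elif etype in LOGIN_EVENTS:
            baseline = known_ips.setdefault(user, set())
            still_pending = []
            for enroll_ts, enroll_ip in pending.get(user, []):
                delta = ts - enroll_ts
                if timedelta(0) <= delta <= window and ip not in baseline:
                    findings.append({
                        "user": user,
                        "enrolled_at": enroll_ts.isoformat(),
                        "enrollment_ip": enroll_ip,
                        "login_at": ts.isoformat(),
                        "login_ip": ip,
                        "minutes_after_enrollment": delta.total_seconds() / 60,
                    })
                elif delta <= window:
                    still_pending.append((enroll_ts, enroll_ip))  # keep until window expires
            pending[user] = still_pending
            baseline.add(ip)  # the login is now part of the user's history
    return findings


if __name__ == "__main__":
    for f in hunt(load_events(SAMPLE_LOG)):
        print(json.dumps(f))
```

On the sample data only bob is reported. The baseline is built purely from what precedes each login in the export, so run it over at least the preceding 30 days of events so that a user’s normal IPs are known before the enrollment being examined; the enrollment IP is also recorded in each finding because an enrollment performed from the victim’s own session (coaxed by a vishing call) will look benign on its own and only the follow-on login reveals the takeover.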

Deploy pre-attack intelligence capabilities before vishing campaigns commence. Silent Push’s Indicators of Future Attack (IOFA) feeds operate at the DNS level to identify and block malicious lookalike domains before infrastructure goes operational.

This proactive approach prevents attackers from establishing command-and-control infrastructure.

Organizations should not wait for breach notifications to act. The window for prevention remains open, but closure is rapid once attacks begin targeting specific employees.
