The financially motivated threat group ShinyHunters has returned with a sophisticated series of attacks targeting Salesforce instances across high-profile enterprises in industries like retail, aviation, and insurance, after a year of relative quiet following member arrests in June 2024.
ReliaQuest’s analysis reveals a coordinated infrastructure of ticket-themed phishing domains and credential-harvesting pages, such as ticket-lvmh[.]com and dashboard-salesforce[.]com, registered via GMO Internet with Cloudflare-masked nameservers and temporary registrant emails.
These domains host Okta-branded phishing lures mimicking legitimate tools like Salesforce Data Loader, rebranded as “My Ticket Portal,” to facilitate vishing campaigns where attackers impersonate IT support to authorize malicious connected apps.
This enables credential theft, API-enabled data exfiltration via Mullvad VPN obfuscation, and subsequent extortion.
Resurgence After Inactivity
The tactics mark a stark departure from ShinyHunters’ traditional focus on stealthy database exploitation and credential theft, aligning closely with Scattered Spider’s hallmark social engineering methods, including targeted vishing, MFA fatigue exploitation, and domain impersonation patterns like SSO-company[.]com.
Circumstantial evidence points to a potential alliance between ShinyHunters and Scattered Spider, possibly dating back to July 2024, as indicated by overlapping campaigns and shared infrastructure.
A BreachForums user alias, “Sp1d3rhunters,” a portmanteau of the two groups’ names, emerged in May 2024 and leaked Ticketmaster data previously attributed to ShinyHunters, while Telegram claims from the same alias assert the groups “are the same.”
Sector Targeting Insights
Domain registration patterns further corroborate this: over 700 impersonating domains in 2025 mimic Scattered Spider’s formats, and targeting has shifted away from professional, scientific, and technical services (PSTS) toward financial services, which have seen a 12% increase since July, alongside sustained hits on technology providers.
The US remains the primary target, comprising the majority of these domains due to its concentration of high-value tech firms, echoing broader cybercrime trends like ransomware where 67% of Q2 2025 victims were US-based.
These domains, often short-lived and tied to phishing kits for SSO spoofing, suggest ongoing Salesforce campaigns, with keywords like “ticket,” “okta,” or “helpdesk” combined with company or SaaS names (e.g., company-salesforce[.]com) serving as early indicators.
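As an added illustration that is not part of the ReliaQuest report, the following Python triage script applies the domain-pattern indicators described above (a “ticket,” “okta,” “helpdesk,” or SSO-style keyword combined with a company or SaaS name) to a feed of newly observed domains; the brand list, the known-good allowlist, and the sample feed are constructed assumptions, and the registrable-domain check is simplified to the last two labels.

```python
"""Flag domains that match the lure-keyword + company/SaaS-name pattern from the report."""
import re

# Keywords the report names as early indicators in impersonating domains.
LURE_KEYWORDS = {"ticket", "okta", "helpdesk", "sso", "dashboard"}
# SaaS products the report says attackers combine with a company name.
SAAS_NAMES = {"salesforce", "okta"}
# Legitimate registrable domains that must never be flagged (hypothetical allowlist).
KNOWN_GOOD = {"salesforce.com", "okta.com"}


def refang(domain: str) -> str:
    """Normalise a defanged indicator such as ticket-lvmh[.]com to a plain lowercase hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("hxxp://", "").rstrip("/")


def domain_tokens(domain: str) -> list[str]:
    """Split everything left of the TLD into hyphen- or dot-separated tokens."""
    labels = refang(domain).split(".")
    name = "-".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return [t for t in re.split(r"[-.]", name) if t]


def classify(domain: str, brands: set[str]) -> dict:
    """Verdict for one domain: flagged when a lure/SaaS keyword is paired with a watched
    brand or SaaS name, mirroring ticket-lvmh, dashboard-salesforce, sso-company and
    company-salesforce formats. `brands` is the organisation's own name list."""
    host = refang(domain)
    # Simplified registrable-domain check (last two labels only; does not handle co.uk etc.).
    if ".".join(host.split(".")[-2:]) in KNOWN_GOOD:
        return {"domain": host, "flagged": False, "reasons": ["known-good registrable domain"]}
    tokens = set(domain_tokens(host))
    theme = tokens & (LURE_KEYWORDS | SAAS_NAMES)   # the lure half of the pattern
    target = tokens & (brands | SAAS_NAMES)          # the impersonated-name half
    # Require two distinct tokens so bare "salesforce" or "okta" alone is not flagged.
    flagged = bool(theme) and bool(target) and len(theme | target) >= 2
    reasons = sorted(f"lure:{t}" for t in theme) + sorted(f"target:{t}" for t in target)
    return {"domain": host, "flagged": flagged, "reasons": reasons}


def triage(domains, brands: set[str]) -> list[dict]:
    """Run classify() over a feed of newly observed domains and return only the flagged ones."""
    return [v for v in (classify(d, brands) for d in domains) if v["flagged"]]


if __name__ == "__main__":
    # Constructed sample feed: defanged examples from the report plus benign lookalikes.
    feed = ["ticket-lvmh[.]com", "dashboard-salesforce[.]com", "sso-examplecorp[.]com",
            "examplecorp-salesforce[.]com", "login.salesforce.com", "weather-ticket.net"]
    for hit in triage(feed, brands={"examplecorp", "lvmh"}):
        print(hit["domain"], hit["reasons"])
```

Feed the output into a registrar or WHOIS lookup to check for the GMO Internet and privacy-service registration pattern the report describes before escalating.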

This suspected collaboration, potentially under the broader “The Com” collective known for SIM-swapping, account takeovers, and cryptocurrency theft, amplifies the threat through hybridized TTPs that evade traditional defenses.
Organizations should prioritize behavioral detection over attribution, monitoring for anomalous API activity, enforcing IP allowlists, and restricting permissions like “Manage Connected Apps.”
ReliaQuest’s GreyMatter DRP enables rapid impersonating domain detection, while automated playbooks for session termination, password resets, host scans, and user disabling reduce mean time to contain (MTTC) from hours to minutes.
To mitigate, harden against social engineering via vishing simulations, mandate MFA with fatigue awareness training, and query domain intelligence for registrars like GMO Internet or privacy services such as PrivacyGuardian.
As ShinyHunters may soon publicize leaks on forums, financial and tech sectors face heightened risk, underscoring the need for proactive TTP-focused defenses against these adaptive, English-speaking adversaries exploiting human and SaaS vulnerabilities for data monetization and disruption.