ShinyHunters Possibly Collaborates With Scattered Spider in Salesforce Attack Campaigns

The notorious ShinyHunters cybercriminal group has emerged from a year-long hiatus with a sophisticated new wave of attacks targeting Salesforce platforms across major organizations, including high-profile victims like Google.

This resurgence marks a significant tactical evolution for the financially motivated threat actors, who have traditionally focused on database exploitation and credential theft rather than the complex social engineering schemes now being employed.

What makes this campaign particularly alarming is its striking resemblance to operations typically attributed to the Scattered Spider hacking collective.

The convergence of tactics suggests a potential collaboration between these two formidable threat groups, raising concerns about an escalating landscape of coordinated cybercriminal activity.

The attacks have specifically targeted organizations across retail, aviation, and insurance sectors, with victims spanning luxury brands and technology service providers.

ShinyHunters first gained notoriety by advertising 91 million Tokopedia user records for sale on “Empire Market” in 2020 (Source – Reliaquest)

ReliaQuest analysts identified compelling evidence supporting this collaboration theory through comprehensive domain analysis and infrastructure investigation.

The research revealed coordinated ticket-themed phishing domains and Salesforce credential harvesting pages, indicating a systematic approach to victim targeting.

Most notably, investigators discovered the emergence of a BreachForums user with the alias “Sp1d3rhunters”—a clever combination of both group names—who was linked to previous ShinyHunters breaches and appeared to leak Ticketmaster data in July 2024.

The technical sophistication of these attacks represents a significant departure from ShinyHunters’ historical methods.

The group has adopted Scattered Spider’s signature techniques, including highly targeted vishing campaigns in which attackers impersonate IT support staff to manipulate victims into authorizing malicious “connected apps.”

These applications masquerade as legitimate Salesforce tools while enabling large-scale data exfiltration.

Advanced Infrastructure and Evasion Techniques

The campaign’s infrastructure reveals meticulous planning and advanced evasion capabilities.

Investigators uncovered multiple malicious domains registered between June 20-30, 2025, following consistent naming patterns such as ticket-lvmh.com, ticket-dior.com, and ticket-louisvuitton.com.

These domains shared common registration characteristics, including registration through GMO Internet using temporary email addresses like email@mailshan.com and Cloudflare-masked nameservers for additional obfuscation.

Okta phishing page hosted at ticket-dior[.]com in June 2025 (Source – Reliaquest)

The attackers deployed sophisticated phishing kits hosting single sign-on (SSO) login pages, with domains like dashboard-salesforce.com actively serving Okta-branded credential harvesting interfaces.

Phishing page hosted at dashboard-salesforce[.]com (Source – Reliaquest)

The malicious infrastructure leveraged VPN obfuscation through Mullvad VPN services to perform data exfiltration from compromised Salesforce instances.

Particularly concerning is the rebranding of legitimate Salesforce “Data Loader” applications as “My Ticket Portal” during vishing campaigns, demonstrating the group’s ability to weaponize familiar business tools against unsuspecting employees.

This tactical evolution, combined with the synchronized targeting patterns observed across both ShinyHunters and Scattered Spider operations, suggests that financial services and technology providers should prepare for intensified attacks in the coming months.


The post ShinyHunters Possibly Collaborates With Scattered Spider in Salesforce Attack Campaigns appeared first on Cyber Security News.