

ShinyHunters and Scattered Spider Collaboration

4 unique sources, 22 articles

Summary


The **Gainsight cyber-attack** has expanded significantly, with Salesforce initially identifying **three impacted customers** but later confirming a **larger, unspecified number of victims** by **November 21, 2025**. Meanwhile, the **Scattered Lapsus$ Hunters (SLSH) alliance** has launched a **new phishing campaign targeting Zendesk users**, deploying over **40 typosquatted domains** (e.g., *znedesk[.]com*) and **malicious helpdesk tickets** to harvest credentials and deploy remote access trojans (RATs). The group’s tactics mirror those used in the **August 2025 Salesforce attacks**, with **deceptive SSO portals** and **social engineering lures** aimed at support staff. **Discord** has already confirmed a breach via its Zendesk-based support system, exposing user data including **names, emails, billing details, and government-issued IDs**. Gainsight’s breach involved **unauthorized access via an AT&T IP address on November 8**, preceded by reconnaissance from **3.239.45[.]43 on October 23** and approximately **20 suspicious intrusions between November 16–23** using **VPN services (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**—a method tied to the **Salesloft Drift breach**. Salesforce revoked all access tokens associated with Gainsight applications, while third-party vendors like **Gong.io, Zendesk, and HubSpot** severed integrations as a precaution. HubSpot confirmed no compromise of its infrastructure. Forensic investigations by **Mandiant** and Salesforce revealed the attackers exploited **compromised multifactor credentials** for VPN and system access. Customers were advised to **rotate S3 keys, reset NXT passwords, and re-authorize integrations** while adopting **Google Threat Intelligence Group (GTIG) mitigations**. 
The SLSH alliance has also unveiled a new **ransomware-as-a-service (RaaS) platform, ShinySp1d3r**, featuring **advanced anti-forensic capabilities**, network propagation tools, and **AI-enhanced modifications** of the **HellCat ransomware**. The platform is administered by **Saif Al-Din Khader (aka Rey)**, a core SLSH member who claims cooperation with law enforcement since June 2025. The group has been linked to **51 cyberattacks in the past year**, combining RaaS with extortion-as-a-service (EaaS) and insider recruitment to maximize impact. This attack follows a year-long pattern of **high-impact breaches** by ShinyHunters and Scattered Spider, including the **$107 million loss at the Co-operative Group (U.K.)**, **Jaguar Land Rover’s operational shutdown**, and breaches at **Allianz Life, Farmers Insurance, and Workday**, all exploiting **Salesforce platform vulnerabilities**. Despite arrests (e.g., **Scattered Spider members Owen Flowers and Thalha Jubair**) and shutdown claims, the threat persists, with **new victims emerging in critical sectors like rail transport (Almaviva/FS Italiane Group)** and now **Zendesk users**. Authorities, including the **FBI and U.K. NCA**, continue issuing alerts as the groups adapt tactics, leveraging **third-party IT providers, cloud-based CRM systems, and AI-enhanced tooling** to evade detection and scale operations.

Timeline

  1. 27.11.2025 11:30 1 article · 23h ago

    Scattered Lapsus$ Hunters Launches Zendesk Phishing Campaign

    The **Scattered Lapsus$ Hunters (SLSH) alliance** has initiated a **new phishing campaign targeting Zendesk users**, deploying **over 40 typosquatted domains** (e.g., *znedesk[.]com*, *vpn-zendesk[.]com*) and **fraudulent helpdesk tickets** to harvest credentials and deploy **remote access trojans (RATs)**. The domains, registered via **NiceNic** with **US/UK registrant details** and **Cloudflare-masked nameservers**, mirror tactics used in the **August 2025 Salesforce campaign**, including **deceptive SSO portals** and **social engineering lures** aimed at support staff. ReliaQuest reports that **Discord** has already fallen victim, confirming a breach via its **Zendesk-based support system** that exposed user data, including **names, emails, billing information, IP addresses, and government-issued IDs**. The campaign underscores the group’s **expanding focus on high-value SaaS platforms** (Salesforce, Salesloft, Gainsight, and now Zendesk) to exploit **downstream customer data access**. While the activity aligns with SLSH’s modus operandi, ReliaQuest notes it could also be the work of a **copycat group** adopting similar phishing and credential-harvesting techniques. Organizations are urged to **monitor for typosquatted domains**, **audit helpdesk ticket submissions**, and **enhance endpoint protections** for support teams. This development follows the group’s **November 2025 unveiling of the ShinySp1d3r RaaS platform**, signaling a **multi-pronged escalation** in both **technical sophistication** and **target diversification**.

  2. 27.11.2025 09:03 1 article · 1d ago

    ShinyHunters-Scattered Spider-LAPSUS$ Alliance Unveils ShinySp1d3r RaaS Platform

    The **ShinyHunters-Scattered Spider-LAPSUS$ (SLSH) alliance** has developed **ShinySp1d3r**, a new **ransomware-as-a-service (RaaS) platform** combining advanced technical features with extortion-as-a-service (EaaS) capabilities. The platform includes **anti-forensic measures** such as hooking the *EtwEventWrite* function to disable Windows Event Viewer logging, terminating processes to bypass file locks, and filling free drive space with random data to overwrite deleted files. ShinySp1d3r also supports **network propagation** via *deployViaSCM*, *deployViaWMI*, and *attemptGPODeployment* to encrypt open network shares and spread laterally. The platform is administered by **Saif Al-Din Khader (aka Rey)**, a core SLSH member and former BreachForums/HellCat ransomware administrator, who claims to have **cooperated with law enforcement since June 2025**. Rey describes ShinySp1d3r as a **rehashed version of HellCat ransomware modified with AI tools**. The SLSH alliance has been linked to **51 cyberattacks in the past year**, leveraging **insider recruitment, RaaS/EaaS hybrid models, and multi-vector monetization** to target organizations. Palo Alto Networks Unit 42 warns that the group’s **combined offerings and tactical adaptability** pose a formidable threat, particularly to **Salesforce-dependent enterprises and third-party IT providers**.

  3. 26.11.2025 14:05 3 articles · 1d ago

    Gainsight Attack Expands Salesforce Customer Impact with New IOCs

    The **Gainsight cyber-attack** has expanded significantly, with Salesforce initially identifying **three impacted customers** but later confirming a **larger, unspecified number of victims** by **November 21, 2025**. Gainsight CEO Chuck Ganapathi stated only a "handful" of customers had their data affected, though the full scope remains undisclosed. The breach began with **reconnaissance from IP 3.239.45[.]43 on October 23, 2025**, followed by **unauthorized access via an AT&T IP address on November 8** and approximately **20 suspicious intrusions between November 16–23** using **commercial VPNs (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**—a tactic linked to the **Salesloft Drift attack**. Salesforce **revoked all access and refresh tokens** for Gainsight applications, while **Google disabled OAuth clients** with callback URIs like *gainsightcloud[.]com*. Gainsight disabled read/write capabilities for **Customer Success (CS), Community (CC), Northpass, and Skilljar**, while isolating **Staircase** (confirmed unaffected). Third parties (**Gong.io, Zendesk, HubSpot**) severed integrations as a precaution, with HubSpot explicitly stating no evidence of compromise. Forensic analysis by **Mandiant** and Salesforce revealed attackers exploited **compromised multifactor credentials** for VPN and critical system access. Customers were advised to **rotate S3 keys, reset NXT passwords, and re-authorize integrations**, while adopting **Google Threat Intelligence Group (GTIG) mitigations** to counter the **ShinyHunters-Scattered Spider-LAPSUS$ collective’s evolving tactics**. The incident underscores the group’s persistent focus on **Salesforce ecosystems**, leveraging **third-party app vulnerabilities, OAuth token abuse, and VPN obfuscation** to maximize impact. 
    Meanwhile, the SLSH alliance has **extended its targeting to Zendesk users**, deploying **typosquatted domains and malicious helpdesk tickets** to harvest credentials and deploy malware, as detailed in a concurrent campaign reported on **November 27, 2025**.

  4. 20.11.2025 20:54 1 article · 7d ago

    Almaviva Breach Exposes 2.3TB of FS Italiane Group Data

    A threat actor breached **Almaviva**, the IT services provider for **FS Italiane Group (Italy’s national railway operator)**, stealing **2.3TB of data** and leaking it on a dark web forum. The compromised files include **internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and complete datasets from FS Group companies**, with evidence confirming the data is recent (Q3 2025). Almaviva publicly acknowledged the breach, stating its **security monitoring services detected and isolated the attack**, activated counter-response procedures, and ensured the protection of critical services. The company notified Italian authorities, including the **police, national cybersecurity agency (ACN), and data protection authority (Garante)**, and is conducting an investigation with government support. The **structure of the leaked data**—organized into compressed archives by department/company—mirrors the tactics of **ransomware groups and data brokers active in 2024–2025**, though no specific group has claimed responsibility. Almaviva, a global IT provider with **41,000+ employees and $1.4B in annual revenue**, serves FS Italiane Group, a **100% state-owned railway operator** with **$18B+ in annual revenue**, managing railway infrastructure, passenger/freight transport, and logistics chains. As of November 20, 2025, it remains unclear whether **passenger information was exposed** or if other Almaviva clients beyond FS Italiane Group were impacted. The breach underscores the **growing risk to critical infrastructure via third-party IT providers**, a tactic increasingly used by groups like **ShinyHunters and Scattered Spider**.

  5. 25.09.2025 14:48 2 articles · 2mo ago

    Scattered Spider Members Arrested in September 2025

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

  6. 25.09.2025 14:48 2 articles · 2mo ago

    Noah Urban Sentenced for SIM-Swapping and Cybercrime Activities

  7. 25.09.2025 14:48 2 articles · 2mo ago

    Ransomware Attack Disrupts European Airports

  8. 24.09.2025 23:21 3 articles · 2mo ago

    Scattered Spider Member Surrenders in Las Vegas

  9. 18.09.2025 17:37 4 articles · 2mo ago

    UK Arrests Scattered Spider Members Linked to Transport for London Hack

  10. 15.09.2025 23:12 5 articles · 2mo ago

    Scattered Lapsus$ Hunters' Claims and Google's Response

  11. 13.09.2025 12:04 6 articles · 2mo ago

    FBI Alert on UNC6040 and UNC6395 Targeting Salesforce Platforms

    The **Gainsight cyber-attack** has expanded to impact more Salesforce customers than initially disclosed, with notifications sent to all affected parties by **November 21, 2025**. The breach began with **unauthorized access via an AT&T IP address on November 8**, followed by approximately **20 suspicious intrusions** between November 16–23 using **commercial VPN services (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**—a method previously observed in the **Salesloft Drift attack**. Gainsight temporarily disabled read/write capabilities for products like **Customer Success (CS), Community (CC), and Northpass**, while isolating **Staircase** (confirmed unaffected due to separate infrastructure). Third-party vendors, including **Gong.io, Zendesk, and HubSpot**, also disabled Gainsight integrations as a precaution, though HubSpot reported no evidence of compromise. Forensic investigations by **Mandiant (Google Cloud’s incident response team)** and Salesforce revealed the attackers leveraged **compromised multifactor credentials** for VPN and critical system access. Gainsight advised customers to **rotate S3 keys, reset NXT passwords, and re-authorize integrations**, while recommending mitigation measures from the **Google Threat Intelligence Group (GTIG)** to counter the **ShinyHunters-Scattered Spider-LAPSUS$ collective’s evolving tactics**. The incident underscores the persistent threat to **Salesforce ecosystems**, with attackers exploiting **third-party app vulnerabilities** and **OAuth token abuse** to expand their reach.

  12. 10.09.2025 18:29 5 articles · 2mo ago

    Jaguar Land Rover Data Breach Confirmed

  13. 25.08.2025 22:48 3 articles · 3mo ago

    Farmers Insurance Data Breach Details Revealed

  14. 21.08.2025 09:45 1 article · 3mo ago

    Scattered Spider Member Sentenced for Cybercrime Activities

    A 20-year-old member of Scattered Spider, Noah Michael Urban, was sentenced to ten years in prison and $13 million in restitution for wire fraud and aggravated identity theft. Urban was arrested in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023, resulting in the theft of at least $800,000 from five victims. Urban and his co-conspirators used SIM swapping attacks to hijack victims' cryptocurrency accounts and steal digital assets.

  15. 12.08.2025 19:20 15 articles · 3mo ago

    ShinyHunters and Scattered Spider Target Salesforce Customers

  16. 12.08.2025 15:00 15 articles · 3mo ago

    ShinyHunters and Scattered Spider Collaboration Detected

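The Zendesk entry above urges organizations to monitor for typosquatted domains such as *znedesk[.]com* and *vpn-zendesk[.]com*. The following classifier is an added illustration of that check and is not code from CyberHappenings or any cited report; the brand-owned apex list, the edit-distance threshold, the naive apex extraction and the control domains other than the two named in the entry are constructed assumptions.

```python
"""Flag domains that impersonate a protected brand (here: zendesk).

Two checks, mirroring the lures described in the Zendesk campaign entry:
  1. the brand appears inside a label of a domain that is NOT brand-owned,
     e.g. vpn-zendesk.com;
  2. a label is within Damerau-Levenshtein distance 1 of the brand,
     catching transpositions such as znedesk.com.
Input may be defanged with [.] as threat feeds usually are.
"""
from __future__ import annotations

import re

BRAND = "zendesk"
LEGIT_DOMAINS = {"zendesk.com"}   # apex domains owned by the brand (assumption)


def refang(domain: str) -> str:
    """Turn defanged notation like 'znedesk[.]com' back into 'znedesk.com'."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", domain.strip().lower()).rstrip(".")


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) distance."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def apex(domain: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list; assumption)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def classify(raw: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is one of legit / lookalike / unrelated."""
    domain = refang(raw)
    if apex(domain) in LEGIT_DOMAINS:
        return "legit", f"{domain} is under a brand-owned apex"
    labels = domain.split(".")[:-1]   # drop the TLD, inspect every remaining label
    for label in labels:
        if BRAND in label:
            return "lookalike", f"brand embedded in label '{label}'"
        # also test hyphen-separated tokens so 'vpn-znedesk' is caught
        for token in [label] + label.split("-"):
            if token and osa_distance(token, BRAND) <= 1:
                return "lookalike", f"'{token}' is within edit distance 1 of '{BRAND}'"
    return "unrelated", "no brand resemblance"


if __name__ == "__main__":
    # Constructed watchlist: the two domains named in the entry plus made-up controls.
    for d in ["znedesk[.]com", "vpn-zendesk[.]com", "help.zendesk.com",
              "zendeks.net", "example.org"]:
        print(d, "->", classify(d))
```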
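The Gainsight entry above lists atomic IOCs (the reconnaissance address 3.239.45[.]43 and the Salesforce-Multi-Org-Fetcher/1.0 user agent) alongside a behavioral pattern (roughly 20 intrusions from commercial VPN exits). The triage script below is an added example, not code from CyberHappenings or any cited report; the CSV layout, the integration-user names, the documentation-range source IPs and the VPN-hop threshold are constructed assumptions, not the real Salesforce Event Monitoring schema.

```python
"""Triage constructed Salesforce API-event records for the Gainsight IOCs.

Three detections, all derived from the report:
  * source IP matches the reconnaissance address 3.239.45.43;
  * user agent matches Salesforce-Multi-Org-Fetcher/1.0;
  * one integration user appears from many distinct source IPs inside a
    short window (the "~20 intrusions via commercial VPNs" pattern), which
    no single atomic IOC would catch.
The CSV columns below are a constructed stand-in for real event logs.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

IOC_IPS = {"3.239.45.43"}                            # refanged from the report
IOC_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0"}
VPN_HOP_THRESHOLD = 3            # distinct IPs per user within the window (assumption)
VPN_HOP_WINDOW = timedelta(hours=24)

# Constructed sample events: a Gainsight integration user and a human analyst.
# Source IPs other than the IOC come from RFC 5737 documentation ranges.
SAMPLE_EVENTS = """timestamp,user,source_ip,user_agent,connected_app
2025-10-23T08:15:02Z,int.gainsight@acme.example,3.239.45.43,python-requests/2.31,Gainsight
2025-11-08T13:40:11Z,int.gainsight@acme.example,203.0.113.7,Salesforce-Multi-Org-Fetcher/1.0,Gainsight
2025-11-16T02:10:44Z,int.gainsight@acme.example,198.51.100.21,Salesforce-Multi-Org-Fetcher/1.0,Gainsight
2025-11-16T05:22:09Z,int.gainsight@acme.example,198.51.100.88,Salesforce-Multi-Org-Fetcher/1.0,Gainsight
2025-11-16T09:01:37Z,int.gainsight@acme.example,192.0.2.14,Salesforce-Multi-Org-Fetcher/1.0,Gainsight
2025-11-17T10:00:00Z,analyst@acme.example,192.0.2.200,Mozilla/5.0,SalesforceUI
2025-11-18T10:00:00Z,analyst@acme.example,192.0.2.201,Mozilla/5.0,SalesforceUI
"""


def parse_events(text: str) -> list[dict]:
    """Parse CSV text into dicts, adding a parsed datetime under 'ts'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def ioc_hits(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, reason) for every event matching an atomic IOC."""
    hits = []
    for e in events:
        if e["source_ip"] in IOC_IPS:
            hits.append((e["timestamp"], e["user"], f"ioc_ip:{e['source_ip']}"))
        if e["user_agent"] in IOC_USER_AGENTS:
            hits.append((e["timestamp"], e["user"], f"ioc_user_agent:{e['user_agent']}"))
    return hits


def vpn_hoppers(events: list[dict]) -> dict[str, int]:
    """Users seen from >= VPN_HOP_THRESHOLD distinct IPs inside one sliding window.

    Events are grouped per user and sorted by time; the window slides over
    each user's sequence and the maximum distinct-IP count is kept.
    Returns user -> max distinct IPs for users that cross the threshold.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((e["ts"], e["source_ip"]))
    flagged = {}
    for user, seq in by_user.items():
        seq.sort()
        best, start = 0, 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > VPN_HOP_WINDOW:
                start += 1
            distinct = len({ip for _, ip in seq[start:end + 1]})
            best = max(best, distinct)
        if best >= VPN_HOP_THRESHOLD:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in ioc_hits(evs):
        print("IOC", hit)
    for user, n in vpn_hoppers(evs).items():
        print(f"VPN-hop suspect: {user} seen from {n} IPs within {VPN_HOP_WINDOW}")
```

The analyst's two logins sit exactly 24 hours apart and come from only two addresses, so they stay below the threshold; the integration user's three hops on 16 November trip it even though only one of them would ever match a static IOC.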


Similar Happenings

Unauthorized Data Access via Gainsight-Linked OAuth Activity by Scattered Lapsus$ Hunters

Salesforce detected unusual activity involving Gainsight-published applications, leading to unauthorized access to customer data. The company revoked all active tokens and removed the apps from AppExchange. The activity is linked to the Scattered Lapsus$ Hunters group, which has claimed responsibility for similar attacks, including a previous breach involving Salesloft Drift. Gainsight has engaged Mandiant for a forensic investigation and disabled connections with Hubspot and Zendesk as a precaution. Organizations are advised to review and revoke tokens for unused or suspicious third-party applications connected to Salesforce.

ShinyHunters Breach Affects Checkout.com Legacy Cloud Storage

Checkout.com, a global payment processing firm, disclosed a data breach involving a legacy cloud storage system compromised by the ShinyHunters threat group. The breach affected less than 25% of its current merchant base and included data from 2020 and earlier. The company refused to pay the ransom and instead plans to donate the amount to cybersecurity research at Carnegie Mellon University and the University of Oxford Cyber Security Center. The compromised data includes internal operational documents and onboarding materials. ShinyHunters is known for exploiting vulnerabilities and using social engineering tactics to extort large organizations.

DoorDash Data Breach Exposed User Contact Information

DoorDash confirmed a data breach in October 2025 where an unauthorized third party accessed user contact information, including names, phone numbers, physical addresses, and email details. The breach was caused by a social engineering attack on a DoorDash employee. The company has taken steps to mitigate the breach, including shutting down unauthorized access, starting an investigation, and referring the matter to law enforcement. DoorDash has also deployed new security enhancements and provided additional training for employees. This is the third notable security incident suffered by DoorDash in the last six years, following breaches in 2019 and 2022. The breach notification emails primarily targeted DoorDash Canada users, but the incident may extend beyond Canada. Users have expressed concerns about the timing of the notifications and the handling of the incident, with some users threatening legal action against DoorDash.

Scattered Spider, ShinyHunters, and LAPSUS$ Form Unified Cyber Extortion Collective

A new cyber extortion collective, Scattered LAPSUS$ Hunters (SLH), has emerged as a unified alliance combining Scattered Spider, ShinyHunters, and LAPSUS$. The group is leveraging the reputational capital of these three high-profile criminal brands to create a consolidated threat identity. SLH is using Telegram as a command hub and brand engine, cycling through public channels to maintain a persistent presence. The alliance aims to fill the void left by the collapse of BreachForums and attract displaced operators with an affiliate-driven extortion model. SLH has created 16 Telegram channels since August 8, 2025, and offers an extortion-as-a-service (EaaS) model. The group is part of a larger cybercriminal enterprise known as The Com and has associations with other threat clusters, including CryptoChameleon and Crimson Collective. SLH's activities blend financially motivated cybercrime and attention-driven hacktivism, with a mature grasp of perception and legitimacy within the cybercriminal ecosystem. The group has hinted at developing a custom ransomware family named Sh1nySp1d3r and is aligned with DragonForce, functioning as an affiliate to break into targets through social engineering techniques. Recently, the admin of SLH, Rey, a 16-year-old named Saif Al-Din Khader from Amman, Jordan, has been cooperating with law enforcement since June 2025. Rey has been involved in releasing SLSH's new ShinySp1d3r ransomware-as-a-service offering, which is a rehash of Hellcat ransomware modified with AI tools.

MuddyWater Phishing Campaign Using Compromised Mailboxes

The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack.