
ShinyHunters and Scattered Spider Collaboration

📰 3 unique sources, 8 articles

Summary


ShinyHunters and Scattered Spider, two distinct cybercrime groups, have been collaborating in recent attacks on major companies. This partnership combines ShinyHunters' expertise in large-scale data theft with Scattered Spider's proficiency in social engineering. The collaboration, evident in shared tactics, infrastructure, and synchronized targeting, makes future campaigns harder to detect and mitigate. The groups have targeted companies like Google, Louis Vuitton, Allianz, Salesforce customers, and Workday, using tactics such as vishing, domain spoofing, credential misuse, and VPN obfuscation. This collaboration poses a significant threat to organizations, necessitating a shift in defensive strategies to focus on behavioral patterns and proactive detection measures.

The collaboration has also expanded to include the development of a ransomware-as-a-service solution called ShinySp1d3r, and the groups have ties to a broader cybercriminal network known as The Com. Additionally, BreachForums, a cybercrime forum associated with ShinyHunters, has been turned into a honeypot by international law enforcement. The Allianz Life breach, part of this campaign, impacted 1.1 million individuals, with personal information stolen and leaked by ShinyHunters. Scattered Spider has also been involved in sophisticated social engineering attacks targeting high-profile organizations worldwide, and has recently shifted focus to the aviation and transportation industries.

A 20-year-old member of Scattered Spider, Noah Michael Urban, was sentenced to ten years in prison for wire fraud and aggravated identity theft. Urban, also known by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was ordered to pay $13 million in restitution. Urban was arrested in January 2024 for thefts totaling at least $800,000 from at least five victims. Urban and co-conspirators used SIM swapping attacks to hijack cryptocurrency accounts. The DoJ unsealed charges against Urban and four other Scattered Spider members in November 2023. Tyler Robert Buchanan, another member, was extradited from Spain to the U.S. in April 2025.

Scattered Spider, ShinyHunters, and LAPSUS$ have formed a new cybercrime alliance associated with The Com. Scattered Spider uses tactics to generate urgency and fear, including timed leaks and countdown threats. Scattered Spider targets specific sectors and attacks multiple organizations within that vertical over a short span. Scattered Spider exploits weaknesses in security programs by targeting people through social engineering. The group Scattered Lapsus$ Hunters, a collaboration of ShinyHunters, Scattered Spider, and LAPSUS$, has claimed responsibility for accessing Google's Law Enforcement Request System (LERS) and the FBI's eCheck system. The group has targeted Salesforce data through social engineering and exploitation of exposed authentication tokens, impacting multiple high-profile companies. Google Threat Intelligence (Mandiant) has been actively tracking and disclosing the activities of the Scattered Lapsus$ Hunters group, which has taunted law enforcement and security researchers through various Telegram channels.

Scattered Spider has resumed attacks on the financial sector despite claims of retirement. The group gained access to a U.S. banking organization by socially engineering an executive's account and resetting passwords via Azure Active Directory Self-Service Password Management. They accessed sensitive IT and security documents, moved laterally through Citrix and VPN environments, and compromised VMware ESXi infrastructure. The group attempted to exfiltrate data from Snowflake and AWS repositories, reset a Veeam service account password, and assigned Azure Global Administrator permissions. Scattered Spider's recent activity contradicts their claims of ceasing operations and is likely a strategic move to evade law enforcement pressure. The group may regroup or rebrand under a different alias in the future.
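The banking intrusion above hinges on two audit-log events that are individually mundane but telling in sequence: a self-service password reset on an executive account, and shortly afterwards a Global Administrator assignment. The following is an added example, not code from CyberHappenings or from any of its sources, that correlates the two over Microsoft Entra ID (Azure AD) audit records. The records, accounts, times and tenant name are constructed; the field names (activityDateTime, activityDisplayName, initiatedBy, target, role) only loosely follow the Entra audit-log shape and are assumptions, so map them to your own export before use. The check goes one step further than the single incident described: it links the role assignment to a recent reset of either the elevated account or the account that performed the elevation, since a hijacked account is often used to elevate a different one.

```python
"""
Correlate Entra ID (Azure AD) audit-log records to flag a self-service
password reset that is followed, within a short window, by a privileged
role assignment. All sample records are constructed for this example.
"""
from datetime import datetime, timedelta

# Roles whose assignment should always be reviewed; extend as needed.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed records (assumed field names; invented accounts and times).
SAMPLE_EVENTS = [
    {"activityDateTime": "2025-09-16T08:00:00Z", "activityDisplayName": "Reset password (self-service)",
     "initiatedBy": "analyst@example-bank.test", "target": "analyst@example-bank.test", "role": None},
    {"activityDateTime": "2025-09-16T09:02:00Z", "activityDisplayName": "Reset password (self-service)",
     "initiatedBy": "cfo@example-bank.test", "target": "cfo@example-bank.test", "role": None},
    # 38 minutes after the reset, the reset account is made Global Administrator.
    {"activityDateTime": "2025-09-16T09:40:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": "cfo@example-bank.test", "target": "cfo@example-bank.test", "role": "Global Administrator"},
    {"activityDateTime": "2025-09-16T10:15:00Z", "activityDisplayName": "Reset password (self-service)",
     "initiatedBy": "helpdesk@example-bank.test", "target": "helpdesk@example-bank.test", "role": None},
    # Reset followed by a non-privileged role: not flagged.
    {"activityDateTime": "2025-09-16T10:30:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": "itadmin@example-bank.test", "target": "helpdesk@example-bank.test", "role": "Helpdesk Administrator"},
    # The recently reset account elevates a different account: flagged via the initiator.
    {"activityDateTime": "2025-09-16T11:00:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": "cfo@example-bank.test", "target": "svc-backup@example-bank.test", "role": "Global Administrator"},
    # Same initiator 18 hours after its reset: outside the default window, not flagged.
    {"activityDateTime": "2025-09-17T03:00:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": "cfo@example-bank.test", "target": "svc-archive@example-bank.test", "role": "Global Administrator"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_reset_then_privileged_role(events, window_hours=6):
    """Return one alert per privileged role assignment whose target or
    initiator had a self-service password reset within window_hours before it."""
    window = timedelta(hours=window_hours)
    ordered = sorted(events, key=lambda e: parse_ts(e["activityDateTime"]))
    last_reset = {}  # account -> time of its most recent self-service reset
    alerts = []
    for event in ordered:
        when = parse_ts(event["activityDateTime"])
        if event["activityDisplayName"] == "Reset password (self-service)":
            last_reset[event["target"]] = when
            continue
        if event["activityDisplayName"] != "Add member to role":
            continue
        if event["role"] not in PRIVILEGED_ROLES:
            continue
        # Check the elevated account first, then the account doing the elevating.
        for account, linked_as in ((event["target"], "target"), (event["initiatedBy"], "initiator")):
            reset_at = last_reset.get(account)
            if reset_at is None or not (timedelta(0) <= when - reset_at <= window):
                continue
            alerts.append({
                "account": account,
                "linked_as": linked_as,
                "role": event["role"],
                "elevated": event["target"],
                "minutes_between": int((when - reset_at).total_seconds() // 60),
            })
            break
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_privileged_role(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed records this produces two alerts: the executive account elevating itself 38 minutes after its reset, and the same account elevating a service account 118 minutes after the reset. A six-hour window is a starting point, not a recommendation; tune it to how quickly legitimate reset-then-elevate sequences occur in your tenant, and treat every Global Administrator assignment as review-worthy regardless of this correlation.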

Timeline

  1. 17.09.2025 11:49 📰 1 article · ⏱ 9h ago

    Scattered Spider Resurfaces With Financial Sector Attacks

    Scattered Spider has resumed attacks on the financial sector, targeting a U.S. banking organization through social engineering and exploiting Azure Active Directory. The group accessed sensitive IT and security documents, moved laterally through Citrix and VPN environments, and compromised VMware ESXi infrastructure. They attempted to exfiltrate data from Snowflake and AWS repositories, reset a Veeam service account password, and assigned Azure Global Administrator permissions. Scattered Spider's recent activity contradicts their claims of retirement, suggesting a strategic move to evade law enforcement pressure. The group may regroup or rebrand under a different alias in the future.

  2. 15.09.2025 23:12 📰 1 article · ⏱ 1d ago

    Scattered Lapsus$ Hunters claims access to Google's LERS and FBI's eCheck system

    The group Scattered Lapsus$ Hunters has claimed responsibility for accessing Google's Law Enforcement Request System (LERS) and the FBI's eCheck system. The group has utilized social engineering scams to trick employees into connecting Salesforce's Data Loader tool to corporate Salesforce instances, allowing them to steal data and extort companies. They have also breached Salesloft's GitHub repository to find authentication tokens for further data theft attacks. The group has impacted numerous companies, including Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, Tiffany & Co, Cloudflare, Zscaler, Elastic, Proofpoint, JFrog, Rubrik, and Palo Alto Networks. Despite claiming to be retiring, cybersecurity researchers believe the group will continue conducting attacks quietly.

  3. 21.08.2025 11:34 📰 3 articles · ⏱ 27d ago

    Scattered Spider's Tactics and Targets Detailed

    Scattered Spider has resumed attacks on the financial sector, targeting a U.S. banking organization through social engineering and exploiting Azure Active Directory. The group accessed sensitive IT and security documents, moved laterally through Citrix and VPN environments, and compromised VMware ESXi infrastructure. They attempted to exfiltrate data from Snowflake and AWS repositories, reset a Veeam service account password, and assigned Azure Global Administrator permissions. Scattered Spider's recent activity contradicts their claims of retirement, suggesting a strategic move to evade law enforcement pressure. The group may regroup or rebrand under a different alias in the future.

  4. 21.08.2025 09:45 📰 2 articles · ⏱ 27d ago

    Scattered Spider Member Sentenced for Cybercrimes

    The article provides additional details on Urban's sentencing, including his arguments that the sentence was unjust and that another Scattered Spider member had hacked the judge during the case. The article also mentions that Urban received a 120-month prison sentence, despite prosecutors requesting only eight years, and will pay $13 million in restitution.

  5. 19.08.2025 10:17 📰 1 article · ⏱ 29d ago

    Allianz Life Breach Details and Extortion Campaign

    The Allianz Life breach, part of the ongoing campaign by ShinyHunters and Scattered Spider, impacted 1.1 million individuals. The attackers gained access to a third-party cloud CRM system on July 16th, stealing personal information including email addresses, names, genders, dates of birth, phone numbers, and physical addresses. ShinyHunters leaked the databases stolen from Allianz Life's Salesforce instances, containing roughly 2.8 million data records. The attacks began at the start of the year, with threat actors tricking employees into linking a malicious OAuth app to their company's Salesforce instance. The extortion demands were signed as coming from ShinyHunters. The breach impacted multiple high-profile companies, including Google, Adidas, Qantas, Louis Vuitton, Dior, Tiffany & Co., Chanel, and Workday.

  6. 18.08.2025 20:00 📰 1 article · ⏱ 1mo ago

    Workday Breach Linked to ShinyHunters Salesforce Attacks

    ShinyHunters compromised Workday's third-party CRM system using social engineering tactics. The attackers obtained business contact information but did not access customer data. Workday has implemented additional security measures to protect against future attacks.

  7. 12.08.2025 19:20 📰 3 articles · ⏱ 1mo ago

    ShinyHunters Adopts New Tactics and Expands Targeting

    The group Scattered Lapsus$ Hunters has utilized social engineering scams to trick employees into connecting Salesforce's Data Loader tool to corporate Salesforce instances, allowing them to steal data and extort companies. They have also breached Salesloft's GitHub repository to find authentication tokens for further data theft attacks. The group has impacted numerous companies, including Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, Tiffany & Co, Cloudflare, Zscaler, Elastic, Proofpoint, JFrog, Rubrik, and Palo Alto Networks.

  8. 12.08.2025 15:00 📰 6 articles · ⏱ 1mo ago

    ShinyHunters and Scattered Spider Collaboration Evident in Recent Attacks

    The group Scattered Lapsus$ Hunters, a collaboration of ShinyHunters, Scattered Spider, and LAPSUS$, has claimed responsibility for accessing Google's Law Enforcement Request System (LERS) and the FBI's eCheck system. The group has targeted Salesforce data through social engineering and exploitation of exposed authentication tokens, impacting multiple high-profile companies. The group has also taunted the FBI, Google, Mandiant, and security researchers through various Telegram channels.

Similar Happenings

RaccoonO365 Phishing-as-a-Service Infrastructure Disrupted

Microsoft and Cloudflare disrupted the RaccoonO365 phishing-as-a-service (PhaaS) network, seizing 338 domains used by the threat group Storm-2246. The operation targeted over 5,000 Microsoft 365 credentials from 94 countries since July 2024. The group, led by Joshua Ogundipe, used Cloudflare services to protect phishing pages, making detection more challenging. The disruption began on September 2, 2025, and involved banning domains, placing warning pages, and terminating associated scripts. The group targeted over 2,300 organizations in the U.S., including healthcare entities, and offered AI-powered services to enhance phishing attacks. The stolen credentials, cookies, and other data were used in financial fraud attempts, extortion attacks, or as initial access to other victims' systems. RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals.

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang.

The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.

A further FileFix variant involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query. The attack uses a Windows shortcut LNK file disguised as a PDF to initiate the infection chain. The LNK file downloads a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has thus evolved to include a more sophisticated infection chain that bypasses traditional detection methods, using a multi-stage process involving Windows File Explorer, a fake PDF lure, and an MSI package to deploy MetaStealer, and combining social engineering with advanced technical techniques to evade detection.

FinWise Bank insider breach impacts 689K American First Finance customers

FinWise Bank experienced a data breach on May 31, 2024, when a former employee accessed sensitive files after their employment ended. The breach affected 689,000 customers of American First Finance (AFF), a company that offers consumer financing products. The compromised data included full names and other personal information. FinWise has strengthened internal controls and is offering free credit monitoring services to affected individuals. The incident is facing multiple class-action lawsuits. The breach was discovered and investigated with the help of outside cybersecurity professionals. The exact methods used by the former employee to access the data remain undisclosed.

UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

Microsoft's RC4 Encryption Vulnerability Exploited in Black Basta Ransomware Attack on Ascension

U.S. Senator Ron Wyden has called for an FTC investigation into Microsoft's cybersecurity practices, citing the company's support for RC4 encryption and insecure default settings that facilitated a ransomware attack on the Ascension healthcare network. The attack, attributed to the Black Basta ransomware group, compromised nearly 5.6 million individuals' personal and medical information. The breach occurred when a contractor's system was infected via a malicious link on Microsoft's Bing search engine. Attackers exploited insecure default settings and Kerberoasting techniques to gain elevated access to Ascension's network. Microsoft has acknowledged the vulnerabilities and plans to deprecate RC4 support in future updates. Wyden has criticized Microsoft for not clearly warning customers about the risks associated with RC4 encryption and for not taking decisive action to mitigate security risks.
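The Ascension summary names Kerberoasting and RC4 support together for a reason: a service ticket issued with the RC4-HMAC key is derived from the service account's password alone, which is what makes offline cracking of such tickets attractive. The check a defender wants is therefore a triage of Windows Security event 4769 (a Kerberos service ticket was requested) for RC4 tickets requested by user accounts, and a count of how many distinct services one account requests that way. The following is an added example, not code from CyberHappenings, from Senator Wyden's letter, or from Microsoft. The log lines are constructed in a flat key=value layout for readability, so the parser is an assumption to adapt to your SIEM's export; the field names mirror the 4769 event (AccountName, ServiceName, TicketEncryptionType) and 0x17 is the documented RC4-HMAC encryption type.

```python
"""
Triage Kerberos service-ticket requests (Windows Security event 4769)
for RC4-HMAC tickets requested by user accounts, which is the pattern
Kerberoasting produces. Log lines are constructed for this example.
"""
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC; 0x12 is AES256

# Constructed sample lines (flattened key=value form; accounts and hosts invented).
SAMPLE_4769_LINES = [
    "EventID=4769 TimeCreated=2025-09-10T14:02:11Z AccountName=jdoe@CORP.EXAMPLE ServiceName=MSSQLSvc/db01.corp.example TicketEncryptionType=0x17 ClientAddress=10.0.5.21",
    "EventID=4769 TimeCreated=2025-09-10T14:02:12Z AccountName=jdoe@CORP.EXAMPLE ServiceName=HTTP/intranet.corp.example TicketEncryptionType=0x17 ClientAddress=10.0.5.21",
    "EventID=4769 TimeCreated=2025-09-10T14:02:12Z AccountName=jdoe@CORP.EXAMPLE ServiceName=CIFS/files01.corp.example TicketEncryptionType=0x17 ClientAddress=10.0.5.21",
    "EventID=4769 TimeCreated=2025-09-10T14:02:13Z AccountName=jdoe@CORP.EXAMPLE ServiceName=ldap/dc01.corp.example TicketEncryptionType=0x17 ClientAddress=10.0.5.21",
    # Computer account: machine-to-machine traffic, excluded from the triage list.
    "EventID=4769 TimeCreated=2025-09-10T14:05:40Z AccountName=WS01$@CORP.EXAMPLE ServiceName=CIFS/files01.corp.example TicketEncryptionType=0x17 ClientAddress=10.0.5.30",
    # AES256 ticket: not roastable in the RC4 sense.
    "EventID=4769 TimeCreated=2025-09-10T14:06:02Z AccountName=asmith@CORP.EXAMPLE ServiceName=HTTP/intranet.corp.example TicketEncryptionType=0x12 ClientAddress=10.0.5.44",
    # krbtgt service: ticket-granting traffic, excluded.
    "EventID=4769 TimeCreated=2025-09-10T14:07:15Z AccountName=jdoe@CORP.EXAMPLE ServiceName=krbtgt/CORP.EXAMPLE TicketEncryptionType=0x17 ClientAddress=10.0.5.21",
    # One RC4 request from another user: listed for triage, but below the spray threshold.
    "EventID=4769 TimeCreated=2025-09-10T14:09:50Z AccountName=bwong@CORP.EXAMPLE ServiceName=MSSQLSvc/db01.corp.example TicketEncryptionType=0x17 ClientAddress=10.0.5.52",
]


def parse_event(line):
    """Turn one flattened key=value log line into a dict (assumed layout)."""
    return dict(field.split("=", 1) for field in line.split())


def is_rc4_user_service_request(event):
    """True for a 4769 RC4 ticket requested by a user account for a real service
    (computer accounts and the krbtgt service are excluded)."""
    if event.get("EventID") != "4769" or event.get("TicketEncryptionType") != RC4_HMAC:
        return False
    user = event.get("AccountName", "").split("@", 1)[0]
    service = event.get("ServiceName", "")
    if user.endswith("$") or service.lower().startswith("krbtgt"):
        return False
    return True


def rc4_service_ticket_requests(lines):
    """All parsed events that merit triage as potential Kerberoasting activity."""
    return [e for e in map(parse_event, lines) if is_rc4_user_service_request(e)]


def accounts_requesting_many_rc4_tickets(lines, threshold=3):
    """Accounts that requested RC4 tickets for at least `threshold` distinct
    services: a single account sweeping many SPNs is the roasting signature."""
    services = defaultdict(set)
    for event in rc4_service_ticket_requests(lines):
        services[event["AccountName"]].add(event["ServiceName"])
    return {acct: sorted(spns) for acct, spns in services.items() if len(spns) >= threshold}


if __name__ == "__main__":
    for event in rc4_service_ticket_requests(SAMPLE_4769_LINES):
        print(event["TimeCreated"], event["AccountName"], "->", event["ServiceName"])
    print(accounts_requesting_many_rc4_tickets(SAMPLE_4769_LINES))
```

On the constructed lines, five requests are listed for triage and one account (jdoe) stands out for sweeping four services. RC4 tickets also appear legitimately wherever a service account has no AES keys, so the list is a starting point for review rather than a verdict; the durable fix is to restrict service accounts to AES (msDS-SupportedEncryptionTypes), give them long random passwords or move them to group managed service accounts, and minimise the privileges attached to any SPN-bearing account.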