ShinyHunters-Scattered Spider-Sp1d3rhunters ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
ShinyHunters and Scattered Spider are showing an emerging collaboration that raises attribution and defense risk across major-company intrusions. The overlap blends large-scale data theft with voice phishing and domain impersonation, making future operations harder to stop. Analysts tied the shift to shared infrastructure, overlapping targets, and synchronized activity in retail and insurance. The result is a broader, more adaptive cybercrime ecosystem that weakens IoC-driven detection.
Related Happenings
PurpleBravo Contagious Interview campaign
Campaign
First: 21.01.2026 19:17
Last: 21.01.2026 19:17
Sources 1
About this happening:
The **North Korea-linked Contagious Interview** campaign is refining its malware stack, with **Cisco Talos** reporting that **BeaverTail** and **OtterCookie** are being merged mor...
Latest development: 22.04.2026 17:48
North Korean actor Void Dokkaebi, aka Famous Chollima, pushed the Contagious Interview fake-job campaign into a self-propagating software supply chain operation by abusing compromised developer repositories, malicious Visual Studio (VS) Code tasks, and injected code that can run during normal development activity to spread malware and steal cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure. Trend Micro said the campaign also stages payloads on Tron, Aptos, and Binance Smart Chain, and in March it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool.
Parked and typosquatting domains now redirect most visitors to scams and malware
Target Trend
First: 16.12.2025 16:14
Last: 16.12.2025 16:14
Sources 1
About this happening:
Large-scale experiments found **parked domains** and **typosquatting domains** now commonly send visitors to **scams**, **scareware**, or **malware**, turning routine mistyped nav...
Calendly-themed brand-impersonation phishing campaign targeting ad manager accounts
Campaign
First: 02.12.2025 16:00
Last: 02.12.2025 16:00
Sources 1
About this happening:
An ongoing **Calendly-themed phishing campaign** is impersonating major brands to steal **Google Workspace** and **Facebook business** credentials, creating takeover risk for ad a...
Tomiris 2025 government-targeting campaign
Campaign
First: 01.12.2025 07:07
Last: 01.12.2025 07:07
Sources 1
About this happening:
The **Tomiris 2025 campaign** is using **phishing** and **public-service C2** to target **foreign ministries**, **intergovernmental organizations**, and **government entities**, i...
Scattered Lapsus$ Hunters Zendesk targeting campaign
Campaign
First: 27.11.2025 11:30
Last: 27.11.2025 11:30
Sources 1
About this happening:
The **Scattered Lapsus$ Hunters** campaign is targeting **Zendesk users** with **typosquatted domains** and **malicious helpdesk tickets**, raising the risk of **credential theft*...
Timeline
- 12.08.2025 15:00 · 1 article · 9mo ago
ReliaQuest links ShinyHunters and Scattered Spider tactics
Technical Analysis Update
ReliaQuest assessed that recent attacks on Google, Louis Vuitton, and Allianz point to an emerging collaboration between ShinyHunters and Scattered Spider, with shared infrastructure, synchronized retail and insurance targeting, and domain patterns such as SSO-company[.]com, ticket-lvmh[.]com, ticket-dior[.]com, and ticket-louisvuitton[.]com. The analysis says ShinyHunters has increasingly used highly targeted vishing, while also using spoofed software and platforms such as Salesforce, Okta-themed phishing pages, and Mullvad-based VPN obfuscation, which makes attribution and IoC-driven detection less reliable.
Sources:
- ShinyHunters Tactics Now Mirror Scattered Spider — www.darkreading.com — 12.08.2025 15:00
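Because the reported domains follow a naming pattern rather than a fixed list, a defender can match the pattern itself against newly observed hostnames. The sketch below is an added example, not code from ReliaQuest or this page; the function names, the `examplecorp` brand and the sample hostnames are constructed, and it generalizes slightly by also catching hyphenated brand spellings.

```python
import re

# Keywords taken from the domain patterns reported on this page.
KEYWORDS = ("sso", "ticket")
# Watchlist: brands named on the page plus a constructed placeholder.
BRANDS = ("lvmh", "dior", "louisvuitton", "examplecorp")

def refang(indicator: str) -> str:
    """Normalise a defanged indicator (hxxp, [.]) to a bare lowercase hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^h(?:xx|tt)ps?://", "", s)
    return s.split("/")[0].split(":")[0].rstrip(".")

def registrable_label(host: str) -> str:
    """Second-to-last label. Assumption: single-label TLDs such as .com;
    multi-part suffixes (co.uk) need a public suffix list."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else ""

def match_pattern(indicator: str, brands=BRANDS, keywords=KEYWORDS):
    """Return (keyword, brand) if the registrable label is <keyword>-<brand>."""
    label = registrable_label(refang(indicator))
    keyword, sep, rest = label.partition("-")
    if not sep or keyword not in keywords:
        return None
    brand = rest.replace("-", "")  # treat louis-vuitton like louisvuitton
    return (keyword, brand) if brand in brands else None

def triage(observed):
    """Map each matching hostname to the (keyword, brand) pair it imitates."""
    return {d: m for d in observed if (m := match_pattern(d))}

# Constructed sample of newly observed hostnames (not real telemetry).
SAMPLE = [
    "ticket-lvmh[.]com",                          # pattern from the page
    "hxxps://Ticket-Louis-Vuitton[.]com/login",   # hyphenated variant
    "sso-examplecorp[.]com",                      # placeholder brand
    "sso.examplecorp.com",                        # subdomain of the brand's own zone: no hit
    "ticket-sales.example",                       # keyword without a watched brand: no hit
]

if __name__ == "__main__":
    for host, hit in triage(SAMPLE).items():
        print(host, "->", hit)
```
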