Listen to this Post

Introduction
After a year of silence, the notorious cybercriminal group ShinyHunters has made a formidable return, launching highly sophisticated attacks against Salesforce platforms used by major organizations, including Google. Security researchers from ReliaQuest have uncovered alarming evidence suggesting that ShinyHunters may now be collaborating with the Scattered Spider collective. This new alliance signals a dangerous evolution in tactics, targeting enterprises with precision and leveraging social engineering techniques previously unseen from ShinyHunters. As digital platforms become increasingly essential for corporate operations, understanding this emerging threat is crucial for organizations seeking to safeguard sensitive data.
ShinyHunters’ New Offensive Strategy
ReliaQuest’s investigation highlights that ShinyHunters has moved beyond its traditional strategies of credential theft and database exploitation. The group now mimics Scattered Spider’s approach, focusing on highly targeted vishing campaigns, where attackers impersonate IT support personnel. Employees are tricked into authorizing malicious Salesforce “connected apps,” which appear legitimate but are engineered to exfiltrate critical data.
These attacks often involve Okta-themed phishing pages combined with VPN obfuscation using Mullvad VPN, creating multiple layers of concealment. This marked shift in tactics indicates ShinyHunters’ intent to operate with higher sophistication and strategic alignment with other cybercriminal collectives, including The Com.
Supporting evidence includes a BreachForums user named “Sp1d3rhunters,” a clear fusion of both group names. This user claimed the groups “are the same” and leaked Ticketmaster breach data, hinting at collaboration dating back to July 2024.
Infrastructure Analysis and Targeting Patterns
An in-depth domain investigation revealed a network of ticket-themed phishing domains registered between June 20-30, 2025, such as ticket-lvmh[.]com, ticket-dior[.]com, and ticket-louisvuitton[.]com. All domains shared registration traits like GMO Internet, temporary emails from mailshan[.]com, and Cloudflare-masked nameservers.
These domains hosted Okta-branded phishing pages, directing users to a so-called “Ticket Dashboard,” mirroring attacks that disguise malicious Salesforce Data Loader apps as “My Ticket Portal.” Other impersonating domains like ticket-nike[.]com and dashboard-salesforce[.]com suggest a well-organized and ongoing operation.
Financial Sector in the Crosshairs
Analysis of over 700 suspicious domains shows a strategic pivot toward financial institutions. Registrations targeting banks, insurance companies, and financial services rose 12% since July 2025, while targeting technology firms fell 5%. This shift underscores the potential payoff of high-value financial data and payment information.
The convergence of advanced social engineering, domain impersonation, and targeted vishing positions this possible alliance as a major threat to enterprise cybersecurity. Companies are urged to monitor for suspicious Salesforce connected app authorizations, anomalous data access, and credential-harvesting attempts.
What Undercode Say:
The resurgence of ShinyHunters marks a critical turning point in cybercrime trends. By collaborating with the Scattered Spider collective, ShinyHunters is clearly embracing multi-layered attack strategies that combine technical sophistication with psychological manipulation. Unlike previous campaigns, which relied largely on database breaches and simple credential theft, this new wave employs social engineering as the primary vector, demonstrating a deeper understanding of enterprise operations and human vulnerabilities.
The emergence of ticket-themed phishing domains is particularly concerning. By targeting well-known brands and financial institutions, attackers exploit trust and familiarity to bypass security measures. The use of Okta-branded pages and VPN obfuscation illustrates a highly calculated approach to avoid detection while maintaining operational anonymity.
This shift toward financial services indicates an economic incentive-driven strategy. Cybercriminals are prioritizing organizations where access to sensitive financial data can yield immediate monetary gains, either through fraud, resale of data, or ransomware campaigns.
Moreover, the evidence of cross-group collaboration suggests the formation of a cybercriminal alliance capable of sharing infrastructure, intelligence, and techniques. This could redefine threat landscapes by introducing coordinated campaigns that are faster, more targeted, and harder to detect.
Enterprises must respond with layered security measures, including employee training on social engineering, monitoring for suspicious Salesforce app authorizations, and implementing advanced network analytics to detect anomalous data access.
The ShinyHunters case also underscores the importance of threat intelligence sharing. Organizations leveraging real-time intelligence, domain monitoring, and forensic analysis can proactively mitigate risks before breaches occur. In an era where cybercrime is increasingly collaborative, staying ahead of evolving tactics is not optional but essential.
Ultimately, the ShinyHunters resurgence represents a paradigm shift in cybercrime tactics, combining old-school technical exploitation with cutting-edge psychological manipulation, redefining enterprise cybersecurity risks.
🔍 Fact Checker Results
✅ Collaboration with Scattered Spider supported by ReliaQuest investigation
✅ Attack vector includes Salesforce connected apps and Okta-themed phishing
❌ No evidence yet of successful data exfiltration from Google
📊 Prediction
ShinyHunters’ alliance with Scattered Spider is likely to expand across multiple sectors, with financial institutions remaining top targets. Expect more sophisticated social engineering campaigns leveraging trusted brands and cloud platforms. Organizations investing in employee awareness, multi-factor authentication, and real-time domain monitoring will be best positioned to withstand this evolving threat.
If you want, I can also turn this into a fully SEO-optimized, keyword-rich article ready for publication with headings, internal links, and meta descriptions. Do you want me to do that?
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub:
https://www.twitter.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




