Cybercrime Groups ShinyHunters and Scattered Spider Unite for Targeted Extortion Campaign Against Businesses

August 12, 2025
Cybercrime / Financial Security

A continuing data extortion initiative targeting Salesforce clients may soon expand its focus to encompass financial services and tech providers, as recent findings suggest collaboration between ShinyHunters and Scattered Spider. “This latest series of attacks attributed to ShinyHunters indicates a significant tactical shift, moving past their prior methods of credential theft and database exploitation,” reports ReliaQuest to The Hacker News. Their new approach incorporates strategies akin to those used by Scattered Spider, including highly-targeted vishing (voice phishing) and social engineering tactics, the use of applications that pose as legitimate tools, and Okta-themed phishing pages to deceive victims into revealing credentials during vishing attempts, alongside VPN obfuscation for data exfiltration. ShinyHunters, which first emerged in 2020, is a financially motivated group that has executed numerous data breaches targeting major corporations.

Cybercrime Alliances: ShinyHunters and Scattered Spider Collaborate in Targeted Extortion Campaigns

August 12, 2025
Cybercrime / Financial Security

Recent developments reveal an alarming partnership in the cybercrime landscape, as the notorious groups ShinyHunters and Scattered Spider are joining forces to escalate extortion attacks specifically targeting businesses, including Salesforce customers. This collaboration signifies a significant evolution in the tactics employed by ShinyHunters, previously known for credential theft and database exploitation. According to a report by ReliaQuest, the shift in strategy indicates a new level of sophistication as the group integrates methods reminiscent of Scattered Spider’s operations.

The joint campaign appears poised to extend beyond its current focus on Salesforce clientele, with financial services and technology service providers potentially becoming the next targets. The collaboration has notably incorporated advanced techniques such as vishing—voice phishing—which employs social engineering tactics that exploit trust. The attackers are reportedly using counterfeit applications that mimic legitimate services to deceive victims. Moreover, they have integrated Okta-themed phishing pages designed to surreptitiously capture user credentials during these vishing calls, further enhancing their effectiveness.

This partnership underscores a worrying trend where cybercriminals are leveraging more refined approaches that blur the lines between traditional hacking methods and psychological manipulation. By adopting VPN obfuscation tactics, the groups aim to mask their data exfiltration processes, complicating detection efforts for organizations seeking to safeguard their sensitive information.

ShinyHunters, which emerged onto the cybercrime scene in 2020, is predominantly driven by financial motivations and has previously executed numerous high-profile data breaches targeting prominent organizations. The group’s adaptations could signify a wider shift in how extortion attacks are being executed across sectors.

Cybersecurity experts emphasize that organizations must remain vigilant against these emerging threats, especially as this collaboration is likely to yield even more sophisticated attacks. Drawing from the MITRE ATT&CK framework, potential adversary tactics employed in these attacks may include initial access through vishing, employing persistence techniques via compromised credentials, and privilege escalation to gain further access to sensitive systems.

The broadening scope of victim targeting—from Salesforce users to financial and tech service providers—raises immediate concerns for business owners regarding their cybersecurity posture. With such consortia evolving in the cybercrime ecosystem, organizations must enhance their defenses by educating employees about social engineering risks and investing in robust security measures to thwart these complex attacks.

As these threats continue to develop, the collaboration between ShinyHunters and Scattered Spider exemplifies the necessity for proactive cybersecurity strategies. Companies are urged to stay informed about the latest cyber threats and implement comprehensive protective measures to mitigate the risk of falling victim to such collaborative extortion campaigns.

Source link

Related Posts

Charon Ransomware Targets Middle East Industries with Advanced Evasion Techniques

Aug 13, 2025
Endpoint Security / Cybercrime

Cybersecurity researchers have unveiled a new campaign featuring an undocumented ransomware variant named Charon, targeting the public sector and aviation industry in the Middle East. According to Trend Micro, the attackers employed tactics reminiscent of advanced persistent threat (APT) groups, including DLL side-loading and process injection, successfully evading endpoint detection and response (EDR) systems. The use of DLL side-loading parallels techniques associated with the China-linked hacking group Earth Baxia, which has previously targeted government entities in Taiwan and the Asia-Pacific region to deploy a backdoor known as EAGLEDOOR, following the exploitation of a now-patched vulnerability in OSGeo GeoServer GeoTools. “The attack chain utilized a legitimate browser-related file, Edge.exe (originally cookie_exporter.exe), to sideload a…”

Zoom and Xerox Release Urgent Security Updates to Address Privilege Escalation and RCE Vulnerabilities

Aug 13, 2025
Vulnerability / Software Security

Zoom and Xerox have released critical security updates for Zoom Clients on Windows and FreeFlow Core, addressing significant vulnerabilities that could enable privilege escalation and remote code execution (RCE). The flaw in Zoom Clients for Windows, designated as CVE-2025-49457 (CVSS score: 9.6), involves an untrusted search path that may allow an unauthenticated user to escalate privileges via network access.

According to a security bulletin issued by Zoom, the issue was identified by its Offensive Security team and affects the following products:

  • Zoom Workplace for Windows versions prior to 6.3.10
  • Zoom Workplace VDI for Windows versions prior to 6.3.10 (excluding 6.1.16 and 6.2.12)
  • Zoom Rooms for Windows versions prior to 6.3.10
  • Zoom Rooms Controller for Windows versions prior to 6.3.10
  • Zoom Meeting SDK for Windows versions prior to 6.3.10

This disclosure follows the identification of multiple vulnerabilities in critical software platforms.

New PS1Bot Malware Campaign Utilizes Malvertising for Multi-Stage In-Memory Attacks

Aug 13, 2025
Malvertising / Cryptocurrency

Cybersecurity experts have identified a new malvertising campaign aimed at deploying a multi-stage malware framework known as PS1Bot. Researchers Edmund Brumaghin and Jordyn Dunk from Cisco Talos explained that “PS1Bot features a modular architecture, incorporating various modules for malicious activities such as information theft, keylogging, reconnaissance, and creating persistent access to compromised systems.” The design emphasizes stealth, leaving minimal traces on infected machines and using in-memory execution techniques to run subsequent modules without writing them to disk. Since early 2025, campaigns distributing this PowerShell and C# malware have actively exploited malvertising to propagate, executing modules in-memory to reduce forensic footprints.

CISA Adds Two Vulnerabilities in N-able N-central to Its Known Exploited Vulnerabilities Catalog

Aug 14, 2025 | Vulnerability / Network Security

On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included two security flaws affecting N-able N-central in its Known Exploited Vulnerabilities (KEV) catalog, due to evidence of active exploitation. N-able N-central is a Remote Monitoring and Management (RMM) platform tailored for Managed Service Providers (MSPs) to effectively manage and safeguard their clients’ Windows, Apple, and Linux endpoints from a centralized platform.

The identified vulnerabilities are as follows:

  • CVE-2025-8875 (CVSS score: N/A): An insecure deserialization vulnerability that may allow for command execution.
  • CVE-2025-8876 (CVSS score: N/A): A command injection vulnerability resulting from improper sanitization of user input.

Both issues have been resolved in N-central versions 2025.3.1 and 2024.6 HF2, released on August 13, 2025. N-able is also advising customers to ensure multi-factor authentication (MFA) is enabled, particularly for admin accounts.