{
	"id": "14fc27b2-0d57-44d8-95e2-91f52602ec6f",
	"created_at": "2026-04-06T01:30:56.446797Z",
	"updated_at": "2026-04-10T03:34:59.480249Z",
	"deleted_at": null,
	"sha1_hash": "3fb1115a7bd00e1e213f20c9012114a863ba6aaa",
	"title": "Threat Spotlight: ShinyHunters Targets Salesforce Amid Clues of Scattered Spider Collaboration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1750041,
	"plain_text": "Threat Spotlight: ShinyHunters Targets Salesforce Amid Clues of Scattered Spider Collaboration\r\nBy ReliaQuest Threat Research Team 15 September 2025\r\nPublished: 2025-09-15 · Archived: 2026-04-06 00:44:34 UTC\r\nEditor's note: This blog was originally published August 12.\r\nKey Points\r\nAfter a year of inactivity, “ShinyHunters” has resurfaced with a wave of attacks on Salesforce, targeting high-profile companies across various sectors.\r\nReliaQuest has identified a coordinated set of ticket-themed phishing domains and Salesforce credential harvesting pages, likely created for similar campaigns.\r\nThis resurgence has sparked speculation about collaboration between ShinyHunters and “Scattered Spider,” potentially dating back to July 2024.\r\nSupporting this theory is evidence such as the appearance of a “BreachForums” user with the alias “Sp1d3rhunters,” who was linked to a past ShinyHunters breach, as well as overlapping domain registration patterns.\r\nDomain analysis suggests that financial services and technology service providers are likely next targets for these attacks.\r\nTo defend against such campaigns, prioritize mitigating tactics such as phishing, vishing, and credential harvesting, as threat actors continue to share tools and infrastructure across campaigns.\r\nThe “ShinyHunters” threat group has reportedly launched a new wave of attacks targeting Salesforce, hitting major organizations like Google. What’s particularly intriguing about this campaign is not only its scale and impact, but its resemblance to previous operations attributed to the “Scattered Spider” hacking collective. These similarities raise compelling questions about whether the groups are collaborating or sharing tactics and resources—a connection that could reshape how we view these adversarial groups.
\r\nTo investigate this potential collaboration and reveal insights into future targeting, ReliaQuest conducted an in-depth analysis of domain registration patterns and infrastructure potentially linked to ShinyHunters over the past two months. By comparing tactics seen in this Salesforce campaign to recent Scattered Spider operations, this report provides actionable intelligence that enables organizations to defend against evolving threats, regardless of attribution.\r\nRead on to learn:\r\nhttps://reliaquest.com/blog/threat-spotlight-shinyhunters-data-breach-targets-salesforce-amid-scattered-spider-collaboration/\r\nPage 1 of 13\n\nHow ShinyHunters’ tactics have shifted to mirror those of Scattered Spider.\r\nKey findings from ReliaQuest’s discovery of ticket-themed and Salesforce-focused phishing infrastructure.\r\nHow to monitor for domain impersonation threats tied to these campaigns.\r\nWhy financial services organizations and technology service providers are likely the next targets of similar operations.\r\nWho’s Who: What You Need to Know About the Key Players\r\nBefore we dive into the details of our investigation, let’s set the stage with a quick overview of the groups involved.\r\nShinyHunters: The Data Breach Actors\r\nShinyHunters is a financially motivated threat group that gained notoriety in 2020 through a series of large-scale data breaches and extortion campaigns targeting major global brands (see Figure 1). The group’s operations revolve around monetizing stolen data via underground forums. ShinyHunters built a reputation for assertive self-promotion and direct engagement with the cybersecurity community, which was solidified when members acted as administrators of the popular cybercriminal platform “BreachForums.” Traditionally, ShinyHunters favored stealthy, persistent attacks focused on credential theft and database exploitation over more overt tactics like vishing. 
Aside from an alleged attack on education software provider PowerSchool in December 2024, ShinyHunters remained largely quiet between June 2024 and June 2025, following the arrests of four of its members.\r\nFigure 1: ShinyHunters first gained notoriety by advertising 91 million Tokopedia user records for sale on “Empire Market” in 2020\r\nScattered Spider: The Masters of Social Engineering\r\nScattered Spider is a financially driven cybercriminal group linked to the broader hacking collective \"The Community\" (aka The Com). Initially known for SIM-swapping operations, the group has advanced to executing complex social engineering schemes. Fluent in English, its members manipulate help-desk systems and impersonate employees to infiltrate organizations. Scattered Spider is also well known for registering impersonating domains (e.g., companyname-okta[.]com) to facilitate phishing attacks. The group primarily targets high-value sectors like retail trade, technology, and finance—as well as companies with the resources to pay hefty ransoms or valuable data that can be used as leverage in negotiations.\r\nThe Com: Disparate Sub-Groups, Mixed Motivations\r\nSuspected to include both Scattered Spider and ShinyHunters members, The Com is a sprawling network of disparate sub-groups and cliques that engage in account takeover activity, SIM-swapping, cryptocurrency theft, swatting, and sextortion. Some sub-groups have even engaged in more extreme activities like “violence for hire” and coercing individuals into self-harm. The Com is likely predominantly made up of technically savvy English-speaking teenagers and young adults, capable of diverse techniques to compromise complex hybrid environments and motivated by making money, humiliating their foes, and causing as much disruption as possible.
\r\nAre ShinyHunters and Scattered Spider Joining Forces?\r\nThere’s plenty of circumstantial evidence indicating a deliberate partnership between ShinyHunters and Scattered Spider.\r\nShinyHunters Adopts Scattered Spider’s Signature Moves\r\nThis latest wave of ShinyHunters-attributed attacks reveals a dramatic shift in tactics, moving beyond the group’s previous credential theft and database exploitation. These campaigns have included hallmark Scattered Spider techniques:\r\nHighly targeted vishing campaigns, impersonating IT support staff to trick employees into authorizing access to malicious “connected apps”\r\nApps that often masquerade as legitimate tools (in this case, Salesforce), allowing attackers to steal sensitive business data\r\nOkta-themed phishing pages to trick victims into entering credentials during vishing calls\r\nVPN obfuscation using Mullvad VPN to perform data exfiltration (here, on victims’ Salesforce instances)\r\nThese tactics align closely with Scattered Spider’s trademark methods and those of the broader collective, The Com, fueling speculation about active collaboration between the groups.\r\nClaims of Collaboration in Interviews and Forum Activity\r\nRecent reports further support the theory of an alliance between these groups. Cybersecurity news outlet DataBreaches revealed that a threat actor on Telegram using the alias “Sp1d3rhunters,” who reportedly has ties to ShinyHunters, claimed that the two groups “are the same” and “have always been the same.”\r\nThis Sp1d3rhunters alias, cleverly combining the two groups’ names, also appeared on BreachForums under an account created in May 2024. Two months later, the account leaked data connected to the Ticketmaster breach—a data leak previously advertised by ShinyHunters (see Figure 2).
\r\nIf these connections are legitimate, they suggest that collaboration or overlap between ShinyHunters and Scattered Spider may have been ongoing for more than a year.\r\nFigure 2: Sp1d3rhunters’ first appearance on BreachForums in July 2024\r\nSimultaneous Campaigns Across Sectors\r\nAdding further weight to the collaboration theory, ShinyHunters and Scattered Spider have been targeting the same sectors during overlapping timeframes.\r\nApril–May 2025: Retail trade\r\nJune–July: Insurance\r\nJune–August: Aviation\r\nPreviously, ShinyHunters operated sporadically, often focusing on one target at a time. Even though recent campaigns linked to ShinyHunters have targeted organizations across various sectors—including retail trade and aviation—the synchronized timing and similar targeting of these previous attacks strongly support the likelihood of coordinated efforts between the two groups.\r\nDomain Registration Patterns Signal ShinyHunters Targeting\r\nAs ShinyHunters used Okta phishing pages in these latest campaigns—a tell-tale Scattered Spider move—we investigated malicious infrastructure likely linked to ShinyHunters or similar threat actor activity to uncover further evidence of possible collaboration and indications of the group’s next moves.\r\nInfrastructure Connection\r\nSimilar Domain Formats\r\nOur previous research revealed that Scattered Spider frequently registered domains with keywords like “okta,” “helpdesk,” and “sso,” often formatted with hyphens (e.g., SSO-company[.]com).
\r\nIn June 2025, we discovered a small cluster of domains targeting high-profile organizations—including alleged ShinyHunters victims—that followed a very similar format:\r\nticket-lvmh[.]com\r\nticket-dior[.]com\r\nticket-louisvuitton[.]com\r\nAll these domains were registered between June 20 and June 30, 2025, just before Louis Vuitton reportedly became aware of a data breach on July 2, 2025. At this time, Louis Vuitton has not confirmed that ShinyHunters was responsible for the attacks. However, some media reports have suggested a possible link between ShinyHunters and the incident.\r\nCommon Registry Characteristics\r\nAs well as similar formats (e.g., ticket-companyname[.]com), these domains also shared registry details with each other, evidencing their connection:\r\nRegistration through GMO Internet\r\nTemporary registrant email addresses (e.g., email[at]mailshan[.]com)\r\nCloudflare-masked nameservers\r\nThese domains were registered using infrastructure associated with phishing kits commonly used to host single sign-on (SSO) login pages—a calling card of Scattered Spider’s previous SSO-themed attacks spoofing brands like Okta.\r\nRecurring Domain Themes\r\nIn addition to being connected with SSO-linked phishing kits via registrar details, these ticket-themed domains all led to Okta-branded phishing pages (see Figure 3) purporting to provide access to a “Ticket Dashboard.” This matches tactics described in other research reports, where attackers rebranded a malicious version of the Salesforce “Data Loader” application under the name “My Ticket Portal” during vishing campaigns. They then used this pretext to convince victims to authorize malicious connected apps and enable large-scale Salesforce data exfiltration.
\r\nGiven the timing, naming conventions, and domain themes, we assess with medium confidence that these domains contributed to the most recent widespread attacks targeting Salesforce instances.\r\nFigure 3: Okta phishing page hosted at ticket-dior[.]com in June 2025\r\nFurther investigation revealed other impersonating domains using the same infrastructure and naming conventions, including:\r\nticket-nike[.]com—registered on June 26, 2025\r\nticket-audemarspiguet[.]com—registered on June 20, 2025 (see Figure 4)\r\nBoth domains matched the exact registry information of the previously mentioned ticket-themed domains, suggesting they were part of the same campaign.\r\nThese findings highlight the critical need for organizations to track impersonating domain threats, as these can serve as crucial early indicators of attacks by ShinyHunters, Scattered Spider, and similar threat groups.\r\nFigure 4: Phishing page hosted at ticket-audemarspiguet[.]com\r\nDomain Registrations Reveal Further Patterns\r\nNewly Registered Salesforce Domains Suggest Ongoing Campaign\r\nThe second part of our investigation zeroed in on Salesforce-themed phishing domains, due to ShinyHunters repeatedly targeting this platform.\r\nWe uncovered multiple domains registered in 2025 that used the naming conventions “companyname-my-salesforce[.]com” and “keyword-salesforce[.]com”—patterns consistent with targeted Salesforce phishing campaigns.\r\nNotably, “dashboard-salesforce[.]com” was registered on August 1, 2025 and was actively hosting a phishing page at the time of our investigation (see Figure 5).
\r\nThese domains are significant:\r\nThe structure of the domains matches Scattered Spider’s typical domain registration patterns (for example, SSO-company[.]com), which could be linked to ShinyHunters or other threat actors using similar tactics, techniques, and procedures (TTPs).\r\nIt is realistically possible that ShinyHunters registered similar domains as part of their current Salesforce attacks.\r\nThe recency of the domain registration dates indicates that campaigns targeting Salesforce are likely ongoing, so organizations should remain vigilant.\r\nFigure 5: Phishing page hosted at dashboard-salesforce[.]com\r\nAdditional Impersonating Domain Findings\r\nIn a broader investigation, we identified over 700 domains registered in 2025 that matched Scattered Spider phishing patterns (e.g., company-okta[.]com).\r\nTargeting Shifts from PSTS to Finance\r\nEarly in 2025, professional, scientific, and technical services (PSTS) organizations accounted for the largest share of these targets (see Figure 6).\r\nHowever, since July 2025, domain registrations targeting financial companies have increased by 12%, while targeting of technology firms has decreased by 5%.\r\nThis shift suggests that financially motivated groups like ShinyHunters are now prioritizing banks, insurance companies, and financial services, though technology and professional services remain at high risk due to the value of the data and access they provide.\r\nNo Respite for Technology Firms\r\nWe also expect cloud and technology providers such as Salesforce and Okta to continue to be targeted, as these platforms are widely used by high-profile organizations and often contain valuable business data.
\r\nFigure 6: Most targeted sectors in impersonating domains in 2025\r\nUS Continues to Top Impersonating Domain Creation Tables\r\nDespite recent reports of attacks by Scattered Spider focusing on organizations in the UK in 2025, the US continues to be the most targeted country by impersonating domains, by a wide margin (see Figure 7).\r\nFigure 7: Most targeted countries in impersonating domains in 2025\r\nThis number is likely due to the high concentration of technology companies operating in the US, many of which serve as third parties for organizations worldwide and are frequent targets for threat actors.\r\nThis is a trend we have observed across multiple cyber threats, such as ransomware, data extortion, and other cybercriminal activity. For example, in Q2 2025, we discovered that 67% of all organizations named on ransomware leak sites were US companies.\r\nThe recent surge in impersonating domain registrations mimicking high-profile brands showcases a persistent and evolving threat to organizations across all sectors and geographies.\r\nThe most important takeaway is the clear effectiveness and adaptability of these tactics. Whether targeting luxury brands, financial institutions, or other high-profile organizations, these campaigns illustrate that no sector is immune to the risk of highly targeted social engineering attacks.
\r\nStep Up Your Defenses Against TTPs, Not Groups\r\nSecurity researchers could spend months dissecting the clues indicating that these groups are working together, but enterprises should not lose sight of the broader significance: These attacks succeed not because of who conducted them, but because of how they’re executed.\r\nThreat actors constantly rotate infrastructure, change names, and adapt their TTPs to evade detection and maximize impact. As a result, tracking the behavioral patterns and evolving TTPs behind these campaigns is far more valuable than focusing solely on indicators of compromise (IOCs) or attribution. For security leaders, understanding this fluid and persistent threat landscape is critical to anticipating future attacks and making informed decisions about security strategy and resource allocation.\r\nReliaQuest’s Approach\r\nReliaQuest empowers its customers with advanced detection and response capabilities to identify threats related to the TTPs outlined in this report and respond quickly and effectively.\r\nReliaQuest GreyMatter DRP: Monitoring for impersonating domains is crucial. As these domains are often registered for short-lived campaigns—sometimes becoming inactive within days or even hours—fast detection and response are essential. The GreyMatter Digital Risk Protection (DRP) solution provides early visibility into domain registrations that mimic your brand or key partners. This enables security teams to act quickly, preventing these domains from being used to harvest credentials or launch further attacks.
\r\nDetection Rules: ReliaQuest’s tailored detection rules, built on the latest threat intelligence and research, help organizations identify suspicious activity resembling Scattered Spider’s tactics within their environment.\r\nOrganizations can drastically reduce their mean time to contain (MTTC) threats—from hours to just minutes—and minimize the impact of social engineering campaigns by deploying detection rules alongside these corresponding GreyMatter Automated Response Playbooks:\r\nTerminate Sessions and Reset Passwords: Immediately cut off attacker access to compromised accounts by ending active sessions and forcing credential resets. This is crucial when infostealers or suspicious MFA activity are detected.\r\nInitiate Host Scan: Initiate a comprehensive scan of affected endpoints following a successful MFA attack to identify signs of compromise, malware, or unauthorized changes. This enables rapid containment and remediation.\r\nDisable User: Immediately disable compromised user or service accounts to block attacker movement after successful phishing or MFA bypass attempts.\r\nYour Action Plan\r\nTo protect your organization from the latest tactics by ShinyHunters and Scattered Spider, follow these proactive steps:\r\nHarden Against Social Engineering: Implement strong internal processes to verify sensitive requests, particularly those involving access changes or data exports. Conduct regular vishing and phishing simulations for help-desk and privileged users to help them recognize and stop social engineering attempts early.\r\nFortify Salesforce Access and Data Controls: Restrict powerful permissions like “API Enabled” and “Manage Connected Apps” to trusted administrators only. 
Enforce IP allowlists for user profiles and connected apps, and deploy automated monitoring (e.g., Salesforce Shield) to detect and block anomalous downloads or suspicious API activity.\r\nBuild a Resilient Security Culture: Mandate MFA for all users and regularly train employees to recognize MFA fatigue, phishing, and other SaaS-targeted threats. Foster vigilance through ongoing awareness campaigns and scenario-based tabletop exercises.\r\nTo expand detection and identify additional malicious domains, consider the following pivoting strategies:\r\nSearch for domains using one of the following keywords: “ticket,” “tickets,” “ticketportal,” “okta,” “sso,” “helpdesk,” or “servicedesk,” and combine with:\r\nCompany names (e.g., company-ticket[.]com).\r\nSaaS brands like ServiceNow, Microsoft, Google, Okta, Zendesk, or Salesforce (e.g., company-salesforce[.]com).\r\nQuery domain intelligence sources for domains registered with:\r\nGMO Internet, NiceNIC, NameSilo, Hosting Concepts B.V., Porkbun, or PDR Ltd., in the past seven days.\r\nPrivacyGuardian, Super Privacy Service LTD c/o Dynadot, Domains By Proxy, Withheld for Privacy ehf, or Whois Privacy Protection Service.\r\nKey Takeaways and What’s Next\r\nShinyHunters’ Attack Sophistication Grows\r\nShinyHunters’ recent campaigns highlight the escalating threat posed by collaboration between advanced, English-speaking threat groups.\r\nWhat’s more, the coordinated use of vishing and domain impersonation marks a clear increase in both sophistication and impact for ShinyHunters.
\r\nAt this time, the group has not made any public announcements regarding its latest activity; however, it’s likely that ShinyHunters will begin naming and leaking victims from its recent attacks on cybercriminal forums or a dedicated data-leak site in the coming days or weeks. Targeted organizations should remain highly alert for mentions by ShinyHunters on criminal forums.\r\nDomain Registrations Suggest Finance and Technology at Risk\r\nLooking ahead, our analysis of domain registration patterns and targeting trends suggests that banks, financial services organizations, and technology service providers are at heightened risk.\r\nThe prevalence of phishing domains mimicking high-value brands and SaaS platforms indicates that attackers are prioritizing organizations with monetizable data or those providing access to large client environments. While luxury brands and technology firms have borne the brunt of recent attacks, the opportunistic nature of these campaigns means that no sector should consider itself immune.\r\nFocus on Techniques, Not Names\r\nFor defenders, the key lesson is that successful security strategies must center on TTPs—not just actor attribution.\r\nRegardless of whether the collaboration between these groups is genuine or the names they use are legitimate, these recent campaigns showcase the effectiveness of a new wave of English-speaking threat actors highly skilled in social engineering. Many threat actors are now emulating the success of Scattered Spider and related groups—registering fake corporate login pages, setting up impersonating domains, and launching sophisticated social engineering attacks. These TTPs pose a significant threat to organizations, as their focus on exploiting the human element increases the likelihood of successful attacks, data loss, and extortion.
\r\nAs threat groups rotate infrastructure, change aliases, and borrow from each other’s playbooks, focusing on behavioral patterns and proactive detection is essential. Organizations should monitor for impersonating domains like those discussed in this report, harden defenses around widely used SaaS applications such as Salesforce, and strengthen the human element through ongoing employee education and simulation.\r\nUltimately, the collaboration between ShinyHunters and Scattered Spider represents a high and evolving threat. Organizations should take immediate action to strengthen their defenses, as the speed, scale, and adaptability of these campaigns continue to test the limits of traditional security operations.\r\nSource: https://reliaquest.com/blog/threat-spotlight-shinyhunters-data-breach-targets-salesforce-amid-scattered-spider-collaboration/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://reliaquest.com/blog/threat-spotlight-shinyhunters-data-breach-targets-salesforce-amid-scattered-spider-collaboration/"
	],
	"report_names": [
		"threat-spotlight-shinyhunters-data-breach-targets-salesforce-amid-scattered-spider-collaboration"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439056,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fb1115a7bd00e1e213f20c9012114a863ba6aaa.pdf",
		"text": "https://archive.orkl.eu/3fb1115a7bd00e1e213f20c9012114a863ba6aaa.txt",
		"img": "https://archive.orkl.eu/3fb1115a7bd00e1e213f20c9012114a863ba6aaa.jpg"
	}
}