ShinyHunters resurfaced with coordinated Salesforce-targeting campaigns using ticket-themed phishing domains and Okta-branded credential harvesting pages, sparking speculation of collaboration with Scattered Spider. Domain registration patterns and shared infrastructure point to likely next targets in financial services and technology providers. #ShinyHunters #ScatteredSpider #Salesforce
Key points
- ShinyHunters returned after ~1 year of inactivity with large-scale attacks targeting Salesforce instances of high-profile companies.
- ReliaQuest identified coordinated ticket-themed phishing domains and Salesforce credential-harvesting pages linked by similar registrar and nameserver patterns.
- Evidence suggesting collaboration with Scattered Spider includes shared TTPs (vishing, Okta-themed phishing), a BreachForums/Telegram alias “Sp1d3rhunters,” and overlapping domain formats.
- Domain registrations (e.g., ticket-company[.]com, company-my-salesforce[.]com) were clustered in June–August 2025, with some actively hosting phishing pages like ticket-dior[.]com and dashboard-salesforce[.]com.
- Analysis of 2025 impersonating domains shows a shift toward financial sector targeting (+12% since July 2025) while technology targeting slightly decreased.
- Attack techniques include vishing to authorize malicious connected apps, Okta-branded phishing during calls, and VPN use (Mullvad) for exfiltration from Salesforce.
- Defensive recommendations emphasize monitoring impersonating domains, hardening Salesforce permissions, enforcing MFA, phishing/vishing simulations, and focusing on TTP-based detection.
MITRE Techniques
- [T1598] Phishing – Use of ticket-themed and Okta-branded phishing pages to harvest Salesforce/Okta credentials (“Okta-themed phishing pages to trick victims into entering credentials during vishing calls”).
- [T1204] User Execution – Vishing campaigns impersonating IT support to convince users to authorize malicious connected apps (“Highly targeted vishing campaigns, impersonating IT support staff to trick employees into authorizing access to malicious ‘connected apps’”).
- [T1190] Exploit Public-Facing Application – Malicious connected apps and rebranded Salesforce Data Loader used to exfiltrate data from Salesforce (“rebranded a malicious version of the Salesforce ‘Data Loader’ application under the name ‘My Ticket Portal’ … to convince victims to authorize malicious connected apps and enable large-scale Salesforce data exfiltration”).
- [T1041] Exfiltration Over C2 Channel – Use of Mullvad VPN to obfuscate traffic during data exfiltration from victims’ Salesforce instances (“VPN obfuscation using Mullvad VPN to perform data exfiltration (here, on victims’ Salesforce instances)”).
- [T1583] Acquire Infrastructure – Registration of impersonating domains (ticket-company[.]com, company-salesforce[.]com) and use of privacy-masked registrant details to host phishing infrastructure (“domains were registered… Registration through GMO Internet, Temporary registrant email addresses… Cloudflare-masked nameservers”).
Indicators of Compromise
- [Domain] Ticket-themed phishing domains used to host Okta/Salesforce phishing pages – ticket-dior[.]com, ticket-audemarspiguet[.]com (and ticket-nike[.]com).
- [Domain] Salesforce-themed phishing domains actively hosting pages – dashboard-salesforce[.]com and the companyname-my-salesforce[.]com pattern.
- [Registrant/Infrastructure] Shared registrar and privacy services indicating linked infrastructure – GMO Internet registrar, Cloudflare-masked nameservers, registrant emails like email[at]mailshan[.]com.
- [VPN] Obfuscation tool used during exfiltration – Mullvad VPN (used to hide exfiltration from Salesforce instances).