Dark Web Profile: Scattered Lapsus$ Hunters

Scattered Lapsus$ Hunters, an alliance of Scattered Spider, LAPSUS$, and ShinyHunters, carried out coordinated social-engineering intrusions into the Salesforce environments of numerous major companies in mid-2025 and claimed to have stolen data from at least 91 organizations, all without exploiting any Salesforce vulnerability. The group scaled vishing and OAuth abuse (often through trojanized Data Loader apps and credential-theft malware), published extortion demands on Telegram, and targeted high-value sectors including technology, luxury retail, aviation, and insurance.

Keypoints

  • Attackers claimed data theft from 91 organizations, including Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas, Air France–KLM, Allianz, Cisco, and Pandora.
  • The campaign was run by a new alliance calling itself Scattered Lapsus$ Hunters, combining Scattered Spider, LAPSUS$, and ShinyHunters, and was coordinated via Telegram channels.
  • No Salesforce platform vulnerabilities were exploited; intrusions relied on social engineering, primarily vishing and the abuse of OAuth-connected apps, to obtain persistent, MFA-independent API access through the resulting OAuth tokens.
  • Initial access techniques included vishing (including AI voice agents to run calls at scale), SIM swapping, MFA fatigue, trojanized Data Loader apps, and infostealer malware used to harvest session cookies and passwords.
  • The alliance publicly leaked data and extorted victims (for example, demanding 20 BTC from the Salesforce CEO) and also promoted a prospective RaaS named "shinysp1d3r."
  • Defensive recommendations emphasize phishing-resistant MFA (hardware keys/FIDO2), training staff never to approve a connected app reached through an unsolicited link or call, admin pre-approval of connected apps, least privilege on API-capable users, logging and alerting on new OAuth grants and on unusually large exports, and rapid revocation of suspect tokens.
  • The FBI attributed the activity to the clusters UNC6040 (ShinyHunters-linked) and UNC6395 (overlapping with Scattered Spider) and warned about recruitment and amplification through "The Com" cybercrime ecosystem.

MITRE Techniques

  • [T1589.001] Gather Victim Identity Information: Credentials – Social engineering and vishing were used to collect credentials and account details from employees and contractors before and during the intrusion calls.
  • [T1566.004] Phishing: Spearphishing Voice – Actors phoned staff and talked them into granting access ("call employees or contractors… persuade the target to reset Multi-Factor Authentication (MFA) tokens, install remote-management tools, or navigate to a /setup/connect page in Salesforce to authorize a malicious app"), using AI-driven voice agents to scale the calls ("AI-driven voice agents allow them to automate calls, tailor responses… producing realistic accents, scaling vishing to thousands of targets").
  • [T1539] Steal Web Session Cookie / [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Infostealer malware harvested passwords and session cookies, which were then replayed to hijack authenticated sessions (T1550.004 Web Session Cookie) ("infostealers harvest session cookies and passwords… exploit session cookies collected by infostealer malware to hijack authenticated sessions"). Note that no brute forcing is described; the credentials were stolen, not guessed.
  • [T1213.004] Data from Information Repositories: Customer Relationship Management Software – Bulk collection of customer records and contact lists from compromised CRM instances ("exfiltrate data from compromised CRM dashboards, such as customer records, flight logs and chat transcripts").
  • [T1550.001] Use Alternate Authentication Material: Application Access Token – Abuse of OAuth tokens issued to an attacker-authorized connected app to gain programmatic access that sidesteps MFA ("authorizes a malicious OAuth app, often a trojanized Data Loader, giving the attackers API access to query and export records").
  • [T1528] Steal Application Access Token – The victim is walked through authorizing an attacker-controlled connected app posing as Data Loader, typically by entering an authorization code, which hands the actor a token for ongoing API access ("trojanized Data Loader… the victim must enter a code to authorize a Data Loader controlled by the threat actor").
  • [T1087] Account Discovery – Compromised CRM dashboards and their outbound-call features were used to identify additional targets and feed follow-on vishing ("using the same dashboards' outbound call features for further vishing").
  • [T1190] Exploit Public-Facing Application – Misconfigurations or known vulnerabilities in adjacent third-party components (e.g., Oracle Access Manager) were used to expand the foothold beyond Salesforce ("exploiting simple misconfigurations or known vulnerabilities (e.g., in Oracle Access Manager) further expands their foothold").
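The chain in the keypoints and in the T1550.001/T1528 entries above (a user is talked into authorizing a connected app, and that app then pulls whole objects out over the API) is visible in Salesforce API telemetry as a client name the user has never used before followed almost immediately by large row counts. The script below is an added example, not code from SOCRadar, Salesforce, or the threat actors: the log rows are constructed, the column names only approximate Salesforce EventLogFile API events, the per-user KNOWN_CLIENTS baseline is an assumption about what a defender would already have, and the thresholds are placeholders to tune per org.

```python
"""Flag a never-before-seen API client that bulk-exports shortly after first use.

Added example for the Scattered Lapsus$ Hunters Salesforce campaign. Sample rows
are constructed; column names approximate Salesforce EventLogFile API events.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rows in the style of EventLogFile "API"/"Bulk API" events. Real exports
# carry many more columns; only the ones the detection needs are shown.
SAMPLE_API_EVENTS = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED,METHOD_NAME
API,2025-06-10T09:01:12Z,j.doe@example.com,Salesforce for Outlook,Contact,25,query
API,2025-06-10T09:03:40Z,j.doe@example.com,Salesforce for Outlook,Account,12,query
API,2025-06-10T14:22:05Z,j.doe@example.com,My Ticket Portal,Contact,50000,query
Bulk API,2025-06-10T14:25:30Z,j.doe@example.com,My Ticket Portal,Account,120000,query
API,2025-06-10T14:31:00Z,j.doe@example.com,My Ticket Portal,Case,80000,query
API,2025-06-10T10:05:00Z,a.lee@example.com,Data Loader,Lead,300,query
"""

# Assumed baseline: clients each user has legitimately used before the window.
KNOWN_CLIENTS = {
    "j.doe@example.com": {"Salesforce for Outlook"},
    "a.lee@example.com": {"Data Loader"},
}

ROW_THRESHOLD = 10_000           # single call returning this many rows is worth a look
WINDOW = timedelta(minutes=30)   # export must start this soon after the client first appears


def parse_events(csv_text):
    """Parse the EventLogFile-style CSV into typed dicts, oldest first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "ts": datetime.strptime(rec["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": rec["USER_NAME"],
            "client": rec["CLIENT_NAME"],
            "entity": rec["ENTITY_NAME"],
            "rows": int(rec["ROWS_PROCESSED"] or 0),
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def detect_new_client_bulk_export(csv_text, known_clients,
                                  row_threshold=ROW_THRESHOLD, window=WINDOW):
    """Return one alert per (user, client) where a client unknown for that user
    issues a call of >= row_threshold rows within `window` of its first call."""
    first_seen = {}
    stats = defaultdict(lambda: {"rows": 0, "entities": set(), "max_call": 0})
    for r in parse_events(csv_text):
        if r["client"] in known_clients.get(r["user"], set()):
            continue                                   # baseline client, not interesting
        key = (r["user"], r["client"])
        first_seen.setdefault(key, r["ts"])
        if r["ts"] - first_seen[key] <= window:        # only the burst after first use
            s = stats[key]
            s["rows"] += r["rows"]
            s["entities"].add(r["entity"])
            s["max_call"] = max(s["max_call"], r["rows"])
    return [
        {"user": u, "client": c, "first_seen": first_seen[(u, c)],
         "rows": s["rows"], "entities": s["entities"]}
        for (u, c), s in stats.items() if s["max_call"] >= row_threshold
    ]


def build_revoke_request(token, host="login.salesforce.com"):
    """Return (url, form data) for Salesforce's OAuth revoke endpoint, the
    response step once a grant is confirmed malicious. Sending it (e.g. with
    requests.post(url, data=data)) is left to the caller; host is an assumption."""
    return f"https://{host}/services/oauth2/revoke", {"token": token}


if __name__ == "__main__":
    for a in detect_new_client_bulk_export(SAMPLE_API_EVENTS, KNOWN_CLIENTS):
        print(f"ALERT {a['user']} via '{a['client']}' exported {a['rows']} rows "
              f"from {sorted(a['entities'])} starting {a['first_seen']:%H:%M}")
```

Two caveats when running this against real data. A trojanized Data Loader may register under the legitimate "Data Loader" client name, so the baseline has to be per user, not per org, and a user who has never run Data Loader before suddenly doing so still fires. And the detection is after the fact; the control that prevents the grant is admin pre-authorization of connected apps, which this only backstops.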

Indicators of Compromise

None of the items below are atomic indicators (no hashes, domains, or IP addresses are given); they are contextual identifiers for hunting and attribution.
  • [Organization Names] Claimed victims – Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas, Air France–KLM, Allianz, Cisco, Pandora.
  • [Threat Actor IDs] Attributed clusters – UNC6040 (ShinyHunters), UNC6395 (Scattered Spider overlap).
  • [Tool/Artifact Names] Trojanized tools and services – trojanized Data Loader (a malicious connected app presented as Salesforce's Data Loader), "shinysp1d3r" RaaS reference.
  • [Tactics/Channels] Communication and leak channels – Telegram channels including "The Comm Leaks" and the Scattered Lapsus$ Hunters channel (example: a posted extortion demand for 20 BTC addressed to Salesforce CEO Marc Benioff).
  • [Malware/Capability] Credential-theft artifacts – session cookies and passwords collected by infostealers (summarized on the page as "session cookie theft" and "password harvesting"); watch for logins from a known session on a new device or ASN.


Read more: https://socradar.io/dark-web-profile-scattered-lapsus-hunters/