The Golden Scale: ‘Tis the Season for Unwanted Gifts

Scattered LAPSUS$ Hunters (SLSH) resumed activity in November 2025, claiming new Salesforce-related data theft via a Gainsight breach, setting extortion deadlines and launching a ransomware-as-a-service offering called ShinySp1d3r. The actors also recruited insiders, posted screenshots and leak-site teasers on Telegram, and prompted affected vendors to revoke tokens and rotate S3 keys. #ShinySp1d3r #SLSH

Key points

  • SLSH returned in mid-November 2025, posting on a new Telegram channel and announcing a dedicated leak site (DLS) with a November 24 deadline for victims.
  • Salesforce revoked access and refresh tokens for Gainsight-published apps after detecting unusual activity and published IoCs; Salesforce says no platform vulnerability was found but unauthorized access via the app connection may have occurred.
  • Bling Libra (aka ShinyHunters) claimed to have accessed 285 additional Salesforce instances by abusing secrets obtained in the Salesloft Drift supply chain compromise, the same compromise that yielded the stolen OAuth tokens tied to Gainsight.
  • SLSH announced and demonstrated development of ShinySp1d3r ransomware (Windows; Linux and ESXi in development), including screenshots of an encryptor wallpaper and ransom note, and threatened mass deployment targeting New York.
  • The group actively recruited insiders (including a confirmed case involving screenshots from a terminated CrowdStrike employee) and discussed paying insiders for access to corporate networks.
  • Gainsight temporarily suspended connections to third-party SaaS (e.g., HubSpot, Zendesk) and advised customers to rotate S3 keys; Unit 42 and other researchers published related IoCs and analysis.
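The key points above describe Salesforce revoking tokens for Gainsight-published apps after spotting unusual activity and publishing IoCs, and Gainsight advising customers to rotate keys. The following is an added example, not code from the original post, Unit 42, Salesforce or Gainsight, of how a defender might triage connected-app API activity against a published IoC list to decide which app connections to revoke first. The log record layout, the connected-app names, the IoC addresses and the bulk-row threshold are all constructed assumptions; real Salesforce Event Monitoring fields and the actual published IoCs differ and must be taken from the vendor advisory.

```python
"""
Triage of connected-app API activity against published IoCs.

Added example, not vendor code. Record layout (ts, connected_app,
source_ip, operation, rows), app names, IoC addresses and the BULK_ROWS
threshold are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed IoC list (documentation-range placeholders, not the
# addresses actually published in the advisory).
IOC_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

# Connected apps whose tokens were revoked per the advisory. Names are
# constructed placeholders for "Gainsight-published apps".
WATCHED_APPS = {"Gainsight Connector A", "Gainsight Connector B"}

# Row count above which a single connected-app call is treated as a bulk
# pull worth review (assumed tuning value, not from the advisory).
BULK_ROWS = 100000

# Constructed records mimicking a connected-app API access log.
SAMPLE_LOG = [
    {"ts": "2025-11-18T02:11:09Z", "connected_app": "Gainsight Connector A",
     "source_ip": "203.0.113.45", "operation": "Query", "rows": 480000},
    {"ts": "2025-11-18T02:13:40Z", "connected_app": "Gainsight Connector A",
     "source_ip": "203.0.113.45", "operation": "Query", "rows": 510000},
    {"ts": "2025-11-18T09:00:02Z", "connected_app": "Gainsight Connector A",
     "source_ip": "192.0.2.10", "operation": "Query", "rows": 1200},
    {"ts": "2025-11-18T09:05:12Z", "connected_app": "Internal Reporting",
     "source_ip": "192.0.2.11", "operation": "Query", "rows": 900},
    {"ts": "2025-11-18T11:47:55Z", "connected_app": "Gainsight Connector B",
     "source_ip": "198.51.100.7", "operation": "Bulk API Export", "rows": 2000000},
]


def matches_ioc(ip: str) -> bool:
    """True if the address falls inside any published IoC network."""
    addr = ip_address(ip)
    return any(addr in net for net in IOC_NETWORKS)


def triage(records):
    """Return (findings, apps_to_revoke).

    findings: list of (ts, app, ip, reasons) for records that hit an IoC
              or show a bulk pull through a watched connected app.
    apps_to_revoke: connected apps with at least one IoC hit, i.e. the
              app connections whose access/refresh tokens go first.
    """
    findings = []
    revoke = set()
    for r in records:
        reasons = []
        if matches_ioc(r["source_ip"]):
            reasons.append("source_ip in published IoC list")
            revoke.add(r["connected_app"])
        if r["connected_app"] in WATCHED_APPS and r["rows"] >= BULK_ROWS:
            reasons.append("bulk data pull via watched connected app")
        if reasons:
            findings.append((r["ts"], r["connected_app"], r["source_ip"], reasons))
    return findings, revoke


def rows_by_app(records):
    """Total rows returned per connected app, a quick volume baseline."""
    totals = defaultdict(int)
    for r in records:
        totals[r["connected_app"]] += r["rows"]
    return dict(totals)


if __name__ == "__main__":
    found, to_revoke = triage(SAMPLE_LOG)
    for ts, app, ip, reasons in found:
        print(f"{ts} {app:<22} {ip:<15} {'; '.join(reasons)}")
    print("revoke tokens for:", sorted(to_revoke))
    print("rows per app:", rows_by_app(SAMPLE_LOG))
```

The IoC match drives revocation while the volume check only flags records for review; an off-hours high-volume pull from a non-IoC address is a lead, not proof, so it should not by itself trigger a token reset that breaks a legitimate integration.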

MITRE Techniques

  • [T1195] Supply Chain Compromise – SLSH leveraged a supply chain breach to obtain secrets and access: (‘supply chain attack targeting Salesloft Drift’).
  • [T1550.004] Use of Valid Accounts: Cloud Accounts – Threat actors used stolen OAuth tokens to access customer Salesforce data via third-party app connections: (‘stolen OAuth tokens linked to the Salesloft Drift attack’).
  • [T1078] Valid Accounts – Insider-sourced access was solicited and purchased to gain internal screenshots and potential network access: (‘they agreed to pay the insider $25,000 for access to CrowdStrike’s network’).
  • [T1567] Exfiltration Over Web Service – Stolen data is being staged for public disclosure via a dedicated leak site and Telegram posts: (‘new dedicated leak site (DLS) with text reading “24 November 2025, stay tuned”’).
  • [T1486] Data Encrypted for Impact – Deployment of ShinySp1d3r ransomware to encrypt systems and extort victims is explicitly threatened and demonstrated: (‘ShinySp1d3r ransomware … encryptor … ransom note’).

Indicators of Compromise

  • [OAuth tokens] Stolen authentication artifacts used to access SaaS data – stolen access and refresh OAuth tokens tied to Gainsight/Salesloft Drift (e.g., “stolen OAuth tokens linked to the Salesloft Drift attack”).
  • [Cloud keys] Credentials for cloud storage recommended for rotation – S3 keys called out by Gainsight for rotation as a precaution (e.g., “rotate their S3 keys”).
  • [Screenshots / internal artifacts] Evidence of insider access posted publicly – screenshots of internal systems shared by an employee and posted to Telegram (e.g., “screenshots of internal systems from CrowdStrike employee”).
  • [Leak site / DLS] Public data-exposure destinations used for extortion – announcement of a dedicated leak site with a deadline (e.g., “new dedicated leak site (DLS) with text reading ‘24 November 2025, stay tuned’”).
  • [Ransomware artifacts] Visual and textual artifacts associated with ransomware activity – images of ShinySp1d3r wallpaper and ransom note published by Unit 42 (e.g., “Screenshot of ShinySp1d3r ransom note”).

Read more: https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/