home.social

#shinysp1d3r — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #shinysp1d3r, aggregated by home.social.

    🎯 Threat Intelligence
    ======================

    Executive summary: The KrebsOnSecurity piece documents that the operator and public face of Scattered LAPSUS$ Hunters (SLSH), known as "Rey," has confirmed his real‑world identity after the reporter contacted his father. The article links SLSH activity to a May 2025 voice‑phishing campaign that induced victims to authorize a malicious application in Salesforce, and it details the group's expansion into an in‑house ransomware offering called ShinySp1d3r alongside ongoing insider recruitment.

    Technical details:
    • The actor set is described as an amalgam of Scattered Spider, LAPSUS$, and ShinyHunters operating across Telegram and Discord communities.
    • Observed TTPs include voice phishing (vishing) social engineering to convince targets to connect a third‑party malicious app to corporate Salesforce instances, followed by data exfiltration and public extortion via a leak site.
    • Historic tooling reuse includes encryptors from ALPHV/BlackCat, Qilin, RansomHub, and DragonForce; SLSH announced a proprietary RaaS named ShinySp1d3r.
    • Publicly named alleged victims include Toyota, FedEx, Disney/Hulu, and UPS; reporting references a data leak portal threatening disclosure for roughly three dozen companies.

    Attack Chain Analysis:
    • Initial Access / Social Engineering: Voice phishing to employees or contractors to induce OAuth/third‑party app consent to Salesforce.
    • Persistence / Access Expansion: Use of insider credentials or privileged API access obtained via the malicious app.
    • Exfiltration: Extraction of Salesforce data and publication threats on a data leak site.
    • Monetization: Ransom/extortion demands and recruiting of insiders for percentage payouts; parallel use of ransomware encryptors and a new RaaS offering.

    Impact and contextual notes:
    The article emphasizes operational scale (dozens of corporate targets) and evolution from affiliate use of existing ransomware to offering a proprietary RaaS. It also reports recruitment activity explicitly targeting insiders and a related personnel action at CrowdStrike involving alleged screenshot sharing (CrowdStrike stated no system compromise and referred the matter to law enforcement).

    Detection / Mitigation (as reported):
    The article does not publish specific detection rules or defensive playbooks; it focuses on observed operations, actor attribution, and public‑facing infrastructure and announcements.

    Limitations / Open questions:
    • The report does not disclose technical IoCs such as domains, hashes, or C2 indicators tied to the May 2025 campaign.
    • Attribution to individuals beyond reported operational security lapses is based on the journalist’s outreach and corroboration; the article documents identity confirmation steps rather than law‑enforcement verdicts.

    🔹 SLSH #ShinySp1d3r #Salesforce #ALPHV #BreachForums

    🔗 Source: krebsonsecurity.com/2025/11/me