Threat Spotlight: ShinyHunters Targets Salesforce Amid Clues of Scattered Spider Collaboration reliaquest.com/blog/thre…
In our original investigation, posted on August 12, 2025, ReliaQuest predicted that the Scattered Spider hacking collective, linked to ShinyHunters, would soon shift its focus to the financial sector. That prediction was based on patterns in domains likely registered to support phishing campaigns. ReliaQuest has now observed this targeting in action: an increase in finance-themed domains potentially linked to the group, and a recently identified targeted intrusion against a US banking organization.
Scattered Spider gained initial access by socially engineering an executive's account and resetting its password through Azure Active Directory (now Microsoft Entra ID) self-service password reset (SSPR). From there, they accessed sensitive IT and security documentation, moved laterally through the Citrix environment and the VPN, and compromised VMware ESXi infrastructure, dumping credentials from it to push deeper into the network. To escalate privileges, the attacker reset a Veeam service account's password, granted Azure Global Administrator permissions, and relocated virtual machines to evade detection. Evidence also points to attempted data exfiltration from Snowflake, AWS, and other repositories, underscoring their intent to extract sensitive information.
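One detection a SOC could build from this chain, as an added example written for this post rather than ReliaQuest's own tooling: correlate a successful self-service password reset with administrative actions taken by that same account shortly afterwards, namely resetting another account's password (as with the Veeam service account) or assigning a privileged directory role such as Global Administrator. The record shape follows the Microsoft Entra ID audit log schema as an assumption (activityDisplayName, initiatedBy, targetResources, modifiedProperties), the activity names are assumed, and the sample events are constructed for this example, not taken from the investigation.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like Microsoft Entra ID (Azure AD) audit log
# entries. Field names follow the documented audit log schema as an assumption;
# the users and times are invented and are not from the ReliaQuest investigation.
SAMPLE_EVENTS = [
    {   # stage 1: the executive's account is reset through SSPR
        "activityDateTime": "2025-08-20T09:02:11Z",
        "activityDisplayName": "Reset password (self-service)",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "exec@example.test"}},
        "targetResources": [{"userPrincipalName": "exec@example.test"}],
    },
    {   # stage 2: that account resets a backup service account's password
        "activityDateTime": "2025-08-20T11:40:03Z",
        "activityDisplayName": "Reset user password",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "exec@example.test"}},
        "targetResources": [{"userPrincipalName": "svc-veeam@example.test"}],
    },
    {   # stage 3: that account hands out Global Administrator
        "activityDateTime": "2025-08-20T12:15:47Z",
        "activityDisplayName": "Add member to role",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "exec@example.test"}},
        "targetResources": [{
            "userPrincipalName": "exec@example.test",
            "modifiedProperties": [
                {"displayName": "Role.DisplayName",
                 "newValue": "\"Global Administrator\""}],
        }],
    },
    {   # benign: helpdesk resets a user's password, no SSPR reset precedes it
        "activityDateTime": "2025-08-20T13:00:00Z",
        "activityDisplayName": "Reset user password",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
        "targetResources": [{"userPrincipalName": "alice@example.test"}],
    },
    {   # benign: an ordinary SSPR reset with no admin activity afterwards
        "activityDateTime": "2025-08-20T14:30:00Z",
        "activityDisplayName": "Reset password (self-service)",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "bob@example.test"}},
        "targetResources": [{"userPrincipalName": "bob@example.test"}],
    },
]

# Directory roles whose assignment shortly after an SSPR reset should page someone.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def _when(event):
    return datetime.strptime(event["activityDateTime"],
                             "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _actor(event):
    return ((event.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")


def _target_upns(event):
    return [t.get("userPrincipalName") for t in event.get("targetResources", [])]


def _roles_added(event):
    """Role names recorded in modifiedProperties of an 'Add member to role' event."""
    roles = []
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                roles.append(prop.get("newValue", "").strip('"'))
    return roles


def correlate_sspr_privesc(events, window=timedelta(hours=24)):
    """Flag admin actions taken by an account whose password was reset via SSPR
    within `window`. Returns one alert dict per suspicious action, in time order."""
    last_sspr = {}   # UPN -> time of its most recent successful self-service reset
    alerts = []
    for event in sorted(events, key=_when):
        if event.get("result") != "success":
            continue
        name = event.get("activityDisplayName")
        if name == "Reset password (self-service)":
            for upn in _target_upns(event):
                last_sspr[upn] = _when(event)
            continue
        actor = _actor(event)
        if actor not in last_sspr or _when(event) - last_sspr[actor] > window:
            continue
        age = int((_when(event) - last_sspr[actor]).total_seconds() // 60)
        if name == "Reset user password":
            for upn in _target_upns(event):
                if upn != actor:   # resetting someone else's password right after your own SSPR reset
                    alerts.append({"actor": actor, "stage": "credential_reset",
                                   "detail": upn, "minutes_since_sspr": age})
        elif name == "Add member to role":
            for role in _roles_added(event):
                if role in PRIVILEGED_ROLES:
                    alerts.append({"actor": actor, "stage": "privileged_role",
                                   "detail": role, "minutes_since_sspr": age})
    return alerts


if __name__ == "__main__":
    for alert in correlate_sspr_privesc(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the correlation raises two alerts for the executive's account (the service-account reset about 2.5 hours after the SSPR event, then the Global Administrator assignment) and stays silent on the helpdesk reset and on the plain SSPR reset with no follow-on activity. The window is the tuning knob: the Citrix and VPN lateral movement described above means the admin actions can trail the initial reset by hours, so a window measured in minutes would miss this chain.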