Researchers Firm Up ShinyHunters, Scattered Spider Link

A recent report by ReliaQuest researchers Kimberley Bromley and Ivan Righi has shed light on a potential collaboration between the ShinyHunters hacking collective and the Scattered Spider gang, two groups previously linked to the cyber crime network known as The Com.

The researchers argue that there is now ample evidence suggesting a deliberate partnership between the two operations, despite some of it being highly circumstantial. This evidence includes a dramatic shift in ShinyHunters' tactics, which have moved beyond their previous modus operandi of credential theft and database exploitation to include hallmark Scattered Spider techniques.

These tactics, as described by Bromley and Righi, include the adoption of highly-targeted voice phishing campaigns that impersonate IT support staff to trick victims into connecting malicious apps, such as Salesforce Data Loader. They also use Okta-themed phishing pages to trick their victims into entering their credentials, and leverage the legitimate Mullvad virtual private network (VPN) service to perform data exfiltration.

"These tactics align closely with Scattered Spider's trademark methods and those of the broader collective, The Com, fueling speculation about active collaboration between the groups," wrote Bromley and Righi. They also note that both groups appear to be targeting similar verticals – retail, insurance, and aviation – during the same rough timeline.

Furthermore, the researchers point out that the two groups seem to be taking a similar approach in the naming conventions they used when registering their domains. This has led Bromley and Righi to warn that financial services companies should now be on high alert due to the recent emergence of an individual persona associated with ShinyHunters, known as Sp1d3rhunters.

This account, which first popped up on the BreachForums data leak service in 2024, has allegedly claimed that ShinyHunters and Scattered Spider are the same, and moreover always have been. "If these connections are legitimate, they suggest that collaboration or overlap between ShinyHunters and Scattered Spider may have been ongoing for more than a year," said the researchers.

Bromley and Righi caution that while it's possible to spend months dissecting the clues that suggest ShinyHunters and Scattered Spider are working together, defenders should not lose sight of the broader significance of the ongoing attacks – that they are successful not because of who orchestrated them, but because of how they were executed.

"Threat actors constantly rotate infrastructure, change names, and adapt their TTPs to evade detection and maximise impact," they said. "As a result, tracking the behavioral patterns and evolving TTPs behind these campaigns is far more valuable than focusing solely on indicators of compromise (IOCs) or attribution.

"For security leaders, understanding this fluid and persistent threat landscape is critical to anticipating future attacks and making informed decisions about security strategy and resource allocation," they warned. They also note that the cyber attack campaigns are likely to continue regardless of whether the two groups are working together, or are one and the same, adding that others may also attempt to emulate the success of the high-profile attacks by adopting similar tactics.

"These recent campaigns showcase the effectiveness of a new wave of English-speaking threat actors highly skilled in social engineering," they said. With this new information, security leaders must stay vigilant and adapt their strategies to counter the evolving threat landscape.