Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going "dark."
Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector. This is supported by an increase in lookalike domains potentially linked to the group that are geared towards the industry vertical, as well as a recently identified targeted intrusion against an unnamed U.S. banking organization.
"Scattered Spider gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management," the company said.
"From there, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network."
To achieve privilege escalation, the attackers reset a Veeam service account password, assigned Azure Global Administrator permissions, and relocated virtual machines to evade detection. There are also signs that Scattered Spider attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories.
Exit or Smokescreen?
The recent activity undercuts the group's claims that they were ceasing operations alongside 14 other criminal groups, such as LAPSUS$. Scattered Spider is the moniker assigned to a loose-knit hacking collective that's part of a broader online entity called The Com.
The group also shares a high degree of overlap with other cybercrime crews like ShinyHunters and LAPSUS$, so much so that the three clusters formed an overarching entity named "scattered LAPSUS$ hunters."
One of these clusters, notably ShinyHunters, has also engaged in extortion efforts after exfiltrating sensitive data from victims' Salesforce instances. In these cases, the activity took place months after the targets were compromised by another financially motivated hacking group tracked by Google-owned Mandiant as UNC6040.
The incident is a reminder not to be lulled into a false sense of security, ReliaQuest added, urging organizations to stay vigilant against the threat. As in the case of ransomware groups, there is no such thing as retirement, as it's very much possible for them to regroup or rebrand under a different alias in the future.
"The recent claim that Scattered Spider is retiring should be taken with a significant degree of skepticism," Karl Sigler, security research manager of SpiderLabs Threat Intelligence at Trustwave, a LevelBlue Company, said. "Rather than a true disbanding, this announcement likely signals a strategic move to distance the group from increasing law enforcement pressure."
Sigler also pointed out that the farewell letter should be viewed as a strategic retreat, allowing the group to reassess its practices, refine its tradecraft, and evade ongoing efforts to put a lid on its activities, not to mention complicate attribution efforts by making it harder to tie future incidents to the same core actors.
"It's plausible that something within the group's operational infrastructure has been compromised. Whether through a breached system, an exposed communication channel, or the arrest of lower-tier affiliates, something has likely triggered the group to go dark, at least temporarily. Historically, when cybercriminal groups face heightened scrutiny or suffer internal disruption, they often 'retire' in name only, opting instead to pause, regroup, and eventually re-emerge under a new identity."
Update
In a new analysis published on September 17, 2025, EclecticIQ said ShinyHunters is likely relying on members of Scattered Spider and The Com to facilitate voice phishing attacks using platforms such as Vapi and Bland AI that provide unauthorized access to single sign-on (SSO) platforms used by retail, airline, and telecom companies.
Specifically, ShinyHunters members have been found to abuse Bland AI to automate social engineering calls at scale, allowing them to tailor responses to victim's reactions during phone calls in real-time, and ensuring that the call remains convincing even in scenarios where the responds outside the scripted conversational pathways.
The voice call phishing attacks are carried out by individuals who are recruited by ShinyCorp (aka sp1d3rhunters), the mastermind behind ShinyHunters, through Telegram groups such as Sim Land (SL), an underground community operated by The Com members.
"Unlike static robot voice calls, the AI model dynamically generates voices and adjusts tone and responses to sustain credibility and manipulate the target," EclecticIQ said. "This combination of LLM-powered dialogue management and near-realistic synthetic voice allows ShinyHunters linked threat actors to run successful vishing operations at scale."
The access is then leveraged to siphon large volumes of customer data from compromised Salesforce applications for subsequent extortion efforts. According to the Dutch cybersecurity company, ShinyHunters has also impersonated Okta SSO login pages to steal credentials from high-value sectors including investment banking, luxury retail, travel, U.S. payment processing, and major e-commerce platforms.
On top of that, the extortion group has claimed to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens, per a report from Bleeping Computer. Google is tracking the activity associated with the Salesloft hack under the moniker UNC6395.
What's more, ShinyHunters is said to have obtained BrowserStack API keys created by engineering teams and used them to target enterprise development environments, as well as exploited an Oracle Access Manager vulnerability (CVE-2021-35587) in attacks targeting a national bank and a Japanese car manufacturer to gain access to the database and exfiltrate data.
"ShinyHunters is expanding its operations by combining AI-enabled voice phishing, supply chain compromises, and leveraging malicious insiders, such as employees or contractors, who can provide direct access to enterprise networks," security researcher Arda Büyükkaya said.
"ShinyHunters leader, ShinyCorp, is actively selling stolen datasets with ransomware affiliates and other e-crime actors, at prices exceeding $1 million per company."
