The cybersecurity landscape witnessed a sophisticated and ongoing attack campaign throughout 2025 that has successfully compromised major corporations, including Google, Adidas, Louis Vuitton, and numerous other high-profile organizations. This comprehensive technical analysis reveals how the notorious cybercriminal group ShinyHunters, in apparent collaboration with Scattered Spider, has executed one of the most successful social engineering campaigns targeting Salesforce Customer Relationship Management (CRM) platforms. The campaign represents a significant evolution in attack sophistication, combining traditional voice phishing techniques with advanced OAuth abuse and API exploitation to achieve persistent access and large-scale data exfiltration across multiple industry sectors.

ShinyHunters emerged in 2020 as a financially motivated cybercriminal group initially focused on traditional credential theft and database exploitation. The group gained notoriety through high-profile data breaches affecting major platforms, including Tokopedia (91 million records), Microsoft GitHub (500GB of data), and AT&T (70+ million records). Beyond data theft operations, ShinyHunters established itself as a key player in the cybercriminal ecosystem by serving as administrators of popular hacking forums, including multiple incarnations of BreachForums. Following arrests of several alleged members in June 2024, ShinyHunters maintained relative inactivity until their dramatic resurgence in June 2025 with fundamentally transformed tactics, techniques, and procedures (TTPs). Google’s Threat Intelligence Group (GTIG) tracks the current campaign activities under the designations UNC6040 (initial compromise activities) and UNC6240 (extortion operations), though the operators consistently claim affiliation with the ShinyHunters brand.

Compelling circumstantial evidence suggests active collaboration between ShinyHunters and Scattered Spider, a sophisticated English-speaking cybercriminal collective known for social engineering expertise. This collaboration theory is supported by several key indicators: Tactical Convergence: The current ShinyHunters campaign demonstrates marked adoption of Scattered Spider’s signature techniques, including highly targeted voice phishing, domain impersonation patterns, and VPN obfuscation methods. Infrastructure Overlap: Domain registration analysis reveals shared infrastructure characteristics, including similar naming conventions (ticket-companyname[.]com), common registrars (GMO Internet), and Cloudflare-masked nameservers. Attribution Evidence: A BreachForums user with the portmanteau alias "Sp1d3rhunters" appeared in May 2024, claiming both groups "are the same" and "have always been the same," while subsequently leaking data previously attributed to ShinyHunters. Both groups demonstrate connections to "The Com," a loosely organized collective of English-speaking cybercriminals engaged in diverse illegal activities, including SIM swapping, account takeovers, cryptocurrency theft, and more extreme criminal activities.

The attack chain begins with sophisticated voice phishing campaigns targeting employees with appropriate Salesforce permissions. Attackers impersonate internal IT support personnel using several social engineering techniques: Reconnaissance Phase: Threat actors conduct extensive open-source intelligence gathering, harvesting employee contact information from LinkedIn, company directories, and public sources to identify high-value targets with Salesforce administrative privileges. Call Initiation: Attackers initiate calls using spoofed caller IDs, voice-altering software, and professional-sounding scripts claiming urgent Salesforce-related issues requiring immediate attention. Some campaigns employ automated phone systems with pre-recorded messages and interactive menus to gather additional reconnaissance before connecting to live operators. Trust Establishment: The social engineering approach exploits inherent trust relationships between employees and IT support, leveraging urgency and authority to bypass normal verification procedures.

The core technical exploit centers on manipulating Salesforce’s OAuth-based connected app authorization mechanism: Connected App Setup Manipulation: During vishing calls, attackers guide victims to Salesforce’s connected app authorization page (typically login.salesforce.com/setup/connect), instructing them to authorize what appears to be legitimate software. Malicious Application Deployment: The threat actors present modified versions of Salesforce’s legitimate Data Loader application, often rebranded with misleading names such as "My Ticket Portal" to align with social engineering pretexts. These applications request broad API permissions, including data export capabilities. 8-Digit Authorization Code: Victims enter attacker-provided 8-digit authorization codes, inadvertently granting persistent OAuth tokens with extensive API access permissions. This process bypasses multi-factor authentication requirements and establishes long-term access without triggering standard security alerts. Connected App ID: Analysis of Salesforce Event Monitoring logs revealed the malicious Connected App ID 889Kb100000KFJc associated with suspicious data exfiltration activities. This identifier represents unauthorized applications performing large-volume data queries across multiple victim organizations.

Once OAuth access is established, threat actors deploy sophisticated data extraction techniques: REST API Exploitation: Attackers utilize Salesforce’s legitimate REST API endpoint /services/data/v62.0/query to perform bulk SOQL (Salesforce Object Query Language) queries targeting high-value data objects. Automated Extraction Scripts: GTIG observed evolution from legitimate Data Loader applications to custom Python scripts performing similar functions but with enhanced automation capabilities. These scripts enable rapid, large-scale data extraction while mimicking legitimate API usage patterns. Data Volume and Targeting: Each extraction request typically retrieves approximately 2.3 MB of data, with attacks focusing on Contact objects containing 400+ fields per record. Attackers demonstrate a sophisticated understanding of Salesforce data structures, targeting customer databases, personally identifiable information (PII), and business intelligence. Traffic Obfuscation: All data exfiltration activities route through Mullvad VPN IP addresses and Tor networks to complicate attribution and evade detection. This multi-layered obfuscation approach significantly hampers incident response and forensic analysis efforts.

Following initial Salesforce compromise, attackers frequently attempt lateral movement to adjacent cloud platforms: Credential Harvesting: Using harvested credentials and OAuth tokens, threat actors access integrated platforms including Okta, Microsoft 365, and Meta Workplace. Cross-Platform Data Access: Attackers leverage single sign-on (SSO) relationships and shared authentication mechanisms to access SharePoint repositories, email systems, and additional data stores. Privilege Escalation: Through social engineering and credential manipulation, attackers may escalate access privileges within target organizations, potentially gaining administrative rights to additional systems.

The following table provides a detailed mapping of observed ShinyHunters TTPs to the MITRE ATT&CK framework: Tactic, Technique ID, Technique Name, Description, Observed Behavior. The table includes entries such as: Reconnaissance (T1589.001) - Gather Victim Identity Information: Credentials - Gathering target employee credentials and contact information for vishing campaigns - Researching target employees via LinkedIn, company directories; Initial Access (T1566.004) - Phishing: Spear Phishing Voice - Voice phishing calls impersonating IT support personnel to trick victims - Impersonating internal IT support with convincing social engineering; Execution (T1059.006) - Command and Scripting Interpreter: Python - Custom Python scripts replacing Salesforce Data Loader for automated exfiltration - Deploying custom Python scripts for automated bulk data extraction.

The following table provides Indicators of Compromise (IoCs): Email Address (shinycorp@tuta[.]com), Domain (dashboard-salesforce[.]com), Connected App ID (889Kb100000KFJc), User Agent (SalesforceDataLoader/*), API Endpoint (/services/data/v62.0/query), IP Range (Mullvad VPN IP Ranges). Security analysts should monitor for these indicators.

The campaign has affected organizations across multiple industry sectors, with confirmed and suspected victims spanning technology, luxury goods, aviation, insurance, and retail: Google (Technology, June 2025, Confirmed), Adidas (Retail/Fashion, July 2025, Media Reports), Louis Vuitton (Luxury Goods, July 2025, Media Reports), Dior (Luxury Goods, July 2025, Media Reports), Chanel (Luxury Goods, August 2025, Media Reports), Qantas Airways (Aviation, July 2025, Media Reports), Allianz Life (Insurance, July 2025, Media Reports), Cisco Systems (Technology, June 2025, Media Reports).

Google (June 2025): Google confirmed a compromise of a corporate Salesforce instance containing contact information for small and medium businesses. Approximately 2.55 million records were allegedly accessed, including business names, phone numbers, and sales notes. Google responded rapidly, terminating attacker access and completing customer notifications by August 8, 2025. LVMH Luxury Brands: Multiple LVMH subsidiaries were targeted, including Louis Vuitton, Dior, and Tiffany & Co. Domain registration evidence shows ticket-themed phishing infrastructure specifically targeting these brands between June 20-30, 2025, coinciding with reported data breaches. Aviation Sector: Qantas Airways reportedly paid 4 Bitcoin (~$400,000) to prevent data leakage, while Air France-KLM also suffered confirmed breaches. These attacks demonstrate the campaign’s effectiveness across international aviation companies with substantial customer databases.

The ShinyHunters campaign employs a delayed extortion model, with ransom demands occurring weeks or months after initial data theft. Key characteristics include: Ransom Amounts: Demands range from 4 Bitcoin (~$400,000) to 20 Bitcoin (~$2.3 million), with Google receiving the highest reported demand (though claimed as a joke by the attackers). Data Leak Site Preparation: GTIG warns that ShinyHunters may be preparing to escalate tactics by launching a dedicated data leak site (DLS) to increase pressure on victims.

Comprehensive analysis of malicious infrastructure reveals coordinated domain registration patterns supporting the attribution of this campaign to ShinyHunters in collaboration with Scattered Spider: Ticket-Themed Phishing Domains: ticket-lvmh[.]com, ticket-dior[.]com, ticket-louisvuitton[.]com (registered June 20-30, 2025), ticket-nike[.]com, ticket-audemarspiguet[.]com (registered June 2025), dashboard-salesforce[.]com (registered August 1, 2025, actively hosting phishing pages). Registry Characteristics: All identified malicious domains share common infrastructure indicators: Registrar: GMO Internet is consistently used across malicious infrastructure. Email Patterns: Temporary registrant addresses using mailshan[.]com domain. DNS Configuration: Cloudflare-masked nameservers to obscure true hosting infrastructure. Phishing Kits: Domains host Okta-branded phishing pages mimicking legitimate SSO portals.

Organizations must implement comprehensive Salesforce security hardening measures: Connected App Management: Restrict powerful permissions including "API Enabled" and "Manage Connected Apps" to essential administrative personnel only. Implement regular audits of authorized connected applications and remove unused or suspicious entries. IP Allowlisting: Enforce IP address restrictions for user profiles and connected app policies to prevent access from unexpected or non-corporate IP addresses. This measure specifically counters VPN-based obfuscation techniques observed in the campaign. Event Monitoring: Deploy Salesforce Shield with Transaction Security Policies to monitor large data downloads and unusual API activity patterns. Automated alerts should trigger on bulk Contact object queries exceeding normal usage baselines. OAuth Governance: Implement strict approval processes for connected app installations, potentially allowlisting known safe applications to prevent unauthorized OAuth grants.

Security operations centers should implement the following detection capabilities: Behavioral Analysis: Monitor for unusual REST API request volumes, particularly bulk queries to Contact objects returning consistent data sizes (~2.3MB). Establish baselines for normal API usage and alert on statistical anomalies. Network Traffic Analysis: Detect connections to Mullvad VPN IP ranges and Tor exit nodes originating from corporate networks. Correlation of VPN usage with Salesforce API activity should trigger immediate investigation. Social Engineering Indicators: Monitor for unusual 8-digit authorization codes in Salesforce logs and investigate OAuth app authorizations from unknown IP addresses. Domain Intelligence: Implement automated monitoring for newly registered domains following observed patterns (ticket-companyname[.]com, companyname-salesforce[.]com) to identify targeting infrastructure.

The ShinyHunters Salesforce attack campaign represents one of the most sophisticated and successful social engineering operations observed in recent years, successfully compromising dozens of high-profile organizations across multiple industries. The suspected collaboration between ShinyHunters and Scattered Spider has produced a hybrid threat actor with enhanced capabilities, combining traditional data theft expertise with advanced social engineering techniques. The campaign’s technical sophistication lies not in novel exploitation techniques but in the masterful combination of human psychology, legitimate platform features, and advanced obfuscation methods. By abusing OAuth mechanisms and exploiting trust relationships, the threat actors achieved persistent access to sensitive customer data across numerous organizations while evading traditional technical security controls. For cybersecurity professionals, this campaign underscores the critical importance of addressing human factors in security architectures. While technical controls remain essential, the most sophisticated defenses prove inadequate when users can be manipulated into authorizing malicious applications through convincing social engineering. Organizations must adopt comprehensive defense strategies combining restrictive OAuth governance, enhanced user education, behavioral monitoring, and incident response capabilities specifically designed to counter social engineering threats. The continued evolution of this campaign, potential law enforcement disruption efforts, and suspected expansion into ransomware operations will require sustained vigilance and adaptive security measures across all industry sectors.

A coordinated cyberattack campaign led by the threat group ShinyHunters, in apparent collaboration with Scattered Spider, has compromised major corporations including Google, Adidas, Louis Vuitton, and others through a sophisticated social engineering campaign targeting Salesforce CRM platforms. The attackers used voice phishing, domain impersonation, and OAuth abuse to gain persistent access, exfiltrate large volumes of customer data, and deploy automated scripts for data extraction. The campaign, which resumed in June 2025 after a period of inactivity, leveraged tactics such as targeted voice calls, spoofed caller IDs, and malicious connected apps to manipulate employees into granting broad API permissions. Data was exfiltrated via Mullvad VPN and Tor networks, with ransom demands ranging from 4 to 20 Bitcoin. The attack affected organizations across technology, luxury goods, aviation, insurance, and retail sectors. Google confirmed a breach involving 2.55 million records, while others like Qantas and Allianz Life reported data compromises. Security experts warn of potential data leak sites and emphasize the need for improved OAuth governance, behavioral monitoring, and user education to counter such threats.