Current Cyber Threats

The Golden Scale: 'Tis the Season for Unwanted Gifts

Summary:
The cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLSH) has rapidly intensified its activity following a brief hiatus, marked by the creation of a new Telegram channel and several significant events since mid-November 2025. Most notably, Salesforce issued a security advisory on November 20, 2025, confirming "unusual activity" involving tokens associated with Gainsight-published applications, which led to the temporary removal of these apps and the revocation of their tokens. Salesforce believes the activity did not stem from a platform vulnerability but may have enabled unauthorized access to certain customer data through the app's connection. Bling Libra (also known as ShinyHunters), a group affiliated with SLSH, claimed to have gained access to 285 additional Salesforce instances by breaching Gainsight. The group asserted that it reached Gainsight using OAuth tokens stolen in the August 2025 Salesloft Drift supply chain attack, an intrusion Gainsight had previously acknowledged on September 3rd and which resulted in the theft of a range of data, including names, business emails, and Gainsight product licensing information.
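The common thread in the Gainsight and Salesloft Drift incidents is a legitimate connected-app OAuth token being used outside its normal pattern, which is exactly the kind of signal a defender can baseline and alert on. The following is an added detection example written for this page; it is not code from the Unit 42 post, Salesforce, or Gainsight. It assumes a generic per-request audit feed (timestamp, connected app, integration user, source IP, rows retrieved) such as a SaaS platform's API event export would provide. The app names, users, IP addresses and volumes are constructed sample data, and the ten-times-baseline threshold is an assumed tuning value.

```python
"""Flag connected-app OAuth token usage that deviates from its own baseline.

Two signals are checked per app after a baseline window:
  1. retrieval volume far above the app's median (bulk export behaviour)
  2. token used from a source IP never seen for that app during the baseline
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (not real telemetry). Field order:
# timestamp, connected app, integration user, source IP, rows retrieved.
SAMPLE_EVENTS = [
    ("2025-11-17T09:00:00", "gainsight-connector", "svc_gainsight", "203.0.113.10", 1200),
    ("2025-11-17T10:00:00", "gainsight-connector", "svc_gainsight", "203.0.113.10", 1350),
    ("2025-11-18T09:00:00", "gainsight-connector", "svc_gainsight", "203.0.113.10", 1100),
    ("2025-11-18T10:00:00", "gainsight-connector", "svc_gainsight", "203.0.113.10", 1250),
    ("2025-11-19T09:00:00", "gainsight-connector", "svc_gainsight", "203.0.113.10", 1300),
    # Constructed anomaly: same app token, new source IP, bulk retrieval far above baseline.
    ("2025-11-19T23:15:00", "gainsight-connector", "svc_gainsight", "198.51.100.77", 48000),
    ("2025-11-19T23:20:00", "gainsight-connector", "svc_gainsight", "198.51.100.77", 52000),
    ("2025-11-17T09:00:00", "zendesk-sync", "svc_zendesk", "192.0.2.5", 300),
    ("2025-11-18T09:00:00", "zendesk-sync", "svc_zendesk", "192.0.2.5", 320),
    ("2025-11-19T09:00:00", "zendesk-sync", "svc_zendesk", "192.0.2.5", 310),
]

# Everything before this instant forms the baseline; everything after is evaluated.
BASELINE_CUTOFF = datetime(2025, 11, 19)


def build_baseline(events, cutoff):
    """Per app: (median rows per request, set of source IPs) over the baseline window."""
    rows = defaultdict(list)
    ips = defaultdict(set)
    for ts, app, _user, ip, n in events:
        if datetime.fromisoformat(ts) < cutoff:
            rows[app].append(n)
            ips[app].add(ip)
    return {app: (statistics.median(v), ips[app]) for app, v in rows.items()}


def detect_anomalies(events, cutoff, volume_factor=10):
    """Return one alert dict per post-cutoff event that breaks its app's baseline."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    for ts, app, user, ip, n in events:
        if datetime.fromisoformat(ts) < cutoff:
            continue
        reasons = []
        if app not in baseline:
            # An app with no history at all is itself worth a look.
            reasons.append("no baseline for app")
        else:
            median_rows, known_ips = baseline[app]
            if n >= volume_factor * median_rows:
                reasons.append(f"volume {n} >= {volume_factor}x baseline median {median_rows:.0f}")
            if ip not in known_ips:
                reasons.append(f"token used from new source IP {ip}")
        if reasons:
            alerts.append({"time": ts, "app": app, "user": user, "ip": ip, "reasons": reasons})
    return alerts


def apps_to_review(alerts):
    """Distinct connected apps whose tokens should be reviewed or revoked."""
    return sorted({a["app"] for a in alerts})


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS, BASELINE_CUTOFF):
        print(alert["time"], alert["app"], alert["ip"], "; ".join(alert["reasons"]))
    print("review tokens for:", apps_to_review(detect_anomalies(SAMPLE_EVENTS, BASELINE_CUTOFF)))
```

The median baseline is deliberately robust to a single busy hour, and the two signals are reported separately so an analyst can tell a new office egress IP (one reason) from a token that is both travelling and bulk-exporting (two reasons). The list returned by `apps_to_review` is the input to the response step the advisory describes: remove or suspend the app and revoke its tokens.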

On November 24th, SLSH also revealed plans for a new DLS (data leak site), setting a deadline for November 24, 2025, implying ransom demands for affected companies. Furthermore, on November 19th, the group reportedly had a new ransomware-as-a-service (RaaS) program under active development, dubbed "ShinySp1d3r," initially for Windows but with Linux and ESXi versions of the ransomware underway. SLSH even threatened to deploy ShinySp1d3r against New York City and the State of New York. The group continues to focus on insider threat recruitment, as highlighted by CrowdStrike's confirmation that a terminated employee had shared screenshots of internal systems with SLSH, reportedly for a $25,000 payment. SLSH is actively soliciting insiders across various industries, including retail and hospitality. In response to the attack, Gainsight temporarily suspended connections to other SaaS platforms such as HubSpot and Zendesk and advised customers to rotate S3 keys. The threat actors have boasted of a growing victim count, signaling "unwavering chaos" into 2026.

Security Officer Comments:
SLSH appears to have expedited its return, significantly evolving its operations by integrating the development of the ShinySp1d3r RaaS program alongside its existing extortion-as-a-service (EaaS) offerings and potent supply-chain attacks (such as the recent Gainsight breach via Salesloft Drift). This convergence of multiple operational capabilities (direct data theft and extortion, RaaS, and calculated insider recruitment) makes SLSH an even more formidable adversary, capable of casting a multi-layered net against organizations. The timing of this surge, just before the critical holiday shopping season, is particularly dangerous for retailers. Organizations must prioritize collective defense via information sharing and implement strong, AI-driven security measures to meet this rising complexity.

Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/