
ShinyHunters and Scattered Spider Collaboration

5 unique sources, 27 articles

Summary


**SloppyLemming (Outrider Tiger/Fishing Elephant)**, an **India-linked APT group**, has escalated its cyber-espionage operations in **2025–2026**, targeting **Pakistani and Bangladeshi government entities, nuclear regulatory bodies, defense logistics, telecommunications, energy utilities, and financial institutions**. The group has evolved from relying on **off-the-shelf tools (Cobalt Strike, Havoc)** to deploying **custom Rust-based malware**, including a **dual-payload approach**: the **BurrowShell backdoor** (with file manipulation, remote shell, SOCKS proxy, and RC4-encrypted C2 traffic masquerading as Windows Update) and a **Rust keylogger** (with port scanning and network enumeration). Their **C2 infrastructure has expanded eightfold**, from **13 Cloudflare Workers domains in 2024 to 112 in 2025**, leveraging **serverless and edge-hosted services** to evade detection and improve scalability. SloppyLemming employs **spear-phishing campaigns** with **PDF lures and macro-enabled Excel documents**, leading to **ClickOnce application manifests** that deploy malicious loaders via **DLL side-loading**. Despite advancements in tooling, the group’s **operational security remains inconsistent**, with researchers identifying **open directories on C2 servers** that exposed their activities. The group operates within a **broader India-aligned ecosystem**, including **TA397 (Bitter), TA399 (Sidewinder), and TA395 (Frantic Tiger)**, with evidence of **shared resourcing and coordinated tasking**, though it remains distinct from other India-nexus actors like **Dropping Elephant and Mysterious Elephant**, which focus on **diplomatic and military targets**. This campaign underscores the **growing regionalization of cyber-espionage in South Asia**, driven by **geopolitical tensions and strategic competition**. 
*Meanwhile, unrelated but concurrent threat activity involves the **ShinyHunters and Scattered Spider collaboration (SLSH)**, which continues to target **Salesforce, Zendesk, and SaaS platforms** with **vishing, extortion, and RaaS (ShinySp1d3r)**, demonstrating a **multi-pronged expansion in both technical sophistication and psychological warfare*.

Timeline

  1. 31.01.2026 09:58 3 articles · 1mo ago

    ShinyHunters Expands Vishing and SaaS Extortion Tactics in January 2026

    In **January 2026**, Mandiant and **Allison Nixon (Unit 221B)** documented a **new wave of vishing and credential-harvesting attacks** by **ShinyHunters and associated clusters (UNC6661, UNC6671, UNC6240)**, targeting **SaaS platforms** (Okta, SharePoint, OneDrive) and **cryptocurrency firms** for extortion. Attackers **impersonated IT staff**, directing employees to **fake credential-harvesting sites** to steal **SSO credentials and MFA codes**, then **registered their own MFA devices** to maintain persistent access. UNC6661 sent phishing emails from compromised accounts, deleting them post-delivery to evade detection, while UNC6671 used **PowerShell scripts** to exfiltrate data from SharePoint/OneDrive after gaining access via **victim-branded harvesting pages**. The groups differ in **domain registrars (NICENIC for UNC6661, Tucows for UNC6671)** and extortion email patterns, suggesting **multiple but interlinked threat actors**. **New insights from Unit 221B** reveal SLSH’s extortion model **mirrors violent sextortion schemes**, where victims are **harassed via swatting, DDoS, and threats of physical violence**—including against **executives’ families**—while the group **manipulates media coverage** to amplify pressure. Nixon warns that **negotiation incentivizes further harassment** and provides SLSH with intelligence on data value for future fraud, advising victims to **refuse payment** and treat extortion demands as a **separate issue from harassment**. The campaign highlights the group’s **escalation from technical intrusion to psychological coercion**, with **no guarantee of data deletion** post-payment. Google’s mitigation recommendations—**phishing-resistant MFA (FIDO2/passkeys), egress restrictions, and help desk verification reforms**—remain critical as SLSH continues to **exploit SaaS vulnerabilities** and **third-party trust relationships**. 
**February 2026 Update:** SLSH is now **recruiting women for vishing attacks**, offering **$500–$1,000 per call** to IT help desks, alongside pre-written scripts. This tactical shift aims to **bypass traditional attacker profiles** by diversifying voices, increasing impersonation success rates. The group also **creates virtual machines post-access** for reconnaissance (e.g., Active Directory enumeration) and **exploits the Microsoft Graph API** to target Azure cloud resources, demonstrating a **deepening focus on identity and cloud infrastructure weaknesses**.

  2. 15.12.2025 23:27 2 articles · 2mo ago

    ShinyHunters Extorts PornHub via Mixpanel Analytics Breach

    On **November 8, 2025**, ShinyHunters compromised **Mixpanel**, a third-party analytics vendor, via an **SMS phishing (smishing) attack**, stealing **94GB of data** containing **201,211,943 records** of **PornHub Premium members’ historical search, watch, and download activity** from 2021 or earlier. The stolen data includes **email addresses, activity types (watched, downloaded, searched), video URLs, video names, associated keywords, locations, and timestamps**—highly sensitive information the group is now using to **extort Mixpanel customers**, including PornHub. ShinyHunters sent extortion emails beginning with **"We are ShinyHunters"**, demanding ransom payments to prevent public disclosure of the data. PornHub confirmed the breach impacted **select Premium users** but clarified that **no passwords, payment details, or financial information were exposed**, as the compromise originated from Mixpanel’s systems. **Mixpanel disputed the claim**, stating the data was last accessed by a legitimate PornHub employee account in 2023 and that there is **no evidence it was stolen during their November 2025 security incident**. This discrepancy raises questions about the data's origin, including potential **earlier breaches or insider involvement**. The incident marks a **significant expansion of ShinyHunters’ targeting**, moving beyond **Salesforce and CRM platforms** to exploit **analytics vendors** and **consumer-facing services**, further demonstrating the group's ability to **leverage third-party providers for high-impact extortion campaigns**.

  3. 27.11.2025 11:30 1 article · 3mo ago

    Scattered Lapsus$ Hunters Launches Zendesk Phishing Campaign

    The **Scattered Lapsus$ Hunters (SLSH) alliance** has initiated a **new phishing campaign targeting Zendesk users**, deploying **over 40 typosquatted domains** (e.g., *znedesk[.]com*, *vpn-zendesk[.]com*) and **fraudulent helpdesk tickets** to harvest credentials and deploy **remote access trojans (RATs)**. The domains, registered via **NiceNic** with **US/UK registrant details** and **Cloudflare-masked nameservers**, mirror tactics used in the **August 2025 Salesforce campaign**, including **deceptive SSO portals** and **social engineering lures** aimed at support staff. ReliaQuest reports that **Discord** has already fallen victim, confirming a breach via its **Zendesk-based support system** that exposed user data, including **names, emails, billing information, IP addresses, and government-issued IDs**. The campaign underscores the group’s **expanding focus on high-value SaaS platforms** (Salesforce, Salesloft, Gainsight, and now Zendesk) to exploit **downstream customer data access**. While the activity aligns with SLSH’s modus operandi, ReliaQuest notes it could also be the work of a **copycat group** adopting similar phishing and credential-harvesting techniques. Organizations are urged to **monitor for typosquatted domains**, **audit helpdesk ticket submissions**, and **enhance endpoint protections** for support teams. This development follows the group’s **November 2025 unveiling of the ShinySp1d3r RaaS platform**, signaling a **multi-pronged escalation** in both **technical sophistication** and **target diversification**.
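The entry above recommends monitoring for typosquatted domains and quotes two of them. The following is an added example (not code from the original page or from ReliaQuest) of a small classifier that takes candidate hostnames from a domain feed or proxy log and flags the three patterns visible in the campaign: a transposed or misspelled brand label (znedesk.com), the brand embedded in a longer label (vpn-zendesk.com), and the correct label under a different TLD. The `BRANDS` allowlist, the `MAX_EDITS` threshold and the sample feed are constructed for the example; the naive apex extraction assumes single-label public suffixes and would need the Public Suffix List in production.

```python
import re

# Constructed allowlist for this example: brand label -> legitimate apex domain.
# A real deployment would load the organisation's own list of SaaS vendors.
BRANDS = {"zendesk": "zendesk.com"}

# Maximum edit distance between a registered label and a brand label that we
# still treat as a lookalike (a threshold chosen for this example).
MAX_EDITS = 2


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'znedesk[.]com' back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive apex: the last two labels. Assumption: single-label public
    suffixes only; a production version would consult the Public Suffix List
    so that e.g. a '.co.uk' registration is handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify(domain: str):
    """Return (reason, brand) when the domain looks like a typosquat of a
    brand in BRANDS, or None when it is the legitimate domain or unrelated."""
    host = refang(domain)
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        return None  # not a plausible hostname; skip rather than guess
    apex = registrable_domain(host)
    label = apex.split(".")[0]
    for brand, legit in BRANDS.items():
        if host == legit or host.endswith("." + legit):
            return None  # the vendor's own domain or one of its subdomains
        if label == brand:
            return ("wrong-tld", brand)       # e.g. zendesk.net
        if brand in label:
            return ("brand-embedded", brand)  # e.g. vpn-zendesk.com
        if levenshtein(label, brand) <= MAX_EDITS:
            return ("lookalike", brand)       # e.g. znedesk.com
    return None


def scan(domains):
    """Map every flagged domain (refanged) to its (reason, brand)."""
    findings = {}
    for d in domains:
        hit = classify(d)
        if hit:
            findings[refang(d)] = hit
    return findings


if __name__ == "__main__":
    # Constructed sample feed: the two defanged indicators quoted in the report
    # plus a legitimate subdomain and an unrelated domain as negative controls.
    sample = ["znedesk[.]com", "vpn-zendesk[.]com", "support.zendesk.com",
              "zendesk.net", "example.com"]
    for host, (reason, brand) in scan(sample).items():
        print(f"{host}: {reason} (impersonates {brand})")
```

Feeding newly registered domains or the proxy's distinct-hostname list through `scan` once a day is enough to catch the registrar-driven lookalikes described above; the edit-distance threshold should be kept small for short brand labels, since a larger value on a five- or six-letter label matches unrelated words.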

  4. 27.11.2025 09:03 1 article · 3mo ago

    ShinyHunters-Scattered Spider-LAPSUS$ Alliance Unveils ShinySp1d3r RaaS Platform

    The **ShinyHunters-Scattered Spider-LAPSUS$ (SLSH) alliance** has developed **ShinySp1d3r**, a new **ransomware-as-a-service (RaaS) platform** combining advanced technical features with extortion-as-a-service (EaaS) capabilities. The platform includes **anti-forensic measures** such as hooking the *EtwEventWrite* function to disable Windows Event Viewer logging, terminating processes to bypass file locks, and filling free drive space with random data to overwrite deleted files. ShinySp1d3r also supports **network propagation** via *deployViaSCM*, *deployViaWMI*, and *attemptGPODeployment* to encrypt open network shares and spread laterally. The platform is administered by **Saif Al-Din Khader (aka Rey)**, a core SLSH member and former BreachForums/HellCat ransomware administrator, who claims to have **cooperated with law enforcement since June 2025**. Rey describes ShinySp1d3r as a **rehashed version of HellCat ransomware modified with AI tools**. The SLSH alliance has been linked to **51 cyberattacks in the past year**, leveraging **insider recruitment, RaaS/EaaS hybrid models, and multi-vector monetization** to target organizations. Palo Alto Networks Unit 42 warns that the group’s **combined offerings and tactical adaptability** pose a formidable threat, particularly to **Salesforce-dependent enterprises and third-party IT providers**.

  5. 26.11.2025 14:05 3 articles · 3mo ago

    Gainsight Attack Expands Salesforce Customer Impact with New IOCs

    The **Gainsight cyber-attack** has expanded significantly, with Salesforce initially identifying **three impacted customers** but later confirming a **larger, unspecified number of victims** by **November 21, 2025**. Gainsight CEO Chuck Ganapathi stated only a "handful" of customers had their data affected, though the full scope remains undisclosed. The breach began with **reconnaissance from IP 3.239.45[.]43 on October 23, 2025**, followed by **unauthorized access via an AT&T IP address on November 8** and approximately **20 suspicious intrusions between November 16–23** using **commercial VPNs (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**—a tactic linked to the **Salesloft Drift attack**. Salesforce **revoked all access and refresh tokens** for Gainsight applications, while **Google disabled OAuth clients** with callback URIs like *gainsightcloud[.]com*. Gainsight disabled read/write capabilities for **Customer Success (CS), Community (CC), Northpass, and Skilljar**, while isolating **Staircase** (confirmed unaffected). Third parties (**Gong.io, Zendesk, HubSpot**) severed integrations as a precaution, with HubSpot explicitly stating no evidence of compromise. Forensic analysis by **Mandiant** and Salesforce revealed attackers exploited **compromised multifactor credentials** for VPN and critical system access. Customers were advised to **rotate S3 keys, reset NXT passwords, and re-authorize integrations**, while adopting **Google Threat Intelligence Group (GTIG) mitigations** to counter the **ShinyHunters-Scattered Spider-LAPSUS$ collective’s evolving tactics**. The incident underscores the group’s persistent focus on **Salesforce ecosystems**, leveraging **third-party app vulnerabilities, OAuth token abuse, and VPN obfuscation** to maximize impact. 
**Meanwhile, the SLSH alliance has extended its targeting to Zendesk users**, deploying **typosquatted domains and malicious helpdesk tickets** to harvest credentials and deploy malware, as detailed in a concurrent campaign reported on **November 27, 2025**.
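The Gainsight entry above lists concrete indicators (a reconnaissance IP and the Salesforce-Multi-Org-Fetcher/1.0 client string) and describes one client pulling data from many Salesforce orgs through commercial VPN exits. As an added example, not code from the original page, Salesforce, Gainsight or Mandiant, the script below runs two kinds of detection over API access logs: exact matches on the quoted indicators, and a durable behavioural heuristic that flags any single source IP touching three or more distinct org IDs. The CSV column layout, the `MULTI_ORG_THRESHOLD` value and the sample log are constructed for the example; the IPs 198.51.100.7 and 203.0.113.9 are RFC 5737 documentation addresses rather than indicators from the report.

```python
import csv
import io
from collections import defaultdict

# Indicators quoted in the report above.
IOC_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0"}
IOC_IPS = {"3.239.45.43"}

# Heuristic threshold (an assumption for this example): one client touching
# this many distinct Salesforce orgs is unusual for a legitimate integration.
MULTI_ORG_THRESHOLD = 3

# Constructed sample log. The column layout is invented for this example and is
# not Salesforce's or Gainsight's log schema; 198.51.100.7 and 203.0.113.9 are
# RFC 5737 documentation addresses, not real indicators.
SAMPLE_LOG = """\
timestamp,source_ip,user_agent,org_id,action
2025-10-23T04:12:00Z,3.239.45.43,Mozilla/5.0,00D000000000001,login_attempt
2025-11-16T10:01:00Z,198.51.100.7,Salesforce-Multi-Org-Fetcher/1.0,00D000000000001,query
2025-11-16T10:02:00Z,198.51.100.7,Salesforce-Multi-Org-Fetcher/1.0,00D000000000002,query
2025-11-16T10:03:00Z,198.51.100.7,Salesforce-Multi-Org-Fetcher/1.0,00D000000000003,query
2025-11-16T11:00:00Z,203.0.113.9,python-requests/2.31,00D000000000004,query
"""


def parse_log(text: str):
    """Parse the CSV log into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def detect(rows):
    """Return a list of findings: one per row for exact IoC matches, plus one
    'multi-org-access' finding per source IP that touched many org IDs."""
    findings = []
    orgs_by_ip = defaultdict(set)
    for row in rows:
        if row["user_agent"] in IOC_USER_AGENTS:
            findings.append({"rule": "ioc-user-agent", "source_ip": row["source_ip"],
                             "org_id": row["org_id"], "timestamp": row["timestamp"]})
        if row["source_ip"] in IOC_IPS:
            findings.append({"rule": "ioc-ip", "source_ip": row["source_ip"],
                             "org_id": row["org_id"], "timestamp": row["timestamp"]})
        orgs_by_ip[row["source_ip"]].add(row["org_id"])
    # Behavioural rule: evaluated after the pass so every org per IP is counted.
    for ip, orgs in sorted(orgs_by_ip.items()):
        if len(orgs) >= MULTI_ORG_THRESHOLD:
            findings.append({"rule": "multi-org-access", "source_ip": ip,
                             "org_count": len(orgs)})
    return findings


def summarize(findings):
    """Count findings per rule, a quick triage view for the analyst."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

The client string and IP matches are cheap to run but brittle, since both are trivially changed by the operator; the multi-org heuristic survives that and also catches the pattern when it arrives from a fresh VPN exit, which is why it is worth keeping alongside the indicator list.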

  6. 20.11.2025 20:54 1 article · 3mo ago

    Almaviva Breach Exposes 2.3TB of FS Italiane Group Data

    A threat actor breached **Almaviva**, the IT services provider for **FS Italiane Group (Italy’s national railway operator)**, stealing **2.3TB of data** and leaking it on a dark web forum. The compromised files include **internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and complete datasets from FS Group companies**, with evidence confirming the data is recent (Q3 2025). Almaviva publicly acknowledged the breach, stating its **security monitoring services detected and isolated the attack**, activated counter-response procedures, and ensured the protection of critical services. The company notified Italian authorities, including the **police, national cybersecurity agency (ACN), and data protection authority (Garante)**, and is conducting an investigation with government support. The **structure of the leaked data**—organized into compressed archives by department/company—mirrors the tactics of **ransomware groups and data brokers active in 2024–2025**, though no specific group has claimed responsibility. Almaviva, a global IT provider with **41,000+ employees and $1.4B in annual revenue**, serves FS Italiane Group, a **100% state-owned railway operator** with **$18B+ in annual revenue**, managing railway infrastructure, passenger/freight transport, and logistics chains. As of November 20, 2025, it remains unclear whether **passenger information was exposed** or if other Almaviva clients beyond FS Italiane Group were impacted. The breach underscores the **growing risk to critical infrastructure via third-party IT providers**, a tactic increasingly used by groups like **ShinyHunters and Scattered Spider**.

  7. 25.09.2025 14:48 2 articles · 5mo ago

    Scattered Spider Members Arrested in September 2025

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

  8. 25.09.2025 14:48 2 articles · 5mo ago

    Noah Urban Sentenced for SIM-Swapping and Cybercrime Activities

  9. 25.09.2025 14:48 2 articles · 5mo ago

    Ransomware Attack Disrupts European Airports

  10. 24.09.2025 23:21 3 articles · 5mo ago

    Scattered Spider Member Surrenders in Las Vegas

  11. 18.09.2025 17:37 4 articles · 5mo ago

    UK Arrests Scattered Spider Members Linked to Transport for London Hack

  12. 15.09.2025 23:12 5 articles · 5mo ago

    Scattered Lapsus$ Hunters' Claims and Google's Response

  13. 13.09.2025 12:04 6 articles · 5mo ago

    FBI Alert on UNC6040 and UNC6395 Targeting Salesforce Platforms

    The **Gainsight cyber-attack** has expanded to impact more Salesforce customers than initially disclosed, with notifications sent to all affected parties by **November 21, 2025**. The breach began with **unauthorized access via an AT&T IP address on November 8**, followed by approximately **20 suspicious intrusions** between November 16–23 using **commercial VPN services (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**—a method previously observed in the **Salesloft Drift attack**. Gainsight temporarily disabled read/write capabilities for products like **Customer Success (CS), Community (CC), and Northpass**, while isolating **Staircase** (confirmed unaffected due to separate infrastructure). Third-party vendors, including **Gong.io, Zendesk, and HubSpot**, also disabled Gainsight integrations as a precaution, though HubSpot reported no evidence of compromise. Forensic investigations by **Mandiant (Google Cloud’s incident response team)** and Salesforce revealed the attackers leveraged **compromised multifactor credentials** for VPN and critical system access. Gainsight advised customers to **rotate S3 keys, reset NXT passwords, and re-authorize integrations**, while recommending mitigation measures from the **Google Threat Intelligence Group (GTIG)** to counter the **ShinyHunters-Scattered Spider-LAPSUS$ collective’s evolving tactics**. The incident underscores the persistent threat to **Salesforce ecosystems**, with attackers exploiting **third-party app vulnerabilities** and **OAuth token abuse** to expand their reach.

  14. 10.09.2025 18:29 5 articles · 5mo ago

    Jaguar Land Rover Data Breach Confirmed

  15. 25.08.2025 22:48 3 articles · 6mo ago

    Farmers Insurance Data Breach Details Revealed

  16. 21.08.2025 09:45 1 article · 6mo ago

    Scattered Spider Member Sentenced for Cybercrime Activities

    A 20-year-old member of Scattered Spider, Noah Michael Urban, was sentenced to ten years in prison and $13 million in restitution for wire fraud and aggravated identity theft. Urban was arrested in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023, resulting in the theft of at least $800,000 from five victims. Urban and his co-conspirators used SIM swapping attacks to hijack victims' cryptocurrency accounts and steal digital assets.

  17. 12.08.2025 19:20 15 articles · 6mo ago

    ShinyHunters and Scattered Spider Target Salesforce Customers

  18. 12.08.2025 15:00 15 articles · 6mo ago

    ShinyHunters and Scattered Spider Collaboration Detected



Similar Happenings

Global Law Enforcement Disrupts 'The Com' Cybercrime Collective

A coordinated international operation, Project Compass, has arrested 30 members of 'The Com,' a cybercrime group linked to ransomware attacks, extortion, violent activities, and the production of child sexual exploitation material (CSAM). The group, primarily composed of young individuals, has targeted high-profile entities and engaged in phishing, vishing, and SIM swapping. Project Compass, led by Europol's European Counter Terrorism Centre, involves multiple countries and aims to disrupt the group's operations and safeguard victims. The Com has been connected to Russian cybercriminal gangs and has expanded its activities to include physical violence, extremist links, and the exploitation of minors. The group operates with a decentralized structure, making it particularly difficult to disrupt. Europol splits The Com into three distinct groups of activity: cyber activity, offline activity, and extortion/sextortion activity.

China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Southeast Asian Espionage Campaigns

Amaranth-Dragon, a China-linked threat actor, has conducted targeted espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group exploited CVE-2025-8088, a WinRAR vulnerability, to deliver malicious payloads, including the Havoc C2 framework and TGAmaranth RAT. The campaigns were timed to coincide with sensitive political and security events, demonstrating a high degree of stealth and operational discipline. The group's tactics, tools, and procedures (TTPs) show strong links to APT41, suggesting a shared ecosystem or resource pool. The attackers leveraged the vulnerability within days of its disclosure in August 2025 and used the Havoc Framework as the Command and Control (C&C) platform.

454,000+ Malicious Open Source Packages Discovered in 2026

Researchers reported a surge in malicious open source packages, with 454,648 new malicious packages discovered in 2026. These packages are increasingly used in sustained, industrialized campaigns, often state-sponsored, targeting developer machines and CI/CD pipelines. The threat landscape includes repository abuse, potentially unwanted apps, and multi-stage attacks involving host information exfiltration, droppers, and backdoors. Additionally, AI-assisted development is exacerbating the risk by recommending non-existent versions and failing to check for malicious indicators.

World Leaks Ransomware Group Exfiltrates 1.4TB of Nike Data

The World Leaks ransomware group has claimed responsibility for a data breach affecting Nike, posting a 1.4TB cache of stolen internal data. The leaked files include R&D and product details, supply chain information, and internal documents dating back to 2020. Nike is investigating the incident, but no customer or employee PII has been identified in the dump. The breach could have significant commercial and operational impacts, including potential disruptions to product launches and supply chain operations. World Leaks removed the Nike entry from its leak site, suggesting potential negotiations or ransom payment. World Leaks is believed to be a rebrand of the Hunters International ransomware group, which emerged in late 2023 and was flagged as a possible Hive ransomware rebrand due to code similarities. Hunters International claimed responsibility for over 280 attacks, including victims such as the U.S. Marshals Service, Tata Technologies, Hoya, AutoCanada, and Austal USA.

China-Linked APTs Deploy PeckBirdy JScript C2 Framework Since 2023

China-aligned APT actors have been using the PeckBirdy JScript-based command-and-control (C2) framework since 2023 to target Chinese gambling industries, Asian government entities, and private organizations. The framework leverages living-off-the-land binaries (LOLBins) for execution across various environments. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, have been identified, each employing different tactics, including credential harvesting and malware delivery. The framework's flexibility allows it to operate across web browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET, using multiple communication methods like WebSocket and Adobe Flash ActiveX objects. Additional scripts for exploitation, social engineering, and backdoor delivery have been observed, along with links to known backdoors like HOLODONUT and MKDOOR. HOLODONUT disables security features such as AMSI before executing payloads in memory, while MKDOOR disguises its network traffic as legitimate Microsoft support or activation pages and attempts to evade Microsoft Defender by altering exclusion settings. Infrastructure overlaps and shared tooling suggest SHADOW-VOID-044 is linked with UNC3569, a China-aligned group previously associated with the GRAYRABBIT backdoor. Some samples used stolen code-signing certificates to legitimize malicious Cobalt Strike payloads, and SHADOW-EARTH-045 showed weaker but notable ties to activity previously attributed to Earth Baxia. The Shadow-Void-044 campaign used stolen code-signing certificates, Cobalt Strike payloads, and exploits, including CVE-2020-16040, to maintain persistent access. The Shadow-Earth-045 campaign targeted a Philippine educational institution in July 2024, using the GrayRabbit backdoor and the HoloDonut backdoor. The threat actor behind the Shadow-Earth campaign developed a .NET executable to launch PeckBirdy with ScriptControl.