ShinyHunters Targeted 100+ Enterprises: Canva Atlassian Epic

An extensive identity theft operation has set its sights on more than 100 prominent organizations across diverse sectors.

The threat comes from SLSH, a dangerous alliance combining the tactics of Scattered Spider, LAPSUS$, and ShinyHunters.

Unlike typical automated attacks, this campaign uses real people calling your employees while simultaneously running fake login pages that look exactly like your company’s system.

The attackers aim to steal credentials and security tokens from Okta and other single sign-on services, which act like master keys to access every application within an organization.

The campaign primarily uses a tool called a “live phishing panel.” This infrastructure allows attackers to intercept login information and security codes in real-time, even bypassing multi-factor authentication protections.

Major targets include Canva, Atlassian, Epic Games, HubSpot, and dozens of financial institutions, healthcare providers, and real estate companies.

Silentpush analysts identified the surge in malicious infrastructure deployment and recognized the attack patterns matching SLSH’s known operations from “The Com” ecosystem.

Silentpush analysts noted this wasn’t a random scanning attack but rather a carefully planned targeting of enterprises with substantial digital assets.

The threat actors use voice phishing, or “vishing,” where they call company help desks and employees impersonating IT staff requesting password resets or system access.

As they make these calls, they manipulate a fake login page matching exactly what appears on the victim’s screen, creating a convincing social engineering scenario.

How the Live Phishing Panel Works

The infection mechanism relies on human-led orchestration rather than automated malware deployment.

Once attackers gain initial access through vishing and credential theft, they use the stolen single sign-on session as a foundation for deeper intrusion.

This single compromised session becomes what attackers call a “skeleton key” giving them potential access to every connected application within the target organization.

The attackers then move laterally into internal communication systems like Slack or Teams, where they impersonate legitimate employees to trick administrators into granting higher privileges.

Following the LAPSUS$ playbook, the campaign progresses through data theft and extortion. Attackers rapidly download sensitive information and then demand ransom, threatening to publish stolen data publicly.

In some cases, they encrypt enterprise systems to increase pressure for payment.

Organizations on the critical target list detected by Silentpush should treat this threat as an emergency, warning all employees about ongoing vishing attempts and auditing their single sign-on logs immediately for suspicious device enrollments or unfamiliar login locations.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.