In October 2025, we published two Insights blogs on threat activity affiliated with the cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLSH). After a few weeks of apparent inactivity, the threat actors have returned with a vengeance, based on open-source reporting and conversations obtained from a new Telegram channel (scattered LAPSUS$ hunters part 7). This latest Insights threat blog details several notable observations made by Unit 42 since mid-November, to prepare organizations as we head into the holiday season.

New Data Theft Allegations and Imposed Deadline

On Nov. 20, 2025, Salesforce released a security advisory acknowledging that it had detected “unusual activity involving Gainsight-published applications.” This led the company to revoke “all active access and refresh tokens associated with Gainsight-published applications” and to temporarily remove such applications from its AppExchange while it conducts an investigation.

At the time of this writing, Salesforce assesses that the activity was not the result of any vulnerability in its platform and that “this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection.” The company has notified all impacted customers and issued an additional advisory on Nov. 22, 2025 with a number of indicators of compromise (IoCs) related to this activity.

Based on BleepingComputer’s reporting, Bling Libra (aka ShinyHunters) claimed to have gained access to an additional 285 Salesforce instances by breaching Gainsight. The threat group asserted it accomplished this using secrets obtained via its supply chain attack targeting Salesloft Drift in August 2025, which Unit 42 previously reported on Sept. 10, 2025.

Gainsight acknowledged on Sept. 3, 2025 that they were breached via stolen OAuth tokens linked to the Salesloft Drift attack. In this security alert the company confirmed the following types of information were likely accessed by the threat actors:

  • Names
  • Business email addresses
  • Phone numbers
  • Regional/location details
  • Gainsight product licensing information
  • Plain text content from certain support cases (not including attachments)

On Nov. 20, 2025, SLSH representatives posted a message within their newly created Telegram channel. It included an image that appears to represent a new dedicated leak site (DLS) with text reading “24 November 2025, stay tuned” as shown in Figure 1. This seemingly implies a deadline set for any companies affected by this latest data theft campaign to pay a ransom.

Dark themed image displaying a screen with the text "SHINYHUNTERS" at the top. Below, a teaser message reads "24 November 2025, stay tuned." The image features engagement icons, a red heart with 4 likes, a clap with 1 like, and a message indicating 1.7K views. Time stamp reads "unc 3944, 11:21 PM."
Figure 1. Screenshot of Telegram post to scattered LAPSUS$ hunters part 7 channel on Nov. 20, 2025. Source: Telegram.

On Nov. 21, 2025, SLSH posted another message shown in Figure 2, which functions as a warning to companies that have not yet been affected by their Salesforce data theft campaigns.

Image displaying a text message discussing security incidents affecting Salesforce by hackers named ShinyHunters, Scattered Spider, and Lapsus$. The sender expresses confidence in resolving these issues and signs off as "SLH Newsroom." The message includes emojis and reactions from viewers.
Figure 2. Screenshot of Telegram post to scattered LAPSUS$ hunters part 7 channel on Nov. 21, 2025. Source: Telegram.

Emergence of ShinySp1d3r Ransomware-as-a-Service

On Nov. 19, 2025, BleepingComputer reported on a new ransomware-as-a-service (RaaS) program dubbed “ShinySp1d3r” which is allegedly still under active development by SLSH. The ransomware currently only works on Windows systems but representatives for the criminal syndicate told reporters that they are close to producing versions for Linux and ESXi systems.

Unit 42 previously alluded to the development of ShinySp1d3r ransomware in our last Insights blog on SLSH. Additionally, last week, we also published timely threat intelligence on our research into IoCs likely associated with this form of ransomware. Figures 3 and 4 provide further information on the encryptor portion of ShinySp1d3r upon successful execution.

A computer screen displaying a ransomware notice titled "ShinySp1d3r Ransomware." The notice informs the user that their files have been encrypted and includes instructions to open an instructional file for further steps. Icons like the Recycle Bin and other typical desktop items are visible.
Figure 3. Screenshot of ShinySp1d3r wallpaper. Source: Unit 42.

Screenshot of a computer desktop displaying an open Notepad document titled "Ransom Note" with a message claiming a security breach. The desktop also shows other opened applications like SQL Server Management Studio and a network connections folder. The ransom note includes an overview for coordinating recovery.
Figure 4. Screenshot of ShinySp1d3r ransom note. Source: Unit 42.

On Nov. 21, 2025, SLSH posted another Telegram message shown in Figure 5 where they threaten to deploy ShinySp1d3r ransomware for all of New York City and the State of New York.

Text displayed in a social media post stating, "We are going to lock down the entire New York State and City with ShinySp1d3r. Mark. My. Words." followed by various emoji reactions including a clown face, a face with glasses, a thumbs up, and a flame.
Figure 5. Screenshot of Telegram post to scattered LAPSUS$ hunters part 7 channel on Nov. 21, 2025. Source: Telegram.

Latest Insider Access Recruitment Attempts

On Nov. 21, 2025, CrowdStrike confirmed to BleepingComputer that an employee had shared screenshots of internal systems with SLSH which were then posted to the group’s Telegram channel. CrowdStrike asserted that the individual was terminated last month and that none of its systems were breached as a result of this activity. Bling Libra confirmed to reporters that they agreed to pay the insider $25,000 for access to CrowdStrike’s network.

On the same day, SLSH posted several more Telegram messages further illustrated in Figures 6 and 7. The first image shown below highlights the industries that the threat actors were looking to solicit insiders from, which includes retail and hospitality organizations.

Screenshot of a social media post discussing sectors targeted by the hacking group Scattered LAPSUS$ Hunters, listing various industries such as insurance, finance, automotive, hotels, telecom, gasoline companies, and investment companies, as well as reference to Five Eyes.
Figure 6. Screenshot of Telegram post to scattered LAPSUS$ hunters part 7 channel on Nov. 20, 2025. Source: Telegram.

The second image shown below illustrates how the threat actors are attempting to calm any unease that potential insiders may be feeling in the aftermath of CrowdStrike’s insider detection.

Text on a mobile screen displaying a message from the hacker group Scattered LAPSUS$ Hunters that urges employees to cooperate with them to provide insider access, highlighting their claimed method of bypassing security with discretion and responsibility.
Figure 7. Screenshot of Telegram post to scattered LAPSUS$ hunters part 7 channel on Nov. 21, 2025. Source: Telegram.

Looking Ahead to 2026

On Nov. 24, 2025, Gainsight announced that connections to other SaaS platforms such as HubSpot and Zendesk were being temporarily suspended due to the supply chain attack. The company also encouraged customers to rotate their S3 keys as a precautionary measure.

At the time of publication, Unit 42 had yet to identify any communications by the threat actors claiming to have leaked information related to their alleged Gainsight data theft campaign. However, they did post the following message to their Telegram channel on Nov. 24, 2025:

“pretty sure the 2025 victim count by us in total is ~1.5k (1000 already publicly reported) and still increasing”

My overall prediction for these financially motivated threat actors in 2026 and beyond is more of the same: unwavering chaos. We previously expected SLSH to take a break and reemerge at the beginning of the new calendar year with the aforementioned activities, but based on these latest observations they have seemingly decided to expedite that timeline. The emergence of a RaaS program, in conjunction with an EaaS offering, makes SLSH a formidable adversary in terms of the wide net they can cast against organizations, using multiple methods to monetize their intrusion operations. Additionally, the insider recruitment element adds yet another layer for organizations to defend against.

The timing of these developments could not be worse for most organizations, especially retailers, as they ramp up for the biggest shopping weeks of the calendar year. Figure 8 provides more insight on how the threat actors plan to operate in the coming weeks, which seemingly alludes to more customer data potentially being leaked to their DLS.

Screenshot of a social media post warning that all the IR people should monitor their logs over the holidays due to #ShinyHuntazz targeting customer databases, with various emoji reactions including a distressed face, fire, smiley, alien, and detective. Posted at 5:43 PM with 1.3K interactions.
Figure 8. Screenshot of Telegram post to scattered LAPSUS$ hunters part 7 channel on Nov. 23, 2025. Source: Telegram.

Palo Alto Networks recently predicted that 2026 will be the “Year of the Defender” with regard to applying AI-driven defenses to combat AI-powered attacks. I strongly believe that this sentiment of 2026 being the year of the defender also needs to hold true if we are to collectively hold the many fronts on which SLSH is targeting organizations.

One of the best gifts you can give your organization this time of year is joining and actively participating in an industry-specific Information Sharing and Analysis Center — this enables your network defenders to learn from other peer institutions and collectively shift the outcome to “left of bang.”

Unit 42 is ready to help support your organization with an active compromise or to provide a proactive assessment to lower your organization's risk related to this evolving threat activity.
