Special Alert: SLSH Malicious "Supergroup" Targeting 100+ Organizations via Live Phishing Panels

A massive identity-theft campaign is currently active, targeting Okta Single Sign-On (SSO) and other SSO platform accounts across 100+ high-value enterprises.

Silent Push has identified a surge in infrastructure deployment that mirrors the TTPs (Tactics, Techniques, and Procedures) of SLSH—a predatory alliance between Scattered Spider, LAPSUS$, and ShinyHunters. This isn’t a standard automated spray-and-pray attack; it is a human-led, high-interaction voice phishing (“vishing”) operation designed to bypass even hardened Multi-Factor Authentication (MFA) setups.

The Threat: SLSH “Supergroup”

SLSH (Scattered LAPSUS$ Hunters) is an aggressive cybercrime group that emerged from “The Com” ecosystem. By merging Scattered Spider’s social engineering expertise with LAPSUS$’ extortion models, they have created a sophisticated initial access strategy that targets enterprise organizations through their identity providers. 

The primary infrastructure being used is a new “Live Phishing Panel.” This allows a human attacker to sit in the middle of a login session, intercepting credentials and MFA tokens in real-time to gain immediate, persistent access to corporate dashboards.

Critical Target List (Last 30 Days)

If your organization is listed below, Silent Push has detected active targeting or infrastructure preparation directed at your domain within the last month.

| Industry Sector | Companies |
| --- | --- |
| Technology & Software | Atlassian, AppLovin, Canva, Epic Games, Genesys, HubSpot, RingCentral, ZoomInfo, Iron Mountain. |
| Fintech & Payments | Adyen, Jack Henry, Shift4 Payments, SoFi. |
| Biotech & Pharma | Alnylam, Amgen, Arvinas, Biogen, Gilead Sciences, Moderna, Neurocrine Biosciences. |
| Financial Services / Banking | Apollo Global Mgmt, Blackstone, Cohen & Steers, Frost Bank, goeasy Ltd., Guild Mortgage, Morningstar, RBC, Securian Financial, State Street, TPG Capital. |
| Real Estate (REITs & Investment) | Avison Young, Brixmor Property, CBRE, Centerspace, Colliers, eXp Realty, Goodman Group, Howard Hughes Corp., Kennedy Wilson, Macerich, Public Storage, Realty Income, Redfin, RE/MAX, Simon Property Group, WeWork. |
| Real Estate Tech / Software | Entrata, RealPage, Zillow. |
| Infrastructure, Energy & Utilities | Acco Engineered Systems, AECOM, Alliant Energy, American Water, Beach Energy, Cenovus Energy, CMS Energy, DistributionNOW, Halliburton, Invenergy, MasTec, NOV Inc., Oceaneering, Sempra Energy, Sunrun, Talen Energy. |
| Healthcare & MedTech | Bayshore Healthcare, Globus Medical, GoodRx, ResMed, Surgery Partners, UCHealth. |
| HR Tech & Outsourcing | Awardco, Cornerstone OnDemand, Gusto, TriNet. |
| Logistics & Transportation | Brambles (CHEP), Crowley, Covenant Logistics, Lineage Logistics, Pitney Bowes. |
| Manufacturing & Industrial | Ball Corp, BlueLinx, Canfor, Littelfuse, Methode Electronics, Reliance Steel. |
| Retail & Consumer Goods | Amway, Carvana, Do it Best, GameStop, Murphy USA, Sargento Foods, Sonos, Spin Master, Lamb Weston. |
| Insurance | HBF Health, Mercury Insurance, Risk Strategies. |
| Legal Services | Jones Day, Paul Hastings LLP, Perkins Coie. |
| Media, Education & Hospitality | Cengage, Choice Hotels, Hearst. |
| Telecommunications | Telstra. |

Why Immediate Action Is Required

Standard security awareness training often fails to stop this specific threat. SLSH operators are highly persuasive, frequently calling help desks and employees while simultaneously manipulating a live phishing page to match the victim’s specific login prompts.

The Risk

  • Total SSO takeover: Once an Okta or another SSO provider’s session is hijacked, the attacker has a “skeleton key” to every app in your environment.
  • Data extortion: Following the LAPSUS$ playbook, these actors prioritize rapid data exfiltration for public extortion.
  • Lateral movement: The attackers use the initial SSO breach to move into internal communications (such as with Slack or Teams) to social-engineer higher-privilege admins.
  • Data encryption: A final step in an SLSH attack after data exfiltration is often to encrypt enterprise data and then blackmail organizations into paying ransom to acquire decryption keys.

Defensive Requirements

Organizations should not wait for a breach notification. They should immediately:

  1. Warn customer support and employees about ongoing SLSH attacks: The best way to prevent unexpected vishing campaigns from succeeding is to alert your employees about ongoing attacks targeting your company. Any suspicious message, call, or email received during this time should be escalated immediately to managers and security teams for review.
  2. Audit Okta system and other SSO provider logs: Hunt for “New Device Enrolled” events immediately followed by a login from an unfamiliar IP address.
  3. Deploy pre-attack intelligence: Silent Push identifies these attack surfaces at the DNS level before vishing calls begin. Use of Silent Push Indicators of Future Attack™ (IOFA™) feeds can block malicious look-alike domains before they go live.
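
One way to run the log hunt from step 2, as an added example (not Silent Push's code or a provider's own query). The normalized event schema (`ts`, `user`, `event`, `ip`), the event names, the 30-minute window and the sample records are all assumptions constructed for illustration; map your SSO provider's export onto these fields before using it.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (one JSON object
# per line). These are not real provider log records.
SAMPLE_LOG = """\
{"ts": "2026-01-05T09:00:00+00:00", "user": "alice@example.com", "event": "login", "ip": "198.51.100.10"}
{"ts": "2026-01-05T09:30:00+00:00", "user": "bob@example.com", "event": "login", "ip": "192.0.2.20"}
{"ts": "2026-01-06T08:00:00+00:00", "user": "carol@example.com", "event": "device_enrolled", "ip": "192.0.2.50"}
{"ts": "2026-01-06T09:00:00+00:00", "user": "alice@example.com", "event": "login", "ip": "198.51.100.10"}
{"ts": "2026-01-06T10:00:00+00:00", "user": "bob@example.com", "event": "device_enrolled", "ip": "192.0.2.20"}
{"ts": "2026-01-06T10:03:00+00:00", "user": "bob@example.com", "event": "login", "ip": "192.0.2.20"}
{"ts": "2026-01-06T12:00:00+00:00", "user": "carol@example.com", "event": "login", "ip": "203.0.113.9"}
{"ts": "2026-01-06T14:02:00+00:00", "user": "alice@example.com", "event": "device_enrolled", "ip": "203.0.113.77"}
{"ts": "2026-01-06T14:05:00+00:00", "user": "alice@example.com", "event": "login", "ip": "203.0.113.77"}
"""

def hunt_enroll_then_new_ip(lines, window=timedelta(minutes=30)):
    """Return logins that follow a device enrollment within `window` and come
    from an IP the user has not logged in from earlier in the data set."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
    known_ips = defaultdict(set)  # user -> IPs of earlier, unflagged logins
    last_enroll = {}              # user -> (time, ip) of latest enrollment
    findings = []
    for e in events:
        ts, user, ip = datetime.fromisoformat(e["ts"]), e["user"], e["ip"]
        if e["event"] == "device_enrolled":
            last_enroll[user] = (ts, ip)
        elif e["event"] == "login":
            enroll = last_enroll.get(user)
            if enroll and ts - enroll[0] <= window and ip not in known_ips[user]:
                findings.append({
                    "user": user,
                    "enroll_ip": enroll[1],
                    "login_ip": ip,
                    "seconds_after_enrollment": int((ts - enroll[0]).total_seconds()),
                })
            else:
                known_ips[user].add(ip)  # a flagged login does not extend the baseline
    return findings

if __name__ == "__main__":
    for finding in hunt_enroll_then_new_ip(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample data only the alice login is reported: bob logs in from an address already in his baseline, and carol's login falls outside the window.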

FAQs 

What is the SLSH threat group? SLSH is a cybercriminal alliance of Scattered Spider, LAPSUS$, and ShinyHunters, specializing in vishing, SSO credential theft, and ransomware campaigns.

How does a live phishing panel work? It allows an attacker to intercept MFA tokens and login credentials in real-time, enabling them to bypass security prompts while the victim is on the phone.

How can I protect my Okta or other SSO provider account from vishing? The most effective defense is to use phishing-resistant MFA (FIDO2) and to verify all IT support calls through an official out-of-band channel.