A sophisticated identity-theft operation, dubbed SLSH, is actively targeting over 100 high-profile organizations, including tech giants like Canva, Atlassian, and Epic Games. This dangerous new threat combines the tactics of notorious hacking groups Scattered Spider, LAPSUS$, and ShinyHunters, leveraging a potent mix of human-driven social engineering and advanced phishing techniques to breach corporate defenses.
The SLSH campaign distinguishes itself from typical automated cyberattacks by employing real individuals to contact company employees. Simultaneously, attackers deploy highly convincing fake login pages that mirror authentic company systems. The primary objective is to steal credentials and security tokens, particularly from single sign-on (SSO) services like Okta, which serve as critical access points to an organization’s entire suite of applications.
SLSH Operation: A New Frontier in Identity Theft
The core of SLSH’s operational capability lies in its “live phishing panel.” This infrastructure allows threat actors to intercept login information and security codes in real time, which lets them bypass even robust multi-factor authentication (MFA) protections and poses a significant challenge to conventional security measures. The targeted entities represent a broad spectrum of industries, with confirmed targets including prominent tech companies, numerous financial institutions, healthcare providers, and real estate firms.
Analysts at Silent Push have identified a substantial increase in the deployment of malicious infrastructure associated with this campaign. They have recognized attack patterns that align with the known operations of SLSH, often described as part of “The Com” ecosystem. These attacks are not characterized by random scanning but by deliberate, strategic targeting of enterprises possessing significant digital assets and sensitive data.
The attackers employ voice phishing, commonly known as “vishing,” where they initiate calls to company help desks and individual employees. During these calls, they impersonate IT support personnel, often requesting password resets or access to systems under the guise of routine maintenance or troubleshooting. While conducting these vishing calls, the threat actors simultaneously manipulate a fake login page that precisely mimics the victim’s legitimate company login screen, creating a highly plausible social engineering scenario.
How the Live Phishing Panel Facilitates Breaches
The intrusion method employed by SLSH relies heavily on human-led orchestration rather than the deployment of automated malware. Once attackers achieve initial access through vishing and the successful theft of credentials, they leverage the compromised single sign-on session. This single, stolen session effectively acts as a “skeleton key,” granting them potential access to every application connected to the organization’s SSO infrastructure.
Following the initial breach, the attackers proceed to move laterally within the target network. They often infiltrate internal communication systems such as Slack or Microsoft Teams. Within these platforms, they impersonate legitimate employees, a tactic designed to deceive administrators into granting higher levels of privileges or access. This phase of the attack closely mirrors the playbook of the LAPSUS$ group.
After establishing a foothold and escalating privileges, the campaign progresses toward data theft and extortion. The threat actors rapidly download sensitive corporate information. Subsequently, they engage in ransom demands, threatening the public disclosure of the stolen data. In certain instances, to further amplify pressure, they may also proceed to encrypt critical enterprise systems, rendering them inoperable until a ransom is paid.
Organizations identified by Silent Push as being on the critical target list are being advised to treat this threat as an immediate emergency. This includes warning all employees about ongoing vishing attempts and conducting immediate audits of their single sign-on logs. The audit should focus on identifying any suspicious device enrollments or unfamiliar login locations that could indicate a breach.
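The SSO log audit described above, sketched as an added example (not from the original article or its cited analysts): it flags successful sign-ins from countries outside a user's baseline and MFA factor enrollments that come from an unfamiliar country or shortly after such a sign-in. The events are constructed and shaped like Okta System Log entries; the per-user country baseline, the 30-minute window, and the use of factor activation as the enrollment signal are assumptions.

```python
from datetime import datetime, timedelta

def ev(ts, etype, user, country, result="SUCCESS"):
    """Build a constructed event shaped like an Okta System Log entry."""
    return {"published": ts, "eventType": etype,
            "actor": {"alternateId": user},
            "client": {"geographicalContext": {"country": country}},
            "outcome": {"result": result}}

# Constructed sample data, not taken from any real tenant.
EVENTS = [
    ev("2025-01-10T09:00:00Z", "user.session.start", "alice@example.com", "United States"),
    ev("2025-01-10T09:05:00Z", "user.mfa.factor.activate", "alice@example.com", "United States"),
    ev("2025-01-10T10:00:00Z", "user.session.start", "bob@example.com", "Netherlands"),
    ev("2025-01-10T10:04:00Z", "user.mfa.factor.activate", "bob@example.com", "United States"),
    ev("2025-01-10T11:00:00Z", "user.session.start", "carol@example.com", "Brazil", "FAILURE"),
]
# Assumed baseline: countries each user normally signs in from.
KNOWN = {u: {"United States"} for u in
         ("alice@example.com", "bob@example.com", "carol@example.com")}

def audit(events, known, window=timedelta(minutes=30)):
    """Return (user, finding, country) tuples for events worth a manual look."""
    findings, odd_login = [], {}
    for e in sorted(events, key=lambda e: e["published"]):
        if e["outcome"]["result"] != "SUCCESS":
            continue  # failed attempts never produced a session or a factor
        user = e["actor"]["alternateId"]
        when = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
        country = e["client"]["geographicalContext"]["country"]
        unfamiliar = country not in known.get(user, set())
        if e["eventType"] == "user.session.start" and unfamiliar:
            odd_login[user] = when
            findings.append((user, "unfamiliar_login_location", country))
        elif e["eventType"] == "user.mfa.factor.activate":
            # Flag enrollment from a new place, or soon after an odd login.
            recent = user in odd_login and when - odd_login[user] <= window
            if unfamiliar or recent:
                findings.append((user, "suspicious_factor_enrollment", country))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS, KNOWN):
        print(finding)
```

The second finding for bob comes from a familiar country and is caught only because it follows the unfamiliar sign-in inside the window, which is why the two signals are correlated rather than checked separately.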
The ongoing activity by SLSH highlights a concerning evolution in cyber threats, where sophisticated social engineering is combined with advanced technical capabilities. The targeting of SSO services represents a strategic shift, aiming for broad access through single points of compromise. The coming weeks will likely see further analysis of the compromised data and potential follow-on attacks against organizations that fail to fortify their defenses against these human-centric phishing tactics.

