PoisonSeed targets Mailchimp, Mailgun, and Zoho to phish high-value accounts

Activities align with CryptoChameleon

While many threat researchers have linked PoisonSeed actors to Scattered Spider, Silent Push believes the activity aligns more closely with the CryptoChameleon advanced phishing kit from 2024.

The mailchimp-sso[.]com domain, which is the basis of the association made with Scattered Spider, was registered on Porkbun from the time of the previous attack until March 24, 2025, when it was re-registered on NiceNic, a registrar of choice for both Scattered Spider and CryptoChameleon, the analysts pointed out.

PoisonSeed’s cryptocurrency seed phrase poisoning attack, which relies on a supply chain spam operation, does not align with the TTPs of Scattered Spider, a group that Silent Push tracked as still active in 2025 with targeted brands including Credit Karma, Forbes, Nike, Louis Vuitton, and Vodafone.