A new cybercrime supergroup has emerged, and it's unlike anything we've seen before. Scattered Spider, LAPSUS$, and ShinyHunters, three notorious cybercrime entities, have joined forces. This merger isn't just about sharing resources; it's a strategic move to amplify their impact and evade detection. But what does this mean for cybersecurity? Let's dive in.
The group, known as Scattered LAPSUS$ Hunters (SLH), wasted no time in establishing its presence, creating no less than 16 Telegram channels since August 8, 2025. This constant churn of channels highlights the group's determination to maintain a public presence despite platform moderation efforts. According to a report by Trustwave SpiderLabs, the group's Telegram channels are central to their operations, serving as a hub for coordination and a platform to broadcast their activities, similar to hacktivist groups.
SLH quickly began launching data extortion attacks, including targeting organizations using Salesforce. Their primary offering is an extortion-as-a-service (EaaS) model, allowing other affiliates to leverage the consolidated group's brand and notoriety to demand payments. This collaborative approach is a hallmark of their strategy.
All three groups are connected to a larger, loosely organized cybercriminal network called The Com, known for its fluid collaborations and brand-sharing. SLH has also shown associations with other groups like CryptoChameleon and Crimson Collective, further demonstrating the interconnectedness of the cybercrime landscape.
Telegram plays a crucial role for SLH, acting as both a command center and a marketing tool. The group uses it to disseminate messages and promote its services. Administrative posts carry signatures referencing the 'SLH/SLSH Operations Centre,' projecting the image of an organized command structure and lending a veneer of legitimacy to their activities.
But here's where it gets controversial... The group has also used Telegram to accuse Chinese state actors of exploiting vulnerabilities, while simultaneously targeting U.S. and U.K. law enforcement agencies. They even invite subscribers to participate in pressure campaigns, offering payment for finding and relentlessly emailing C-suite executives.
Who are the key players? The SLH alliance brings together several semi-autonomous groups within The Com network, each contributing unique skills:
- Shinycorp (aka sp1d3rhunters): Coordinates activities and manages brand perception.
- UNC5537: Linked to the Snowflake extortion campaign.
- UNC3944: Associated with Scattered Spider.
- UNC6040: Linked to a recent Salesforce vishing campaign.
Other key figures include Rey and SLSHsupport, who focus on engagement, and yuka (aka Yukari or Cvsp), known for developing exploits.
And this is the part most people miss... SLH is hinting at a custom ransomware family called Sh1nySp1d3r (aka ShinySp1d3r), potentially rivaling established players like LockBit and DragonForce. This suggests a future shift towards full-scale ransomware operations.
Trustwave views SLH as a blend of financially motivated cybercrime and attention-driven hacktivism, combining monetary incentives with social validation to fuel their activities. They are masters of perception, using branding, reputational recycling, and layered identity management to weaponize legitimacy within the cybercriminal ecosystem. Their operational structure combines social engineering, exploit development, and narrative warfare.
Cartelization of Another Kind
This revelation comes as Acronis reports that the DragonForce group has released a new malware variant that loads vulnerable drivers such as truesight.sys and rentdrv2.sys to disable security software. DragonForce, which launched a ransomware cartel earlier this year, has also partnered with Qilin and LockBit to share techniques and resources. This lowers the technical barrier for both established and new groups to run operations.
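As an added example (not from the article or from the Acronis report), the Python routine below triages Sysmon driver-load records (Event ID 6) and flags the two driver file names mentioned above, a driver loaded from a user-writable directory, or one whose signature is missing or invalid. The event records are constructed samples using Sysmon's field names; the vendor string is a placeholder.

```python
# Added detection example: triage Sysmon Event ID 6 (driver loaded) records.
from pathlib import PureWindowsPath

# Driver file names reported in the article; extend from your own intel feeds.
WATCHLIST = {"truesight.sys", "rentdrv2.sys"}

# Directories a properly installed kernel driver should not normally load from.
SUSPICIOUS_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\")


def assess_driver_load(event: dict) -> list[str]:
    """Return the reasons a driver-load record is suspicious (empty list if none).

    Note: a known-abused driver often carries a *valid* vendor signature, which is
    exactly why signature checks alone are insufficient and the name match matters.
    """
    reasons = []
    image = event.get("ImageLoaded", "")
    name = PureWindowsPath(image).name.lower()
    if name in WATCHLIST:
        reasons.append(f"known-abused driver name: {name}")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    if any(d in image.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("loaded from user-writable path")
    return reasons


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (ImageLoaded, reasons) for every Event ID 6 record that raises a reason."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 6:  # only driver-load events are of interest here
            continue
        reasons = assess_driver_load(ev)
        if reasons:
            hits.append((ev["ImageLoaded"], reasons))
    return hits


# Constructed sample records (not real telemetry); hashes omitted on purpose.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\tmp\truesight.sys",
     "Signed": "true", "Signature": "VENDOR-PLACEHOLDER", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\rentdrv2.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},  # image load, skipped
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

In production, feed the function from your SIEM's Sysmon export and match on the `Hashes` field as well once you have vetted hash values for the drivers.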
DragonForce is aligned with Scattered Spider, with the latter breaking into targets through social engineering and deploying remote access tools. DragonForce built its ransomware on the leaked Conti source code, reworking it into a successor that carries its own mark.
What do you think? Is this level of collaboration a sign of the evolving cybercrime landscape? Do you see any potential benefits or drawbacks to this type of consolidation? Share your thoughts in the comments below!