Full Report
The nascent collective that combines three prominent cybercrime groups, Scattered Spider, LAPSUS$, and ShinyHunters, has created no fewer than 16 Telegram channels since August 8, 2025. "Since its debut, the group's Telegram channels have been removed and recreated at least 16 times under varying iterations of the original name – a recurring cycle reflecting platform moderation and the operators'
Analysis Summary
# Threat Actor: Scattered LAPSUS$ Hunters (SLH)
## Attribution & Identity
* **Identity:** A nascent collective formed by the merger of three prominent cybercrime groups: Scattered Spider, LAPSUS$, and ShinyHunters.
* **Associated Groups/Aliases:**
  * Scattered Spider
  * LAPSUS$
  * ShinyHunters
  * The Com (the broader, federated cybercriminal enterprise they belong to)
  * CryptoChameleon (adjacent cluster association)
  * Crimson Collective (adjacent cluster association)
  * Shinycorp (acts as a coordinator and manages brand perception)
  * UNC5537 (linked to the Snowflake extortion campaign)
  * UNC3944 (associated with Scattered Spider)
  * UNC6040 (linked to the recent Salesforce vishing campaign)
* **Key Personas:**
  * Rey and SLSHsupport: responsible for sustaining engagement
  * yuka (aka Yukari or Cvsp): Initial Access Broker (IAB) with a history of developing exploits
* **Self-Designation:** "SLH/SLSH Operations Centre" (Used to project an image of organized command structure).
## Activity Summary
* The group has been actively operating since at least August 8, 2025, evidenced by the rapid creation and recreation of Telegram channels.
* They engage in data theft and extortion attacks.
* They offer Extortion-as-a-Service (EaaS), allowing affiliates to use the consolidated entity's "brand" and notoriety to demand payment from targets.
* The group uses Telegram as a central coordination and public presence platform, mimicking hacktivist styles to disseminate messaging and market services.
* They have engaged in reputational recycling and theatrical branding.
* Members have been observed accusing Chinese state actors of exploiting vulnerabilities, while simultaneously targeting U.S. and U.K. law enforcement agencies.
* They actively market operational activities, including inviting subscribers to participate in pressure campaigns for a minimum payment of $100 by finding C-suite executives' email addresses and emailing them relentlessly.
## Tactics, Techniques & Procedures
* **Communication/Coordination:** Heavily reliant on **Telegram**, creating and recreating channels frequently (at least 16 times since August 8, 2025) to evade platform moderation.
* **Initial Access/Brokerage:** Involvement of an Initial Access Broker (yuka/Cvsp).
* **Extortion:** Primary activity, including EaaS models.
* **Social Engineering:** Linked to vishing campaigns (via UNC6040 linkage).
* **Advocacy/Pressure Campaigns:** Encouraging subscribers to conduct direct email pressure campaigns against executives.
* **Future TTP:** Hinted at developing a custom ransomware family named **Sh1nySp1d3r**.
* **MITRE ATT&CK IDs:** No specific IDs were mentioned in the context provided.
## Targeting
* **Sectors:** Organizations using **Salesforce** have been specifically mentioned as victims of recent extortion attacks.
* **Geography:** Explicitly targeted **U.S. and U.K. law enforcement agencies** in messaging.
* **Victims:** Organizations targeted for data extortion; specifics include organizations using **Salesforce**.
## Tools & Infrastructure
* **Malware Families:** The group's hinted roadmap includes a custom ransomware family named **Sh1nySp1d3r** (aka ShinySp1d3r).
* **Infrastructure:** **Telegram** is the central infrastructure used for coordination, marketing, and operations visibility (evidenced by constant channel recreation).
## Implications
* The consolidation of three distinct, prominent groups suggests a sophisticated, federated criminal enterprise ("The Com") capable of pooling diverse technical skills and brand recognition.
* The EaaS model lowers the barrier to entry for affiliates while increasing the reputational damage and perceived threat level for victims.
* The blend of financial motivation (extortion) and social validation/hacktivism suggests a complex threat profile requiring a multi-faceted response.
* The potential introduction of a custom, branded ransomware (Sh1nySp1d3r) could signal a significant escalation in capability and branding efforts similar to major existing ransomware operations.
## Mitigations
* **Information Security:** Monitor for communications and phishing attempts referencing the SLH brand or its associated predecessor groups.
* **Platform Moderation:** Organizations that use platforms like Telegram must maintain rigorous monitoring and incident response for coordinated harassment or brand-specific extortion attempts originating from these channels.
* **Executive Protection:** Implement enhanced security controls and training for C-suite executives regarding targeted email pressure campaigns, emphasizing validation of unsolicited communications.
* **Early Detection:** Monitor for early indicators related to the potential Sh1nySp1d3r ransomware, focusing on initial access techniques known to be employed by Scattered Spider and affiliates.
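One way to operationalise the brand-monitoring and executive-protection items above, as an added example that is not part of the original report: a small Python detection over constructed mail-log lines that flags an executive mailbox when a burst of distinct external senders hits it within a short window, or when a subject names one of the groups listed in this report. The log format, mailbox addresses, internal domain and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Brand strings taken from this report; the match list itself is our assumption.
BRAND_TERMS = ("scattered lapsus$ hunters", "slh", "slsh", "shinyhunters",
               "lapsus$", "scattered spider", "sh1nysp1d3r")
BRAND_RE = re.compile("|".join(
    r"(?<![a-z0-9])" + re.escape(t) + r"(?![a-z0-9])" for t in BRAND_TERMS), re.I)

# Constructed sample mail-log lines (timestamp|sender|recipient|subject), not real data.
SAMPLE_LOG = """\
2025-10-01T09:00:00|jane@example.com|cfo@example.com|Q3 budget review
2025-10-01T09:05:00|a1@mail-a.test|cfo@example.com|Pay up - SLSH demands a response
2025-10-01T09:07:00|b2@mail-b.test|cfo@example.com|Your data is with ShinyHunters
2025-10-01T09:12:00|c3@mail-c.test|cfo@example.com|Scattered LAPSUS$ Hunters - final notice
2025-10-01T09:20:00|d4@mail-d.test|cfo@example.com|Final notice
2025-10-01T09:33:00|e5@mail-e.test|cfo@example.com|slh operations centre
2025-10-01T09:40:00|vendor@supplier.test|cfo@example.com|Invoice 1042
2025-10-01T13:00:00|f6@mail-f.test|cfo@example.com|Re: Invoice
2025-10-01T09:10:00|x@mail-x.test|ciso@example.com|Webinar invitation
"""

def parse_log(text):
    """Parse pipe-delimited log lines into (timestamp, sender, recipient, subject)."""
    records = []
    for line in text.splitlines():
        ts, sender, rcpt, subject = line.split("|", 3)
        records.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower(), subject))
    return records

def detect_pressure_campaign(records, exec_mailboxes, internal_domain,
                             window=timedelta(hours=1), min_senders=5):
    """Flag an exec mailbox on >= min_senders distinct external senders within `window`, or any SLH-brand subject."""
    per_exec = defaultdict(list)
    for ts, sender, rcpt, subject in records:
        if rcpt in exec_mailboxes and not sender.endswith("@" + internal_domain):
            per_exec[rcpt].append((ts, sender, subject))
    alerts = {}
    for rcpt, msgs in per_exec.items():
        msgs.sort()  # chronological, so a window can be scanned from each message
        peak = 0
        for i, (start, _, _) in enumerate(msgs):
            in_window = {s for ts, s, _ in msgs[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        brand_hits = sum(1 for _, _, subj in msgs if BRAND_RE.search(subj))
        if peak >= min_senders or brand_hits:
            alerts[rcpt] = {"peak_external_senders": peak, "brand_hits": brand_hits}
    return alerts
```

On the constructed sample the CFO mailbox is flagged (six distinct external senders inside one hour, four brand-referencing subjects) while the CISO mailbox, with one external sender and no brand terms, is not.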