Full Report
Introduction

In August 2025, a Telegram channel named “Scattered LAPSUS$ Hunters” surfaced, linking itself to notorious cybercrime groups: Scattered Spider, ShinyHunters, and LAPSUS$. The group quickly began posting stolen data, ransom demands, and provocative statements, reviving chaos once driven by LAPSUS$. Its name hints at connections to “The Com”, an underground network where actors often […]

The post Anatomy of the Red Hat Intrusion: Crimson Collective and SLSH Extortions appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Incident Report: Emergence of SLSH Collective and Associated Extortions
## Executive Summary
In August 2025, the "Scattered LAPSUS\$ Hunters" (SLSH) Telegram channel emerged, signaling an alliance between Scattered Spider, ShinyHunters, and LAPSUS\$. This group engaged in extortion campaigns, relying heavily on social engineering (vishing) to compromise systems, notably affecting third-party providers for platforms like Discord. The group also shared exploit code for a critical Oracle E-Business Suite zero-day, CVE-2025-61882, which was actively exploited by criminal groups, leading to emergency patching across the industry.
## Incident Details
- **Discovery Date:** August 2025 (SLSH channel surfacing)
- **Incident Date:** Starting August 2025 (Zero-day exploitation by Clop/SLSH activity overlap); September 2025 (Discord provider breach)
- **Affected Organization:** Discord (via third-party provider); Oracle (via zero-day vulnerability); Salesforce (threatened)
- **Sector:** Software/Cloud Services, Technology
- **Geography:** Global (Attribution complex due to underground networks)
## Timeline of Events
### Initial Access
- **Date/Time:** July 2025 (Observed exploit activity for CVE-2025-61882 started around this time)
- **Vector:** Exploitation of Oracle E-Business Suite Zero-Day (CVE-2025-61882) and Vishing/Malicious App Installation.
- **Details:** Attackers used exploit code for CVE-2025-61882, allowing unauthenticated RCE. Additionally, SLSH used vishing to trick employees into installing fake Salesforce Data Loader apps or approving malicious connected apps.
### Lateral Movement
- **Date/Time:** Subsequent to initial access (e.g., September 2025 for Discord breach)
- **Vector:** Gaining access to admin systems via compromised third-party vendors (e.g., Zendesk compromise leading to Discord admin access).
- **Details:** Movement involved leveraging the initial foothold to reach specific high-value entities or related infrastructure.
### Data Exfiltration/Impact
- **Date/Time:** August/September 2025 (Clop confirmed to be exploiting the zero-day; data exfiltrated from Discord's third-party provider).
- **Impact:** Stolen data posted, ransom demands issued. For Discord, limited user data, including payment details and IDs, was exposed.
### Detection & Response
- **Date/Time:** Post-exploitation (e.g., Oracle confirming and patching the zero-day after Mandiant revelation in August 2025). Salesforce stated they would not comply with ransom demands.
- **Response actions taken:** Oracle released an emergency patch for CVE-2025-61882. Law enforcement arrested two suspected Scattered Spider members in the UK in late September.
## Attack Methodology
- **Initial Access:** Unauthenticated Remote Code Execution (CVE-2025-61882); Vishing leading to fake app installs or malicious connected app approvals.
- **Persistence:** Implied by the installation of a RAT (AsyncRAT) delivered through targeted messages.
- **Privilege Escalation:** Not explicitly detailed, but standard for RCE or achieved via social engineering approval processes.
- **Defense Evasion:** Utilizing established relationships within underground networks ("The Com"); employing intimidation tactics (malware payloads sent to researchers).
- **Credential Access:** Implied via RAT functionality (AsyncRAT) used for keylogging and credential theft.
- **Discovery:** Not explicitly detailed, standard post-exploitation reconnaissance.
- **Lateral Movement:** Compromise of third-party providers to access primary targets (e.g., Zendesk compromise for Discord access).
- **Collection:** Data gathering related to extortion targets (Salesforce, Discord data).
- **Exfiltration:** Posting stolen data on the SLSH Telegram channel.
- **Impact:** Extortion/Ransom demands; reputational damage; data disclosure.
## Impact Assessment
- **Financial:** Implied financial impact via ransom demands (Clop group extorted $115 million in similar operations).
- **Data Breach:** Limited user data exposed from Discord's third-party provider, including payment details and IDs. Threat of Salesforce data leaks.
- **Operational:** Disruption related to necessary vendor security assessments and emergency patching cycles (e.g., Oracle EBS).
- **Reputational:** Increased chaos and linkage to notorious groups (LAPSUS\$ revival); targeted intimidation of security researchers (KrebsOnSecurity, Mandiant).
## Indicators of Compromise
- **Network indicators (Defanged):** _limewire[.]com_ (used for hosting malicious links).
- **File indicators:** AsyncRAT (RAT dropper/payload).
- **Behavioral indicators:** Use of vishing tactics to solicit installation of data loader apps; communication via the "Scattered LAPSUS\$ Hunters" Telegram channel; ransom demands linked to UNC5537/UNC6040 historical targets.
## Response Actions
- **Containment measures:** Immediate patching of Oracle E-Business Suite systems against CVE-2025-61882.
- **Eradication steps:** Revocation and regeneration of all potentially compromised credentials, API keys, and session cookies associated with affected vendors (implied for Discord/Salesforce supply chain).
- **Recovery actions:** Rebuilding or restoring compromised systems from clean backups; Salesforce adopted a non-compliance stance on ransom payments.
## Lessons Learned
- The evolution of cybercrime into loosely connected Extortion-as-a-Service (EaaS) models (ShinyHunters model) increases threat diversity.
- Human manipulation (vishing, fake apps) remains a critical vulnerability, outweighing occasional software flaws.
- Actors rapidly weaponize publicly disclosed zero-days (CVE-2025-61882).
- Attribution is deliberately complicated by actors leveraging shared infrastructure and rebranding (SLSH links to UNC3944, UNC5537, UNC6040).
- Intimidation tactics targeting researchers are a consistent feature of these advanced groups.
## Recommendations
- Immediately patch all Oracle E-Business Suite servers for CVE-2025-61882 and isolate unpatched systems.
- Implement strict continuous monitoring focused on credential and token misuse across the environment.
- Enhance user awareness training, specifically targeting vishing attempts that coerce users into installing unverified software or authorizing malicious connected applications.
- Enforce least-privilege and just-in-time access models for all administrative and service accounts.
- Conduct regular audits of third-party vendor security posture and access controls, especially those with access to core administrative systems (like Zendesk for support access).
- Implement continuous secret scanning in code repositories and configuration files to prevent hardcoded credential exposure.