Full Report
Trustwave SpiderLabs’ Cyber Threat Intelligence team is tracking the recent emergence of what appears to be the consolidation of three well-known threat groups into a “federated alliance” that offers, among its activities, Extortion-as-a-Service (EaaS). The collective comprises Scattered Spider, ShinyHunters, and LAPSUS$. The group heavily uses a public encryption communication service as its primary operating…
Analysis Summary
# Threat Actor: Federated Alliance (Scattered Spider, ShinyHunters, and LAPSUS$)
## Attribution & Identity
* **Identification:** A "federated alliance" emerging in early August 2025, consolidating three previously well-known threat groups: Scattered Spider, ShinyHunters, and LAPSUS$.
* **Known Aliases and Associated Groups:**
* Core Members: Scattered Spider, ShinyHunters, LAPSUS$.
* Associated Clusters (Affiliations noted): CryptoChameleon, Crimson Collective.
* Context: Described as a hybrid entity blending traits from these groups operating within "The Com" (an informal cybercriminal milieu known for fluid collaboration).
## Activity Summary
* **Primary Activity:** Offering Extortion-as-a-Service (EaaS).
* **Recent Campaigns/Operations:** The collective emerged in August 2025, appearing first on Telegram. They utilize the well-known names of the member groups to create fear among potential victims, aiming to generate higher financial returns from their EaaS activities.
## Tactics, Techniques & Procedures
* **Communication/Operation Base:** Heavily uses a public encrypted messaging service as its primary operating base; the report names Telegram as the channel on which the alliance first appeared.
* **Branding/Reputation Usage:** Leverages the established names and reputations of Scattered Spider, ShinyHunters, and LAPSUS$ to instill fear in targets and affiliates.
* **Operational Model:** Federated/Hybrid entity structure combining operational traits of its core members.
* **MITRE ATT&CK IDs:** Not specified in the provided text.
## Targeting
* **Sectors:** Not specified for the alliance's EaaS offering. The sectors mentioned alongside this item in the source (Defense Industry, Government, Financial, Manufacturing, and Transportation) belong to other news items and are not attributed to this alliance; they should not be read as its targeting profile.
* **Geography:** Not specified in the provided text.
* **Victims:** Not specified in the provided text.
## Tools & Infrastructure
* **Malware Families Used:** Not specified in the provided text.
* **Infrastructure (C2, domains, IPs):** Primary operating base is described as a "public encryption communication service." (Specific URLs/IPs are not provided).
## Implications
* **Strategic Implication:** Represents a consolidation of significant threat group reputation and operational experience under a new EaaS model.
* **Threat Assessment:** The merging of heavily recognized names (Scattered Spider, ShinyHunters, LAPSUS$) is a deliberate tactic intended to maximize extortion leverage and fear factor, potentially leading to higher financial yield against targets. The affiliation with other "The Com-adjacent" clusters suggests rapid potential growth in scope/capability.
## Mitigations
* **Communication Channel Monitoring:** Because the alliance operates from a public encrypted messaging service (it first appeared on Telegram), monitor egress from endpoints and servers to such services. Connections to consumer messaging platforms from server segments, or sustained uploads to them from any host, are a higher-confidence signal than ordinary user browsing and merit investigation even without a suspected affiliate.
* **Brand Impersonation Awareness:** Extortion demands that invoke LAPSUS$, Scattered Spider, or ShinyHunters may come from actors operating under this federation and should be triaged as a high-stakes extortion attempt. The names are used deliberately to maximize fear, so the claimed affiliation should inform the response but not be taken as proof of the attacker's actual capability.
* **EaaS Defense Posture:** Strengthen resilience against extortion as a business model rather than against one group's toolset: the alliance is explicitly franchising extortion, so affiliates with varied tradecraft may operate under the same brand.
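One way to implement the channel-monitoring check above, as an added example that is not from the Trustwave report: a Python script that scans a constructed proxy log for connections to Telegram's public hostnames and flags sources that sit in a server segment or that upload more than a threshold volume. The log format, the 10.20.1.0/24 server subnet, the 100,000-byte threshold and the hostname list are assumptions for illustration; Telegram clients can also reach the service by IP address, which a hostname check will not catch.

```python
"""Flag proxy-log sources that contact Telegram public endpoints.

Added example for this summary, not code from the Trustwave report. The log
format, subnets, hostname list and threshold are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumption: illustrative list of Telegram public domains, not exhaustive.
# MTProto clients may also connect to Telegram IP ranges directly, which
# this hostname-based check will not see.
TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me")

# Constructed policy: hosts in these networks are servers and have no
# legitimate reason to talk to a consumer messaging service.
SERVER_NETWORKS = [ipaddress.ip_network("10.20.1.0/24")]

# Constructed threshold: cumulative bytes uploaded to Telegram from one source
# above which the activity looks like staging/exfiltration rather than a user
# reading a channel.
UPLOAD_THRESHOLD = 100_000

# Constructed proxy log: "<timestamp> <src_ip> <dest_host> <dest_port> <bytes_out>".
SAMPLE_PROXY_LOG = """\
2025-08-12T09:14:02Z 10.20.1.15 updates.contoso.example 443 1204
2025-08-12T09:14:09Z 10.20.1.15 api.telegram.org 443 88213
2025-08-12T09:15:31Z 10.20.7.200 web.telegram.org 443 2210
2025-08-12T09:16:05Z 10.20.1.15 api.telegram.org 443 95501
2025-08-12T09:17:44Z 10.20.9.3 t.me 443 512
"""


@dataclass
class ProxyRecord:
    ts: str
    src: str
    host: str
    port: int
    bytes_out: int


@dataclass
class Finding:
    src: str
    bytes_out: int
    hosts: list
    reasons: list


def is_telegram_host(host: str) -> bool:
    """Label-aware suffix match: 'nottelegram.org' must not match 'telegram.org'."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in TELEGRAM_DOMAINS)


def parse_line(line: str):
    """Parse one constructed log line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return ProxyRecord(parts[0], parts[1], parts[2], int(parts[3]), int(parts[4]))
    except ValueError:
        return None


def is_server(src: str) -> bool:
    """True if the source address falls inside a declared server network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in SERVER_NETWORKS)


def analyse(log_text: str, upload_threshold: int = UPLOAD_THRESHOLD) -> list:
    """Aggregate Telegram-bound traffic per source and return sources worth a look."""
    per_src = defaultdict(lambda: {"bytes": 0, "hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_telegram_host(rec.host):
            continue
        per_src[rec.src]["bytes"] += rec.bytes_out
        per_src[rec.src]["hosts"].add(rec.host)

    findings = []
    for src, agg in sorted(per_src.items()):
        reasons = []
        if is_server(src):
            reasons.append("server-segment host contacting Telegram")
        if agg["bytes"] >= upload_threshold:
            reasons.append(f"{agg['bytes']} bytes uploaded to Telegram")
        if reasons:
            findings.append(Finding(src, agg["bytes"], sorted(agg["hosts"]), reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_PROXY_LOG):
        print(f.src, f.bytes_out, ", ".join(f.hosts), "|", "; ".join(f.reasons))
```

Run against the constructed log, only 10.20.1.15 is reported: it is in the server subnet and has pushed over 180 KB to api.telegram.org across two requests, while the two workstation sources stay below the threshold. The threshold is a tuning knob; lowering it surfaces workstation traffic as well, which is useful when hunting rather than alerting.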