Cybercrime Merger: Scattered LAPSUS$ Hunters Unite as Major Threat


These articles are AI-generated summaries. Please check the original sources for full details.

The convergence of three prominent cybercrime groups—Scattered Spider, LAPSUS$, and ShinyHunters—into a unified entity known as Scattered LAPSUS$ Hunters (SLH) has reshaped the cybercriminal landscape. This alliance, active since August 2025, employs Telegram as a central hub for coordination, extortion, and brand promotion, while expanding its network through affiliations with other threat clusters and developing novel ransomware capabilities.


Formation and Structure of SLH

  • Telegram Presence: SLH has created 16 Telegram channels since August 8, 2025, frequently renaming and recreating them to evade moderation. This cyclical strategy reflects their determination to maintain a visible, public-facing presence despite platform restrictions.
  • Extortion-as-a-Service (EaaS): The group offers EaaS, allowing affiliates to leverage the SLH brand for data extortion campaigns. Targets, including Salesforce users, are pressured to pay ransoms in exchange for non-disclosure of stolen data.
  • Operational Branding: Administrative posts in Telegram channels reference the “SLH/SLSH Operations Centre,” a symbolic label designed to project an organized, bureaucratic structure to enhance credibility among affiliates and victims.

Operational Tactics and Infrastructure

  • Social Engineering and Exploitation: SLH employs sophisticated techniques like spear-phishing, vishing (voice phishing), and exploit development. Notable tools include remote access tools (RATs) like ScreenConnect and AnyDesk for reconnaissance.
  • Targeted Campaigns: Members have accused Chinese state actors of exploiting vulnerabilities, while simultaneously targeting U.S. and U.K. law enforcement. They also organize “pressure campaigns” where subscribers are incentivized to email C-suite executives for $100 minimum payments.
  • Custom Ransomware Development: SLH is developing a custom ransomware family named Sh1nySp1d3r, positioning it as a competitor to established groups like LockBit and DragonForce. This signals a potential shift toward direct ransomware operations.

Affiliations and Network Expansion

  • The Com Network: SLH is part of a larger, loosely connected cybercriminal enterprise called The Com, which includes clusters like CryptoChameleon and Crimson Collective. This network enables fluid collaboration and resource sharing.
  • Key Affiliated Groups:
    • Shinycorp (sp1d3rhunters): Manages brand perception and coordination.
    • UNC5537: Linked to the Snowflake extortion campaign.
    • UNC3944: Associated with Scattered Spider.
    • UNC6040: Tied to Salesforce vishing campaigns.
  • Notable Individuals:
    • Rey and SLSHsupport: Maintain engagement and operational continuity.
    • yuka (Cvsp): Develops exploits and acts as an initial access broker (IAB).

Cartelization and Collaboration with DragonForce

  • DragonForce Partnership: SLH collaborates with DragonForce, a ransomware cartel that recently released a BYOVD (Bring Your Own Vulnerable Driver) malware variant. The variant loads vulnerable drivers such as truesight.sys and rentdrv2.sys and abuses them to disable security software.
  • Infrastructure Sharing: DragonForce allows affiliates to deploy their own malware while using its infrastructure, reducing technical barriers for new actors. SLH acts as an affiliate, leveraging social engineering to breach targets before deploying DragonForce ransomware.
  • Conti Code Derivative: DragonForce’s ransomware is based on leaked Conti source code with minimal modifications. It retains all of the original functionality but embeds an encrypted configuration in place of the command-line arguments the original code required.

Impact and Implications

  • Blended Motives: SLH operates at the intersection of financial gain and attention-driven hacktivism, using theatrical branding and narrative warfare to legitimize their operations.
  • Threat Landscape Evolution: The merger represents a shift toward cartelization in cybercrime, where groups pool resources, share infrastructure, and standardize operations. This model lowers entry barriers for new actors and escalates the scale of attacks.
  • Cybersecurity Response: Trustwave and Acronis highlight the need for enhanced monitoring of Telegram channels, improved detection of BYOVD attacks, and proactive defense against EaaS models.
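As an added illustration of the BYOVD detection point raised above and the driver names cited in the DragonForce section (this is not code from the report or from any of the groups it describes): a small Python detector over constructed Sysmon-style DriverLoad (Event ID 6) records that flags the two driver names the summary mentions and any driver loaded from a user-writable path. The JSON field names, the path heuristics and the sample events are assumptions made for the example.

```python
"""Flag BYOVD-style kernel driver loads in constructed Sysmon DriverLoad records.
Added illustration, not from the report; field names and samples are assumptions."""
import json
import ntpath

# Driver names cited in the summary. Hashes are deliberately omitted: the page
# gives none, and a production rule should use the vendor's published blocklist.
KNOWN_ABUSED_DRIVERS = {"truesight.sys", "rentdrv2.sys"}

# Locations a properly installed driver is not normally loaded from (assumed heuristic).
SUSPICIOUS_PATH_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\", "c:\\temp\\")

def classify_driver_load(event: dict) -> list[str]:
    """Return reasons a Sysmon Event ID 6 (DriverLoad) record looks like BYOVD."""
    reasons = []
    if event.get("EventID") != 6:
        return reasons  # not a driver-load event
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known abused driver name: {name}")
    if image.lower().startswith(SUSPICIOUS_PATH_PREFIXES):
        reasons.append(f"loaded from user-writable path: {image}")
    # BYOVD drivers usually carry a valid vendor signature, so a bad signature
    # is only a secondary signal; name/hash and load path are the primary ones.
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append(f"signature status: {event.get('SignatureStatus', 'missing')}")
    return reasons

def scan(jsonl: str) -> dict[str, list[str]]:
    """Scan newline-delimited JSON events; map ImageLoaded -> reasons for hits only."""
    hits = {}
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        if reasons := classify_driver_load(ev):
            hits[ev["ImageLoaded"]] = reasons
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\truesight.sys", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\rentdrv2.sys", "SignatureStatus": "Valid"},
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "SignatureStatus": "Valid"},
])

if __name__ == "__main__":
    for path, why in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(why))
```

The name match is the weakest signal on its own, since an attacker can rename the file; in a real deployment pair it with the hash list from the vendor's vulnerable-driver blocklist.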

References

For further details, refer to the original report: https://thehackernews.com/2025/11/a-cybercrime-merger-like-no-other.html
