Cybercrime Merger Alert: Scattered Spider, LAPSUS$, ShinyHunters Form SLH Alliance (2025)

A shocking cybercrime alliance has emerged, uniting three notorious groups: Scattered Spider, LAPSUS$, and ShinyHunters. Since August 8, 2025, this collective has created an astonishing 16 Telegram channels, showcasing their determination to maintain a public presence despite platform moderation efforts.

Trustwave SpiderLabs, a LevelBlue company, has released a report detailing the anatomy of this federated cybercriminal brand. The group, known as Scattered LAPSUS$ Hunters (SLH), has been active since early August, targeting organizations with data extortion attacks, including those utilizing Salesforce. Their primary offering is an extortion-as-a-service (EaaS) model, inviting affiliates to join and demand payments from targets under the consolidated entity's brand and notoriety.

All three groups are believed to be affiliated with a loose-knit enterprise called The Com, characterized by fluid collaboration and brand-sharing. SLH has also demonstrated connections to other clusters, such as CryptoChameleon and Crimson Collective.

SLH members use Telegram as the central hub to coordinate and promote their operations, adopting a style reminiscent of hacktivist groups. Using the platform for both purposes allows them to amplify their messaging and market their services effectively.

As SLH's activities evolved, administrative posts began to include signatures referencing the 'SLH/SLSH Operations Centre,' a self-imposed label that projects the image of an organized command structure. This bureaucratic legitimacy adds weight to their otherwise fragmented communications.

Members of SLH have used Telegram to accuse Chinese state actors of exploiting vulnerabilities they claim to have targeted. They have also taken aim at U.S. and U.K. law enforcement agencies and invited channel subscribers to participate in pressure campaigns by targeting C-suite executives with relentless emails in exchange for a minimum payment.

The known threat clusters within SLH include:

  • Shinycorp (aka sp1d3rhunters): Acts as a brand coordinator and manager
  • UNC5537: Linked to the Snowflake extortion campaign
  • UNC3944: Associated with Scattered Spider
  • UNC6040: Linked to the recent Salesforce vishing campaign

Other key identities within the group are Rey, SLSHsupport, and yuka (aka Yukari or Cvsp), who has a history of developing exploits and presents as an initial access broker (IAB).

While data theft and extortion remain SLH's primary focus, they have hinted at a custom ransomware family named Sh1nySp1d3r (aka ShinySp1d3r), suggesting potential future ransomware operations. Trustwave characterizes these threat actors as operating at the intersection of financially motivated cybercrime and attention-driven hacktivism, blending monetary incentives and social validation.

"Through their theatrical branding, reputational recycling, cross-platform amplification, and layered identity management, the SLH actors have demonstrated a sophisticated understanding of how perception and legitimacy can be weaponized within the cybercriminal ecosystem," Trustwave noted.

This alliance's behaviors illustrate an operational structure that combines social engineering, exploit development, and narrative warfare, a blend more commonly associated with established underground actors than opportunistic newcomers.

In related news, Acronis has revealed that the threat actors behind DragonForce have released a new malware variant. This variant utilizes vulnerable drivers to disable security software and terminate protected processes as part of a bring your own vulnerable driver (BYOVD) attack. DragonForce, which launched a ransomware cartel earlier this year, has also partnered with Qilin and LockBit to share techniques, resources, and infrastructure, enhancing their individual capabilities.

"Affiliates can deploy their own malware while leveraging DragonForce's infrastructure and operating under their own brand," Acronis researchers explained. "This lowers the technical barrier, enabling both established groups and new actors to run operations without building a full ransomware ecosystem."

The ransomware group is aligned with Scattered Spider, which functions as an affiliate, using sophisticated social engineering techniques to break into targets of interest. DragonForce then deploys remote access tools to conduct reconnaissance before deploying its ransomware.

"DragonForce has crafted a dark successor, utilizing Conti's leaked source code but keeping all functionality unchanged, only adding an encrypted configuration to eliminate command-line arguments," Acronis stated.


Article information

Author: Patricia Veum II
