Unprecedented Cybercrime Alliance: Scattered Spider, LAPSUS$, and ShinyHunters Unite

A new cybercrime collective comprising Scattered Spider, LAPSUS$, and ShinyHunters has emerged, with 16 Telegram channels created since August 8, 2025. The group, known as Scattered LAPSUS$ Hunters (SLH), specializes in data extortion attacks, particularly targeting organizations using Salesforce. They offer an extortion-as-a-service (EaaS) model for affiliates to demand payment from targets in exchange for using the group’s branding.

The collective operates within a loose-knit cybercriminal enterprise called The Com, known for its fluid collaboration and brand-sharing practices. They have connections with other clusters such as CryptoChameleon and Crimson Collective. Telegram serves as the primary platform for coordination and visibility, allowing the threat actors to disseminate messages and market their services.

The group has accused Chinese state actors of exploiting vulnerabilities targeted by them and has engaged in pressure campaigns against C-suite executives. Key members, including Shinycorp, UNC5537, UNC3944, and UNC6040, play various roles within the alliance. Rey, SLSHsupport, and yuka are responsible for sustaining engagement and developing exploits.

While Scattered LAPSUS$ Hunters focus on data theft and extortion, they have hinted at launching a custom ransomware family named Sh1nySp1d3r. Trustwave categorizes the threat actors as a blend of financially motivated cybercrime and attention-driven hacktivism, leveraging social engineering, exploit development, and narrative warfare.

In a separate development, DragonForce, a ransomware group, has partnered with Qilin and LockBit to enhance their capabilities through shared techniques and resources. Affiliates can leverage DragonForce’s infrastructure to deploy their malware, reducing the technical barriers for running ransomware operations. DragonForce’s partnership with Scattered Spider involves sophisticated social engineering techniques and reconnaissance before deploying ransomware.

The collaboration between cybercriminal groups highlights the evolving landscape of cyber threats and the increasing sophistication of ransomware operations. By forging alliances and sharing resources, threat actors are able to amplify their impact and target a wider range of victims.
