Scattered LAPSUS Hunters (SLH) has emerged as a federated cybercriminal brand that unites Scattered Spider, ShinyHunters, and LAPSUS$ into a single Extortion-as-a-Service alliance anchored on Telegram. Trustwave SpiderLabs describes how the group, operating within the broader “The Com” underground milieu, has launched at least 16 Telegram channels since August 2025, standing up a new channel each time platform moderation removes the previous one. Under the SLH or SLSH Operations Centre banner, operators combine theatrically branded data leak sites, reputation recycling, and aggressive messaging to market extortion services, letting affiliates borrow the notoriety of the combined brand to pressure victims.

The alliance uses Telegram not merely for communication but as a stage for narrative warfare, mixing breach claims, leaked data teasers, interactive polls, and crowd-sourced harassment campaigns. It associates itself with personas such as shinycorp, UNC5537, UNC3944, UNC6040, and yuka (aka Yukari or Cvsp), reflecting a convergence of exploit developers, data brokers, and social engineers under one umbrella. Alongside classic data theft and extortion, the crew has hinted at developing a Sh1nySp1d3r ransomware family built on a code lineage that stretches back to campaigns involving Oracle and SAP vulnerabilities, suggesting ambitions to expand further into the ransomware ecosystem.

The threat posed by Scattered LAPSUS Hunters is not reducible to a single malware family or intrusion technique. The group shows how cybercriminals professionalize branding, use social performance for intimidation, and quickly reconstitute channels after takedowns, which makes infrastructure disruption on its own insufficient. Defenders should expect SLH-branded extortion threats to follow compromises achieved via phishing, vishing, SaaS exploitation, or zero-day brokerage, and should treat references to the alliance as a signal of experienced operators with access to high-value data sets and exploit tooling.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: Scattered LAPSUS Hunters consolidates multiple high-profile cybercrime brands into a single extortion ecosystem that can target enterprises across SaaS, cloud, and on-prem environments. Victims face heightened reputational pressure as attackers trade on well-known names, amplifying the psychological and negotiation leverage associated with data theft and outage threats.

Technical Context: The alliance fuses exploit development, initial access brokerage, and social-engineering-driven intrusions under a shared narrative on Telegram and associated leak sites. While specific TTPs vary by affiliate, recurring patterns include cloud-first data theft, SaaS and CRM exploitation, and vishing-enabled credential harvesting, all supported by infrastructure designed to rapidly regenerate channels and maintain public visibility despite platform enforcement.
⚡Strategic Intelligence Guidance
- Incorporate Scattered LAPSUS Hunters and associated personas into threat models and extortion response playbooks, ensuring leadership understands the group’s branding tactics and likely pressure strategies.
- Enhance monitoring and hardening for SaaS, CRM, and cloud platforms frequently targeted by The Com-aligned operators, including strong MFA, access reviews, and activity anomaly detection.
- Integrate voice phishing, messaging app abuse, and social engineering training into security awareness programs for high-privilege users, especially those in IT, finance, and executive roles.
- Coordinate with legal, communications, and incident response partners to prepare for high-visibility leak site postings and social-media-driven harassment when dealing with SLH-branded extortion events.
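The activity anomaly detection recommended above can be made concrete with a small detector over SaaS audit events. The following is an added example written for this page, not code from Trustwave SpiderLabs or from the assessment above. It flags the two behaviours the Technical Context describes, a bulk export far above a user's own baseline and an export shortly after a login from a country never seen for that user, the pattern that follows vishing-enabled credential theft. The event schema (`ts`, `user`, `type`, `country`, `rows`), the two users, and every log line are constructed sample data and are assumptions; real SaaS and CRM audit logs use their own field names.

```python
"""Toy anomaly detector for SaaS/CRM audit events (added example, constructed data).

Rules:
  1. bulk_export: a user exports more than `ratio` times their historical median.
  2. login_new_country: a login from a country absent from the user's baseline.
  3. export_after_new_country_login: an export within `window` of rule 2 firing.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed baseline month: alice runs small exports from the US,
# bob runs large scheduled reports from Germany.
BASELINE_EVENTS = [
    {"ts": "2025-09-01T09:00:00", "user": "alice", "type": "login", "country": "US"},
    {"ts": "2025-09-01T09:30:00", "user": "alice", "type": "export", "rows": 120},
    {"ts": "2025-09-08T10:00:00", "user": "alice", "type": "export", "rows": 150},
    {"ts": "2025-09-15T11:00:00", "user": "alice", "type": "export", "rows": 90},
    {"ts": "2025-09-02T08:00:00", "user": "bob", "type": "login", "country": "DE"},
    {"ts": "2025-09-02T08:10:00", "user": "bob", "type": "export", "rows": 2000},
    {"ts": "2025-09-09T08:10:00", "user": "bob", "type": "export", "rows": 2500},
]

# Constructed events under review: alice's account signs in from a country
# never seen before and bulk-exports minutes later; bob behaves as usual.
REVIEW_EVENTS = [
    {"ts": "2025-10-03T02:10:00", "user": "alice", "type": "login", "country": "NG"},
    {"ts": "2025-10-03T02:25:00", "user": "alice", "type": "export", "rows": 48000},
    {"ts": "2025-10-03T08:00:00", "user": "bob", "type": "login", "country": "DE"},
    {"ts": "2025-10-03T08:05:00", "user": "bob", "type": "export", "rows": 2300},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def build_baseline(events):
    """Per-user median export size and the set of login countries seen."""
    rows = defaultdict(list)
    countries = defaultdict(set)
    for e in events:
        if e["type"] == "export":
            rows[e["user"]].append(e["rows"])
        elif e["type"] == "login":
            countries[e["user"]].add(e["country"])
    return {
        "median_rows": {u: median(r) for u, r in rows.items()},
        "countries": dict(countries),
    }


def detect(review, baseline, ratio=10, window=timedelta(hours=1)):
    """Return a list of alert dicts for the review events, in time order."""
    alerts = []
    # Most recent login from an unseen country, per user, for rule 3.
    last_new_country_login = {}
    for e in sorted(review, key=lambda x: x["ts"]):
        user, ts = e["user"], parse_ts(e["ts"])
        if e["type"] == "login":
            if e["country"] not in baseline["countries"].get(user, set()):
                last_new_country_login[user] = (ts, e["country"])
                alerts.append({"user": user, "rule": "login_new_country",
                               "country": e["country"], "ts": e["ts"]})
        elif e["type"] == "export":
            med = baseline["median_rows"].get(user)
            # Users with no export history get no ratio check; a real
            # deployment would fall back to an absolute row threshold.
            if med is not None and e["rows"] > ratio * med:
                alerts.append({"user": user, "rule": "bulk_export",
                               "rows": e["rows"], "baseline_median": med,
                               "ts": e["ts"]})
            prior = last_new_country_login.get(user)
            if prior and ts - prior[0] <= window:
                alerts.append({"user": user,
                               "rule": "export_after_new_country_login",
                               "country": prior[1], "rows": e["rows"],
                               "ts": e["ts"]})
    return alerts


def run_demo():
    return detect(REVIEW_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed data the detector raises three alerts, all for alice, and none for bob, whose 2300-row export sits inside his own baseline. The per-user median matters: a single global export threshold would either miss alice's 48000 rows relative to her history or drown in alerts from legitimately heavy users like bob.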
Threats
Scattered LAPSUS Hunters, Scattered Spider, ShinyHunters, LAPSUS$, Sh1nySp1d3r ransomware
Targets
Global enterprises, SaaS providers, CRM platforms