An unprecedented merger in cybercrime: Scattered Spider, LAPSUS$ and ShinyHunters join forces

Since August 2025, three of the most notorious cybercrime groups (Scattered Spider, LAPSUS$ and ShinyHunters) have formalized an alliance under the name Scattered LAPSUS$ Hunters (SLH), creating up to 16 Telegram channels to coordinate and consolidate their operations. This merger represents a qualitative leap in the “professionalization” of cybercrime, mixing extortion, hacktivism and media manipulation in the same ecosystem.

Key points and operational details

The new collective operates as an extortion-as-a-service (EaaS) platform, where affiliates can exploit the group's reputation to launch attacks and demand ransoms. Recent incidents include campaigns against Salesforce users combining vishing, spear-phishing and vulnerability exploitation.

The actors have maintained a constant presence on Telegram despite repeated closures of their channels. There they spread their message, recruit collaborators and organize harassment campaigns against company executives, offering payments to those who participate.

The identified subgroups include UNC5537 (Snowflake extortion), UNC3944 (Scattered Spider) and UNC6040 (Salesforce vishing). Recognized figures such as King, SLSHsupport and yuka (Yukari/Cvsp) also operate within it; the latter is a known initial access broker with experience in exploit development.

Malware, campaigns and future projection

Although the main activity remains data exfiltration and extortion, the group has hinted at developing its own ransomware, “Sh1nySp1d3r”, intended to compete with LockBit and DragonForce. The latter, according to Acronis, has started cooperating with Qilin and LockBit to share infrastructure and BYOVD (Bring Your Own Vulnerable Driver) techniques, which use vulnerable drivers such as truesight.sys or rentdrv2.sys to disable security defenses.

Historically, Scattered Spider has acted as an initial access broker, leveraging advanced social engineering, remote access tools (ScreenConnect, AnyDesk, TeamViewer, Splashtop) and extensive reconnaissance techniques. This direct relationship with DragonForce confirms a cartelization of cybercrime, similar to what was seen in the past with Conti and its derivatives.

Analysis and context

Scattered LAPSUS$ Hunters represents a hybridization between financial cybercrime and media hacktivism, where prestige and theatricality are worth as much as money. Its structure mimics that of a formal organization, with administrative roles and brand management, showing a mature understanding of cyber warfare.

For companies, this type of alliance implies an increased risk: coordinated attacks, public extortion campaigns and mass data leaks under the same “criminal brand”.


How can Amber Solutions help you?

At Amber Solutions, we recommend Threat Intelligence and DFIR services, which are essential to anticipate extortion campaigns, track infrastructure on Telegram and respond to breaches quickly. Our Pen Testing and Red Teaming services make it possible to assess resistance to entry vectors such as vishing or the exploitation of vulnerabilities in corporate environments.

Understanding criminal alliances such as Scattered LAPSUS$ Hunters is key to anticipating and neutralizing threats before they strike. Amber Solutions can help you achieve this by combining intelligence, simulation and advanced response.
