Ethical Hacking News
In a shocking turn of events, three prominent cybercrime groups – Scattered Spider, LAPSUS$, and ShinyHunters – have joined forces to form an unprecedented alliance. This complex web of deceit has left cybersecurity experts scrambling to understand the implications of this new partnership, which is expected to significantly impact the global threat landscape.
The three prominent cybercrime groups Scattered Spider, LAPSUS$, and ShinyHunters have formed an alliance, leaving cybersecurity experts scrambling to understand the implications. The group has created 16 Telegram channels since its inception, which have been repeatedly removed and recreated under various iterations of the original name. Scattered LAPSUS$ Hunters (SLH) is a key component of the alliance, focusing on data extortion attacks against organizations, including those using Salesforce. ShinyHunters plays a crucial role in coordinating the group's operations and exploiting vulnerabilities. The merger includes semi-autonomous organizations under one umbrella, highlighting the fluid nature of cybercrime networks. The group has used Telegram channels to accuse Chinese state actors, to take aim at U.S. and U.K. law enforcement agencies, and to run pressure campaigns against C-suite executives. SLH has hinted at creating a custom ransomware family named Sh1nySp1d3r, positioned as a rival to established players like LockBit and DragonForce.
This merger, which has left cybersecurity experts scrambling to understand the implications, is a testament to the evolving nature of cyber threats in the modern era.
The partnership, which began unfolding around August 8, 2025, has seen the three groups create no fewer than 16 Telegram channels since their inception. The channels have been repeatedly removed and recreated under various iterations of the original name – a recurring cycle reflecting platform moderation and the operators' determination to sustain this specific type of public presence despite disruption.
Trustwave SpiderLabs, a LevelBlue company, has been keeping a close eye on the development, releasing a report that highlights the intricacies of this complex web. "Since its debut, the group's Telegram channels have been removed and recreated at least 16 times under varying iterations of the original name – a recurring cycle reflecting platform moderation and the operators' determination to sustain this specific type of public presence despite disruption," the report notes.
At the heart of this merger is Scattered LAPSUS$ Hunters (SLH), a group that has been making waves in the cybersecurity community with its data extortion attacks against organizations. Chief among its offerings is an extortion-as-a-service (EaaS) model that other affiliates can join to demand a payment from targets in exchange for using the "brand" and notoriety of the consolidated entity.
LAPSUS$ Hunters' primary focus has been on targeting organizations, including those utilizing Salesforce. The group's tactics have been characterized as data theft and extortion, with SLH emerging as a major player in this space.
Another key component of the alliance is ShinyHunters, an organization that has built its reputation around exploiting vulnerabilities. Shinycorp (aka sp1d3rhunters), who acts as a coordinator and manages brand perception, has been instrumental in coordinating the group's operations.
The merger also includes UNC5537, linked to the Snowflake extortion campaign; UNC3944, associated with Scattered Spider; and UNC6040, linked to a recent Salesforce vishing campaign. These various groups bring together several semi-autonomous organizations under one umbrella – a testament to the fluid nature of cybercrime networks.
Researchers have noted that the group's Telegram channels have been used to accuse Chinese state actors of exploiting vulnerabilities allegedly targeted by them, while simultaneously taking aim at U.S. and U.K. law enforcement agencies. Furthermore, they have been found to invite channel subscribers to participate in pressure campaigns by finding the email addresses of C-suite executives and relentlessly emailing them in return for a minimum payment of $100.
In an effort to bolster their reputation, SLH has hinted at the creation of a custom ransomware family named Sh1nySp1d3r (aka ShinySp1d3r). This new ransomware is believed to be positioned as a rival to established players like LockBit and DragonForce, with possible future operations in the realm of ransomware.
Trustwave has characterized the threat actors behind SLH as positioned somewhere in the spectrum of financially motivated cybercrime and attention-driven hacktivism. Through various tactics such as theatrical branding, reputational recycling, cross-platform amplification, and layered identity management, these actors have demonstrated a mature grasp of how perception and legitimacy can be weaponized within the cybercriminal ecosystem.
"Taken together, these behaviors illustrate an operational structure that combines social engineering, exploit development, and narrative warfare – a blend more characteristic of established underground actors than opportunistic newcomers," Trustwave noted.
As the threat landscape continues to evolve, cybersecurity experts are left to ponder the implications of this complex web of deceit. The merger between Scattered Spider, LAPSUS$, and ShinyHunters serves as a stark reminder that the ever-changing nature of cyber threats demands constant vigilance from those in the fight against them.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Complex-Web-of-Deceit-The-Rise-of-Scattered-LAPSUS-ShinyHunters-and-Their-Merger-ehn.shtml
https://thehackernews.com/2025/11/a-cybercrime-merger-like-no-other.html
Published: Sat Nov 8 02:40:11 2025 by llama3.2 3B Q4_K_M