A Cybercrime Merger Like No Other: Scattered Spider, LAPSUS$, and ShinyHunters Join Forces
The cybercrime underworld is abuzz with the news of a unique merger. Three prominent groups, Scattered Spider, LAPSUS$, and ShinyHunters, have joined forces to form a powerful collective. Since their debut, they've created 16 Telegram channels, showcasing their determination to maintain a public presence despite platform moderation.
This nascent collective has been named Scattered LAPSUS$ Hunters (SLH). They've launched data extortion attacks, including those targeting Salesforce users. Their primary offering is extortion-as-a-service (EaaS), allowing affiliates to demand payments from targets in exchange for using the group's brand and notoriety. SLH is associated with a loose-knit, federated cybercriminal enterprise known as The Com, characterized by fluid collaboration and brand-sharing.
Telegram remains the central hub for SLH operations, mirroring hacktivist groups' style. It serves as a megaphone for threat actors to disseminate their messaging and market services. As their activities evolved, SLH administrative posts began to include signatures referencing the 'SLH/SLSH Operations Centre,' projecting an organized command structure and bureaucratic legitimacy.
SLH members have also accused Chinese state actors of exploiting vulnerabilities, and have targeted U.S. and U.K. law enforcement agencies. They've invited channel subscribers to participate in pressure campaigns by finding C-suite executives' email addresses and emailing them, in exchange for a minimum payment of $100.
The collective comprises semi-autonomous groups within The Com network, each with unique technical capabilities. Shinycorp (aka sp1d3rhunters) acts as a coordinator and manages brand perception. Other notable groups include UNC5537, UNC3944, and UNC6040, each linked to specific extortion campaigns.
SLH also includes identities like Rey and SLSHsupport, responsible for engagement, and yuka (aka Yukari or Cvsp), who has a history of exploit development and presents themselves as an initial access broker (IAB).
Scattered LAPSUS$ Hunters' primary focus remains data theft and extortion, but they've hinted at a custom ransomware family named Sh1nySp1d3r to rival LockBit and DragonForce. This suggests potential ransomware operations in the future.
Trustwave characterizes SLH as a hybrid of financially motivated cybercrime and attention-driven hacktivism, blending monetary incentives with social validation. They've mastered the art of weaponizing perception and legitimacy within the cybercriminal ecosystem.
The disclosure comes as Acronis reveals that DragonForce, a ransomware cartel, has unleashed a new malware variant using vulnerable drivers to disable security software. DragonForce has partnered with Qilin and LockBit to share techniques and resources, further strengthening their capabilities.
DragonForce's alignment with Scattered Spider is notable. Scattered Spider functions as an affiliate, using social engineering techniques to break into targets and then deploying remote access tools. This collaboration showcases the cartelization of cybercrime, allowing established groups and newcomers to operate without building a full ransomware ecosystem.