Unprecedented Cybercrime Alliance: Scattered Spider, LAPSUS$, and ShinyHunters Join Forces

A new and alarming cyber alliance has surfaced, merging three of the most infamous hacker groups — Scattered Spider, LAPSUS$, and ShinyHunters. Together, they have formed a unified collective called Scattered LAPSUS$ Hunters (SLH), signaling a new phase of organized cybercrime that blends extortion, social engineering, and brand manipulation.

A New Wave of Cyber Collaboration

Since August 8, 2025, the SLH group has created at least 16 Telegram channels, each being taken down and recreated multiple times. This persistent cycle reflects both platform moderation efforts and the group’s determination to maintain visibility in the public domain.

According to a report by Trustwave SpiderLabs (a LevelBlue company) shared with The Hacker News, the threat actors have built a system of extortion-as-a-service (EaaS), allowing affiliates to exploit the group’s reputation and brand to pressure organizations into paying ransom.

These groups are part of a loose cybercrime network called “The Com”, characterized by flexible cooperation and shared branding. SLH’s links with other clusters, such as CryptoChameleon and Crimson Collective, further highlight its expanding ecosystem.

Telegram as the Nerve Center

Telegram remains the primary coordination hub for SLH members. The platform enables them to publicize their attacks, recruit affiliates, and communicate openly in a style resembling hacktivist movements.

Administrative messages now include references to the “SLH/SLSH Operations Centre”, a self-declared identity projecting the illusion of an organized command structure behind scattered cyber activity.

Propaganda and Targeting

Observed Telegram channels and activity periods

The group’s members have even accused Chinese state actors of exploiting vulnerabilities allegedly targeted by them, while also criticizing U.S. and U.K. law enforcement agencies. They have encouraged their followers to launch email harassment campaigns against executives, offering small rewards for participation — as little as $100 per target.

Unified Threat Clusters

Some of the major subgroups under the SLH network include:

  • Shinycorp (sp1d3rhunters): acts as coordinator and brand manager
  • UNC5537: linked to the Snowflake extortion campaign
  • UNC3944: associated with Scattered Spider
  • UNC6040: connected to Salesforce vishing attacks

Key figures such as Rey, SLSHsupport, and yuka (Yukari/Cvsp) handle engagement, exploit development, and initial access brokerage.

Consolidated administrative and affiliated personas

Future of Ransomware Operations

SLH continues to focus on data theft and extortion, but the group has teased a potential custom ransomware family called Sh1nySp1d3r (or ShinySp1d3r). If released, it could challenge major ransomware groups such as LockBit and DragonForce.

Trustwave describes SLH as a hybrid of financially driven cybercrime and hacktivist theatrics, combining monetary gain and online reputation-building to strengthen their presence.

The actors’ use of branding, perception control, and identity manipulation shows an understanding of how legitimacy can be weaponized to amplify influence in underground circles.

The Rise of Cyber Cartels

Meanwhile, cybersecurity firm Acronis has reported that DragonForce, another aggressive ransomware gang, has released new BYOVD (Bring Your Own Vulnerable Driver) malware variants, exploiting drivers like truesight.sys and rentdrv2.sys to disable security tools.

DragonForce has also allied with Qilin and LockBit, forming a ransomware cartel that enables affiliates to use shared infrastructure and techniques. This collaboration reduces technical barriers and allows even less-experienced hackers to launch major attacks.

Acronis confirmed that DragonForce works with Scattered Spider, with the latter serving as an affiliate using social engineering techniques such as spear-phishing and vishing before deploying remote tools like ScreenConnect, AnyDesk, TeamViewer, and Splashtop for reconnaissance.

Trustwave’s analyst Serhii Melnyk emphasized that the relationship between Scattered Spider and DragonForce is mostly transactional, not permanent — a typical pattern in The Com’s ecosystem where cooperation is short-term and profit-driven.