Cybercrime Super-Group: Unveiling the Merger of Scattered Spider, LAPSUS$, and ShinyHunters (2025)

A shocking merger has taken place in the world of cybercrime, uniting three notorious groups: Scattered Spider, LAPSUS$, and ShinyHunters. This alliance, known as Scattered LAPSUS$ Hunters (SLH), has been making waves since its emergence in August 2025. With a total of 16 Telegram channels created and removed in a cat-and-mouse game with platform moderators, SLH has demonstrated its resilience and determination to maintain a public presence.

Researchers at Trustwave SpiderLabs have revealed that SLH offers a service called Extortion-as-a-Service (EaaS). This allows affiliates to join forces and demand payments from targets, leveraging the consolidated entity's brand and notoriety. SLH's activities also extend beyond data theft and extortion: the group has hinted at developing a custom ransomware family, Sh1nySp1d3r, aiming to rival established players like LockBit and DragonForce.

SLH's operations are a blend of financially motivated cybercrime and attention-driven hacktivism. Trustwave characterizes them as masters of perception and legitimacy, employing theatrical branding and cross-platform amplification. Their administrative posts carry a self-applied label, "SLH/SLSH Operations Centre," projecting an image of an organized command structure.

The group's Telegram channels have become a hub for coordination and visibility, with members using the platform to accuse Chinese state actors and take aim at U.S. and U.K. law enforcement. They've even invited subscribers to participate in pressure campaigns, targeting C-suite executives with relentless emails for a minimum payment.

SLH's alliance brings together several semi-autonomous groups within the larger cybercriminal enterprise, "The Com." Some of the known threat clusters include Shinycorp (aka sp1d3rhunters), UNC5537 (linked to the Snowflake extortion campaign), UNC3944 (associated with Scattered Spider), and UNC6040 (linked to the Salesforce vishing campaign).

The consolidation of administrative and affiliated personas showcases a cohesive alliance, with identities like Rey, SLSHsupport, and yuka (aka Yukari or Cvsp) playing crucial roles. Yuka, an initial access broker with a history of developing exploits, adds technical expertise to the group.

As if the SLH merger wasn't enough, another cartelization event has taken place. Acronis has disclosed that the threat actors behind DragonForce have released a new malware variant. This variant utilizes vulnerable drivers to disable security software and terminate protected processes as part of a "bring your own vulnerable driver" (BYOVD) attack. DragonForce, in partnership with Qilin and LockBit, aims to share techniques, resources, and infrastructure, bolstering their individual capabilities.

"Affiliates can deploy their own malware while using DragonForce's infrastructure and operating under their own brand," Acronis researchers explain. "This lowers the technical barrier, enabling both established groups and newcomers to run operations without building a full ransomware ecosystem."

The DragonForce ransomware group is aligned with Scattered Spider, which functions as an affiliate, breaking into targets of interest using sophisticated social engineering techniques. Scattered Spider deploys remote access tools to conduct extensive reconnaissance before deploying DragonForce.

"DragonForce has crafted a dark successor, keeping all Conti code functionality unchanged but adding an encrypted configuration to eliminate command-line arguments," Acronis notes.

This merger and cartelization highlight the evolving nature of cybercrime, where groups collaborate to enhance their capabilities and stay ahead of law enforcement. As the cybercriminal ecosystem continues to adapt, it's crucial to stay informed and vigilant.



Author: Jeremiah Abshire
