The Cybercriminal Alliance: A New Era of Online Threats
Three well-known cybercrime groups, Scattered Spider, LAPSUS$, and ShinyHunters, have combined under a single brand, and the collective has been publicly active since August 8, 2025, using Telegram as its headquarters.
Trustwave SpiderLabs reported (https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scattered-lapsuss-hunters-anatomy-of-a-federated-cybercriminal-brand/) that the group's Telegram presence has been a cat-and-mouse game with platform moderators: channels carrying variations of the original name have been removed and recreated at least 16 times, a sign of how much the operators value staying publicly visible.
The group, which calls itself Scattered LAPSUS$ Hunters (SLH), also runs an extortion-as-a-service (EaaS) model: affiliates demand payment from victims while trading on the collective's brand and reputation. Under that brand the group has carried out data extortion attacks against a range of organizations, including Salesforce customers.
The Com Connection: All three groups are believed to be part of a larger, loosely organized cybercriminal network called The Com, known for its fluid collaboration and brand-sharing. They've also been linked to other clusters like CryptoChameleon (https://thehackernews.com/2024/03/new-phishing-kit-leverages-sms-voice.html) and Crimson Collective (https://thehackernews.com/2025/10/threatsday-bulletin-ms-teams-hack-mfa.html#crimson-collective-targets-aws-environments) , further expanding their reach.
Telegram, the group's preferred platform, serves as a command center for coordination and a megaphone for their activities. This dual purpose allows them to organize their operations and market their illicit services, much like hacktivist groups.
As the group evolved, their Telegram posts became more sophisticated, with signatures referencing an 'SLH/SLSH Operations Centre,' creating an illusion of a structured command. This tactic adds a layer of legitimacy to their otherwise fragmented communications.
Controversial Tactics: SLH members have used Telegram to accuse Chinese state actors of exploiting vulnerabilities the group had previously targeted, and have publicly attacked law enforcement agencies in the U.S. and U.K. They have also invited subscribers to join paid pressure campaigns in which participants email a victim's C-suite executives, turning harassment of the target into another revenue stream.
Rather than a single cohesive organization, the alliance is a federation of semi-autonomous groups operating under one brand, each contributing its own specialty:
- Shinycorp (aka sp1d3rhunters): The brand manager and coordinator.
- UNC5537 (https://thehackernews.com/2024/06/snowflake-breach-exposes-165-customers.html): Linked to the Snowflake extortion campaign.
- UNC3944 (https://thehackernews.com/2025/06/google-warns-of-scattered-spider.html): Associated with Scattered Spider.
- UNC6040 (https://thehackernews.com/2025/06/google-exposes-vishing-group-unc6040.html): Involved in the recent Salesforce vishing campaign.
Other key players include Rey and SLSHsupport, responsible for engagement, and yuka (aka Yukari or Cvsp), an exploit developer and initial access broker (IAB).
Future Threats: While data theft and extortion remain their primary focus, the group has hinted at developing a custom ransomware family, Sh1nySp1d3r, to rival established names like LockBit and DragonForce (https://thehackernews.com/2024/09/microsoft-identifies-storm-0501-as.html) . This suggests a potential expansion into ransomware operations.
Trustwave describes the group as a hybrid of financially motivated cybercriminals and attention-seeking hacktivists, driven by both monetary gain and social validation.
"The actors behind SLH have mastered the art of perception manipulation and legitimacy within the cybercriminal world," Trustwave noted, highlighting their sophisticated branding and identity management strategies.
A Complex Web: This alliance represents a sophisticated blend of social engineering, exploit development, and narrative manipulation, typically seen in established underground groups rather than newcomers.
The emergence of this collective coincides with another development. Acronis reported that the threat actors behind DragonForce have released a new malware variant that brings vulnerable signed drivers, among them truesight.sys and rentdrv2.sys (the latter abused by the BadRentdrv2 tooling (https://github.com/keowu/BadRentdrv2)), onto the victim host and uses them to disable security software, the technique commonly called bring-your-own-vulnerable-driver (BYOVD).
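Because BYOVD drivers carry a valid signature, a "Signed=true" field in a driver-load event does not clear them; defenders instead match loaded drivers against a watchlist of known-vulnerable names and hashes. The following is an added example, not code from the article, Acronis or Trustwave, that runs such a check over a few constructed Sysmon Event ID 6 (driver loaded) records written as key=value text. The driver names come from the reporting above; the SHA256 values in the watchlist and in the sample events are placeholders, not real indicators, and in practice would come from a source such as Microsoft's vulnerable driver blocklist.

```python
"""Flag driver-load events that match a BYOVD watchlist.

Added example, not the article's or any vendor's code. The sample events are
CONSTRUCTED and the SHA256 values are PLACEHOLDERS, not real indicators.
"""
import re
from pathlib import PureWindowsPath

# Driver file names called out in the DragonForce reporting. Name matching
# alone is weak (the file can simply be renamed), so hashes are checked too.
VULN_DRIVER_NAMES = {"truesight.sys", "rentdrv2.sys"}

# Placeholder hashes standing in for entries of a real vulnerable-driver
# blocklist (e.g. Microsoft's). Not the real hashes of these drivers.
VULN_DRIVER_SHA256 = {
    "0" * 63 + "1",  # placeholder for truesight.sys
    "0" * 63 + "2",  # placeholder for rentdrv2.sys
}

# Each record is "Key=Value Key=Value ..." with no spaces inside values.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict (Hashes keeps its 'SHA256=...' form)."""
    return dict(FIELD_RE.findall(line))


def sha256_of(event):
    """Extract the SHA256 from a Sysmon-style 'SHA256=...,MD5=...' Hashes field."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.upper() == "SHA256":
            return value.lower()
    return ""


def classify(event):
    """Return the reasons a driver load is suspicious, or [] if none."""
    reasons = []
    image = event.get("ImageLoaded", "")
    name = PureWindowsPath(image).name.lower()
    if name in VULN_DRIVER_NAMES:
        reasons.append(f"file name {name} is a known vulnerable driver")
    if sha256_of(event) in VULN_DRIVER_SHA256:
        reasons.append("SHA256 is on the vulnerable-driver watchlist")
    # A valid signature must not exonerate a watchlist hit: BYOVD works
    # precisely because the abused driver is legitimately signed.
    if reasons and event.get("Signed", "").lower() == "true":
        reasons.append("validly signed, as expected for BYOVD")
    return reasons


def scan(lines):
    """Run classify() over Event ID 6 records; return [(image_path, reasons), ...]."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "6":
            continue
        reasons = classify(event)
        if reasons:
            hits.append((event.get("ImageLoaded", ""), reasons))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate Windows driver: no name or hash match.
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Hashes=SHA256="
    + "f" * 64 + " Signed=true",
    # Vulnerable driver dropped to a temp directory: name and hash both match.
    r"EventID=6 ImageLoaded=C:\Windows\Temp\truesight.sys Hashes=SHA256="
    + "0" * 63 + "1" + ",MD5=" + "a" * 32 + " Signed=true",
    # Same driver renamed to evade name matching: caught by the hash.
    r"EventID=6 ImageLoaded=C:\Users\Public\update.sys Hashes=SHA256="
    + "0" * 63 + "2" + " Signed=true",
    # Known name but a hash the watchlist does not (yet) have.
    r"EventID=6 ImageLoaded=C:\Users\Public\rentdrv2.sys Hashes=SHA256="
    + "e" * 64 + " Signed=true",
    # Not a driver-load event; ignored.
    r"EventID=7 ImageLoaded=C:\Windows\System32\kernel32.dll Hashes=SHA256="
    + "d" * 64 + " Signed=true",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The renamed-driver case is the one worth noting: the name list misses it and only the hash watchlist catches it, which is why a name-only detection for BYOVD gives false confidence.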
DragonForce, which formed a ransomware cartel this year, has partnered with Qilin and LockBit (https://thehackernews.com/2025/10/lockbit-qilin-and-dragonforce-join.html) to share techniques and resources. This allows affiliates to use DragonForce's infrastructure while operating under their own brands, lowering the barrier for new actors to launch attacks.
DragonForce's connection to Scattered Spider is significant. Scattered Spider acts as an affiliate, using advanced social engineering tactics to breach targets, then deploying remote access tools for reconnaissance before delivering DragonForce's payload.
DragonForce has also modified the leaked Conti source code, producing a variant whose configuration is embedded in encrypted form so that the payload no longer needs command-line arguments; the result is a build unique to DragonForce that is harder to analyze and attribute.
Taken together, the SLH federation and the DragonForce cartel show the cybercriminal landscape consolidating around shared brands, shared infrastructure, and shared tooling, a combination that presents defenders with a harder and less predictable adversary. Whether this marks a new era of cybercrime is an open question; what is clear is that the barrier to entry keeps falling.