Cyberwire Daily

A Cybercrime Merger Like No Other — Scattered Spider, LAPSUS$, and ShinyHunters Join Forces

By Team-CWD, November 14, 2025

The nascent collective that combines three prominent cybercrime groups, Scattered Spider, LAPSUS$, and ShinyHunters, has created no fewer than 16 Telegram channels since August 8, 2025.

“Since its debut, the group’s Telegram channels have been removed and recreated at least 16 times under varying iterations of the original name – a recurring cycle reflecting platform moderation and the operators’ determination to sustain this specific type of public presence despite disruption,” Trustwave SpiderLabs, a LevelBlue company, said in a report shared with The Hacker News.

Scattered LAPSUS$ Hunters (SLH) emerged in early August, launching data extortion attacks against organizations, including, in recent months, customers of Salesforce. Chief among its offerings is an extortion-as-a-service (EaaS) model under which affiliates demand payment from targets while trading on the “brand” and notoriety of the consolidated entity.

All three groups are assessed to be affiliated with The Com, a loose-knit and decentralized cybercriminal enterprise marked by “fluid collaboration and brand-sharing.” The threat actors have since displayed associations with other adjacent clusters tracked as CryptoChameleon and Crimson Collective.

However, Trustwave also noted that the self-declared hybrid brand could be appropriating the names of the legacy groups, or impersonating them, to present a unified front. There is no evidence at this stage that the change represents a “formal, centralized organization” composed exclusively of the three entities.

Telegram, according to the cybersecurity vendor, continues to be the central place for its members to coordinate and bring visibility to the group’s operations, in a style akin to that of hacktivist groups. This serves a twofold purpose: the channels act as a megaphone for the threat actors’ messaging and as a marketplace for their services.

“As activity matured, administrative posts began to include signatures referencing the ‘SLH/SLSH Operations Centre,’ a self-applied label carrying symbolic weight that projected the image of an organized command structure that lent bureaucratic legitimacy to otherwise fragmented communications,” Trustwave noted.

Observed Telegram channels and activity periods

Members of the group have also used Telegram to accuse Chinese state actors of exploiting vulnerabilities that the group claims to have targeted itself, while simultaneously taking aim at U.S. and U.K. law enforcement agencies. They have further been found to invite channel subscribers to join pressure campaigns, finding the email addresses of C-suite executives and relentlessly emailing them in return for a minimum payment of $100.

Some of the known threat clusters that form part of the crew are listed below, illustrating a federated alliance in which semi-autonomous groups within The Com network appear to collaborate and pool their technical expertise under one umbrella to enhance operational impact:

  • Shinycorp (aka sp1d3rhunters), who acts as a coordinator and manages brand perception
  • UNC5537 (linked to Snowflake extortion campaign)
  • UNC3944 (associated with Scattered Spider)
  • UNC6040 (linked to recent Salesforce vishing campaign)

Also part of the group are identities like Rey and SLSHsupport, who are responsible for sustaining engagement, along with yuka (aka Yukari or Cvsp), who has a history of developing exploits and presents themselves as an initial access broker (IAB).

Consolidated administrative and affiliated personas

While data theft and extortion continue to be Scattered LAPSUS$ Hunters’ mainstay, the threat actors have hinted at a custom ransomware family named Sh1nySp1d3r (aka ShinySp1d3r) to rival LockBit and DragonForce, suggesting possible ransomware operations in the future.

Trustwave has characterized the threat actors as sitting somewhere on the spectrum between financially motivated cybercrime and attention-driven hacktivism, commingling monetary incentives and social validation to fuel their activities.

“Through theatrical branding, reputational recycling, cross-platform amplification, and layered identity management, the actors behind SLH have shown a mature grasp of how perception and legitimacy can be weaponized within the cybercriminal ecosystem,” it added.

“Taken together, these behaviors illustrate an operational structure that combines social engineering, exploit development, and narrative warfare – a blend more characteristic of established underground actors than opportunistic newcomers.”

Cartelization of Another Kind

The disclosure comes as Acronis revealed that the threat actors behind DragonForce have unleashed a new malware variant that abuses vulnerable drivers such as truesight.sys and rentdrv2.sys (part of BadRentdrv2) to disable security software and terminate protected processes, a bring-your-own-vulnerable-driver (BYOVD) technique. BYOVD works because the abused driver is legitimately signed, so kernel-mode code signing alone does not stop it; defenders have to rely on driver blocklists (such as Microsoft’s vulnerable driver blocklist) and on monitoring for driver loads from unusual locations.

DragonForce, which launched a ransomware cartel earlier this year, has since also partnered with Qilin and LockBit in an attempt to “facilitate the sharing of techniques, resources, and infrastructure” and bolster their own individual capabilities.

“Affiliates can deploy their own malware while using DragonForce’s infrastructure and operating under their own brand,” Acronis researchers said. “This lowers the technical barrier and allows both established groups and new actors to run operations without building a full ransomware ecosystem.”

The ransomware group, per the Singapore-headquartered company, is aligned with Scattered Spider, with the latter acting as an affiliate that breaks into targets of interest through sophisticated social engineering such as spear-phishing and vishing, then deploys remote access tools like ScreenConnect, AnyDesk, TeamViewer, and Splashtop to conduct extensive reconnaissance before dropping DragonForce.
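The two Acronis observations above describe a detectable chain: an RMM tool appears on a host, a known-vulnerable driver is loaded (typically from somewhere other than the system drivers directory), and security product processes are then terminated. The following correlation rule, an added example that is not code from Acronis, Trustwave or any product, runs that logic over constructed pipe-delimited event lines (a made-up format, not a real EDR or Sysmon schema). The driver names come from the article; the RMM executable names and the security process names are assumptions and would be replaced with the ones your telemetry actually reports.

```python
"""
Correlation rule for the DragonForce / Scattered Spider intrusion chain:
RMM tool start -> vulnerable driver load (BYOVD) -> security process kill.
Added example; the event format and the process names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Driver file names the article reports DragonForce abusing.
VULNERABLE_DRIVERS = {"truesight.sys", "rentdrv2.sys"}
# Where Windows normally loads drivers from; a driver outside it is suspect.
TRUSTED_DRIVER_DIR = "c:/windows/system32/drivers/"
# RMM tools named in the article; the executable names are assumptions.
RMM_EXECUTABLES = {
    "screenconnect.clientservice.exe", "anydesk.exe",
    "teamviewer.exe", "splashtopstreamer.exe",
}
# Security product process names to watch for kills (illustrative assumptions).
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str   # process_start | driver_load | process_terminate
    image: str  # normalized: lower-case, forward slashes


def parse_event(line: str) -> Event:
    """Parse one constructed 'ts|host|kind|image' line into an Event."""
    ts, host, kind, image = (f.strip() for f in line.split("|", 3))
    return Event(datetime.fromisoformat(ts), host, kind,
                 image.lower().replace("\\", "/"))


def file_name(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def is_byovd_load(e: Event) -> bool:
    """A driver load is suspect if it is a known-abused driver or is loaded
    from outside the trusted drivers directory (e.g. a user temp folder)."""
    return e.kind == "driver_load" and (
        file_name(e.image) in VULNERABLE_DRIVERS
        or not e.image.startswith(TRUSTED_DRIVER_DIR)
    )


def correlate(lines, window: timedelta = timedelta(minutes=60)) -> list[dict]:
    """Return one finding per suspect driver load, scored by how much of the
    RMM -> BYOVD -> kill chain is visible on the same host within `window`."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings = []
    for drv in filter(is_byovd_load, events):
        nearby = [e for e in events
                  if e.host == drv.host and abs(e.ts - drv.ts) <= window]
        rmm = [e for e in nearby if e.kind == "process_start"
               and file_name(e.image) in RMM_EXECUTABLES and e.ts <= drv.ts]
        kills = [e for e in nearby if e.kind == "process_terminate"
                 and file_name(e.image) in SECURITY_PROCESSES and e.ts >= drv.ts]
        stages = ["byovd_driver_load"]
        if rmm:
            stages.insert(0, "rmm_tool_start")
        if kills:
            stages.append("security_process_kill")
        findings.append({
            "host": drv.host,
            "driver": file_name(drv.image),
            "known_vulnerable": file_name(drv.image) in VULNERABLE_DRIVERS,
            "stages": stages,
            "severity": {1: "medium", 2: "high", 3: "critical"}[len(stages)],
        })
    return findings


# Constructed sample telemetry (not real logs): one full chain on WS-FIN-07,
# a benign driver load and a lone vulnerable-driver load on SRV-DB-02.
SAMPLE_EVENTS = r"""
2025-11-10T09:12:04|WS-FIN-07|process_start|C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe
2025-11-10T09:31:40|WS-FIN-07|driver_load|C:\Users\jdoe\AppData\Local\Temp\truesight.sys
2025-11-10T09:31:43|WS-FIN-07|process_terminate|C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe
2025-11-10T10:05:00|SRV-DB-02|driver_load|C:\Windows\System32\drivers\ndis.sys
2025-11-10T10:40:12|SRV-DB-02|driver_load|C:\Windows\Temp\rentdrv2.sys
""".strip().splitlines()

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately fires on the driver load alone (medium), because the driver name list will always lag the attackers; the RMM precursor and the security-process termination only raise the severity. In production the path check should also exempt whatever legitimate driver-install paths your fleet uses, and the RMM list should be narrowed to tools not sanctioned in your environment.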

“DragonForce used the Conti leaked source code to forge a dark successor crafted to carry its own mark,” it said. “While other groups made some changes to the code to give it a different spin, DragonForce kept all functionality unchanged, only adding an encrypted configuration in the executable to get rid of command-line arguments that were used in the original Conti code.”

Serhii Melnyk, cyber threat intelligence analyst at Trustwave, told The Hacker News that the links between DragonForce and Scattered Spider amount to an “affiliate-level overlap” rather than a formal collaboration, characterizing the relationship between the two clusters as recurrent but opportunistic and transactional, with Scattered Spider serving as an access broker or affiliate that delivers the encryptor.

“From our vantage point, this isn’t the first time Scattered Spider–linked actors (part of the broader The Com ecosystem) have deployed DragonForce ransomware,” Melnyk said. “We previously observed a similar pattern in late April-early May 2025, when U.K. retailers including Marks & Spencer, Co-op, and Harrods were hit. The attacks used Scattered Spider-style social engineering and RMM-based intrusion, followed by DragonForce ransomware payloads.”

“This history supports that Scattered Spider actors have periodically partnered with DragonForce affiliates, likely for payload deployment and monetization, but there’s no indication of a formal or enduring alliance. Instead, it aligns with the group’s broader pattern of temporary, transactional cooperation with multiple RaaS operations – previously seen with BlackCat, RansomHub, and Qilin – as part of TheCom’s fluid, cross-group ecosystem.”

(The story was updated after publication with additional insights from Trustwave.)