Dissecting the Scattered LAPSUS$ Hunters (SLH) Threat
By Cam Sivesind
Mon | Nov 10, 2025 | 10:34 AM PST

The threat actor ecosystem is constantly evolving, but the rise of Scattered LAPSUS$ Hunters (SLH) signals a significant shift in how cybercriminal groups structure and advertise their operations. This is not a single, centralized ransomware gang; it is a brand built on distributed trust and shared services, drawing parallels to the disruptive organizational models popularized by the original LAPSUS$ group.

Trustwave SpiderLabs' Cyber Threat Intelligence team has been meticulously tracking this brand's emergence, and their recent analysis provides critical insights into the anatomy of this "federated cybercriminal brand." Understanding SLH's communication dynamics is essential for cybersecurity professionals looking to anticipate the next evolution of access brokers and extortionists.

Trustwave's analysis confirms that SLH is less a traditional hacking collective and more of a marketplace or certification mark for affiliate hackers. This federated model allows the brand to scale rapidly while distributing risk.

As the SpiderLabs blog notes, SLH has consolidated its activity across various public platforms, utilizing this consolidation to project an image of legitimacy and success within the criminal underground.

SLH has several key operational characteristics:

  1. Distributed trust and vetting: SLH operates as a self-managed ecosystem where members are vetted and their exploits are certified under the shared brand. This system attempts to solve a critical problem for cybercriminals: the risk of dealing with scam artists or low-quality access brokers. By associating with the SLH brand, affiliates signal a higher likelihood of success and trustworthiness to potential buyers.

  2. Focus on Initial Access Brokering (IAB): Like its namesake, LAPSUS$, the SLH brand appears highly focused on the initial stages of the kill chain. Their primary product is often the sale of verified, high-value access mechanisms. This includes:

    • Stolen credentials for corporate accounts

    • Access to collaboration tools (Slack, Teams)

    • VPN and Remote Desktop Protocol (RDP) access points

  3. Communication agility: The group demonstrates a high degree of communication agility, quickly adapting and migrating its presence across different forums, Telegram channels and chat services as platforms are shut down or members are exposed. This constant migration is a core element of its resilience and contributes to the "scattered" nature of the brand.

"This is a merger of extreme convenience. Scattered Spider brings social engineering expertise that helps the group bypass enterprise MFA implementations, while LAPSUS$ is apt at moving laterally inside networks," said Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit. "ShinyHunters brings in data extortion and exfiltration capabilities. Combine all three together and enterprises face a threat group who are experts in initial access, lateral movement, and data exfiltration. From what we can see, they colluded at BreachForums. However, since its takedown, the group has moved operations to Telegram, a P2P-based resilient network, which really got the groups together."

Dani added, "Based on the recent Red Hat heist, the prime candidate for the next merger in my opinion will be the threat actor group named Crimson Collective. They bring in a focus on cloud-native infrastructure attacks that Scattered Spider, LAPSUS$, and Shiny Hunters are lacking."

The strategic threat for CISOs

The emergence of the SLH model fundamentally changes how security teams must approach threat intelligence and defense:

1. Initial access is a highly liquid commodity: The federated model turns verified network access into a standardized, liquid commodity. Trustwave's work highlights that when a brand like SLH vouches for an access mechanism, the barrier to entry for a follow-on attack (such as ransomware deployment or data exfiltration) drops significantly.

Actionable intelligence: CISOs should prioritize threat intelligence feeds that specifically track IAB marketplaces and their associated brands. If SLH or a similar entity is observed selling access to an industry peer, treat it as a trigger for an immediate audit of perimeter controls (VPN, RDP and SSO exposure) and credential hygiene.

2. Defending against the LAPSUS$ playbook: The LAPSUS$ threat, which SLH emulates, relied heavily on social engineering and exploiting the weaknesses of internal IT teams, such as poor MFA implementations or excessive privileges.

Mitigation focus: Defenses must center on phishing-resistant MFA, specifically FIDO2 security keys or certificate-based authentication, for all critical accounts, particularly those governing VPN, SSO, and administrative cloud portals. Because the actor is often after a live, trusted session (a stolen cookie or token, which sidesteps MFA for as long as that session is valid) rather than a password, session hijacking prevention is equally vital: bind sessions to the client they were issued to, keep session lifetimes short, and require re-authentication for sensitive actions.

3. The challenge of tracking federated risk: Tracking SLH is challenging because there is no single, fixed command-and-control infrastructure. Security teams must rely on behavioral tracking and linguistic analysis across numerous public and private channels to consolidate indicators of compromise (IoCs) related to the brand. The SpiderLabs effort exemplifies the kind of consolidation necessary to move from tracking individual attacks to understanding the federated organizational risk they pose.
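As an added illustration of the consolidation described in point 3 (and of the marketplace tracking called for under point 1), here is a small Python script that is not from the article and not Trustwave's tooling. It takes a handful of constructed posts from different channels, refangs and extracts the indicators and persona handles, and merges them into one table per indicator with every channel it was seen in, so a handle or panel domain that survives a channel migration stays linked to the brand rather than being logged as a fresh, unrelated sighting. The channel names, handles and domain are invented; the two hashes are the well-known digests of an empty input, used as placeholders.

```python
"""Consolidate scattered indicators and personas into one brand-level view.

Added example; this is not code from the original article or from Trustwave
SpiderLabs. The three messages below are constructed for illustration (the two
hashes are the well-known digests of an empty input, used as placeholders), and
the channel names, handles and domain are invented.
"""
import re

# Constructed sample messages, not real channel content.
SAMPLE_MESSAGES = [
    {"channel": "telegram:ops-channel-A", "ts": "2025-11-01T10:00:00Z",
     "text": "new drop, contact @broker_persona. mirror hxxps://example[.]net/drop"},
    {"channel": "forum:thread-42", "ts": "2025-11-02T08:30:00Z",
     "text": "vouched access, dm @broker_persona or @other_persona. sha256 "
             "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"channel": "telegram:ops-channel-B", "ts": "2025-11-05T22:15:00Z",
     "text": "channel A is gone, we are here now. panel at example[.]net, "
             "md5 d41d8cd98f00b204e9800998ecf8427e"},
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"\b[a-fA-F0-9]{32}\b|\b[a-fA-F0-9]{40}\b|\b[a-fA-F0-9]{64}\b")
HANDLE_RE = re.compile(r"(?<![\w.])@([A-Za-z0-9_]{3,32})\b")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(text: str) -> str:
    """Undo the common defanging conventions (hxxp, [.], [:]) used in posts."""
    return (text.replace("hxxp", "http")
                .replace("[.]", ".")
                .replace("[:]", ":"))


def extract(text: str) -> set:
    """Return the set of (type, value) indicators found in one message."""
    text = refang(text)
    found = set()
    for m in URL_RE.finditer(text):
        found.add(("url", m.group(0).rstrip(".,;")))
    for m in DOMAIN_RE.finditer(text):
        found.add(("domain", m.group(0).lower()))
    for m in HASH_RE.finditer(text):
        found.add((HASH_TYPES[len(m.group(0))], m.group(0).lower()))
    for m in HANDLE_RE.finditer(text):
        found.add(("handle", m.group(1).lower()))
    return found


def consolidate(messages) -> dict:
    """Merge per-message indicators into one table keyed by indicator value.

    Each entry records the indicator type, every channel it appeared in, the
    first and last sighting (ISO timestamps sort lexically) and a sighting count,
    so a handle or domain that survives a channel migration is linked, not lost.
    """
    table = {}
    for msg in messages:
        for kind, value in extract(msg["text"]):
            entry = table.setdefault(value, {
                "type": kind, "channels": set(),
                "first_seen": msg["ts"], "last_seen": msg["ts"], "sightings": 0,
            })
            entry["channels"].add(msg["channel"])
            entry["first_seen"] = min(entry["first_seen"], msg["ts"])
            entry["last_seen"] = max(entry["last_seen"], msg["ts"])
            entry["sightings"] += 1
    return table


def cross_platform(table: dict) -> list:
    """Indicators seen on more than one platform type (the 'telegram:' or
    'forum:' prefix), i.e. the personas and infrastructure that bridge a move."""
    return sorted(value for value, e in table.items()
                  if len({c.split(":", 1)[0] for c in e["channels"]}) > 1)


if __name__ == "__main__":
    table = consolidate(SAMPLE_MESSAGES)
    for value, e in sorted(table.items()):
        print(f"{e['type']:7} {value:<70} {e['sightings']}x {sorted(e['channels'])}")
    print("bridging indicators:", cross_platform(table))
```

The output worth watching is `cross_platform`: in the constructed data only the broker handle appears on both a Telegram channel and a forum thread, which is exactly the kind of persona-level pivot that lets an analyst say "this is the same brand" after a channel is shut down, even though every other indicator changed.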
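To make the session-hijacking point under item 2 concrete, the following Python sketch is an added example, not code from the article, from Trustwave or from any vendor quoted here. It binds each session to the client context it was issued to and enforces idle and absolute lifetimes, so a cookie or token lifted from a live session is refused, and the session revoked, the moment it is replayed from the attacker's machine. The binding material (an assumed TLS channel identifier plus user agent), the timeout values and the FakeClock helper are illustrative assumptions.

```python
"""Bind a session to the client it was issued to and cap its lifetime.

Added example, not code from the original article or from any vendor quoted in
it. It shows one server-side defence against theft of a live, trusted session:
a stolen cookie replayed from a different client context is refused and the
session revoked. The binding material (a TLS channel identifier plus user agent)
and the timeout values are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before re-authentication
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard lifetime cap regardless of activity


class FakeClock:
    """Controllable clock so timeouts can be exercised without sleeping."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


@dataclass
class Session:
    user: str
    binding: str      # HMAC of the client context captured at login
    issued_at: float
    last_seen: float
    mfa_level: str    # e.g. "fido2" or "otp"; drives step-up decisions
    revoked: bool = False


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict = {}
        self._key = secrets.token_bytes(32)  # server secret; keeps bindings unforgeable

    def _bind(self, client_ctx: dict) -> str:
        # Assumed binding material. IP and user agent alone are weak; prefer a
        # property the attacker cannot copy along with the cookie, such as an
        # mTLS certificate hash or a DPoP proof-of-possession key thumbprint.
        material = f"{client_ctx.get('tls_id', '')}|{client_ctx.get('ua', '')}".encode()
        return hmac.new(self._key, material, hashlib.sha256).hexdigest()

    def issue(self, user: str, client_ctx: dict, mfa_level: str) -> str:
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, self._bind(client_ctx), now, now, mfa_level)
        return sid

    def validate(self, sid: str, client_ctx: dict) -> tuple:
        """Return (accepted, reason). Any failure revokes the session outright."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return False, "unknown_or_revoked"
        now = self._clock()
        if now - s.issued_at > ABSOLUTE_TIMEOUT:
            s.revoked = True
            return False, "absolute_timeout"
        if now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            return False, "idle_timeout"
        if not hmac.compare_digest(s.binding, self._bind(client_ctx)):
            # Cookie presented from another client: treat as theft and kill the
            # session so neither the attacker nor the victim can keep using it.
            s.revoked = True
            return False, "binding_mismatch"
        s.last_seen = now
        return True, "ok"

    def needs_step_up(self, sid: str, required: str = "fido2") -> bool:
        """True if a sensitive action should force re-authentication."""
        s = self._sessions.get(sid)
        return s is None or s.revoked or s.mfa_level != required


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    victim = {"tls_id": "tls-session-1", "ua": "Firefox/131"}
    attacker = {"tls_id": "tls-session-9", "ua": "Firefox/131"}
    sid = store.issue("alice", victim, "fido2")
    print("victim  :", store.validate(sid, victim))     # (True, 'ok')
    print("attacker:", store.validate(sid, attacker))   # (False, 'binding_mismatch')
    print("victim  :", store.validate(sid, victim))     # (False, 'unknown_or_revoked')
```

Running the module shows the victim accepted, the attacker refused with `binding_mismatch`, and the victim then locked out as well. That last step is deliberate: a mismatch is evidence the token has been copied, and forcing the legitimate user back through phishing-resistant MFA is far cheaper than leaving the stolen session alive.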

"The actors behind Scattered LAPSUS$ Hunters using 'SLH/SLSH Operations Centre' highlights the ongoing maturity of cybercriminal operations, using a self-applied label projects an organized command structure, and gives legitimacy to fragmented groups," said Lauren Rucker, Sr. Cyber Threat Intelligence Analyst at Deepwatch. "Bringing together three groups affiliated with the loose-knit The Com enterprise, the merger markets an Extortion-as-a-Service (EaaS) model with Scattered Spider contributing expertise in advanced social engineering, ShinyHunters handling large-scale data theft, and LAPSUS$ supplying reputational capital."

"Future mergers will likely follow this pattern of consolidation into larger umbrella groupings to establish further legitimacy in their reputation, especially as SLH already associates with adjacent clusters CryptoChameleon and Crimson Collective," Rucker continued. "SLH's ambition to deploy a custom ransomware family, Sh1nySp1d3r, demonstrates their intent to rival other major groups like LockBit and DragonForce. Additionally, continued collaboration with initial access brokers and exploit developers, like the persona Yuka, ensures specialized technical capabilities drive future integrations."

We asked a few other cybersecurity vendor SMEs for their thoughts.

Andy Bennett, CISO at Apollo Information Systems, said:

  • "Whether or not an organization is more concerned with this group of attackers working together than they are a nation state attacker likely depends on whether or not they are more likely to be targeted by this group or a nation state. Organizations with a mature understanding of the most likely attack vectors they face will be less likely to be more concerned about a new group just because they have made some headlines."

  • "If you see attackers starting to take aims at the types of technologies and systems or processes you use in your organization, then you should pay attention and take the appropriate steps to dynamically address that shift in your threat models. For some organizations, it may mean tweaking configurations optimizing detection and tools, and for other organizations, it may mean education and awareness to combat social engineering attacks. Something I would recommend for all organizations is to run tabletop exercises to test and improve the organization's ability to respond to the types of attacks they are most likely to face."

  • "Organizations hit by this collective's ransomware attacks (and others) are more likely to be targeted again. Paying a ransom drastically increases that likelihood. Victims' data, both the data used to originally compromise them and the data stolen during the ransomware attack, can be repacked and sold on the dark web for other attackers to use. Unfortunately, until we find ways to limit attackers' ability to monetize cybercrime, the incentive will remain for attackers to keep up the pressure. We shouldn't stop pursuing them, and we should be ramping up arrests and prosecutions, but there is a lot of work to be done and a lot more arrests to be made before we see an appreciable impact in lowering cybercriminal activity."

Agnidipta Sarkar, Chief Evangelist at ColorTokens, said:

  • "The Trinity of Chaos, as many call them, consistently manages to breach organizations through a third-party platform first, then uses that beachhead to pivot inward. As if their motto is 'log-in, not hack-in → start in someone else's cloud → end at the target.' In almost every major breach that we can reconstruct—be it Salesforce, Snowflake, Okta-managed tenants, SAP SaaS, or even ESXi hypervisor environments—the initial access was a credential misuse of a valid account, and that did not happen on the victim's corporate LAN or VPN but inside a SaaS or PaaS console that the victim's business units already trusted."

  • "In my view, companies must immediately microsegment critical digital systems and move to cryptographic passwordless credential management. If your SaaS admins can download a CSV, you are in scope. Considering microsegmentation can be implemented quickly, even affected companies can gain an advantage if they deploy microsegmentation within hours of being attacked."

The rise of Scattered LAPSUS$ Hunters is a warning sign that cybercrime is adopting decentralized business models for resilience and scale. For defenders, it means we must shift from protecting against a singular enemy to securing our networks against a distributed, self-certifying network of threat actors all operating under a recognized banner of betrayal.
