A shocking merger has taken place in the world of cybercrime, uniting three notorious groups: Scattered Spider, LAPSUS$, and ShinyHunters. This alliance, known as Scattered LAPSUS$ Hunters (SLH), has been making waves since its emergence in August 2025.
SLH has established a strong presence on Telegram, creating and recreating channels to maintain visibility despite platform moderation. Their activity has been a cat-and-mouse game, with channels removed and reestablished multiple times. Trustwave SpiderLabs, a cybersecurity expert, describes this as a "recurring cycle" reflecting the group's determination to stay in the public eye.
But here's where it gets controversial: SLH offers an "extortion-as-a-service" model, allowing affiliates to join and demand payments from targets under the SLH brand. This raises questions about the nature of their collaboration and the potential for further criminal activities.
The group's structure is intriguing, with a loose federation of cybercriminal enterprises known as "The Com." SLH is assessed to be part of this network, along with other clusters like CryptoChameleon and Crimson Collective. Their use of Telegram as a central hub is reminiscent of hacktivist groups, serving both operational and marketing purposes.
As Trustwave notes, SLH has developed a mature understanding of how perception and legitimacy can be manipulated within the cybercriminal ecosystem. Their branding, reputation management, and cross-platform amplification strategies showcase a sophisticated approach.
And this is the part most people miss: SLH's activities combine social engineering, exploit development, and narrative warfare. This blend is more characteristic of established underground actors than newcomers, indicating a high level of expertise.
In a related development, Acronis has revealed that the threat actors behind DragonForce, another ransomware group, have released a new malware variant. This variant utilizes vulnerable drivers to disable security software, showcasing a sophisticated bring-your-own-vulnerable-driver (BYOVD) attack.
DragonForce has also partnered with Qilin and LockBit, forming a ransomware cartel. This alliance aims to share techniques, resources, and infrastructure, enhancing their individual capabilities. Acronis researchers explain that affiliates can deploy their own malware using DragonForce's infrastructure, lowering the technical barrier to entry.
The connection between DragonForce and Scattered Spider is intriguing. Scattered Spider, functioning as an affiliate, uses sophisticated social engineering techniques to break into targets, followed by the deployment of remote access tools. DragonForce then takes over, utilizing Conti's leaked source code to create a unique ransomware variant.
This merger and collaboration among cybercriminal groups highlight the evolving nature of cyber threats. As these groups become more organized and sophisticated, the need for robust cybersecurity measures and awareness becomes even more critical.
What are your thoughts on these developments? Do you think these alliances will lead to more coordinated and dangerous cyber attacks? Share your insights and let's discuss the implications of these mergers in the comments below!
