A new, potent cybercrime collective has materialized, fusing the forces of three already prominent groups: Scattered Spider, LAPSUS$, and ShinyHunters. Since August 8, 2025, this nascent alliance has demonstrated a determined effort to maintain a public profile, evidenced by the creation of no less than 16 Telegram channels. This activity, as noted by security researchers, shows a continuous cycle of creation and disruption, with channels repeatedly being removed by the platform and then immediately recreated under slightly altered names. This persistence underscores the operators’ commitment to sustaining this specific type of public visibility despite facing moderation efforts.
The consolidated entity, which surfaced in early August, is being tracked as Scattered LAPSUS$ Hunters (SLH) and immediately began launching sophisticated data extortion attacks against various organizations, including recent targets utilizing the Salesforce platform. A key component of the group’s offering is an extortion-as-a-service (EaaS) model. This service invites other affiliates to join the operation, allowing them to leverage the collective’s “brand” and notoriety to demand payments from victims in exchange for their participation and access to the combined entity’s resources.
All three originating groups are believed to be part of a broader, more fluid cybercriminal ecosystem known as The Com. This network is characterized by loose-knit, federated cooperation and a practice of brand-sharing among its constituents. Furthermore, the threat actors comprising SLH have actively exhibited associations with other adjacent criminal clusters, specifically those tracked under the names CryptoChameleon and Crimson Collective, suggesting a constantly shifting and expanding web of collaboration across the cyber-underworld.
According to security experts, Telegram serves as the central nexus for this group, acting as the primary medium for members to coordinate their activities and bring visibility to their operations. This approach mimics the style often seen in hacktivist groups, serving a dual function. The channels operate as a megaphone for the threat actors to widely disseminate their messaging and boasts, while also functioning as a robust market to advertise and sell their illegal services to potential affiliates and partners.
As their operations have matured, administrative posts within the channels have increasingly begun to include signatures referencing the “SLH/SLSH Operations Centre.” Security researchers interpret this self-applied label as having significant symbolic weight, projecting an image of an organized command structure. This lends a deceptive sense of bureaucratic legitimacy to what are often fragmented and chaotic communications. Members have also used Telegram for political grandstanding, notably to accuse Chinese state actors of exploiting vulnerabilities they allegedly targeted, while simultaneously taking swipes at U.S. and U.K. law enforcement. Moreover, the group is known to invite their channel subscribers to participate in pressure campaigns, asking them to find email addresses of C-suite executives and relentlessly spam them with demands in return for a minimum payment of $100. This highlights a highly cohesive, though semi-autonomous, alliance that brings considerable technical capabilities under a unified umbrella within The Com network.
Reference:
