A Cybercrime Merger Like No Other — Scattered Spider, LAPSUS$, and ShinyHunters Team Up

November 4, 2025

A nascent collective that combines three prominent cybercrime groups, Scattered Spider, LAPSUS$, and ShinyHunters, has created 16 Telegram channels since August 8, 2025.

“Since its debut, the group’s Telegram channel has been deleted and recreated at least 16 times, with various iterations of its original name. This repeating cycle reflects platform moderation and the operator’s determination to maintain this particular type of public presence despite disruption,” Trustwave SpiderLabs, a LevelBlue company, said in a report shared with The Hacker News.

Scattered LAPSUS$ Hunters (SLH) emerged in early August and has launched data extortion attacks against organizations, including those using Salesforce, in recent months. Chief among its offerings is extortion-as-a-service (EaaS), which other affiliates can join to demand payments from targets in exchange for using the consolidated entity’s “brand” and notoriety.

All three groups are assessed as belonging to a loosely organized, federated cybercrime enterprise called The Com, characterized by “fluid collaboration and brand sharing.” The threat actor has since shown association with other adjacent clusters tracked as CryptoChameleon and Crimson Collective.

Cybersecurity vendors say Telegram remains a central place for members to coordinate and gain visibility into the group’s activities, adopting a style similar to hacktivist groups. This serves a dual purpose for the attackers: the channels advertise their services and also act as a megaphone to spread their message.

“As the operation matured, administrative posts began to include signatures referring to ‘SLH/SLSH Operations Center,’ a self-applied label with symbolic weight that projected an image of an organized chain of command, lending bureaucratic legitimacy to fragmented communications,” Trustwave noted.

[Figure: Observed Telegram channels and activity periods]

Members of the group also use Telegram to accuse Chinese state agencies of exploiting vulnerabilities that are said to be targeting them, as well as law enforcement agencies in the United States and United Kingdom. Additionally, they have been found to solicit subscribers to participate in pressure campaigns by finding email addresses of executives and persistently emailing them in exchange for a minimum payment of $100.

Some of the known threat clusters that are part of the crew are listed below. This highlights the cohesive alliance that brings together several semi-autonomous groups within The Com network and their technological capabilities under one umbrella.

  • Shinycorp (aka sp1d3rhunters) acts as a coordinator and manages brand awareness
  • UNC5537 (related to Snowflake extortion campaign)
  • UNC3944 (related to Scattered Spider)
  • UNC6040 (linked to the recent Salesforce vishing campaign)

The group also includes identities like Rey and SLSHsupport, who are responsible for maintaining engagement, and yuka (also known as Yukari or Cvsp), who has a history of developing exploits and claims to be an Initial Access Broker (IAB).

[Figure: Consolidated managers and related parties]

While data theft and extortion continue to be the mainstay of Scattered LAPSUS$ Hunters, the threat actors have hinted at a custom ransomware family named Sh1nySp1d3r (also known as ShinySp1d3r) to rival LockBit and DragonForce, suggesting possible future ransomware activity.

Trustwave characterizes the threat actors as falling somewhere on the spectrum between financially motivated cybercrime and high-profile hacktivism, with a mix of financial incentives and social recognition driving their activities.

“Through theatrical branding, reputation recycling, cross-platform amplification, and multi-layered identity management, the threat actors behind SLH demonstrate a mature understanding of how recognition and legitimacy are weaponized within the cybercrime ecosystem,” it added.


“Taken together, these actions demonstrate an operating structure that combines social engineering, exploit development, and narrative warfare, a combination more characteristic of established underground actors than opportunistic newcomers.”

Another kind of cartelization

This disclosure comes after Acronis revealed that the attackers behind DragonForce have released new malware variants that use vulnerable drivers such as truesight.sys and rentdrv2.sys (part of BadRentdrv2) to disable security software and terminate protected processes as part of bring your own vulnerable driver (BYOVD) attacks.

DragonForce, which launched its ransomware cartel earlier this year, has since also partnered with Qilin and LockBit to “facilitate the sharing of technology, resources and infrastructure” and strengthen their respective capabilities.

“Affiliates can leverage DragonForce’s infrastructure to deploy their own malware while operating under their own brand,” Acronis researchers said. “This lowers the technical barrier and allows both established groups and new threat actors to conduct operations without having to build a full ransomware ecosystem.”

According to the Singapore-based company, the ransomware group works with Scattered Spider, which acts as an affiliate to infiltrate targets of interest through advanced social engineering techniques such as spear phishing and vishing, and then deploys remote access tools such as ScreenConnect, AnyDesk, TeamViewer, and Splashtop to conduct extensive reconnaissance before dropping DragonForce.

“DragonForce used the source code leaked by Conti to forge a Dark Successor created to put its own mark on it.” “Whereas other groups made some changes to the code to put a different spin on it, DragonForce didn’t change all the functionality, just added encrypted configuration to the executable to remove the command line arguments used in the original Conti code.”
