Threat Group Profiling: Scattered Lapsus$ Hunters (SLSH)
2025.11.25

✅ Report Title: Threat Group Profiling – Scattered Lapsus$ Hunters (SLSH)



✅ Executive Summary:


- The Scattered Lapsus$ Hunters (SLSH) group began its operations on Telegram in August 2025 as a financially motivated cybercrime collective.


- The group conducted social engineering attacks against Salesforce, exfiltrated data from multiple companies, operated an Extortion-as-a-Service (EaaS) model, and showed indications of developing a Ransomware-as-a-Service (RaaS) model.


- SLSH is an alliance formed by the threat groups Scattered Spider, Lapsus$ and ShinyHunters.



📌 Who Is Scattered Lapsus$ Hunters?


- SLSH is an alliance between Scattered Spider, Lapsus$ and ShinyHunters, all of which are believed to be associated with The Com, a youth cybercrime network based in the United States and the United Kingdom.

  - Identified members include Shiny, sevy, rey, alg0dm, and unc3944.

  - Impersonators attempted to exploit the SLSH name for scams. Analysis of Telegram activity and Bitcoin addresses enabled the identification of a fake SLSH channel and its operator, @shinyspiders.



📌 Key Characteristics of the SLSH Group


- The group operated with clear financial motivation and targeted companies across industries and countries without distinction.


- SLSH combined the tactics historically used by its component groups, demonstrating how their alliance enabled them to evolve into a more capable and threatening operation.



📌 Major Activities


- The group conducted vishing campaigns and leveraged stolen Salesloft Drift OAuth tokens to access Google Salesforce environments, facilitating large-scale data theft across various enterprises.

  - SLSH claimed responsibility for attacks against South Korean organizations such as Wemade, HMM, and SK Telecom, as well as major companies in other countries.



📌 Activities on Deep and Dark Web Forums


- The SLSH group promoted its first official Telegram channel through the breachforums[.]hn forum, an affiliated forum operating under the BreachForums brand.

  - The group leaked stolen corporate data on Telegram, its dedicated Data Leak Site (DLS), and hacking forums such as Breachstars, indicating familiarity with deep- and dark-web ecosystems.



📌 Telegram Channel Operation Pattern


- SLSH conducted most of its public operations on Telegram, continuously leaking stolen data and posting pressure messages to push victims into negotiations.

  - The group repeatedly published intimidation or mockery-based messages, threatening to leak or sell data if victims refused to engage.

  - Its Telegram channels were frequently shut down and subsequently recreated. SLSH also expanded its influence through cross-posting with affiliated channels to strengthen its network presence.



📌 Business Models


- SLSH leveraged its brand reputation to operate an extortion-driven service model.

  - The group operated an EaaS (Extortion-as-a-Service) program, collaborating with other cybercriminal groups to support data leaks, intimidation, and negotiation processes.

  - Evidence indicated development of a ransomware strain named ShinySp1der as part of an attempted RaaS (Ransomware-as-a-Service) initiative.


- For detailed insights regarding SLSH, please contact S2W Threat Intelligence Center (TALON).



✅ Recommended Threat Detection and Mitigation Actions:


- Although the group announced on October 20, 2025, that it would cease operations due to the arrest of key members, it created a new Telegram channel on November 21, 2025, stating that it would continue its activities.


- Continuous monitoring of related infrastructure and threat-actor activity is essential to detect potential renewed threats at an early stage and to reinforce threat-intelligence analysis and response capabilities.




🧑‍💻 Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request or with a subscription to the S2W platform.

