
Three of the world's most prolific cybercrime collectives—Scattered Spider, LAPSUS, and ShinyHunters—have merged into a unified threat alliance called "Scattered LAPSUS Hunters" (SLH), creating what security researchers are calling the first consolidated federation within "The Com" cybercriminal network.
The group launched in early August 2025 and has demonstrated remarkable resilience, rebuilding its Telegram command centers 16 times after successive platform takedowns—a cycle that underscores both aggressive platform moderation and the operators' determination to maintain their high-visibility presence.
According to Trustwave SpiderLabs' latest threat intelligence report, SLH now operates an Extortion-as-a-Service (EaaS) model, allowing affiliate hackers to leverage the combined notoriety of all three brands to maximize ransom payments.
The group uses Telegram not just for communication but as a theatrical stage for announcing breaches, posting proof-of-compromise data, and even crowdsourcing harassment campaigns against executives.
"What sets SLH apart is its active use of Telegram as both a performative marketing and public messaging platform—a style more typical of hacktivist groups," the Trustwave report states.
Despite managing roughly 30 active online personas, linguistic analysis suggests fewer than five core operators control the federation, with the ShinyHunters contingent forming its nucleus.
The merged collective brings sophisticated technical capabilities to the table. SLH employs AI-automated voice phishing (vishing) tools that abuse services like Google Voice to scale social engineering attacks.
The group has claimed the exploitation of multiple zero-day vulnerabilities, including CVE-2025-61882, which affects Oracle E-Business Suite—the same flaw later exploited by Cl0p ransomware operators—and CVE-2025-31324, targeting SAP NetWeaver.
One particularly concerning member is "yuka" (also known as Yukari or Cvsp), an exploit developer previously associated with the BlackLotus UEFI bootkit and Medusa rootkit. This technical expertise enables SLH to target cloud infrastructure, SaaS platforms, CRM systems, and enterprise databases—high-value aggregation points that offer an immediate return on investment.
Companies like Salesforce have already been named as victims on SLH's data leak sites. The timing of this consolidation coincides with the collapse of BreachForums, a major cybercriminal marketplace, creating a vacuum that SLH appears designed to fill.
What Organizations Should Do:
Security teams should prioritize cloud security hygiene, implement robust multi-factor authentication resistant to social engineering, monitor for unusual privilege escalations, and maintain current patches for CRM and enterprise platforms. Given SLH's sophisticated vishing capabilities, employee security awareness training should specifically address AI-powered voice impersonation attacks.
The emergence of this federated alliance signals an evolution in cybercrime toward professionalized branding and service-oriented operations, where controlling narrative and audience engagement become strategic assets alongside technical exploitation capabilities.