Published: Friday | November 7, 2025 | Rheana Hagigal - Tier 2 Security Operations Centre Analyst
The cybersecurity landscape has been disrupted by the emergence of a powerful cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLH), a merger between three notorious groups: Scattered Spider, LAPSUS$, and ShinyHunters. This new federation represents a dangerous evolution of cybercrime, combining the social engineering tactics of Scattered Spider, the extortion-based aggression of LAPSUS$, and the data-theft expertise of ShinyHunters.
The Rise of Scattered LAPSUS$ Hunters
Since its debut in August 2025, SLH has repeatedly reemerged under various aliases across 16 Telegram channels, adapting to takedowns with resilience that mirrors organized crime structures. The group has built what appears to be an “Operations Centre,” using Telegram both for coordination and to publicize their exploits. Their operations blend extortion-as-a-service (EaaS), social engineering, and brand exploitation, allowing affiliates to carry out attacks under the SLH name for a share of profits.
Recent attacks have targeted organizations using Salesforce, highlighting the group’s focus on high-value enterprise systems. Given that many Jamaican organizations, including those in the public and financial sectors, rely on Salesforce for customer management and internal operations, this development poses a serious local risk.
Structure and Tactics
The SLH collective operates under a loose federation known as “The Com”, fostering collaboration across subgroups such as:
- UNC5537 (linked to Snowflake data extortion)
- UNC6040 (associated with recent Salesforce vishing campaigns)
- UNC3944 (core Scattered Spider members)
- Shinycorp (sp1d3rhunters), responsible for coordination and branding
Their tactics involve:
- Vishing and spear-phishing campaigns targeting corporate staff
- Use of remote access tools (AnyDesk, TeamViewer, ScreenConnect) for persistence
- Data extortion and leak threats on Telegram
- Emerging use of a custom ransomware variant, “Sh1nySp1d3r”
The group’s blend of financial motives and hacktivist theatrics has blurred the lines between cybercrime and activism, creating an ecosystem where reputation and visibility drive their momentum.
Impact on Jamaica
For Jamaica, this merger has several implications:
- Increased risk to organizations using Salesforce and other cloud-based platforms — SLH has already exploited such environments for extortion and credential theft.
- Heightened threat to public and private institutions that depend on external vendors and third-party SaaS tools, particularly as these groups thrive on social engineering.
- Potential spillover of ransomware campaigns targeting regional organizations, especially those lacking robust incident response mechanisms or relying on legacy infrastructure.
Given Jamaica’s growing digital transformation initiatives and various e-government platforms, awareness and preparedness against such evolving threats are critical.
Indicators of Compromise (IOCs)
Organizations are advised to monitor for the following known IOCs associated with SLH operations:
- Suspicious login attempts from unfamiliar IPs associated with Salesforce instances
- Unexpected installation of remote access tools (ScreenConnect, AnyDesk, Splashtop)
- Presence of archives named “SLH_data.zip” or “sp1d3r_dump”
- Unusual outbound connections to Telegram-related domains or short-link services
- Email subjects referencing “ShinySp1d3r Operations,” “SLSH,” or “Verification Notice”
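As an added example (not JaCIRT's own tooling), the following Python script turns the IOC list above into a small detection pass: it parses constructed key=value endpoint and mail log lines and flags the remote-access tools, archive names, Telegram egress and email subjects listed. The key=value log format, its field names and the sample lines are assumptions for illustration.

```python
import re

# Watchlists built from the IOC list above (constructed example; tune for your environment).
REMOTE_ACCESS_TOOLS = ("screenconnect", "anydesk", "splashtop", "teamviewer")
SUSPECT_ARCHIVES = ("slh_data.zip", "sp1d3r_dump")
SUSPECT_SUBJECTS = ("shinysp1d3r operations", "slsh", "verification notice")
TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; quoted values may hold spaces

def parse(line: str) -> dict[str, str]:
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()  # last component of a Windows or POSIX path

def is_telegram(dst: str) -> bool:
    host = dst.lower().rsplit(":", 1)[0]  # drop an optional :port
    return any(host == d or host.endswith("." + d) for d in TELEGRAM_DOMAINS)

def check(line: str) -> list[str]:
    """Return the IOC rules a single log line triggers (empty list if benign)."""
    ev, hits = parse(line), []
    kind = ev.get("event")
    if kind == "process_start":
        if any(t in basename(ev.get("image", "")) for t in REMOTE_ACCESS_TOOLS):
            hits.append("unapproved_remote_access_tool")
    elif kind == "file_create":
        if any(basename(ev.get("path", "")).startswith(a) for a in SUSPECT_ARCHIVES):
            hits.append("slh_named_archive")
    elif kind == "net_conn" and is_telegram(ev.get("dst", "")):
        hits.append("telegram_egress")
    elif kind == "mail":
        subject = ev.get("subject", "").lower()
        if any(re.search(r"\b" + re.escape(s) + r"\b", subject) for s in SUSPECT_SUBJECTS):
            hits.append("slh_phishing_subject")
    return hits

def scan(lines: list[str]) -> list[tuple[str, str]]:
    """Run every line through check(); return (rule, line) pairs for analyst review."""
    return [(rule, line) for line in lines for rule in check(line)]

# Constructed sample telemetry (not real logs): one line per indicator plus a benign event.
SAMPLE_LOGS = [
    r"event=process_start host=WS01 image=C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe",
    r"event=file_create host=WS01 path=C:\Users\jdoe\Downloads\SLH_data.zip",
    "event=net_conn host=WS01 dst=t.me:443",
    'event=mail from=helpdesk@example.invalid subject="Verification Notice: confirm your Salesforce login"',
    r"event=process_start host=WS02 image=C:\Windows\System32\notepad.exe",
]
```

Matches are returned for analyst triage rather than acted on automatically; the tool-name rule in particular will also fire on sanctioned installs, so compare hits against your allow-list of approved remote-access software.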
Recommendations
JaCIRT advises all organizations to:
- Review user access controls on Salesforce, Microsoft 365, and other SaaS tools.
- Enable multi-factor authentication (MFA) across all accounts, particularly for administrative users.
- Restrict installation of remote access software and monitor logs for unapproved tools.
- Conduct phishing and vishing awareness training for all employees, especially customer service and IT support staff.
- Update endpoint protection systems to detect remote administration and privilege escalation activity.
- Report suspicious incidents immediately to JaCIRT for analysis and coordination.
Disclaimer: The thumbnail image used was generated using artificial intelligence for illustrative purposes.
