Scattered LAPSUS$ Hunters (SLH) is a federated cybercriminal alliance that publicly emerged in early August 2025. It unites three previously distinct but well-known hacker groups (Scattered Spider, LAPSUS$, and ShinyHunters) under a shared brand and operational umbrella. Rather than functioning as a single hierarchical organization, SLH operates as a brand-level coalition, centralizing extortion operations, recruitment, and public communications. Its public-facing infrastructure, primarily Telegram channels and data-leak sites, serves as the hub for announcements, proof-of-compromise releases, and coordination with affiliates.
1. Primary Objectives
The alliance is designed to maximize extortion revenue, strengthen leverage through public visibility, and expand access via insiders and affiliates. SLH's objectives include monetizing stolen data at scale, providing "Extortion-as-a-Service" (EaaS) to partnered operators, conducting high-impact attacks on prominent enterprises, and maintaining long-term access channels through insider recruitment. The group deliberately cultivates fear, urgency, and reputational harm to victims to increase ransom-payment likelihood.
2. Techniques and Tactics
SLH relies heavily on human-centric intrusion methods such as vishing, smishing, SIM swapping, help-desk impersonation, and MFA fatigue to compromise accounts without deploying complex malware. Once inside target environments, the group uses legitimate remote-access tools, credential-dumping utilities, cloud-identity abuse, and living-off-the-land techniques to move laterally. Privilege escalation is achieved through exploitation of tokens, service accounts, and identity misconfigurations. Data is exfiltrated through cloud platforms, backups, remote consoles, and automated scripts. Their pressure strategy involves publishing stolen data, issuing aggressive ransom demands, and leveraging the SLH brand to amplify intimidation.
3. Exploiting Vulnerabilities and Weaknesses
SLH exploits a broad range of vulnerabilities. These include human authentication weaknesses (SMS-based MFA, weak recovery workflows), overly permissive cloud-identity structures, unpatched enterprise software, misconfigured backup and disaster-recovery tools, and insecure third-party OAuth integrations. These weaknesses enable attackers to escalate from a single compromised account to broad systemic access, often without relying on conventional malware.
4. Reported and Claim-Linked Enterprise Software Vulnerabilities
SLH has been associated with attempts to exploit enterprise-software vulnerabilities, particularly in Oracle and SAP ecosystems. Attackers target web-facing misconfigurations, authentication bypasses, and remote-code-execution pathways. Although not all claims are independently verified, evidence indicates that SLH affiliates blend opportunistic CVE exploitation with advanced social-engineering techniques to maximize infiltration opportunities.
5. Exploit Tools
SLH's toolkit combines legitimate administrative software with offensive utilities. Remote-access platforms such as AnyDesk and TeamViewer provide interactive control. Credential-dumping tools enable privilege escalation, while automated scripts assist with reconnaissance and high-volume data exfiltration. In cloud environments, the group manipulates service principals, API keys, and OAuth scopes. Backup utilities capable of exporting extensive datasets are frequently abused. The group's extortion infrastructure, built around leak portals and public communication channels, amplifies psychological pressure on victims.
6. Companies Affected and Scale of Impact
SLH has publicly named or claimed intrusions affecting global airlines, automotive manufacturers, consumer-goods brands, and other large enterprises. Since the start of the year, the group has targeted Salesforce customers through voice phishing attacks, breaching companies such as Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, Workday, as well as LVMH subsidiaries including Dior, Louis Vuitton, and Tiffany & Co. In addition to breaches, SLH has attempted to extort a wide range of high-profile brands and organizations, including Google, Cisco, Toyota, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, FedEx, Disney/Hulu, Home Depot, Marriott, Gap, McDonald's, Walgreens, TransUnion, HBO MAX, UPS, Chanel, and IKEA. The group also claimed responsibility for the Jaguar Land Rover (JLR) breach, stealing sensitive data and significantly disrupting operations. This incident alone resulted in damages exceeding £196 million ($220 million) in the last quarter. Victims have faced production stoppages, large-scale customer-data exposure, and supply-chain disruptions. Additional risk has spread through SaaS integrations and third-party service providers. Reported consequences include the exposure of millions to hundreds of millions of records, severe operational downtime, legal and regulatory penalties, and lasting reputational damage.
7. Categories of Damage and Organizational Impact
Targeted companies encounter emergency response costs, legal liabilities, regulatory investigations, and long-term trust erosion. Operational disruptions, including factory shutdowns and outages in enterprise platforms, directly impact revenue. Customer-remediation measures, such as credit-monitoring services and mass notifications, further increase financial strain. Stolen credentials, tokens, and sensitive data often remain viable for other attackers, creating an extended post-incident risk horizon.
8. Latest Updates
Despite publicly claiming to "disband", SLH-linked channels continue to release new leaks and extortion claims and to shift their communication patterns. Intelligence teams view the claim of dissolution as tactical: likely a pause, rebranding effort, or misdirection strategy rather than a genuine end. The group remains active within data-leak ecosystems, and stolen artifacts including tokens, credentials, and integration keys continue surfacing in emerging threat clusters. SLH's structure remains fluid and affiliate-driven, sustaining operations under or adjacent to the original identity.
9. Defense and Mitigation Actions
Organizations are encouraged to deploy phishing-resistant MFA, enforce stringent OAuth and third-party-integration policies, and strengthen help-desk identity-verification procedures. Monitoring cloud-privilege escalations and isolating backup systems is essential. Regular hunting for leaked tokens, dormant privileged accounts, and irregular data-movement patterns remains critical. Given SLH's blend of social-engineering expertise and cloud-identity exploitation, identity-centered security controls represent the single most impactful defensive priority.
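As an added illustration of the hunting this section recommends (example code written for this page, not taken from any SLH analysis or vendor tool), the Python below runs two checks over a constructed sample of identity-provider events: a detector for MFA push-fatigue bursts, the tactic described in section 2, and a finder for privileged accounts that authenticate again after a long dormant period. The event tuple format, the user names, and the PRIVILEGED inventory are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider events (not real logs): (timestamp, user, event, result)
SAMPLE_EVENTS = [
    ("2025-08-04T09:00:05", "j.doe", "mfa_push", "denied"),
    ("2025-08-04T09:00:40", "j.doe", "mfa_push", "denied"),
    ("2025-08-04T09:01:20", "j.doe", "mfa_push", "timeout"),
    ("2025-08-04T09:02:10", "j.doe", "mfa_push", "denied"),
    ("2025-08-04T09:03:00", "j.doe", "mfa_push", "denied"),
    ("2025-08-04T09:04:30", "j.doe", "mfa_push", "approved"),   # worn-down user finally accepts
    ("2025-08-04T10:15:00", "a.lee", "mfa_push", "approved"),   # a normal single prompt
    ("2025-04-20T08:00:00", "backup-svc", "login", "success"),
    ("2025-08-04T11:30:00", "backup-svc", "login", "success"),  # reactivated after >90 days
    ("2025-08-03T08:00:00", "cloud-admin", "login", "success"),
    ("2025-08-04T08:00:00", "cloud-admin", "login", "success"),
]
PRIVILEGED = {"backup-svc", "cloud-admin"}  # assumed privileged-account inventory

def mfa_fatigue_bursts(events, window_minutes=10, threshold=5):
    # Users who received >= threshold push prompts inside any window_minutes span
    pushes = defaultdict(list)
    for ts, user, event, _ in events:
        if event == "mfa_push":
            pushes[user].append(datetime.fromisoformat(ts))
    window, flagged = timedelta(minutes=window_minutes), set()
    for user, times in pushes.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted prompt times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)

def dormant_privileged_logins(events, privileged, dormant_days=90):
    # Privileged logins that follow more than dormant_days of inactivity on the same account
    logins = defaultdict(list)
    for ts, user, event, result in events:
        if user in privileged and event == "login" and result == "success":
            logins[user].append(datetime.fromisoformat(ts))
    hits = []
    for user, times in logins.items():
        times.sort()
        for prev, cur in zip(times, times[1:]):
            if cur - prev > timedelta(days=dormant_days):
                hits.append((user, cur.isoformat()))
    return hits
```

Both checks are meant to run against an export of the identity provider's sign-in and MFA events; the thresholds are starting points to tune against an environment's normal prompt and login cadence.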