In 2025, cybersecurity teams confronted a new threat: Scattered LAPSUS$ Hunters, an alliance uniting the notorious Scattered Spider, LAPSUS$, and ShinyHunters groups.
This supergroup represents a new level of organization in cybercrime, blending advanced social engineering, data theft, and extortion tactics into coordinated, multi-stage attacks against high-value enterprise targets.
Origins of the Threat Actor Group
Each member group of the Scattered LAPSUS$ Hunters contributes distinct capabilities.
Scattered Spider is known for its initial access techniques, including help-desk impersonation and credential theft.
LAPSUS$ has built its reputation on insider recruitment and source code leaks from major corporations. ShinyHunters brings expertise in large-scale data harvesting and extortion.
Together, they have created a collective capable of simultaneously breaching, exfiltrating, and monetizing sensitive enterprise data across diverse industries — from SaaS platforms like Salesforce to sectors such as aviation, retail, and insurance.
The alliance became publicly visible in mid-2025 when a Telegram channel surfaced claiming to unite members of all three groups.
The channel quickly gained notoriety, coordinating leaks, threats, and promotions of a new ransomware-as-a-service (RaaS) offering called shinysp1d3r.
Though the channel was later removed, its brief existence demonstrated the alliance’s global reach and ability to coordinate large-scale operations.
Timeline of Attacks
The group’s earliest activities trace back to late 2024, when attackers infiltrated corporate Salesforce environments through sophisticated vishing campaigns that persuaded employees to approve malicious applications.
These integrations granted the attackers API-level access, enabling large-scale data exfiltration from major firms.
Between March and June 2025, Scattered LAPSUS$ Hunters compromised the GitHub repositories of Salesloft and later Drift, gaining unauthorized access to OAuth tokens and customer integration data.
Google’s Threat Analysis Group linked these incidents to overlapping clusters associated with both ShinyHunters and Scattered Spider.
In September 2025, the FBI issued a FLASH alert on the attacks.
Although the group announced a temporary shutdown in September, investigators observed continued activity, including the launch of an extortionware portal in October 2025.
The portal threatened public exposure of stolen data unless ransom payments were made, demonstrating the group’s ongoing operational capacity despite public claims of disbandment.
Tactics, Techniques, and Procedures (TTPs)
Picus Security researchers analyzed the TTPs of Scattered LAPSUS$ Hunters.
Their resource development often involves insider recruitment, which includes advertising on dark web channels for employees willing to sell access to corporate systems like Okta, Microsoft SSO, and GitHub.
For initial access, the group favors vishing and OAuth abuse rather than traditional software exploits.
Using AI-driven voice technology, attackers impersonate IT support staff, persuading employees to approve malicious applications or reset multi-factor authentication (MFA) tokens.
This combination of human manipulation and token hijacking has proven highly effective in breaching environments.
Once inside, the group targets Active Directory databases using built-in Windows tools such as ntdsutil or, in some cases, by attaching domain controller disks to unauthorized virtual machines via VMware vCenter.
They also steal credentials through browser password dumps and exploit cloud instance metadata APIs to escalate privileges in cloud environments.
For persistence and surveillance, the attackers configure email forwarding rules to exfiltrate communications and deploy legitimate remote access tools like TeamViewer and Splashtop to evade detection.
Ultimately, their campaigns culminate in financial extortion through dark web leak portals where stolen data is auctioned or published to pressure victims.
Building Cyber Resilience
Organizations can defend against this threat actor by focusing on human, technical, and procedural resilience.
The first priority is employee awareness and training — especially regarding vishing and MFA fatigue attacks.
Employees should verify all IT-related requests through official channels and report any unusual authentication prompts.
From a technical perspective, organizations should enforce least-privilege access, implement conditional MFA policies, and monitor for suspicious OAuth application approvals.
Cloud infrastructure should be configured to restrict access to sensitive APIs, and development environments should require signed integrations.
Security teams should audit administrative tools and remote access software regularly to ensure they are used only by authorized personnel.
Endpoint detection and response (EDR) tools can help identify unauthorized installations or unusual privilege escalations, and organizations should also leverage AI-based detection tools.
Conducting regular threat simulations and tabletop exercises helps assess defenses against the tactics employed by Scattered LAPSUS$ Hunters.
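As an added illustration (not from the original article or from Picus Security's analysis), the triage below runs simple detections for three of the TTPs described above (suspicious OAuth consents, external mail forwarding rules, and NTDS export or remote-tool installs) over constructed audit events normalised to one flat schema; the approved-app list, corporate mail domain and authorised installer accounts are assumed placeholders.

```python
import re
# Constructed sample audit events (not real telemetry) normalised to one flat
# schema so a single pass covers the TTPs described above.
EVENTS = [
    {"type": "oauth_consent", "user": "j.doe", "app": "Sales Sync Helper",
     "publisher_verified": False, "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"type": "oauth_consent", "user": "a.lee", "app": "Corp HR Portal",
     "publisher_verified": True, "scopes": ["User.Read"]},
    {"type": "mail_rule", "user": "j.doe", "forward_to": "archive@mail-backup.example"},
    {"type": "mail_rule", "user": "a.lee", "forward_to": "a.lee@corp.example"},
    {"type": "process", "host": "DC01", "user": "CORP\\svc-backup",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full c:\\temp" q q'},
    {"type": "process", "host": "WS17", "user": "CORP\\j.doe",
     "cmdline": "C:\\Users\\j.doe\\Downloads\\TeamViewer_Setup.exe /S"},
]
CORP_DOMAIN = "corp.example"               # assumption: the org's own mail domain
APPROVED_APPS = {"Corp HR Portal"}         # assumption: allow-listed OAuth apps
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"}
RAT_PATTERN = re.compile(r"teamviewer|splashtop", re.I)
AUTHORIZED_RAT_USERS = {"CORP\\helpdesk"}  # assumption: who may deploy remote tools

def check_oauth(e):
    # Off-list app asking for high-risk scopes, or from an unverified publisher.
    if e["app"] in APPROVED_APPS:
        return None
    risky = sorted(set(e["scopes"]) & HIGH_RISK_SCOPES)
    if risky or not e["publisher_verified"]:
        return f"OAuth consent by {e['user']} to '{e['app']}' scopes={risky}"

def check_mail_rule(e):
    # Forwarding anywhere outside the organisation's own domain is suspicious.
    if not e["forward_to"].lower().endswith("@" + CORP_DOMAIN):
        return f"External forwarding rule by {e['user']} -> {e['forward_to']}"

def check_process(e):
    cmd = e["cmdline"].lower()
    if "ntdsutil" in cmd and "ifm" in cmd:   # ifm = offline NTDS database export
        return f"NTDS export via ntdsutil on {e['host']} by {e['user']}"
    if RAT_PATTERN.search(cmd) and e["user"] not in AUTHORIZED_RAT_USERS:
        return f"Remote access tool on {e['host']} by {e['user']}"

CHECKS = {"oauth_consent": check_oauth, "mail_rule": check_mail_rule, "process": check_process}

def triage(events):
    # One pass over normalised events; returns the alert strings in order.
    return [a for e in events if (a := CHECKS[e["type"]](e))]

if __name__ == "__main__":
    print("\n".join(triage(EVENTS)))
```

In practice each check would be fed from the corresponding source (identity-provider consent logs, mailbox audit logs, EDR process telemetry) rather than from one hand-built list.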
The emergence of Scattered LAPSUS$ Hunters marks a turning point in cybercrime evolution — an alliance that blends technical prowess with social engineering mastery.
Their operations demonstrate how human vulnerabilities, when combined with access to cloud ecosystems and insider threats, can yield devastating results.
