Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
2 malware familiesExploits CVEs in the wild

Scattered Lapsus$ Hunters

Also known aslapsus$_huntersScattered LAPSUS$ Hunters (SLH)scattered_lapsus_huntersscattered_lapsus$_huntersslhslshtrinity_of_chaos

Scattered LAPSUS$ Hunters (also referred to as SLH, SLSH, LPH, and Trinity of Chaos) is described in the provided reporting as a financially motivated cybercriminal conglomerate formed in mid-2025 from Scattered Spider, LAPSUS$, and ShinyHunters. The group is characterized as a loose amalgamation of typically young, reckless, English-speaking hackers and is associated with data theft, extortion, leak-site operations, and social-engineering-driven intrusions rather than traditional file-encrypting ransomware alone. Across the cited reporting, Scattered LAPSUS$ Hunters is linked to large-scale exfiltration and extortion activity, including the Salesforce-related data theft campaign affecting hundreds of companies, claims against Salesforce itself, and attacks or claimed attacks involving Resecurity, SK Telecom, Jaguar Land Rover, Discord/Zendesk-related exposure, Marks & Spencer, Co-op, Harrods, and Instructure’s September 2025 Salesforce incident. The group also reportedly exposed phone numbers and addresses of hundreds of government officials, including nearly 700 from DHS. The group’s tradecraft in the provided content centers on interactive social engineering, especially vishing and help-desk impersonation, credential theft, abuse of compromised authentication tokens, insider recruitment, and post-compromise extortion. Reporting states that the actors increasingly used human-driven interactive social engineering in 2025, sought insider access in sectors including call centers, gaming, hosting, SaaS, and telecom, and operated extortion schemes without necessarily deploying file encryption. The group used Telegram channels and dark web leak sites to communicate, threaten victims, advertise extortion-as-a-service, and publish or threaten stolen data. The content also notes overlap and affiliated branding with ShinyHunters and other offshoots or related subsets, including CoinbaseCartel as a data-theft offshoot of the broader collective. Public reporting cited in the content also references possible ransomware branding such as SHINYSP1D3R, though the reporting explicitly states it was unclear whether that capability was genuinely under development.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services
MITRE ATT&CK

Tradecraft

47 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

15 of 15 tactics61 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
2 techniques
T1589
Gather Victim Identity Information
T1598×3
Phishing for Information
T1598.004×2
Spearphishing Voice
TA0042
Resource Development
1 technique
T1583
Acquire Infrastructure
TA0001
Initial Access
5 techniques
T1078×7
Valid Accounts
T1190×4
Exploit Public-Facing Application
T1195×5
Supply Chain Compromise
T1199
Trusted Relationship
T1566×5
Phishing
T1566.002
Spearphishing Link
T1566.003
Spearphishing via Service
T1566.004×2
Spearphishing Voice
TA0002
Execution
2 techniques
T1059
Command and Scripting Interpreter
T1059.006
Python
T1203
Exploitation for Client Execution
TA0003
Persistence
3 techniques
T1078×7
Valid Accounts
T1098
Account Manipulation
T1098.001×2
Additional Cloud Credentials
T1098.003
Additional Cloud Roles
T1556
Modify Authentication Process
TA0004
Privilege Escalation
3 techniques
T1078×7
Valid Accounts
T1098
Account Manipulation
T1098.001×2
Additional Cloud Credentials
T1098.003
Additional Cloud Roles
T1484
Domain or Tenant Policy Modification
TA0005
Stealth
1 technique
T1078×7
Valid Accounts
TA0112
Defense Impairment
2 techniques
T1484
Domain or Tenant Policy Modification
T1556
Modify Authentication Process
TA0006
Credential Access
9 techniques
T1003
OS Credential Dumping
T1003.001
LSASS Memory
T1056
Input Capture
T1528
Steal Application Access Token
T1552
Unsecured Credentials
T1552.001
Credentials In Files
T1552.004
Private Keys
T1555
Credentials from Password Stores
T1555.005
Password Managers
T1556
Modify Authentication Process
T1557×2
Adversary-in-the-Middle
T1621
Multi-Factor Authentication Request Generation
T1649×2
Steal or Forge Authentication Certificates
TA0007
Discovery
3 techniques
T1069
Permission Groups Discovery
T1069.002
Domain Groups
T1580
Cloud Infrastructure Discovery
T1654
Log Enumeration
TA0008
Lateral Movement
1 technique
T1021
Remote Services
TA0009
Collection
4 techniques
T1056
Input Capture
T1185
Browser Session Hijacking
T1213×3
Data from Information Repositories
T1557×2
Adversary-in-the-Middle
TA0011
Command and Control
2 techniques
T1090
Proxy
T1219
Remote Access Tools
TA0010
Exfiltration
4 techniques
T1020×3
Automated Exfiltration
T1041×9
Exfiltration Over C2 Channel
T1048
Exfiltration Over Alternative Protocol
T1567×4
Exfiltration Over Web Service
T1567.002×2
Exfiltration to Cloud Storage
TA0040
Impact
4 techniques
T1486×10
Data Encrypted for Impact
T1489
Service Stop
T1498
Network Denial of Service
T1657×5
Financial Theft
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ShinySp1d3rOn Oct. 4, 2025, the threat actors claimed to be developing a new form of ransomware named “SHINYSP1D3R” as noted in Figures 6 and 7.2Jun 14, 2026
ShinyHunters"ShinyHunters has operated this model exclusively. They have never encrypted a single victim’s file."1Mar 5, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-61882Unauthenticated RCE in Oracle E-Business Suite Concurrent Processing BI Publisher IntegrationIn the wildEvidence1

As with the zero-day vulnerability announced by Oracle last week – tracked as CVE-2025-61882... Mandiant initially noted that Cl0p abused known and patched vulnerabilities, but added last week that the group also exploited the CVE-2025-61882 zero-day. SOCRadar also wrote that the flaw had been exploited in the wild – Oracle issued a patch for it October 4 – and that a public proof-of-concept exploit had been released.

IOCS

Observables

3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

3 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
cysecurity newsNews
Jun 16, 2026
Ransomware Gang Apologizes After Mistakenly Attacking CIS Company and Revealing Criminal Errors - CySecurity News - Latest Information Security and Hacking Incidents

Ransom-motivated group that falsely claimed complete compromise and data theft from Resecurity, but was instead caught in a decoy environment that aided law-enforcement follow-on action.

Read more
register securityNews
Jun 2, 2026
'Dumbass' criminal breaks the 'first rule of ransomware club'

Data-leak and extortion crew that falsely claimed full access to Resecurity systems but instead fell into a honeypot, leading to investigative action.

Read more
the record mediaNews
May 18, 2026
Grafana refuses to pay ransom after codebase theft | The Record from Recorded Future News

Larger cybercriminal collective from which CoinbaseCartel emerged as a data-theft offshoot.

Read more
register securityNews
May 14, 2026
Security pros doubt Canvas attackers really deleted stolen student data

Named as an interconnected extortionist network associated with The Com, involved in SIM swapping and coercive/extortion activity including threats of physical harm.

Read more
+195 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping47

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables3

Domains, IPs, and hashes tied to this actor, refreshed continuously.