
Scattered Spider, ShinyHunters, and LAPSUS$ Form Unified Cyber Extortion Collective

3 unique sources, 3 articles

Summary


A new cyber extortion collective, Scattered LAPSUS$ Hunters (SLH), has emerged as a unified alliance combining Scattered Spider, ShinyHunters, and LAPSUS$. The group is leveraging the reputational capital of these three high-profile criminal brands to create a consolidated threat identity. SLH is using Telegram as a command hub and brand engine, cycling through public channels to maintain a persistent presence. The alliance aims to fill the void left by the collapse of BreachForums and attract displaced operators with an affiliate-driven extortion model. SLH has created 16 Telegram channels since August 8, 2025, and offers an extortion-as-a-service (EaaS) model. The group is part of a larger cybercriminal enterprise known as The Com and has associations with other threat clusters, including CryptoChameleon and Crimson Collective. SLH's activities blend financially motivated cybercrime and attention-driven hacktivism, with a mature grasp of perception and legitimacy within the cybercriminal ecosystem. The group has hinted at developing a custom ransomware family named Sh1nySp1d3r and is aligned with DragonForce, functioning as an affiliate that breaks into targets through social engineering techniques. Recently, the admin of SLH, Rey, was identified as a 16-year-old named Saif Al-Din Khader from Amman, Jordan, who has been cooperating with law enforcement since June 2025. Rey has been involved in releasing SLH's new ShinySp1d3r ransomware-as-a-service offering, which is a rehash of Hellcat ransomware modified with AI tools.

Timeline

  1. 26.11.2025 19:22 · 1 article

    Rey's identity exposed and cooperation with law enforcement

    The admin of SLH, Rey, has been identified as a 16-year-old named Saif Al-Din Khader from Amman, Jordan. Rey has been cooperating with law enforcement since June 2025 and has been involved in releasing the group's new ShinySp1d3r ransomware-as-a-service offering. The article details Rey's operational security mistakes that led to the exposure of his real-life identity and location, as well as his involvement in pro-Palestinian hacktivist activities.

  2. 04.11.2025 16:15 · 3 articles

    Scattered Spider, ShinyHunters, and LAPSUS$ Form Unified Extortion Collective

    SLH has created 16 Telegram channels since August 8, 2025, and offers an extortion-as-a-service (EaaS) model. The group is part of a larger cybercriminal enterprise known as The Com and has associations with other threat clusters, including CryptoChameleon and Crimson Collective. SLH uses Telegram to coordinate and market its services, in the manner of hacktivist groups. The group has accused Chinese state actors of exploiting vulnerabilities and has targeted U.S. and U.K. law enforcement agencies. SLH invites channel subscribers to participate in pressure campaigns by finding and emailing C-suite executives. The group has hinted at developing a custom ransomware family named Sh1nySp1d3r and is aligned with DragonForce, functioning as an affiliate that breaks into targets through social engineering techniques. The admin of SLH, Rey, is a 16-year-old named Saif Al-Din Khader from Amman, Jordan, who has been cooperating with law enforcement since June 2025. Rey has been involved in releasing the group's new ShinySp1d3r ransomware-as-a-service offering, which is a rehash of Hellcat ransomware modified with AI tools.


Similar Happenings

DragonForce Cartel Ransomware Emerges with Conti-Derived Encryption

A new ransomware operation, DragonForce, has emerged, leveraging leaked Conti source code. This group has adopted a cartel-like structure, encouraging affiliates to create branded variants. DragonForce uses Conti's ChaCha20 and RSA encryption, targeting both local storage and network shares via SMB. The group has conducted coordinated attacks and recruited affiliates, including Devman, and has partnered with Scattered Spider for initial access operations. DragonForce has shown aggressive tactics, defacing rival groups' infrastructure and attempting server takeovers. Security experts advise robust backup practices, network segmentation, and consistent patching to defend against such threats.

LockBit, Qilin, and DragonForce Form Ransomware Alliance

LockBit, Qilin, and DragonForce have formed a strategic alliance to enhance their ransomware operations. This collaboration aims to share techniques, resources, and infrastructure, potentially increasing the threat to critical infrastructure and expanding the attack surface to previously low-risk sectors. LockBit has returned to active operations, with new victims identified in September 2025, marking a significant comeback more than a year after Operation Cronos, a law enforcement operation in early 2024 that disrupted its infrastructure and led to the arrest of some of its members. Qilin has been the most active ransomware group in recent months, disproportionately targeting North America-based organizations. The partnership is expected to bolster LockBit's reputation among affiliates and facilitate a surge in attacks.

Discord User Data Compromised in Third-Party Breach

Hackers claim to have stolen data from 5.5 million unique Discord users after compromising a third-party customer service provider. The attack occurred on September 20, 2025, affecting users who interacted with Discord’s customer support and/or Trust and Safety teams. The breach appears to be financially motivated, with hackers demanding a ransom. The Scattered Lapsus$ Hunters (SLH) threat group claimed responsibility for the attack, stating they breached a Zendesk instance used by Discord for customer support. The compromised data includes real names, usernames, email addresses, contact details, IP addresses, messages, attachments, photos of government-issued identification documents, partial billing information, and purchase history. Discord took immediate action to isolate the support provider from its ticketing system and launched an investigation with the help of a forensics firm and law enforcement. The hackers also accessed corporate data, including training materials and internal presentations. Discord has notified law enforcement and relevant data protection authorities about the incident. No full credit card numbers, CVV codes, passwords, or authentication data were compromised. Additionally, no messages or activity on Discord outside of communication with customer support were obtained by the attackers.

WestJet data breach impacts 1.2 million customers

WestJet, a major Canadian airline, has confirmed that a cyberattack on June 13, 2025, compromised the personal information of 1.2 million customers. The breach involved the theft of travel documents, including passports and ID documents. The attackers gained access to the network through a Citrix system after resetting an employee's password via social engineering. The breach was attributed to threat actors associated with Scattered Spider, although no official attribution has been made. The compromised data includes full names, dates of birth, mailing addresses, travel documents, requested accommodations, filed complaints, WestJet Rewards Member IDs, and details of WestJet RBC Mastercard information. No credit card or debit card numbers, expiry dates, CVV numbers, or user passwords were compromised. The airline is working with the FBI and has offered a free 2-year identity theft protection and monitoring service to affected customers. The breach was first identified on June 13, 2025, and the data breach notification was sent to the Office of the Maine Attorney General on September 29, 2025.

Global Phishing Campaign Installs Multiple RATs via JavaScript Droppers

A rapidly spreading phishing campaign is targeting Windows users and Booking.com partner accounts worldwide, stealing credentials and deploying various remote access trojans (RATs) using malicious JavaScript files and PowerShell commands. The campaign affects multiple sectors, including manufacturing, technology, healthcare, construction, and retail/hospitality. The attackers use personalized phishing pages and socially engineered scenarios to lure victims into downloading the malware. The campaign involves multiple stages, including an initial obfuscated script, a spoofed site, and the deployment of RATs such as PureHVNC, DCRat, and Babylon RAT. The attackers employ sophisticated techniques to evade detection and maintain long-term access to compromised networks. The campaign has been observed in countries including Austria, Belarus, Canada, Egypt, India, and Pakistan. The phishing emails use themes related to voicemail messages, purchases, and banking verification issues to deceive recipients into clicking on malicious links. The initial payload is a ZIP archive containing an obfuscated JavaScript file that acts as a dropper for UpCrypter, which functions as a conduit for various RATs. The malware uses steganography to embed the final payload within a harmless-looking image and includes anti-analysis and anti-virtual machine checks to evade detection. The malware is executed without writing to the file system, minimizing forensic traces. The campaign is part of a larger trend in which threat actors abuse legitimate services for phishing attacks.

A separate campaign impersonates Ukrainian government agencies to deliver CountLoader, which drops Amatera Stealer and PureMiner. The phishing emails contain malicious SVG files designed to trick recipients into opening harmful attachments. The SVG files initiate the download of a password-protected ZIP archive containing a CHM file, which activates CountLoader. CountLoader has been observed dropping various payloads, including Cobalt Strike, AdaptixC2, and PureHVNC RAT; in this case, it drops Amatera Stealer and PureMiner. Amatera Stealer gathers system information, collects files, and harvests data from various applications and browsers.

A Vietnamese-speaking threat group uses phishing emails with copyright infringement notice themes to deploy PXA Stealer, which evolves into PureRAT, a modular, professionally developed backdoor that gives attackers complete control over a compromised host. The attack chain begins with a ZIP archive containing a legitimate PDF reader executable and a malicious DLL, using DLL sideloading to execute the next payload. The malware employs multiple stages of obfuscation, including Base64 encoding, steganography, and anti-analysis techniques, and combines Python scripts with .NET executables, demonstrating a progression from simple phishing lures to multi-layered infection sequences involving defense evasion and credential theft. The threat actor uses Telegram bot descriptions and URL shorteners to dynamically fetch and execute the next payload, allowing for flexible updates to the attack chain. The malware includes defense evasion techniques such as AMSI patching and ETW unhooking to avoid detection by security tools. The campaign is attributed to a Vietnamese-speaking threat group associated with the PXA Stealer malware family, using infrastructure traced to Vietnam. The threat actor demonstrates proficiency in multiple languages and techniques, including Python bytecode loaders, WMI enumeration, .NET process hollowing, and reflective DLL loading. The pivot from a custom-coded stealer to a commercial RAT like PureRAT lowers the barrier to entry for the attacker, providing access to a stable, feature-rich toolkit.

A large-scale phishing operation has been targeting Booking.com partner accounts since at least April 2025, exploiting hotel systems and customer data through a sophisticated malware campaign. The intrusion begins with malicious emails sent from legitimate hotel accounts or impersonating Booking.com, leading victims to execute a PowerShell command that downloads PureRAT. PureRAT allows attackers to remotely control infected machines, steal credentials, capture screenshots, and exfiltrate sensitive data. The malware initially targets hotel staff to steal login credentials for booking platforms, which are then used in fraudulent schemes. The campaign demonstrates the growing professionalization of cybercrime targeting the hospitality industry, with hundreds of malicious domains active as of October 2025. The reporting firm continues to monitor adversary infrastructure and improve detection methods to help protect booking platforms and their customers.

Researchers have also uncovered a broad campaign in which threat actors target hotels with ClickFix attacks to steal customer data, as part of ongoing attacks against the hospitality sector that include secondary attacks against the establishments' customers. The initial attack against hotels uses a compromised email account to send malicious messages to multiple hotel establishments. In some instances, attackers alter the "From" header to impersonate Booking.com, while subject lines are often related to guest matters, including references to last-minute bookings, listings, and reservations. The attack chain then uses a redirection URL that ultimately leads to a ClickFix reCAPTCHA challenge in which users are prompted to copy a malicious PowerShell command. This command eventually leads to the deployment of infostealing and remote access Trojan (RAT) malware. The campaign has led to secondary attacks against hotel customers, with attackers contacting them via WhatsApp or email using the target's legitimate reservation details. Attackers then ask victims to validate banking details by visiting a URL, which leads to a phishing page that mimics Booking.com's typography and layout and harvests the victim's banking information.

A Russian-speaking threat actor behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity, per Netcraft security researcher Andrew Brandt, targets customers of the hospitality industry with spam emails, specifically hotel guests who may have travel reservations. The campaign is said to have begun in earnest around February 2025. Of the 4,344 domains tied to the attack, 685 contain the name "Booking", followed by 18 with "Expedia," 13 with "Agoda," and 12 with "Airbnb," indicating an attempt to target all popular booking and rental platforms. The campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website; the customizations use the logos of major online travel industry brands, including Airbnb and Booking.com. The attack begins with a phishing email urging recipients to click on a link to confirm their booking within the next 24 hours using a credit card. Should they take the bait, the victims are taken through a chain of redirects to a fake site. These bogus sites follow consistent naming patterns for their domains, featuring phrases like confirmation, booking, guestcheck, cardverify, or reservation to give them an illusion of legitimacy. The pages support 43 different languages, allowing the threat actors to cast a wide net. The page then instructs the victim to pay a deposit for their hotel reservation by entering their card information. Any user who attempts to access the page directly without the unique identifier, called AD_CODE, is greeted with a blank page; the same AD_CODE is used to ensure consistent branding across pages. The bogus sites also feature a fake CAPTCHA check that mimics Cloudflare to deceive the target. The phishing pages attempt to process a transaction in the background while displaying a support chat window for 3D Secure verification. The identity of the threat group remains unknown, but Russian is used in source code comments and debugger output. The campaign is linked to a previous phishing campaign targeting the hospitality industry with PureRAT malware. The phishing kit is a fully automated, multi-stage platform designed for efficiency and stealth; it employs CAPTCHA filtering to evade security scans and uses Telegram bots to exfiltrate stolen credentials and payment information.