
Threat Actor Characterization

Scattered Lapsus$ Hunters

ID: 219b63c41bbabe87ef9f5bd451c19433
Cybercrime Cybercriminal Online Fraud Rings
Threat types: Extortion-as-a-Service, Social Engineering
Unknown
Updated: 2026-04-13
Created: 2026-03-04
Progress: 81% Completeness: 73% Freshness: 100%
Operation zone:
Aliases: Scattered Lapsus ShinyHunters, ScatteredLapsus$Hunters, S***
MITRE ATT&CK®

Scattered Lapsus$ Hunters (SLSH) is publicly reported as a cybercrime alliance blending tradecraft associated with Scattered Spider (UNC3944), LAPSUS$, and ShinyHunters. The most consistent operational model is identity-first compromise (vishing/help-desk manipulation and OAuth/SSO abuse), followed by SaaS tenant data theft (notably Salesforce customers) and coercive extortion pressure using leak-site deadlines and executive harassment/intimidation.


Technique | Technique name | Tactics | Evidence
T1566 | Phishing | TA0001 | 2025-10-03 — INFERENCE (confidence: medium): phishing may occur in the ecosystem, but core reporting emphasizes vishing/help desk manipulation and OAuth abuse rather than email-based delivery.
T1598 | Phishing for Information | TA0043 | 2025-10-03 — Social engineering via phone (vishing) is repeatedly described as central to tenant compromise and help desk manipulation.
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005 | 2025-10-03 — Identity-first compromise implies abuse of valid accounts/privileged sessions after help desk manipulation and token/OAuth access.
T1528 | Steal Application Access Token | TA0006 | 2025-10-03 — OAuth/SSO abuse is cited in reporting as a mechanism to access SaaS environments without exploiting platform vulnerabilities.
T1219 | Remote Access Tools | TA0011 | 2025-10-03 — INFERENCE (confidence: medium): remote admin tooling may be used in some affiliated Scattered Spider lineage incidents; prioritize identity and SaaS telemetry as primary signals.
T1005 | Data from Local System | TA0009 | 2025-10-03 — Data theft from SaaS tenants and corporate datasets is central to extortion claims; collection occurs through tenant export and access workflows.
T1041 | Exfiltration Over C2 Channel | TA0010 | 2025-10-10 — Exfiltration is inherent in the extortion model; reporting emphasizes stolen records and threatened publication after deadlines.
T1657 | Financial Theft | TA0040 | 2026-02-02 — Harassment, threats, and swatting-like intimidation against executives and families are described as part of coercive extortion strategy.
T1565 | Data Manipulation | TA0040 | 2025-10-03 — INFERENCE (confidence: low): integrity manipulation is not the dominant described outcome; primary impact is data exposure and coercion rather than destructive disruption.

Strategic Intelligence
Last updated: 2026-03-07T02:59:29+00:00

Scattered Lapsus$ Hunters - Cybercrime alliance / extortion ecosystem (EaaS-style data theft + harassment) with strong social-engineering tradecraft

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — Scattered Lapsus$ Hunters (SLSH)

Classification: Unclassified / OSINT — TLP:WHITE

Hunting Playbook

Hunting Playbook — Scattered Lapsus$ Hunters (SLSH)

Focus: Identity-first compromise (vishing/help desk), OAuth/SSO abuse, SaaS tenant data theft, and extortion pressure workflows. The goal is early detection before bulk export and coercion escalation.

IOC Appendix
Last updated: 2026-03-05T22:42:45+00:00

IOC Appendix — Scattered Lapsus$ Hunters (SLSH)

Classification: Unclassified / OSINT — TLP:WHITE

OSINT Library
Last saved: 2026-03-05T22:43:16+00:00

OSINT Library — Scattered Lapsus$ Hunters (SLSH)


2025-10-10 — Unit 42 — “Scattered Lapsus$ Hunters: What Retail and Hospitality Organizations Should Know”

Social Media & Communication
SOCMINT integrated: 0/3

Address Verification SOCMINT
t.me/shs******* Restricted Not integrated
t.me/Fsc************** Restricted Not integrated
t.me/sca****************** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.