
The Scattered Lapsus$ Hunters (SLH) hacking collective, known for including minors and targeting major corporations, has reemerged with expanded recruitment and activity, security researchers warn. However, the New Year began with a stumble: the gang fell for a honeypot.
“We would like to announce that we have gained full access to Resecurity systems. We took everything,” SLH gloated on their current Telegram channel, which is likely to get banned like many previous accounts.
The gang gloated that the cybersecurity firm “got fully owned,” and all their internal chats, employee data, client lists, and other sensitive information were stolen, according to a now-deleted post shared by databreaches.net.
Yet, Resecurity didn’t even blink over the devastating cybersecurity incident.
The firm stated that the threat actors accessed a deliberately deployed honeypot, which contained fabricated synthetic data, such as fake credentials and other decoy content. Researchers used fake accounts, dummy data, and AI-generated content to populate the honeypot.
“Following our publication, the group called ShinyHunters, previously profiled by Resecurity, fell into a honeypot. In fact, we are dealing with its rebranded version, which calls itself SLH due to the alleged overlap between the threat actors ShinyHunters, Lapsus$, and Scattered Spider,” the company confirmed in its blog post.
“The group claimed that ‘it has gained full access to Resecurity systems,’ which is a clear overstatement, as the honeypot environment prepared by us did not contain any sensitive information.”
This allowed security researchers to log and expose the IP addresses used by the attackers, and they were also able to “identify the actor and link one of his active Gmail accounts to a US-based phone number and a Yahoo account.”
“The activity has been imaged and retained, including exact timestamps and network connections, which have been shared with law enforcement.”
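As an added illustration (not Resecurity's tooling, whose internals the article does not describe), the following Python monitor watches an authentication log for any use of decoy credentials seeded into a honeypot and retains each hit with its exact timestamp and source IP in a hash-chained evidence record; the log format, account names and IP addresses are constructed for the example.

```python
import hashlib
import json
import re

# Constructed decoy account names: they exist only inside the honeypot and are
# never issued to a real user, so any login with one of them is a detection.
DECOY_USERS = {"svc-backup-ro", "jdoe.finance"}

# Constructed auth-log format: "<ISO timestamp> src=<ip> user=<name> result=<ok|fail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<res>\w+)$")
GENESIS = "0" * 64


def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def build_evidence(lines, prev_hash=GENESIS):
    """Scan log lines; return (alerts, last_hash). Every decoy hit becomes a record
    holding the exact timestamp and source IP, chained by SHA-256 to the previous
    record so the retained evidence cannot be altered or thinned unnoticed."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["user"] not in DECOY_USERS:
            continue  # unparsable or a real account: not a honeypot event
        rec = {"observed_at": m["ts"], "source_ip": m["ip"], "decoy_user": m["user"],
               "raw": line.strip(), "prev_hash": prev_hash}
        prev_hash = _digest(rec)
        rec["hash"] = prev_hash
        alerts.append(rec)
    return alerts, prev_hash


def verify_chain(alerts, genesis=GENESIS):
    """Recompute each hash from its record; True only if nothing was changed or dropped."""
    prev = genesis
    for a in alerts:
        body = {k: v for k, v in a.items() if k != "hash"}
        if body["prev_hash"] != prev or _digest(body) != a["hash"]:
            return False
        prev = a["hash"]
    return True


# Constructed sample log: two normal logins, two hits on decoy accounts from one IP.
SAMPLE_LOG = [
    "2026-01-02T03:14:07Z src=203.0.113.7 user=alice result=ok",
    "2026-01-02T03:15:22Z src=198.51.100.23 user=svc-backup-ro result=ok",
    "2026-01-02T03:15:40Z src=203.0.113.9 user=bob result=fail",
    "2026-01-02T03:16:01Z src=198.51.100.23 user=jdoe.finance result=ok",
]
```

Running `build_evidence(SAMPLE_LOG)` yields two chained records, both from 198.51.100.23, and `verify_chain` returns False as soon as any record is edited or dropped.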
Another reemergence
SLH, a conglomerate of three previously separate cybercrime gangs, stayed dormant for a while after high-profile intrusions that abused Salesforce third-party integrations and targeted Zendesk users.
Cyble, a cybersecurity firm, warns that SLH has reemerged with a more structured operational model, expanded recruitment efforts, and renewed public activity.
“They are actively seeking Initial Access brokers, insider collaborators, and corporate credentials that align with their selection criteria,” Cyble said in the report on the threat actor’s resurgence.
“The collective is actively pursuing privileged identity access and infrastructure credentials across major enterprises, demonstrating a shift toward deeper post-authentication exploitation and lateral expansion.”
Telegram and dark web forums provide evidence that SLH pivots toward high-revenue enterprises (≥ USD 500M) across telecommunications, software/gaming supply chains, BPO/call-center environments, and cloud/hosting providers. The gang avoids targeting companies in Russia, China, North Korea, or Belarus.
The collective has been building a new ransomware variant called “ShinySp1d3r.” Its members routinely issue bold, provocative statements about planned attacks or perceived enemies, who are often security researchers.
This wouldn’t be the first time the gang “retires” and resurfaces. The hackers regrouped last September after claiming they achieved their goals.
Gang members have been the subject of major arrests. Cybernews previously reported that LAPSUS$ was taken down in 2022. The alleged leader of Scattered Spider, known as “TylerB,” was arrested in Spain, and another gang member, Michael Urba (King Bob), will spend 10 years in federal US prison. ShinyHunters’ numbers were reduced after authorities arrested key individuals running the notorious BreachForums.