TLP:WHITE
THREAT ACTOR DOSSIER // SCATTERED-LAPSUS-HUNTERS-SHINYSP1D3R
FIRST SEEN: AUG 2025

SCATTERED LAPSUS$ HUNTERS (ShinySp1d3r RaaS)

ALSO KNOWN AS: SLSH, Scattered LAPSUS$ Hunters, UNC6040 (ShinyHunters component, Google TAG), UNC6395 (Scattered Spider component, Google TAG)
FROM: DMZ INTELLIGENCE DESK
ORIGIN: English-speaking / Western (primarily US, UK — 'The Com' community)
ATTRIBUTION: ORGANIZED CRIME
STATUS: ACTIVE
FIRST OBSERVED: AUG 2025
TECHNICAL: 71/100
RESOURCES: 71/100
PERSISTENCE: 74/100
STEALTH: 66/100
IMPACT: 80/100

Scattered Lapsus$ Hunters (SLSH) is a declared alliance of three notorious English-speaking cybercrime collectives — Scattered Spider, Lapsus$, and ShinyHunters — that formalized a joint operation in August 2025 following a series of coordinated Salesforce platform intrusions claiming 91 victim organizations. The alliance is now developing ShinySp1d3r, a custom RaaS platform featuring novel ETW hook-based logging suppression, self-propagating encryptor, and planned Linux/VMware ESXi variants — representing a leap from the groups' historical reliance on third-party encryptors (BlackCat, Qilin, DragonForce). The collective is actively recruiting corporate insiders targeting organizations with $500M+ annual revenues, excluding CIS countries and healthcare, with aggressive commission-based IAB deals and insider outreach on Telegram and dark web forums heading into mid-2026.

MOTIVATION: Financial — data theft, extortion, and ransomware; expanding from pure social-engineering/exfiltration into full-spectrum RaaS operations via the ShinySp1d3r platform

TTPs (MITRE ATT&CK):
T1566 (Phishing — vishing/voice phishing and help desk impersonation)
T1621 (MFA Bombing / push fatigue)
T1539 (Steal Web Session Cookie — OAuth manipulation)
T1528 (Steal Application Access Token — Salesforce API-level access via fake integration)
T1078 (Valid Accounts — SIM swapping for credential takeover)
T1591 (Gather Victim Org Information — insider recruitment via Telegram)
T1486 (Data Encrypted for Impact — ShinySp1d3r)
T1003 (Credential Dumping)
T1562 (ETW hook disabling via EtwEventWrite function hooking — ShinySp1d3r)
T1486 (Intermittent/space-filling encryption to impede recovery)
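The T1562 entry above (ETW logging suppressed by hooking EtwEventWrite) has a direct defensive counterpart: an integrity check of the function's first bytes, the kind of check an EDR agent or a self-protecting service runs. The following is an added example, not tooling from this dossier or from any vendor; it assumes x86-64, classifies constructed byte samples on any platform, and reads the live ntdll!EtwEventWrite prologue only when built on Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Verdicts for the first bytes of an x86-64 function. */
typedef enum {
    PROLOGUE_CLEAN = 0,   /* none of the known stub shapes matched */
    PROLOGUE_JMP_REL32,   /* E9 rel32: detour to another address */
    PROLOGUE_JMP_ABS,     /* FF 25 disp32: jmp [rip+disp32] */
    PROLOGUE_MOV_JMP,     /* 48 B8 imm64 ; FF E0: mov rax, imm64 ; jmp rax */
    PROLOGUE_RET_STUB,    /* C3 or 33 C0 C3: returns at once, nothing is logged */
    PROLOGUE_TRAP,        /* CC: int3 planted at entry */
    PROLOGUE_UNAVAILABLE  /* export not found or non-Windows build */
} prologue_verdict;
/* Classify the first n bytes of a function. The 12-byte mov/jmp shape is tested
 * before the 1-byte ret so a clean 0x48 (REX.W) prefix is never misread. CLEAN
 * means no known stub matched, not proof of integrity; diffing the live bytes
 * against the on-disk image is the stronger check. */
prologue_verdict classify_prologue(const uint8_t *p, size_t n) {
    if (n >= 5  && p[0] == 0xE9) return PROLOGUE_JMP_REL32;
    if (n >= 6  && p[0] == 0xFF && p[1] == 0x25) return PROLOGUE_JMP_ABS;
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return PROLOGUE_MOV_JMP;
    if (n >= 3  && p[0] == 0x33 && p[1] == 0xC0 && p[2] == 0xC3) return PROLOGUE_RET_STUB;
    if (n >= 1  && p[0] == 0xC3) return PROLOGUE_RET_STUB;
    if (n >= 1  && p[0] == 0xCC) return PROLOGUE_TRAP;
    return PROLOGUE_CLEAN;
}
/* Read the live prologue of ntdll!EtwEventWrite in the current process
 * (Windows only); elsewhere report UNAVAILABLE so the caller can tell. */
prologue_verdict check_etw_event_write(void) {
#ifdef _WIN32
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    FARPROC fn = ntdll ? GetProcAddress(ntdll, "EtwEventWrite") : NULL;
    uint8_t buf[16];
    if (!fn) return PROLOGUE_UNAVAILABLE;
    memcpy(buf, (const void *)fn, sizeof buf);
    return classify_prologue(buf, sizeof buf);
#else
    return PROLOGUE_UNAVAILABLE;
#endif
}

int main(void) {
    prologue_verdict v = check_etw_event_write();
    printf("ntdll!EtwEventWrite prologue verdict: %d (0 = clean)\n", (int)v);
    return v == PROLOGUE_CLEAN ? 0 : 1;
}
```

A non-zero exit from a process that should have ETW intact is a trigger for an alert, not a conclusion on its own; pair it with the on-disk comparison before acting.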

TARGET SECTORS:
TECHNOLOGY
CLOUD SERVICES
TELECOMMUNICATIONS
FINANCIAL SERVICES
RETAIL
SAAS VENDORS

INFRASTRUCTURE & TOOLING: ShinySp1d3r ransomware encryptor (Windows; Linux/ESXi variants in development; samples identified on VirusTotal Nov 2025); dedicated leak site (DLS) built on BreachForums infrastructure; multiple Telegram channels (sequentially banned); Tox protocol for victim communications; insider recruitment via underground forums (Exploit, RAMP); FBI FLASH alert attributes Salesforce intrusions to UNC6040/UNC6395

FILE DATE: AUG 2025
Salesforce/Gainsight/Salesloft Multi-Org Intrusions
SLSH used vishing and fake OAuth integrations — not Salesforce vulnerabilities — to breach 91 organizations' Salesforce environments, including data theft from Adidas, Google, Cisco, Qantas, Cartier, Louis Vuitton, and others; FBI issued a FLASH alert attributing activity to UNC6040 and UNC6395 on September 12, 2025.
FILE DATE: NOV 2025
ShinySp1d3r RaaS Platform Development
SLSH announced and began promoting ShinySp1d3r — a custom-built RaaS encryptor ███████████████████ evasion, self-propagation, and ESXi targeting — on Telegram channels; early Windows samples surfaced on VirusTotal, with Linux/ESXi builds assessed as forthcoming.
FILE DATE: JAN 2026
Aggressive Insider Recruitment Campaign
Post-reemergence, SLSH launched a structured insider recruitment drive targeting employees at organizations with $500M+ revenue, seeking access to Okta, Microsoft SSO, Citrix VPN, and GitHub/GitLab, with commission-based payment structures advertised across Telegram and dark web forums.