TL;DR
Scattered Spider, LAPSUS$, and ShinyHunters have consolidated into a single operation known as Scattered LAPSUS$ Hunters, combining social engineering reach, data theft capability, and chaos-as-leverage into one playbook.
Their TTPs have been documented and present in TI feeds since 2020. IOC matching is not stopping them because they do not rely on novel malware. They use valid credentials, commercial tools, and open network paths.
The defense is not better intelligence. It is closing the paths that make the intelligence irrelevant.
Security leaders do not have a threat awareness problem.
There is no shortage of advisories, indicators, campaign breakdowns, threat actor profiles, vendor alerts, and executive briefings. The industry is very good at telling you what attackers are doing. And yet organizations still get hit by the same kinds of attacks, through the same kinds of gaps.
That is because awareness is only the beginning.
The real value of threat intelligence is not that it catalogues attackers or tactics, but that it reveals the conditions inside your environment that still make the attacker's job easy. It shows you where trust is too broad, where visibility is too thin, where controls are inconsistent, and where attack paths remain cheaper than they should be.
That is the lesson modern extortion campaigns keep teaching.
Groups like Scattered Spider, LAPSUS$, and ShinyHunters may differ in style, branding, and public noise, but their success comes from a familiar pattern: they abuse legitimate access, inherit trust, move quickly through reachable systems, and turn that access into leverage before defenders can contain them.
That is not just a threat story. It is a program, architecture, and attack path story.
And that is exactly why threat intelligence matters: because it should help you get harder to move through.
The Threat Intelligence Paradox: Why Awareness Is Not Enough
Every major attack from these groups follows a playbook that has been public for years. The FBI published a Scattered Spider advisory in 2023 specifically detailing help desk impersonation and MFA bypass techniques. CISA and NCSC published joint advisories on LAPSUS$ covering insider recruitment and SaaS abuse patterns. ShinyHunters' preference for GitHub token theft and misconfigured S3 enumeration has been documented by TI vendors since their first major campaigns.
Your feeds have their indicators. Your SOC has seen their signatures.
And yet the incidents keep happening: at MGM, where Scattered Spider's 2023 campaign cost approximately $100 million in operating impact; at Caesars, which reportedly paid around $15 million to make the problem go away; at Snowflake customers, at telecom providers, and at financial services firms that had every advisory in their inbox and got hit anyway.
Why?
Because this is where most threat intelligence programs stop too early. They ingest the feed, review the advisory, brief leadership, maybe add a rule, and then they move on.
But threat intelligence is supposed to teach you something about your own environment. Every serious threat report should trigger a harder question:
What does this reveal about the attack paths we still allow?
When TI repeatedly shows attackers abusing trusted access, it is teaching you that identity alone is not enough. When it shows attackers pivoting through SaaS and cloud consoles, it is teaching you that access governance is incomplete. When it shows attackers moving fast after login, it is teaching you that your environment may still be too easy to traverse once a foothold is established.
That is the part most programs miss. They treat intelligence like a source of alerts instead of a source of lessons. IOC matching does not stop someone who shows up with a valid credential, a commercially signed RMM tool, and a Telegram channel.
Attackers do not need extraordinary tradecraft if your environment already gives them workable routes.
This Is an Attack Path Problem
These groups are path-first attackers. Their entire operating model depends on finding a repeatable route from a phished or bribed human to a business-critical system. Research by Obsidian Security on Salesforce-related incidents confirms the pattern: campaigns centered on voice phishing, malicious connected apps, token acquisition, and large-scale SaaS data access, all using valid access, inherited trust, and fast monetization.
The chain looks like this:
Identity surface. A vishing call or help desk workflow gap creates a valid session. Weak MFA (SMS, voice callback) and standing admin accounts make this fast.
Endpoint foothold. A commercially signed RMM tool like ScreenConnect, AnyDesk, or TeamViewer gets installed. It is signed. Most security stacks allow it. The beachhead is set.
SaaS and control planes. Stolen cookies and OAuth grants extend reach into M365, Okta, Salesforce, and cloud consoles. Admin changes at this layer become force multipliers.
Network reachability. Flat or inconsistently segmented networks let them move from the compromised endpoint to crown-jewel apps and data stores. East-west traffic is cheap. Lateral movement is a routing accident waiting to happen.
Impact. Data exfiltration, account lockouts, service disruption. Then the Telegram campaign starts and the clock on your decision window begins. The window between foothold and Telegram announcement is where most of the real damage happens, and in these campaigns, that window is often measured in hours, not days.
The architecture determines whether the chain completes. The intelligence just watches it happen.
The attacker wins when the attack path is cheap.
Five Plays to Close the Paths
1. Map Your Paths Before They Do
Scattered Spider, LAPSUS$, and ShinyHunters research their targets before the first call. They map your SaaS footprint, identify your identity provider, find your help desk workflows, and locate the cheapest route to impact. If you have not done that exercise yourself, they have done it for you.
What it prevents: Blind spots that let lateral movement go undetected for hours or days
Success looks like: Documented path inventory reviewed quarterly, tied to your most critical assets
Metric to track: Percentage of crown-jewel paths with documented access controls and monitoring coverage
2. Make RMM Explicit, Not Default-Open
Scattered Spider's operational superpower is commercially signed remote access tools your security stack already trusts. Allow-list approved tools by device and authorized user population. Alert on first-seen RMM installs outside IT and operations teams. A new AnyDesk install on a finance workstation is not a support ticket. It is an investigation.
What it prevents: The endpoint foothold that makes everything else possible
Success looks like: RMM policy documented, allow-list enforced, first-seen installs generating automatic alerts
Metric to track: Mean time to detect unauthorized RMM installation
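As an added illustration (not Aviatrix's own code), the allow-list-by-device-group rule above expressed as a small detector over constructed endpoint process events: approved tools on approved device populations are ignored, and a first-seen RMM binary on any other host is raised at high severity for investigation. The device group names, process image names and sample events are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Assumed process image names for the commercially signed RMM tools named in the text.
RMM_TOOLS = {"screenconnect.clientservice.exe": "ScreenConnect",
             "anydesk.exe": "AnyDesk", "teamviewer.exe": "TeamViewer"}

# Hypothetical allow-list of tools per device group; groups not listed
# (finance, for example) are approved for none of them.
ALLOW_LIST = {"it-helpdesk": {"ScreenConnect"}, "ops": {"ScreenConnect", "TeamViewer"}}

Alert = namedtuple("Alert", "host user tool severity reason")

@dataclass
class RmmDetector:
    allow_list: dict
    seen: set = field(default_factory=set)  # (host, tool) pairs already observed

    def process(self, event):
        """Return an Alert for an RMM binary outside the allow-list, else None."""
        tool = RMM_TOOLS.get(event["image"].lower())
        if tool is None:
            return None  # not a remote-access tool
        if tool in self.allow_list.get(event["group"], set()):
            return None  # approved tool on an approved device population
        key = (event["host"], tool)
        first_seen = key not in self.seen
        self.seen.add(key)
        if first_seen:  # the "investigation, not a support ticket" case
            return Alert(event["host"], event["user"], tool, "high",
                         "first-seen RMM install outside allowed groups")
        return Alert(event["host"], event["user"], tool, "medium",
                     "repeat unauthorized RMM execution on host")

def run(events, allow_list=ALLOW_LIST):
    """Feed events through one detector so first-seen state carries across them."""
    det = RmmDetector(allow_list)
    return [a for e in events if (a := det.process(e)) is not None]

# Constructed sample events (not real telemetry): host, device group, user, image.
SAMPLE_EVENTS = [
    {"host": "fin-ws-017", "group": "finance", "user": "j.doe", "image": "AnyDesk.exe"},
    {"host": "it-hd-02", "group": "it-helpdesk", "user": "hd.tech", "image": "ScreenConnect.ClientService.exe"},
    {"host": "fin-ws-017", "group": "finance", "user": "j.doe", "image": "AnyDesk.exe"},
    {"host": "ops-jump-1", "group": "ops", "user": "ops.admin", "image": "AnyDesk.exe"},
    {"host": "fin-ws-017", "group": "finance", "user": "j.doe", "image": "notepad.exe"},
]
```

Running `run(SAMPLE_EVENTS)` yields three alerts: the finance AnyDesk install (high), its repeat (medium), and AnyDesk on an ops host where only ScreenConnect and TeamViewer are approved (high); the help desk ScreenConnect event and notepad produce nothing.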
3. Remove Standing Trust From Identity
Standing admin accounts and long-lived OAuth tokens are the fuel these groups run on. Every standing admin that exists for convenience is an account Scattered Spider can own with one successful vishing call. Every OAuth grant scoped beyond what an application needs is a token ShinyHunters can harvest and reuse.
Move toward just-in-time access for privileged accounts. Enforce phishing-resistant MFA, not SMS, not voice callback, for anything with admin scope. Make trust earned and temporary, not inherited and permanent.
What it prevents: The identity surface that turns one compromised account into tenant-wide access
Success looks like: JIT admin access in place, phishing-resistant MFA enforced for admin roles, OAuth grants reviewed quarterly
Metric to track: Percentage of privileged accounts using phishing-resistant MFA; number of OAuth grants with admin-level scope
4. Segment Crown-Jewel Paths
Flat networks are LAPSUS$ and Scattered Spider's second-favorite thing after weak MFA. When east-west movement from a compromised endpoint to a crown-jewel application is a routing decision rather than a policy decision, attackers complete the chain. When it requires an explicit allow, they stall.
Segment by application, environment, and sensitivity. Make lateral movement expensive: not necessarily impossible, but expensive enough that the chain breaks before it reaches impact.
What it prevents: Lateral movement from a compromised endpoint to business-critical systems
Success looks like: East-west policy enforced by application segment across all clouds, temporary firewall exceptions reviewed and expired on a 30-day cycle
Metric to track: Number of network exceptions older than 30 days; lateral movement dwell time
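To make "a policy decision rather than a routing decision" concrete, here is an added example (not Aviatrix policy or code) that evaluates east-west flows against tag-based allow rules and time-boxed exceptions, and computes the exceptions-older-than-30-days metric above. The workloads, tags, rule set, ticket id and flows are all constructed.

```python
from datetime import date, timedelta

# Hypothetical workload inventory: rules are written against application and
# sensitivity tags, not against IP ranges that change constantly.
WORKLOADS = {
    "10.1.4.22": {"app": "web-frontend", "sensitivity": "internal"},
    "10.1.9.5": {"app": "billing-api", "sensitivity": "restricted"},
    "10.2.0.17": {"app": "customer-db", "sensitivity": "restricted"},
    "10.3.7.41": {"app": "user-laptop", "sensitivity": "internal"},
}

# Explicit east-west allows as (src app, dst app, port). Anything not listed is denied.
ALLOW_RULES = {("web-frontend", "billing-api", 443), ("billing-api", "customer-db", 5432)}

# Temporary exceptions carry a creation date and expire on a 30-day cycle.
EXCEPTION_TTL = timedelta(days=30)
EXCEPTIONS = [  # constructed; "CHG-0001" is a placeholder change ticket
    {"src": "user-laptop", "dst": "customer-db", "port": 5432,
     "created": date(2025, 6, 1), "ticket": "CHG-0001"},
]

def evaluate(flow, today, rules=ALLOW_RULES, exceptions=EXCEPTIONS):
    """Classify one observed flow: allowed by policy, by a live exception, or denied."""
    src, dst = WORKLOADS.get(flow["src"]), WORKLOADS.get(flow["dst"])
    if src is None or dst is None:
        return "deny:untagged"  # an untagged workload gets no implicit reachability
    key = (src["app"], dst["app"], flow["port"])
    if key in rules:
        return "allow:policy"
    for ex in exceptions:
        if (ex["src"], ex["dst"], ex["port"]) == key:
            if today - ex["created"] <= EXCEPTION_TTL:
                return f"allow:exception:{ex['ticket']}"
            return f"deny:expired-exception:{ex['ticket']}"
    return "deny:default"  # no explicit allow: the chain stalls here

def stale_exceptions(today, exceptions=EXCEPTIONS):
    """The metric in the text: exception tickets older than 30 days."""
    return [ex["ticket"] for ex in exceptions if today - ex["created"] > EXCEPTION_TTL]

# Constructed flows: frontend to billing, a laptop to the customer database,
# and the same laptop trying SSH to billing.
SAMPLE_FLOWS = [
    {"src": "10.1.4.22", "dst": "10.1.9.5", "port": 443},
    {"src": "10.3.7.41", "dst": "10.2.0.17", "port": 5432},
    {"src": "10.3.7.41", "dst": "10.1.9.5", "port": 22},
]
```

Evaluated two weeks after the exception was created, the laptop-to-database flow is allowed under CHG-0001; six weeks after, the same flow is denied and the ticket shows up in the stale-exception metric.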
5. Connect Threat Intelligence to Path Visibility
When your threat intelligence feed fires on a known indicator, a first-seen RMM signature, an OAuth abuse pattern, or an IdP policy change from an unfamiliar account, the question your team needs to answer is not "is this real?" It is "does this path exist in my environment, and can I see it?"
If the answer to the second question is no, the intelligence is telling you something your architecture has not fixed. Every TI alert that cannot be answered with network visibility is a documented gap. Treat it like one.
What it prevents: Intelligence that fires but cannot be actioned because visibility does not reach far enough
Success looks like: Threat intelligence alerts correlated to network path data, not just endpoint logs
Metric to track: Percentage of threat intelligence alert types with corresponding network-layer detection coverage
Where Aviatrix Fits
Scattered Spider, LAPSUS$, and ShinyHunters win in large, complex environments because complexity creates paths. More clouds, more tenants, more exceptions, more temporary rules that became permanent, more places for east-west movement to happen without anyone noticing.
Aviatrix Cloud Native Security Fabric addresses the path problem at the network layer, where these groups actually operate once they are past identity and endpoint.
CoPilot flow telemetry gives you visibility into what workloads are actually doing across AWS, Azure, and GCP, so when an attacker creates a new path during an intrusion, you see it. That is the missing layer for most organizations: not more alerts, but network-level context that shows whether the behavior your TI flagged is actually happening in your environment.
On the enforcement side, policy-driven microsegmentation shrinks the blast radius so a compromised endpoint cannot freely reach crown-jewel services. Tag-aware security domains enforce rules by application and sensitivity rather than IP ranges that change constantly. Centralized egress controls apply consistent policy instead of thousands of ad hoc rules that quietly accumulate into the attack paths these groups depend on.
A mature threat intelligence program uses intelligence to drive three things:
Better detections
Exposed architectural gaps
Measurable reduction in reachable paths
Aviatrix is how you execute the third one.
The intelligence told you these groups were coming. Aviatrix closes the paths they planned to use.
Start with a free Workload Attack Path Assessment. Map your blast radius before anyone else does.
The Bottom Line
These three groups do not need a zero-day. They need a help desk rep to answer the phone, an OAuth token that has not rotated in two years, and a flat network that lets them move from a compromised laptop to your customer database without a policy decision in between.
All of that is fixable. None of it requires buying another feed.
The strongest security programs use threat intelligence to do three things: understand how attackers are operating, identify the conditions that make those tactics viable, and reduce those conditions before the next incident tests them.
Close the paths. Make standing trust the exception. Enforce east-west policy like it matters, because when Scattered Spider calls your help desk next week, it does.
References
CISA, "Joint Cybersecurity Advisory," July 29, 2025, https://www.cisa.gov/sites/default/files/2025-08/aa23-320a-scattered-spider-508c.pdf.
Cloud Security Alliance, "Scattered Spider: The Group Behind Major ESXi Ransomware Attacks," July 9, 2025, https://cloudsecurityalliance.org/blog/2025/07/09/scattered-spider-the-group-behind-major-esxi-ransomware-attacks.
Cyber Safety Review Board, "Review of the Attacks Associated with Lapsus$ and Related Threat Groups," July 24, 2023, https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf.
Obsidian Security, "ShinyHunters and Scattered Spider: A Merger of Chaos in the 2025 Salesforce Attacks," August 20, 2025, https://www.obsidiansecurity.com/blog/shinyhunters-and-scattered-spider-a-merger-of-chaos-in-the-2025-salesforce-attacks.
SC Media, "Ongoing widespread AWS customer credential theft exposed by open S3 bucket," December 10, 2024, https://www.scworld.com/news/ongoing-widespread-aws-customer-credential-theft-exposed-by-open-s3-bucket.