TL;DR

  • Three cybercriminal groups, Scattered Spider, LAPSUS$, and ShinyHunters, have joined forces.

  • To protect your organization from this merged group, focus on defending the network paths these attackers exploit.

If Wall Street ran cybercrime, it would look like this. Three headline crews, Scattered Spider, LAPSUS$, and ShinyHunters, pulled off the cyber equivalent of a three‑way merger to dominate reach and leverage. One label, one megaphone, and many operators created a near‑monopoly on mayhem (merger‑like consolidation, not a formal org). 

Why did this “merger” happen? For the same reason it happens in legit business: scale, distribution, and speed. One banner multiplies audience, cuts the time from access to impact, and opens an affiliate on‑ramp for operators with their own credentials, tools, and footholds. Shared infrastructure speeds reuse, blunts takedowns, and the brand carries negotiations. The net effect is more hands, a bigger megaphone, shorter cycles, and more chaos. 

Why is it happening now? Consolidation turned their flywheel: channels respawn, followers migrate, affiliates plug in, and pressure resumes, compressing the time from first phish to disruption. In this blog, we’ll explore more about who these groups are, how they work, and how organizations can ramp up their cloud network security defenses against them.  

The Merger Logic

This merger makes business sense for the three groups on several levels: 

  • Shared distribution. Multiple crews point at a single Telegram megaphone; channel resets don’t slow the audience migration. 

  • Brand equity. Scattered Spider’s notoriety + LAPSUS$ chaos‑marketing + ShinyHunters’ data‑theft pipeline = instant credibility for new ops. 

  • Talent & tooling liquidity. Semi‑independent operators bring their own access, RMM kits, and BYOVD techniques under one banner. 

  • Resilience to takedowns. If one node burns, the brand persists and respawns, like post‑merger business units swapping storefronts. 

  • Go‑to‑market speed. Extortion‑as‑a‑service playbooks and media theatrics turn attention into leverage quickly. 

  • Enterprise scale fit. The model thrives in complex organizations where many workable paths exist to critical systems. 

Who Are the Players?

Scattered Spider

Scattered Spider surfaced in 2022 and quickly built a reputation for high-pressure social engineering backed by fast hands-on keyboard execution. A typical run starts with vishing or service desk impersonation to get a reset or one MFA prompt, drops commercial RMM like ScreenConnect, AnyDesk, TeamViewer, or Splashtop, lifts browser cookies and OAuth tokens, and uses bring-your-own-vulnerable-driver (BYOVD) techniques to tamper with EDR when needed. From there they pivot into M365, Google Workspace, Okta, or cloud consoles, then hit impact moves like IdP policy abuse for mass lockouts, session revocation, mailbox and transport rule hijacks, and rapid staging with 7z, rclone, or cloud sync.

Signals that matter: first-seen RMM by a non-IT user, a new local admin within one hour, OAuth grants with wide scopes, IdP policy changes by unfamiliar admins, and EDR tamper or Safe Mode events.

LAPSUS$

First seen in 2021, LAPSUS$ weaponized spectacle. They often acquire access through SIM swap or contractor and insider bribery, and then seize the company voice by taking over Slack or Teams and status pages to compress decision time. Technically, they lean on session reuse in SaaS and tenant-wide controls, driving large export activity like eDiscovery jobs while posting as officials with stolen tokens. The punch is timed disclosure tied to negotiation.

Signals that matter: Admin logins from consumer carriers, sudden mailbox or transport rule creation, and spikes in export or report jobs outside change windows. 
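The Scattered Spider and LAPSUS$ signal lists above are each a correlation over a few event types. The following is an added example, not Aviatrix code, of how a detection engineer might express them as rules over a normalized event stream. The event schema, the IT group names, the carrier ASN labels and the "known admin" set are constructed assumptions, and the sample events are made up to exercise each rule.

```python
"""Correlating the endpoint and identity signals listed above.

Added example, not Aviatrix code. The event schema, the IT group names, the
carrier ASN labels and the 'known admin' set are constructed assumptions;
the sample events are made up to exercise each rule.
"""
from datetime import datetime, timedelta

# Assumed organisational baselines (constructed).
KNOWN_RMM = {"screenconnect", "anydesk", "teamviewer", "splashtop"}
IT_GROUPS = {"it-ops", "helpdesk"}
CONSUMER_CARRIER_ASNS = {"ASN-CARRIER-PLACEHOLDER-1"}  # placeholder labels, not real ASNs
KNOWN_ADMINS = {"alice.admin"}                         # admins expected to touch mail flow

# Constructed sample events (not real telemetry).
EVENTS = [
    {"ts": "2025-01-10T09:02:00", "type": "process_start", "host": "WS-1042",
     "user": "bob.finance", "groups": ["finance"], "image": "ScreenConnect.ClientService.exe"},
    {"ts": "2025-01-10T09:41:00", "type": "local_group_change", "host": "WS-1042",
     "user": "bob.finance", "groups": ["finance"], "group": "Administrators", "member": "svc-remote"},
    {"ts": "2025-01-10T10:15:00", "type": "signin", "user": "alice.admin", "groups": ["it-ops"],
     "role": "GlobalAdmin", "asn": "ASN-CARRIER-PLACEHOLDER-1"},
    {"ts": "2025-01-10T10:20:00", "type": "transport_rule_created", "user": "bob.finance",
     "groups": ["finance"], "rule": "fwd-all-external"},
    {"ts": "2025-01-10T11:00:00", "type": "process_start", "host": "WS-0007",
     "user": "carol.it", "groups": ["it-ops"], "image": "AnyDesk.exe"},
]


def is_rmm(image: str) -> bool:
    """True if the process image name contains a known RMM product name."""
    name = image.lower()
    return any(tool in name for tool in KNOWN_RMM)


def correlate(events, window=timedelta(hours=1)):
    """Return (rule_name, detail) alerts.

    Rules: first-seen RMM on a host launched by a non-IT user; a local
    Administrators change on that host within `window` of the RMM install;
    an admin-role sign-in from a consumer carrier; a transport rule created
    by someone outside the known admin set.
    """
    alerts = []
    first_rmm = {}  # host -> (timestamp, user) of the first RMM seen on that host
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ev["ts"])
        non_it = not (set(ev.get("groups", [])) & IT_GROUPS)
        kind = ev["type"]
        if kind == "process_start" and is_rmm(ev["image"]):
            if ev["host"] not in first_rmm:
                first_rmm[ev["host"]] = (t, ev["user"])
                if non_it:
                    alerts.append(("rmm_first_seen_non_it",
                                   f"{ev['image']} on {ev['host']} by {ev['user']}"))
        elif kind == "local_group_change" and ev["group"] == "Administrators":
            prior = first_rmm.get(ev["host"])
            if prior and t - prior[0] <= window:
                alerts.append(("local_admin_after_rmm",
                               f"{ev['member']} added on {ev['host']} {t - prior[0]} after RMM"))
        elif kind == "signin" and ev.get("role") and ev.get("asn") in CONSUMER_CARRIER_ASNS:
            alerts.append(("admin_signin_consumer_carrier",
                           f"{ev['user']} ({ev['role']}) via {ev['asn']}"))
        elif kind == "transport_rule_created" and ev["user"] not in KNOWN_ADMINS:
            alerts.append(("transport_rule_unfamiliar_admin", f"{ev['rule']} by {ev['user']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in correlate(EVENTS):
        print(f"[{rule}] {detail}")
```

Run as-is, the sample stream yields four alerts, while the AnyDesk launch by the IT user is recorded as a baseline and produces none. The one-hour join between RMM install and Administrators change is the part worth keeping: either event alone is common in an enterprise, the pair on the same host is not.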

ShinyHunters

First seen in 2020, ShinyHunters is the most market-oriented of the trio — a data-first monetization crew that packages and sells at speed. Access frequently comes from token theft or API key abuse in GitHub or GitLab and CI or CD systems, plus enumeration of misconfigured storage like S3 or Azure Blob. They prefer API only access with low and slow pulls, show PAT sprawl and ephemeral read-only accounts, and trigger object listing spikes followed by heavy reads. The impact is a staged leak and negotiation with partners for reach. 

Signals that matter: first seen repo clones from atypical networks, new PAT or API keys minted off hours, S3 ListBucket surges followed by many GETs, and Azure ListContainers or ListBlobs spikes from unfamiliar IPs.
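The ShinyHunters pattern above is a sequence: a burst of listing calls from an address with no history, followed by many reads, often alongside a freshly minted key outside working hours. As an added example that is not Aviatrix code, here is a small detector over constructed CloudTrail-style records; the baseline IP set, thresholds and business hours are assumptions, and 203.0.113.7 is a documentation-range address standing in for the unfamiliar source.

```python
"""Spotting enumerate-then-bulk-read against object storage.

Added example, not Aviatrix code. Records mimic the shape of CloudTrail-style
API events but are constructed; the baseline IP set, thresholds and business
hours are assumptions. 203.0.113.7 is a documentation-range address standing
in for an unfamiliar source.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

BASELINE_IPS = {"10.20.0.5", "10.20.0.6"}   # addresses with a history of normal access (constructed)
LIST_THRESHOLD = 5                           # list calls that count as a surge
GET_THRESHOLD = 20                           # reads after the surge that count as a bulk pull
FOLLOW_WINDOW = timedelta(hours=1)           # how soon after the surge the reads must land
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # UTC, assumed change window
LIST_OPS = {"ListBucket", "ListObjects", "ListObjectsV2", "ListContainers", "ListBlobs"}


def build_events():
    """Constructed sample: 8 list calls, an off-hours key mint and 30 GETs from one
    unfamiliar IP, plus a few daytime reads from a baseline IP."""
    ev = []
    for i in range(8):
        ev.append({"eventTime": f"2025-01-10T02:{i:02d}:00Z", "eventName": "ListBucket",
                   "sourceIPAddress": "203.0.113.7", "bucket": "customer-exports"})
    ev.append({"eventTime": "2025-01-10T02:05:00Z", "eventName": "CreateAccessKey",
               "sourceIPAddress": "203.0.113.7", "userName": "svc-readonly-tmp"})
    for i in range(30):
        ev.append({"eventTime": f"2025-01-10T02:{10 + i // 2:02d}:{(i % 2) * 30:02d}Z",
                   "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
                   "bucket": "customer-exports"})
    for i in range(3):
        ev.append({"eventTime": f"2025-01-10T10:{i:02d}:00Z", "eventName": "GetObject",
                   "sourceIPAddress": "10.20.0.5", "bucket": "customer-exports"})
    return ev


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return (rule, source_ip, detail) alerts."""
    alerts = []
    per_ip = defaultdict(lambda: {"list": [], "get": []})
    for e in events:
        t = parse_ts(e["eventTime"])
        name = e["eventName"]
        ip = e["sourceIPAddress"]
        if name in LIST_OPS:
            per_ip[ip]["list"].append(t)
        elif name == "GetObject":
            per_ip[ip]["get"].append(t)
        elif name == "CreateAccessKey" and not (BUSINESS_HOURS[0] <= t.time() <= BUSINESS_HOURS[1]):
            alerts.append(("key_minted_off_hours", ip, f"{e['userName']} at {t.isoformat()}"))
    for ip, acts in per_ip.items():
        if ip in BASELINE_IPS:
            continue  # familiar source; volume alone is not the signal here
        lists = sorted(acts["list"])
        if len(lists) < LIST_THRESHOLD:
            continue
        surge_end = lists[LIST_THRESHOLD - 1]  # moment the listing crossed the threshold
        reads_after = [g for g in acts["get"] if surge_end <= g <= surge_end + FOLLOW_WINDOW]
        if len(reads_after) >= GET_THRESHOLD:
            alerts.append(("enumerate_then_bulk_read", ip,
                           f"{len(lists)} list calls, then {len(reads_after)} GETs within {FOLLOW_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(build_events()):
        print(f"[{rule}] {ip}: {detail}")
```

The baseline check is what keeps this quiet in production: a backup job from a known address produces the same listing and read volume every night, and the rule only fires when the shape appears from somewhere with no history. The Azure `ListContainers` and `ListBlobs` names are included so the same rule covers both storage services the post mentions.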

Notice some common patterns between these groups: repeated Telegram takedowns followed by near‑instant channel reappearances, paid call‑to‑action campaigns to spam executives, and opportunistic partnerships with other crews.

How They Operate

These three threat groups are after leverage that hurts quickly: business‑critical apps, customer data, identity providers, control planes, and comms channels that shape the narrative.  While they value any credentials they can steal, what they really want is a path: any repeatable route from a phished human to crown‑jewel services. They are building momentum from public pressure and internal friction within their targeted organizations to compress decision time and force leadership to accept their demands.  

The Group's Operating Model in One Paragraph

A small core runs the megaphone and negotiations; affiliates bring their own access and tools. Playbooks are shared, not centralized: social engineer the user, land RMM (Remote Monitoring and Management), harvest tokens, fan out into SaaS/control planes, achieve objectives (exfiltration or service disruption), then turn up the pressure in public once the work is done. 

The Attack Chain (6 Steps That Repeat)

  1. Contact & Convince — Vishing/SMS/IM, help‑desk spoofing, contractor targeting. The goal in this step is a session, reset, or one MFA push. 

  2. Land & Persist on Endpoint — Drop commercial RMM (ScreenConnect/AnyDesk/TeamViewer/Splashtop), create local admin, seed scheduled tasks. 

  3. Harvest & Pivot — Lift cookies/tokens, mint OAuth grants, reuse SSO into M365/Google/Okta/Salesforce and cloud consoles. 

  4. Expand Reachability — Exploit flat or exception‑ridden networks to reach apps and data paths; stage tooling (7z, rclone, cloud sync). 

  5. Monetize/Impact — Data‑first extortion; affiliates optionally add an encryptor. The goal is service disruption + leverage, not stealth. 

  6. Apply Pressure — Telegram campaigns, dox posts, inbox flooding, status‑page takeovers to force speed.   

Common accelerants these groups exploit include:  

  • Standing admins and break‑glass accounts (emergency accounts meant to be used when normal administrative accounts are unavailable) with weak factor policies. 

  • Unsigned/allow‑any RMM policies outside IT. 

  • Broad SaaS OAuth scopes and long‑lived tokens. 

  • Network exceptions that never expired; inconsistent east‑west policy across clouds. 

  • Fragmented comms response that is slow to throttle exec inbox floods or publish the “what’s legitimate” notice. 

Why This Matters

Everything after this is a path problem. When paths are cheap and plentiful, the chain completes fast; when paths are scarce and policy‑enforced, the chain stalls. At enterprise scale, focus on making paths explicit and tagged across clouds, removing standing trust, and enforcing least‑privilege reachability so lateral movement is expensive.  

Why They Keep Winning in Big Environments

They penetrate layers, not just endpoints. SLH‑style operators (SLH being the combined Scattered Spider, LAPSUS$, and ShinyHunters label) chain small weaknesses into a path that lands on business‑critical systems. Here's a typical hop pattern:

  1. Identity surface: voice phishing and help‑desk workflow gaps create a valid session. Weak factor policies or SMS for admins make this fast. 

  2. Endpoint foothold: commercial RMM is installed, often signed. User context becomes a beachhead for privilege and token theft. 

  3. SaaS and control planes: stolen cookies and OAuth grants extend access into M365, Google, Okta, Salesforce and cloud consoles. Admin changes become force multipliers. 

  4. Network reachability: flat or inconsistent segmentation allows traversal to crown‑jewel apps and data paths. East‑west traffic is cheap. 

  5. Impact tooling: data theft at scale, scriptable account lockouts, or the addition of an encryptor. Goal is disruption of critical services and business continuity. 

Complex organizations are an attractive target for SLH for several reasons:  

  • Complexity debt: more apps, more tenants, more exceptions. Attack paths exist because temporary rules and one‑off changes persist. 

  • Change velocity: constant adds and migrations outpace manual reviews. 

  • Third-party sprawl: contractors, MSP RMM, and partner connections widen the identity and network attack surface. 

  • Inconsistent controls: mixed MFA strength, mixed EDR settings, mixed network policy between clouds. 

  • Noisy environments: pressure campaigns succeed because coordination takes time and visibility is fragmented. 

Bottom line: the issue isn’t broken people or tools. It’s architecture debt and default‑open paths that reward persistence. This pattern means that the success of any attack is not about finding a single zero‑day vulnerability to exploit. It is about reliably finding a workable route through identity, endpoint, SaaS, and network layers to disable or degrade critical infrastructure. 

Path‑Centric Questions for Your Next Architecture Review

To protect your organization from threats like Scattered Spider, LAPSUS$, and ShinyHunters, focus on defending your paths. At your next architecture review, ask some critical questions:  

  1. What are our top 5 business‑critical paths (user → app → data) and who can traverse them today? 

  2. How many distinct routes exist to each critical service across VPNs, SD‑WAN, peering, and cloud backbones? 

  3. Where do we still have standing admin (human or service) and can we move to just‑in‑time on managed devices only? 

  4. Which RMM tools are allow‑listed by policy, and where are we seeing first‑seen installs outside IT/Ops? 

  5. What’s our driver‑deny coverage (BYOVD) across EDRs, and do we alert on new kernel driver loads? 

  6. In SaaS, which tenants allow broad OAuth scopes or token minting without step‑up auth? 

  7. Do we enforce least‑privilege east‑west by application tags/segments across all clouds, not just within a single VPC/VNet? 

  8. Where are temporary exceptions (firewall rules, routes, trust grants) older than 30 days? 

  9. Can we observe egress by policy, not by IP lists, and steer inspection consistently across clouds? 

  10. What is our MFA‑anomaly‑to‑containment time and unauthorized‑RMM dwell time this quarter? 
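Questions 7 and 8 above are easiest to answer when east‑west policy is written against tags rather than addresses and every exception carries a creation date and an expiry. The following is an added example, not Aviatrix code and not the CNSF policy model: a default‑deny matcher over constructed workloads and rules that evaluates reachability by tag regardless of which cloud a workload sits in, and an audit that surfaces exceptions older than 30 days or already past expiry. Workload names, tags and ticket ids are constructed.

```python
"""Tag-based east-west policy with expiring exceptions.

Added example, not Aviatrix code and not the CNSF policy model. Workloads,
tags, rules and ticket ids are constructed. The evaluation is a plain
default-deny matcher that ignores which cloud a workload sits in, so one
rule governs an AWS VPC and an Azure VNet alike.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Workload:
    name: str
    cloud: str
    tags: dict


@dataclass
class Rule:
    src: dict                       # tag selector; every key/value must match the workload
    dst: dict
    ports: frozenset
    created: date
    expires: Optional[date] = None  # None = standing policy; a date = temporary exception
    ticket: str = ""


WORKLOADS = [
    Workload("ws-finance-01", "aws", {"app": "workstation", "env": "prod", "sensitivity": "low"}),
    Workload("crm-web-01", "aws", {"app": "crm", "tier": "web", "env": "prod", "sensitivity": "medium"}),
    Workload("crm-db-01", "azure", {"app": "crm", "tier": "db", "env": "prod", "sensitivity": "crown-jewel"}),
    Workload("build-runner-01", "gcp", {"app": "ci", "env": "prod", "sensitivity": "medium"}),
]

RULES = [
    Rule({"app": "workstation"}, {"app": "crm", "tier": "web"}, frozenset({443}), date(2024, 1, 15)),
    Rule({"app": "crm", "tier": "web"}, {"app": "crm", "tier": "db"}, frozenset({5432}), date(2024, 1, 15)),
    # Two temporary exceptions with constructed ticket ids: one already lapsed, one aging.
    Rule({"app": "workstation"}, {"app": "crm", "tier": "db"}, frozenset({5432}),
         date(2024, 11, 1), expires=date(2024, 11, 15), ticket="CHG-EXAMPLE-001"),
    Rule({"app": "workstation"}, {"app": "crm", "tier": "db"}, frozenset({22}),
         date(2024, 12, 1), expires=date(2025, 2, 1), ticket="CHG-EXAMPLE-002"),
]


def matches(selector: dict, tags: dict) -> bool:
    return all(tags.get(k) == v for k, v in selector.items())


def allowed(src: Workload, dst: Workload, port: int, today: date, rules=RULES) -> bool:
    """Default deny: a flow is allowed only by a matching rule that has not expired."""
    for r in rules:
        if r.expires is not None and r.expires < today:
            continue  # a lapsed exception must not keep granting reachability
        if port in r.ports and matches(r.src, src.tags) and matches(r.dst, dst.tags):
            return True
    return False


def reachable_pairs(port: int, today: date, workloads=WORKLOADS):
    """Which (src, dst) pairs can talk on `port` today, across clouds."""
    return sorted((s.name, d.name) for s in workloads for d in workloads
                  if s is not d and allowed(s, d, port, today))


def audit_exceptions(today: date, rules=RULES, max_age_days: int = 30):
    """Exceptions past expiry but still present, or older than `max_age_days`."""
    findings = []
    for r in rules:
        if r.expires is None:
            continue
        age = (today - r.created).days
        if r.expires < today:
            findings.append((r.ticket, "expired but still in policy"))
        elif age > max_age_days:
            findings.append((r.ticket, f"exception is {age} days old"))
    return findings


if __name__ == "__main__":
    today = date(2025, 1, 10)
    for port in (443, 5432, 22):
        print(port, reachable_pairs(port, today))
    print(audit_exceptions(today))
```

Evaluated for 10 January 2025, the workstation can reach the CRM web tier on 443 and the web tier can reach the database on 5432, but the workstation‑to‑database path on 5432 is gone because its exception lapsed in November; the same path on port 22 is still open under the second ticket, and the audit lists that ticket as 40 days old. Running the matcher for a date inside the first exception's window shows the database was reachable from a workstation then, which is exactly the kind of forgotten route the accelerants list above describes.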

Where Aviatrix Helps

Attackers win when lateral movement is cheap and visibility thin. Aviatrix Cloud Native Security Fabric (CNSF) reduces both in public cloud with: 

  • Policy‑driven microsegmentation across clouds: CNSF shrinks the blast radius with least‑privilege pathways between VPCs and VNets. It makes east‑west traversal a policy decision, not a routing accident.

  • Tag‑aware security domains: CNSF enforces rules by app, environment, and sensitivity so compromised endpoints cannot freely reach crown‑jewel services. 

  • Centralized egress controls and service insertion: CNSF steers high‑risk traffic through inspection points and partner security services. It applies consistent egress policy rather than thousands of ad‑hoc rules. 

  • CoPilot visibility and flow telemetry: CNSF lets you see which workloads talk to which, across AWS, Azure, and GCP. You can detect unusual paths, new dependencies, and shadow connectivity created during an intrusion. 

  • Repeatable guardrails: CNSF allows you to template and audit network policy so exceptions are temporary and documented, not permanent holes that attackers love. 

Even if voice‑phishable MFA fails and an endpoint is compromised, Aviatrix limits reach, exposes abnormal paths, and gives teams a single place to enforce policy across clouds. That shortens investigation time and contains the incident faster. 

Bottom Line

In large multicloud estates, path‑centric design and fabric‑level detections are what change the game. I’ll be sharing more patterns and real‑world examples soon, but the essentials are all here: reduce workable paths, remove standing trust, and make lateral movement expensive. SLH is not a single crew. It is a label that turns attention into leverage. To stop them and attackers like them, build for noisy, fast‑moving pressure operations. Harden identity flows, block vulnerable drivers, restrict RMM to the devices that should have it, and segment your crown‑jewel paths. Use Aviatrix to make segmentation and visibility consistent so one compromised account does not turn into a company‑wide problem. 

Join Us at Gartner IOCS London

Join Aviatrix at Gartner IOCS London from November 17-18! Our CISO, John Qian, will be speaking at a Theater Session on November 18 about “Why Cloud Network Security Is the Foundation for Outsmarting Modern Attackers.”   

Matt Snyder

Principal Engineer/Lead - Detection and Response, Aviatrix, Inc.

Matt leads Detection & Response efforts at Aviatrix, working closely with internal security teams and external partners to identify, investigate, and respond to potential threats. His role spans strategic oversight and hands-on execution to ensure a strong security posture across complex, distributed environments.
