Cyber threats
Barometer

An alliance between three well-known cybercrime groups—Scattered Spider, LAPSUS$, and ShinyHunters—has given rise to a new ransomware platform, with the aim of modernizing and making their activities more lucrative. These actors have been active for several years now, and although they have different origins, they now share a common goal: targeting Fortune 100 companies. However, this alliance is not so sudden. In August 2025, a Telegram channel was created, explicitly combining the names of the three actors. This channel was used to coordinate threats, announce data leaks, and promote a new Ransomware-as-a-Service (RaaS) offering called “shinysp1d3r,” which would later evolve into a new platform known today as Scattered LAPSUS$ Hunters.

According to observed exchanges, ShinyHunters confirmed that Scattered Spider provided initial access to targets, while ShinyHunters handled data exfiltration and publication. Members of LAPSUS$ also participated, forming an alliance that carried out high-profile campaigns, such as the compromises of Salesforce and Snowflake. These groups rely primarily on social engineering, impersonating employees to deceive IT departments and exploit human vulnerabilities. However, given the often short-lived nature of alliances between these actors, it will be necessary to closely monitor the evolution of this collaboration in order to assess its real scope and the level of threat it represents.

The cyber-extortion refers to all criminal acts aimed at obtaining a gain (financial, political, or other) by threatening to disclose, destroy, or prevent access to data or services. Perpetrators often combine data theft, blackmail (threat of publication), and service disruption (e.g., encryption, DDoS) to coerce the victim into paying or satisfying a demand.

The main forms of cyber extortion include ransomware (such as the attack by the Clop group exploiting the MOVEit vulnerability in 2023), extortion through the disclosure of sensitive data (such as the hacking of the Vastaamo psychotherapy center in Finland with the disclosure of medical records), and extortion through DDoS attacks (campaigns by the “Fancy Bear” or “Lazarus Group” threat actors demanding payments in cryptocurrency).

Malware, critical vulnerabilities, advanced persistent threats, industries particularly targeted, weak signals of emerging attacks…It’s no secret that knowledge of one’s adversary is a key factor for the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected by Gatewatcher CTI, our Cyber Threat Intelligence platform.

Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than 4000 data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.