Flash Report: Scattered Lapsus$ Hunters Announce Return
by ZeroFox Intelligence
Key Findings
- On November 24, 2025, ZeroFox observed that the threat collective "Scattered Lapsus$ Hunters" (SLSH) had seemingly resumed activity through a new Telegram channel after nearly a month of silence.
- Multiple posts on the Telegram channel suggest that SLSH is offering financial incentives and actively recruiting insiders who can provide initial access to corporate networks.
- Recent messages on the channel likely indicate an escalation of broader threats of disruption compared to previous publications.
- SLSH’s recent activity on Telegram almost certainly indicates clear intent to continue and likely escalate its previously observed operations, such as conducting data breaches and data leaks, publicly exposing corporations, and actively recruiting insiders.
Details
On November 24, 2025, ZeroFox observed that the SLSH threat collective had seemingly resumed activity through a new Telegram channel (hXXps://t[.]me/smokinmandiant) after nearly a month of silence.
- On November 19, 2025, reports surfaced of the emergence of an in-development build of a new ransomware-as-a-service (RaaS) platform called “ShinySp1d3r”. The new RaaS build is the result of a collaboration between the notorious threat collectives “ShinyHunters”, “Scattered Spider”, and “Lapsus$”.
- SLSH posted on its Telegram channel on October 11, 2025, that it was ceasing activities until 2026, likely in an effort to reduce law enforcement scrutiny while retooling and figuring out its next steps. SLSH began operations in August 2025 and has most recently claimed responsibility for an extortion campaign against Salesforce.
Multiple posts on the Telegram channel suggest that SLSH is offering financial incentives and actively recruiting insiders who can provide initial access to corporate networks. SLSH is almost certainly seeking access that enables the execution of administrative commands, the retrieval of configuration files, or the establishment of remote connectivity via a Virtual Private Network (VPN), Citrix, or similar secure-access technologies.
- SLSH stated in the channel that several eligibility criteria apply to insiders: workers at companies with revenue of under USD 500 million, those at organizations in Russia (RF), the People's Republic of China (PRC), the Democratic People's Republic of Korea (DPRK), and Belarus, and those in the healthcare sector will not be eligible.
- SLSH commented that its recruitment focus includes telecommunications providers, large software and gaming companies, global call center operators, and major server-hosting providers. SLSH likely wants to choose these actors because they offer significant access and leverage to amplify its attacks and campaigns.
Recent messages on the channel likely indicate an escalation of broader threats of disruption compared to previous publications. For example, in one post, SLSH expressed the intent to “lock down” the state of New York by using its newly developed ShinySp1d3r ransomware, which is a newly observed threat. SLSH’s recent messages also publicly name multiple intended targets, such as CrowdStrike, Unit 42, and CrunchLabs, a trend that ZeroFox has previously observed.
- Though such statements are likely exaggerated for publicity and intimidation, they contribute to SLSH’s aggressive messaging campaigns and declared willingness to target critical infrastructure.
Notably, ZeroFox observed the threat actor "KaruHunter$ FCK ZZx" promoting SLSH’s newly shared Telegram channel link, likely indicating a developing alliance between the two groups. This activity aligns with an earlier post by KaruHunter$ FCK ZZx on November 15, 2025—which stated, "Will we be joining the operation in 2026 with shinyhunter"—further suggesting potential collaborative intent.
- KaruHunters is a well-established threat actor who frequently posts on the dark web forum DarkForums and is known for multiple breaches targeting governments, corporations, and private targets worldwide.
SLSH’s recent activity on Telegram almost certainly indicates clear intent to continue and likely escalate its previously observed operations, such as conducting data breaches and data leaks, publicly exposing corporations, and actively recruiting insiders. Although SLSH was initially expected to resurface in 2026—as per the group’s messaging—it is very likely that it will continue operations in the coming weeks. SLSH will almost certainly target organizations based in the United States and Europe, while also focusing its recruitment efforts in Australia, Canada, and France. The geographical locations of these potential recruits are very likely perceived by the group as the most financially lucrative, while also having the potential to cause the most disruption and gain the most exposure.
Recommendations
- Develop a comprehensive incident response strategy.
- Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
- Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
- Implement network segmentation to separate resources by sensitivity and/or function.
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
- Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
- Proactively monitor for compromised accounts and credentials being brokered in deep and dark web (DDW) forums.
- Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
Scope Note
ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 7:00 AM (EST) on November 27, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
ZeroFox Intelligence Probability Scale
All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.