ScatteredLAPSUS$Hunters
ScatteredLAPSUS$Hunters (SLH), also written scatteredlapsus$hunters in the source reporting, is a cyber extortion threat actor associated with leak-site operations, Telegram-based communications, and insider-focused tradecraft.
The group was described as threatening Salesforce and its customers with data leaks unless payment was made, listing 39 companies on its leak site and ultimately leaking data from six: Qantas, Albertsons, GAP, Vietnam Airlines, Fujifilm, and Engie Resources. According to the source reporting, the group used multiple distribution channels for leaked data, including an onion site, a clear-net forum, a separate clear-net leak site, Telegram messages, and download links referencing Limewire. After the initial leaks, the group reportedly claimed it could not leak additional data while keeping all 39 listings and samples online.
The source reporting also links SLH to activity against Resecurity. SLH announced that it had hacked Resecurity and taken internal chats, employee data, threat intelligence, client lists, and management files, but Resecurity stated the actors had been deceived by a honeypot populated with synthetic data. According to the source reporting, Resecurity identified the probing activity in November 2025, set up a honeytrap account, logged more than 188,000 requests to the environment, and shared information with law enforcement and ISPs. DataBreaches reviewed the materials provided by SLH and found no evidence of real client data, concluding the claimed breach evidence was unconvincing.
The group is also described as using insider recruitment as a tactic. The source reporting states that SLH Telegram channels posted advertisements seeking insiders at targeted firms, and references a CrowdStrike-disclosed incident in which an employee provided screenshots to SLH for a $25,000 fee.
Resecurity’s reporting places SLH in the broader ecosystem of actors from “The Com,” which target large brands and government agencies for fame, financial gain, and influence. No nation-state attribution is directly stated in the source reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Mentioned only as a named group in connection with a possible associate of Stuckin2019; no operational details are provided in the content.
ScatteredLapsus$Hunters is known for targeting big brands and government agencies, often leveraging insiders for cooperation. Their motives include gaining fame, financial gain through extortion, and achieving political power within their circles. They have been observed recruiting insiders and exploiting infostealer data.
SLH claimed to have compromised Resecurity and exfiltrated sensitive data, but evidence suggests they were deceived by a honeypot containing synthetic data. Their activity included attempts to dump large volumes of data and public boasting of their alleged success.
Extortion/data-leak operation tied to a Salesforce-themed leak site: threatened Salesforce and its customers with mass data leaks, published data from six named victim organizations, used Telegram for comms, and distributed stolen data via an onion leak site plus clear-net infrastructure (forum posts and a separate free download site).