Scattered LAPSUS$ Hunters Is a Real Thing. Now What?

8–18–2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, August 18, 2025, and we’re tracking new developments on the threat actors that we’ve been covering extensively on the show this year.

Scattered LAPSUS$ Hunters Is a Real Thing. Now What?

An article over at The Hacker News details the ways in which three distinct threat actor brands are now partnering, quoting the following:

“On August 8, a new Telegram channel conflating ShinyHunters, Scattered Spider, and LAPSUS$ called "scattered lapsu$ hunters" emerged, with the channel members also claiming to be developing a ransomware-as-a-service solution called ShinySp1d3r that they said will rival LockBit and DragonForce. Three days later, the channel was banned and removed by Telegram.”

As always, we’re here to focus on the "so what" and to guide our cybersecurity investments toward the places where they return the most value for the effort. To that end, there are a few things we should bear in mind:

  1. It should be no surprise that attackers are sharing best practices and pooling resources. Like us, they are very motivated to put their energy and attention into what works, and asking a buddy is something bad actors do, too.

  2. Don’t get too caught up in the names. It’s cute, it sounds scary, and some threat intel companies have great slides, but we don’t really know who is in which group, who is in prison, or which "group" is just a re-brand of another threat actor working under a new label. None of that matters, because - as we’ve noted here before - attribution shouldn’t change how you defend. Speaking of which, the third, and perhaps most important, lesson from this article is:

  3. You have to defend against all of these attack techniques.

Before anyone feels too defeated, let me add a bit more color on that last point about defending against all the threats.

The way to tackle this problem is to pair two classical constructs: diversity of defense and defense in depth. You should have robust phishing protection that reduces that risk, but you also need endpoint detection and response tools, probably some web filtering, user training, and an incident response plan, so that no single control is the only thing standing between the attacker and your data.

There was an article in The Register late last week that claimed “At least a dozen ransomware gangs have incorporated kernel-level EDR killers into their malware arsenal, allowing them to bypass almost every major endpoint security tool on the market, escalate privileges, and ultimately steal and encrypt data before extorting victims into paying a ransom.”

That should give you a sense of what the playing field looks like, with the reminder that the goal isn’t to eliminate all of these threats - that’s just not going to be possible. The goal, instead, should be to deter them where possible, detect them early, and disrupt them if they succeed, before they can cause too much damage. One practical corollary of the EDR-killer trend: the endpoint agent is itself a target, so treat the loss of an agent’s heartbeat or the loading of an unexpected kernel driver as an alert in its own right, and make sure that telemetry is forwarded off the host before the agent can go dark. Remember, you’re aiming for resilience, and your adversary here is looking for efficiency. Become a "hard target" - there’s real value in that now, and moving forward.
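The "detect them early" point above invites a concrete illustration. What follows is an added example, not code from this brief, The Register, or any endpoint vendor: a small hunt over constructed Sysmon-style events (driver loads, Event ID 6, and process terminations, Event ID 5) for the pattern the EDR-killer reporting describes, a kernel driver loaded from a user-writable path or with a non-valid signature, followed shortly by the termination of security-tool processes. The protected process names, file paths, timestamps and the two-minute correlation window are assumptions made for the example; a real hunt would use the process names of the tools actually deployed and telemetry forwarded off the host.

```python
"""Hunt for the BYOVD 'EDR killer' pattern in Sysmon-style events.

Added example with constructed telemetry (no real hosts, drivers or hashes).
A suspicious kernel driver load (Sysmon EID 6) followed within a short window
by the termination (Sysmon EID 5) of security-tool processes is flagged high;
a suspicious load with no follow-on kills is flagged medium for triage.
"""
from datetime import datetime, timedelta

# Hypothetical security-tool process names; substitute the real names of the
# EDR/AV agents in your environment.
PROTECTED_PROCESSES = {"MsMpEng.exe", "SenseIR.exe", "edr_agent.exe"}

# Directories a legitimately installed driver should never be loaded from.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\perflogs\\")

# Assumed window between the driver load and the process kills.
CORRELATION_WINDOW = timedelta(seconds=120)


def parse_time(s):
    """Sysmon UtcTime without the fractional seconds, e.g. '2025-08-14 02:11:05'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def driver_is_suspicious(event):
    """Return the reasons an EID 6 (DriverLoad) event looks wrong (empty if none).

    Note that many BYOVD drivers carry a *valid* signature, so the load path
    is checked independently of the signature status.
    """
    reasons = []
    path = event["ImageLoaded"].lower()
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("loaded from user-writable path")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature status %s" % event.get("SignatureStatus"))
    return reasons


def hunt_edr_killer(events):
    """Correlate suspicious driver loads with later security-process terminations."""
    events = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 6:
            continue
        reasons = driver_is_suspicious(ev)
        if not reasons:
            continue
        t0 = parse_time(ev["UtcTime"])
        killed = []
        for later in events[i + 1:]:
            if parse_time(later["UtcTime"]) - t0 > CORRELATION_WINDOW:
                break
            if later["EventID"] == 5:
                name = later["Image"].rsplit("\\", 1)[-1]
                if name in PROTECTED_PROCESSES:
                    killed.append(name)
        findings.append({
            "driver": ev["ImageLoaded"],
            "reasons": reasons,
            "killed": killed,
            "severity": "high" if killed else "medium",
        })
    return findings


# Constructed sample telemetry, not real log data.
EVENTS = [
    {"EventID": 6, "UtcTime": "2025-08-14 02:11:05",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Validly signed, but loaded from a world-writable staging directory.
    {"EventID": 6, "UtcTime": "2025-08-14 02:14:30",
     "ImageLoaded": "C:\\Users\\Public\\drv\\helper.sys",
     "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2025-08-14 02:14:41",
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2025-08-14 02:14:43",
     "Image": "C:\\Program Files\\EDR\\edr_agent.exe"},
    {"EventID": 5, "UtcTime": "2025-08-14 03:00:00",
     "Image": "C:\\Windows\\notepad.exe"},
]

if __name__ == "__main__":
    for f in hunt_edr_killer(EVENTS):
        print(f["severity"].upper(), f["driver"], "|", ", ".join(f["reasons"]),
              "| killed:", ", ".join(f["killed"]) or "none")
```

Security-process terminations on their own are noisy (agent updates and reboots produce them), which is why the example only escalates to high when they follow a driver load that already looks wrong; the medium finding on a lone suspicious load is what gives you the "detect early" chance before the kill happens.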

Fundraising

From a fundraising perspective, we saw nearly $15B in newly committed capital, including:

  • H.I.G. Capital raising $5.9B for its fourth direct lending fund;

  • JMI Equity raising $3.1B for its 12th software-focused growth equity fund; and

  • Pacific Avenue Capital Partners, a midmarket PE firm focused on carveouts and complex situations, raising $1.65B.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://thehackernews.com/2025/08/cybercrime-groups-shinyhunters.html

https://thehackernews.com/2025/06/weekly-recap-airline-hacks-citrix-0-day.html#:~:text=French%20Police%20Reportedly%20Arrest%20BreachForums%20Admins

https://www.theregister.com/2025/08/14/edr_killers_ransomware/
