In early August 2025, a previously quiet cybercrime collective known as Scattered Spider resurfaced with a striking new Telegram channel that aggregates proof of its intrusions and data exfiltration operations.<\/p>\n
The channel name fuses ShinyHunters, Scattered Spider, and Lapsus$, signaling a collaboration\u2014or at least a shared brand\u2014among several prolific extortion groups.<\/p>\n
Within hours of its launch, the channel published screenshots of console access to Victoria\u2019s Secret, a 100-entry customer data sample from Gucci, and lists of sellable databases from Neiman Marcus and Chanel.<\/p>\n
DataBreaches analysts noted that this amalgamated channel has evolved beyond simple leak announcements into an almost real-time marketplace for stolen credentials and corporate documents.<\/p>\n
Scattered Spider\u2019s emergence as a public aggregator of multiple ransomware<\/a> and data theft campaigns marks a departure from its earlier, more clandestine operations.<\/p>\n Historically, leak channels would post a single statement followed by a download link or sales instructions. In contrast, the new channel intersperses partial data dumps, \u201cHMU if interested\u201d sales pitches, memes, and direct threats to entities like the U.K. Ministry of Justice.<\/p>\n DataBreaches researchers identified<\/a> scripts posted by the group for enumerating GitHub repositories belonging to the Legal Aid Agency.<\/p>\n This blend of proof and propaganda creates a sense of both transparency and terror.<\/p>\n The channel\u2019s rapid revelations caused immediate alarm across industries. High-value targets including Disney, S&P Global, T-Mobile, Nvidia, Otelier, Coinbase, Burger King Brazil, Adidas, and Cisco were all named, with some incidents tying back to earlier Snowflake and Salesforce campaign leaks.<\/p>\n Government bodies did not escape: the U.S. Department of Homeland Security appeared in multiple posts displaying directory listings of servers, while screenshots hinted at negotiations over stolen court filings.<\/p>\n The channel\u2019s frenetic pace and broad scope suggest Scattered Spider may be coordinating or rebranding data theft operations to maximize extortion leverage.<\/p>\n Scattered Spider\u2019s infection mechanism leverages a multi-stage approach beginning with spear-phishing and exploited VPN credentials.<\/p>\n Initial access scripts\u2014shared in obfuscated<\/a> Python snippets\u2014automate the deployment of Cobalt Strike beacons.<\/p>\n A typical snippet revealed the use of a custom loader that decrypts and injects shellcode into memory without writing to disk:-<\/p>\n This in-memory execution evades traditional antivirus scanners<\/a> and endpoint detection tools.<\/p>\n Once the beacon is active, Scattered Spider escalates privileges via known Windows kernel vulnerabilities before deploying ransomware\u2014or exfiltrating data for sale\u2014within 48 hours of initial access.<\/p>\n Equip your SOC with full access to the latest threat data from\u00a0ANY.RUN TI Lookup<\/strong>\u00a0that can Improve incident response ->\u00a0Get 14-day\u00a0Free\u00a0Trial<\/a><\/strong><\/p>\n The post Scattered Spider With New Telegram Channel List Organizations It Attacked<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiwK1PHZlEWdWfatWG1x6WaIDmFc2m7htxrwnz21Ow0qAJITTKlqGXJ7Upded6OgswIAaSlHkIzUsYobejh-kqr-jx8AmgCPwM-U2Zu4vINWYXLGaBDfXz_tqtu4RILNTsRqBj33qeYZaJWlog4u54vRBljhNnxUqQRiS70izq9iUVASKj9mJfW9jrEnis\/s16000\/ministryofjustice_repos_contents.txt%2520%28Source%2520-%2520DataBreaches.net%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh3ZMMHpWJw401qBh_biZ7GBs7WIxtrpeDgZYt1qrUsLUtw8OJ5dzAePLCs_wX6kCcr4ogiQhuXeeVfgQYm1f_VvaWY5AZH1Wo3nl_v8nrfYSq3lbD8QiIZbZPHeNwU38QK7E4d0iqvR1eHZh6Q94QasE7E8Z_fYOIKy6SYELDIgZn0htoSeCQbzwLUGKU\/s16000\/DHSDCAS%2520server%2520list%2520%28Source%2520-%2520DataBreaches.net%29.webp?ssl=1\")
Infection Mechanism<\/strong><\/h2>\n
import ctypes, base64, subprocess\nshellcode = base64.b64decode(\"...==\")\nptr = ctypes.windll.kernel32.VirtualAlloc(None, len(shellcode), 0x3000, 0x40)\nctypes.memmove(ptr, shellcode, len(shellcode))\nctypes.windll.kernel32.CreateThread(None, 0, ptr, None, 0, None)\nsubprocess.call([\"powershell\", \"-nop\", \"-w\", \"hidden\", \"-c\", \"Invoke-CobaltStrike\"])<\/code><\/pre>\n