Summary
On November 21, 2025, CrowdStrike, a leading cybersecurity company, announced that it had neutralized an “insider” attempt to gain access to its systems. The incident is more than an isolated case: it signals a radical shift in the operational strategy of the threat group calling itself “Scattered LAPSUS$ Hunters” (SLH).
Our cyber threat intelligence team’s analysis indicates that the group is moving away from the “affiliate” model associated with other ransomware gangs (ALPHV, Qilin, etc.) toward its own Ransomware-as-a-Service (RaaS) infrastructure, the “ShinySp1d3r” platform. The CrowdStrike attempt and the aggressive initial-access buying campaign that followed it reveal the group’s desire to make a high-profile impact before this restructuring.
The Scattered LAPSUS$ Hunters threat group contacted a CrowdStrike employee in an attempt to infiltrate the company’s network, offering $25,000 in exchange for network access. According to the allegations, the employee accepted the offer and began collaborating with the attackers, sharing screenshots from internal systems. Before the attackers could obtain the critical access material they had been promised, however, CrowdStrike’s security teams detected the activity.
- Technical Target: The attackers’ primary goal was to obtain SSO (Single Sign-On) authorization cookies. Such cookies represent an already-authenticated session, so they bypass MFA (multi-factor authentication) layers and can provide direct access to cloud resources and customer data.
- Defense Success: CrowdStrike’s UEBA (User and Entity Behavior Analytics) systems detected the employee’s attempt to share screenshots with external parties and the abnormal network activity. The case once again shows that the human factor has to be backed by technical monitoring.
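The kind of in-session check the “Defense Success” item describes, and the “Insider Monitoring” recommendation later in this piece, can be illustrated with a small scorer. The example below is added for this write-up and is not CrowdStrike’s detection logic: it compares each VPN/VDI session against that user’s own egress history (median plus a multiple of the median absolute deviation, so one outlier does not inflate the baseline) and checks the session’s process list against a watchlist of screen-capture binaries. The session records, the history and the watchlist are constructed.

```python
"""
Session-anomaly scoring in the spirit of the UEBA detection described above:
each VPN/VDI session is compared with that user's own history for egress
volume, and its process list is checked for screen-capture tooling.
Added example for this write-up; the sessions, the history and the tool
watchlist are constructed, not drawn from any real telemetry.
"""
from statistics import median

# Constructed watchlist of screen-capture binaries; a real deployment maintains its own.
SCREEN_CAPTURE_TOOLS = {"scrot", "gnome-screenshot", "flameshot", "spectacle", "maim"}


def robust_threshold(history, k=5.0):
    """Median + k * MAD, with a floor so a flat history does not yield a zero-width band."""
    center = median(history)
    spread = median(abs(v - center) for v in history)
    return center + k * max(spread, 0.1 * center, 1.0)


def score_session(session, history, min_sessions=5):
    """Return the reasons a session is anomalous; an empty list means nothing stood out."""
    reasons = []
    # Volume check only once the user has enough sessions to baseline; a brand-new
    # account would need a peer-group baseline instead, which this example omits.
    if len(history) >= min_sessions:
        threshold = robust_threshold(history)
        if session["egress_bytes"] > threshold:
            reasons.append(
                f"egress {session['egress_bytes']} B exceeds per-user threshold {threshold:.0f} B"
            )
    tools = SCREEN_CAPTURE_TOOLS & set(session["processes"])
    if tools:
        reasons.append("screen-capture tooling observed: " + ", ".join(sorted(tools)))
    return reasons


# Constructed history: egress bytes of jdoe's last six sessions.
HISTORY = {"jdoe": [40_000_000, 55_000_000, 38_000_000, 60_000_000, 45_000_000, 50_000_000]}

# Constructed sessions to score.
SESSIONS = [
    {"user": "jdoe", "egress_bytes": 44_000_000, "processes": ["bash", "vim", "git"]},
    {"user": "jdoe", "egress_bytes": 52_000_000, "processes": ["bash", "flameshot"]},
    {"user": "jdoe", "egress_bytes": 900_000_000, "processes": ["bash", "rsync"]},
]


def score_all(sessions=SESSIONS, history=HISTORY):
    """Score each session against its user's history; returns one reason list per session."""
    return [score_session(s, history.get(s["user"], [])) for s in sessions]


if __name__ == "__main__":
    for s, reasons in zip(SESSIONS, score_all()):
        print(s["user"], s["egress_bytes"], reasons or "ok")
```

Two design points matter in practice: the baseline is per user, because a 900 MB transfer is routine for a backup operator and alarming for an analyst, and the process-list check fires independently of volume, because a handful of screenshots is tiny in bytes but is exactly the activity the CrowdStrike case turned on.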



This failed attempt pushed the SLH group into a strategic phase of “panic” and “acceleration”: the group began publishing louder and more extensive access-purchase announcements on its Telegram channels (“Part 7”).
In-Depth Technical Analysis
What Do Access Requests Indicate?

The specific technical evidence the group requests from Initial Access Broker (IAB) networks reveals how it is diversifying its attack vectors and which persistence methods it is targeting. The intelligence value of the technical requirements listed in the advertisements is as follows:
1. Linux and Hybrid Cloud Focus
The group specifically requests access to LDAP configuration files on Linux systems.
The attackers’ focus is not limited to MS AD (Microsoft Windows Active Directory) environments. In misconfigured environments, “/etc/openldap/ldap.conf” files can contain server addresses and an unencrypted bind password. This request indicates that the attackers aim to extend their lateral-movement capabilities through Linux-based servers.
2. “Living off the Land” and SSH Persistence
The group asks for private keys with the “.pem” extension rather than password-based access.
Password-guessing attempts are easy for SIEM products to detect, whereas a login with a valid SSH key can be perceived as legitimate administrator traffic. This choice shows that the attackers plan to remain undetected on the network for an extended period (dwell time) before deploying the ransomware payload.
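Because a key-based login looks like any other administrator session, the only thing that separates a stolen key from an issued one is an authoritative inventory of fingerprints. The example below is added for this write-up and is not code from the page or from any vendor: it parses OpenSSH “Accepted publickey” lines from a constructed auth log and flags logins whose fingerprint is not on the inventory for that account, or whose account has no issued keys at all. The log lines, fingerprints and inventory are all constructed.

```python
"""
Detect SSH public-key logins that the approved-key inventory cannot vouch for.
Added example for this write-up; the log lines, fingerprints and inventory are
constructed and do not come from any real system or incident.
"""
import re
from dataclasses import dataclass

# OpenSSH logs a successful key login in this shape (syslog prefix omitted from the regex):
# "Accepted publickey for alice from 10.1.2.3 port 51022 ssh2: ED25519 SHA256:..."
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)

# Constructed inventory: the key fingerprints that were actually issued, per account.
# In production this comes from the key-management system, not from a literal in code.
APPROVED_KEYS = {
    "alice": {"SHA256:AAAAconstructedfingerprintalice01"},
    "deploy": {"SHA256:BBBBconstructedfingerprintdeploy1"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    src: str
    fingerprint: str
    reason: str


def audit_ssh_logins(lines, approved=APPROVED_KEYS):
    """Return one Finding per key-based login whose fingerprint is not inventoried."""
    findings = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if not m:
            continue  # password logins, failures and other daemons are out of scope here
        user, src, fp = m["user"], m["src"], m["fp"]
        issued = approved.get(user)
        if issued is None:
            findings.append(Finding(user, src, fp, "account has no approved SSH keys"))
        elif fp not in issued:
            findings.append(Finding(user, src, fp, "fingerprint not in inventory"))
    return findings


# Constructed sample of /var/log/auth.log lines.
SAMPLE_LOG = [
    "Nov 22 03:14:07 web01 sshd[2211]: Accepted publickey for alice from 10.1.2.3 port 51022 "
    "ssh2: ED25519 SHA256:AAAAconstructedfingerprintalice01",
    "Nov 22 03:15:41 web01 sshd[2290]: Accepted password for bob from 10.1.2.9 port 51100 ssh2",
    "Nov 22 04:02:13 web01 sshd[2401]: Accepted publickey for alice from 198.51.100.7 port 40010 "
    "ssh2: RSA SHA256:CCCCconstructedkeyaddedoutofband0",
    "Nov 22 04:05:00 web01 sshd[2410]: Accepted publickey for svc-backup from 10.1.2.20 port 40111 "
    "ssh2: RSA SHA256:DDDDconstructedneverinventoried00",
]

if __name__ == "__main__":
    for f in audit_ssh_logins(SAMPLE_LOG):
        print(f"{f.user}@{f.src} {f.fingerprint}: {f.reason}")
```

The second alice login is the interesting one: same account, valid key, successful authentication, nothing a password-centric rule would notice. It is caught only because the fingerprint was never issued, which is why the inventory has to be the single path by which keys reach authorized_keys.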
3. Pricing Policy and Attack Vector
Offering a 25% commission for Active Directory (AD) access but only 10% for Okta/AWS access confirms that the group’s ultimate goal is system lockout (ransomware) rather than data theft: Domain Admin privileges in AD are the fastest and most reliable way to distribute ransomware across an estate.
Target Profiling and Sectors at Risk
SLH adopts a “Big Game Hunting” strategy and excludes companies with revenues below $5,000,000 from its target scope.
- Priority Sectors: Telecommunications providers, large-scale gaming companies, call centers (BPO), and server hosting services.
- Geographic Scope: “Five Eyes” countries (United States, United Kingdom, Canada, Australia, New Zealand) are priority targets.
Intelligence Note: The fact that companies based in Russia (RF), China (PRC), and North Korea (DPRK) are on the “prohibited list” suggests that the group avoids conflict with law enforcement in these regions or receives operational support from them.
Recommended Defense Actions
Organizations are advised to promptly implement the following measures in light of the lessons learned from the CrowdStrike incident and the ShinySp1d3r threat:
- SSH Key Management and Control: “.pem” files and “authorized_keys” files across the server infrastructure should be inventoried, and orphaned or outdated SSH keys should be revoked.
- LDAP Security: Access permissions (chmod/chown) on configuration files such as “ldap.conf” on Linux servers should be tightened in line with the least-privilege principle.
- Insider Monitoring: For VPN and VDI sessions, monitor not only login logs but also behavioral anomalies during the session (large data transfers, use of screen-capture tools, etc.). In today’s threat landscape, a UEBA solution is no longer a luxury.
- Supply Chain Awareness: Token permissions for all third-party integrations should be reviewed and unnecessary API permissions removed. Third-party provider risk should not be overlooked either; a bundled solution such as the “Cyberthint Unified CTI & DRP Platform”, which combines threat intelligence and digital risk protection, can be used for this.
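The first two recommendations, and the LDAP and SSH-key items in the analysis section, come down to host checks that are easy to script. The example below is added for this write-up and is not the page’s or any vendor’s tooling: it walks an authorized_keys body and reports entries whose SHA-256 fingerprint is not in an approved inventory (which is how orphaned contractor keys surface), and it checks an ldap.conf body plus its permission bits for world-readability, a cleartext BINDPW, an unencrypted ldap:// URI and TLS_REQCERT never. The key blobs are constructed in code and are not real keys; the file contents and the inventory are constructed as well.

```python
"""
Host-side audit for two of the recommendations above: authorized_keys entries
that are not in the approved-key inventory, and LDAP client configuration that
is readable by everyone or carries a cleartext bind password.
Added example for this write-up; key blobs, file contents and inventory are constructed.
"""
import base64
import hashlib
import os
import stat


def ssh_fingerprint(pubkey_b64):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the SHA-256 of the key blob."""
    raw = base64.b64decode(pubkey_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def constructed_ed25519_blob(seed):
    """Wire-format ed25519 blob with a hash standing in for the public key (NOT a real key)."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(b"ssh-ed25519") + s(hashlib.sha256(seed).digest())).decode()


def audit_authorized_keys(text, approved):
    """Return (fingerprint, comment, reason) for every entry that needs review."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()  # simplification: options containing quoted spaces are not handled
        # Entries may begin with options such as from="..."; the key type is the first
        # token that looks like a key-type name.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or len(parts) < idx + 2:
            findings.append(("?", line[:40], "unparseable entry"))
            continue
        comment = " ".join(parts[idx + 2:])
        try:
            fp = ssh_fingerprint(parts[idx + 1])
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(("?", comment, "undecodable key material"))
            continue
        if fp not in approved:
            findings.append((fp, comment, "not in approved inventory"))
    return findings


def audit_ldap_conf(text, st_mode):
    """Check an ldap.conf body plus its permission bits for the weaknesses discussed above."""
    issues = []
    if st_mode & (stat.S_IROTH | stat.S_IWOTH):
        issues.append("file is world-readable or world-writable")
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        key, values = tokens[0].lower(), [v.lower() for v in tokens[1:]]
        if key == "bindpw":
            issues.append("cleartext bind password in config")
        elif key == "uri" and any(v.startswith("ldap://") for v in values):
            issues.append("non-TLS ldap:// URI (bind credentials and queries travel in the clear)")
        elif key == "tls_reqcert" and values == ["never"]:
            issues.append("TLS_REQCERT never disables server certificate validation")
    return issues


def audit_ldap_file(path):
    """Run audit_ldap_conf against a real file on disk (for an actual host audit)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_ldap_conf(fh.read(), os.stat(path).st_mode)


# Constructed samples.
KEY_ALICE = constructed_ed25519_blob(b"alice-laptop")
KEY_DEPLOY = constructed_ed25519_blob(b"ci-deploy")
KEY_CONTRACTOR = constructed_ed25519_blob(b"contractor-2023")
APPROVED = {ssh_fingerprint(KEY_ALICE), ssh_fingerprint(KEY_DEPLOY)}

SAMPLE_AUTHORIZED_KEYS = f"""# managed by configuration management
ssh-ed25519 {KEY_ALICE} alice@laptop
from="10.1.2.0/24",no-agent-forwarding ssh-ed25519 {KEY_DEPLOY} deploy@ci
ssh-ed25519 {KEY_CONTRACTOR} old-contractor-2023
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQ truncated-key
"""

SAMPLE_LDAP_CONF = """BASE   dc=example,dc=internal
URI    ldap://ldap.example.internal
BINDDN cn=svc-auth,dc=example,dc=internal
BINDPW constructed-not-a-real-password
TLS_REQCERT never
"""

if __name__ == "__main__":
    for fp, comment, reason in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"authorized_keys: {comment!r} {fp}: {reason}")
    for issue in audit_ldap_conf(SAMPLE_LDAP_CONF, 0o100644):
        print(f"ldap.conf: {issue}")
```

The remediation for each finding follows directly: an uninventoried key is removed and the account owner asked to re-enrol through the inventory, and an ldap.conf that fails the checks is chmod 600 with an ldaps:// URI and the bind password moved to a file or secret the LDAP client reads with restricted permissions.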
Conclusion
Scattered LAPSUS$ Hunters is evolving from a loose collective of young hackers into an organized crime group (ShinySp1d3r) that runs its own infrastructure. Its failure in the CrowdStrike incident has not deterred it; on the contrary, it has increased its operational tempo.

It is anticipated that activity in the cyber threat landscape will increase after November 24, 2025, with the group launching its new RaaS model.