SOCRadar® Cyber Intelligence Inc. | Scattered LAPSUS Hunters Escalate With New Channel and Gainsight Breach
Nov 21, 2025
Dec 24, 2025
Moon

Scattered LAPSUS Hunters Escalate With New Channel and Gainsight Breach

Scattered LAPSUS$ Hunters (SLH) has returned to the spotlight with new claims, alleged leaks, and a new Telegram channel, signaling a sharp rise in aggression. The group presents itself as a unified brand comprising Scattered Spider, LAPSUS$, and ShinyHunters. Their record shows social engineering, identity theft, and large SaaS supply chain breaches. Their latest activity shows a wider reach and a stronger need for public attention.

A New Telegram Channel

Today, SLH launched a new Telegram channel that provides insight into their current operations and intent.

Guess who's back? Screenshot from the scattered LAPSUS$ hunters part 7 Telegram channel.


Early posts include claims of 300 compromised organisations. They also state that their activity has produced higher revenue than several established ransomware groups like Qilin, Akira, and Cl0p.

SLH is taunting other ransomware groups


SLH references other ransomware groups to shape their public image and influence how the broader ecosystem perceives them. Part of this is intentional provocation, a tactic they have employed in earlier operations. The comparisons also serve a strategic purpose: they aim to draw sustained attention from the media, security vendors, and the cybercriminal community, which can support future recruitment and potential affiliations.

The group publishes screenshots that appear to show alleged material from cybersecurity vendors (the group likes to taunt cybersecurity companies) and various large firms. These images include tool dashboards, forms, and employee directories.

Mentioned organizations in their Telegram posts


SLH issues threats aimed at security researchers and commercial security companies. Alongside this, they name several firms as active targets.

A Major Supply Chain Breach Through Gainsight

Scattered LAPSUS$ Hunters' most serious claim involves a large-scale supply chain incident affecting the application provider Gainsight. Salesforce published a security advisory stating that it had identified unusual activity in Gainsight-published applications installed and managed by customers. The advisory emphasizes that the issue does not stem from a vulnerability in the Salesforce platform itself; instead, it appears to be tied to the third-party app's external connection.

Salesforce’s security advisory (Source)


Upon detecting the irregular activity, Salesforce revoked all active access and refresh tokens associated with the affected Gainsight applications and temporarily removed those applications from the AppExchange while the investigation continues. Customers who may have been impacted have been contacted directly.

  • Gainsight has also released several updates through its status channels. It reports that the activity under investigation originated from the application’s external connection, not from any flaw in the Salesforce platform. Gainsight has engaged Mandiant to support an independent forensic investigation and continues to work with Salesforce as both teams review the technical indicators.
  • Gainsight noted that customers can request the specific IP ranges and subnets used by the Gainsight Connector through a support ticket.

SLH claims that this alleged breach impacted approximately 300 companies. They further state that when combined with their earlier breach of Salesloft/Drift, their data-leak site will include nearly 1,000 organisations, including multiple Fortune 500 firms. Among those named for the Gainsight incident are companies such as Verizon, GitLab, F5, and SonicWall.

If these claims hold up under investigation, this event could rank among the most significant SaaS supply chain attacks of the year. It underlines a recurring tactic: attackers gaining access through trusted third-party integrations by misappropriating tokens or leveraging support-case secrets rather than exploiting direct product vulnerabilities.

Ransomware-as-a-Service Program on 24 November

The group now promotes its upcoming Ransomware-as-a-Service (RaaS) program. They plan to start it on 24 November. This aligns with their ongoing shift from pure data theft to a broader criminal enterprise. The timeline also matches their promise of a significant announcement. Even if the RaaS program ultimately proves small, the intent demonstrates a clear shift toward a more stable and scalable model.

Telegram post about planned announcement on 24 November


Their next data-leak site update appears set to include material from both the Salesloft and Gainsight campaigns. As mentioned above, the combined set approaches 1,000 affected organisations. They indicated that they plan to list only established companies, with a focus on larger enterprises and Fortune 500 entities they consider “worth publishing.”

Why It Matters

The Gainsight incident highlights the risks associated with SaaS integrations and supply chain attacks. Many firms link dozens of apps to Salesforce and other cloud platforms. These apps often hold OAuth access and refresh tokens that grant broad access. If attackers steal one of these tokens, they can reach many customer environments at once, and their requests arrive over the same trusted integration path and look like routine app traffic in the logs.

The current situation also shows three key points:

  1. Identity controls are still too easily bypassed through support teams or social engineering.
  2. Many firms still grant broad token scopes to third-party apps.
  3. Public leak sites force companies to respond fast, often under stress.

SLH is aware of all this and uses it to their advantage.

Defensive Steps

While details of the ongoing investigation remain limited, several safe steps can help reduce risk:

  • Review all connected apps inside Salesforce and other cloud platforms. Remove unused or risky ones.
  • Reset and rotate all OAuth and refresh tokens linked to third-party apps when an incident occurs.
  • Limit scopes for integrations so they cannot read or export wide sets of data.
  • Train support staff to spot social engineering attempts.
  • Use strong approval workflows for password resets, MFA changes and user impersonation.
  • Monitor for suspicious login patterns or abnormal token use.
  • Keep incident response plans ready for sudden extortion or leak threats.
  • Use supply chain visibility tools where possible. SOCRadar’s Supply Chain Intelligence module can help track third-party exposure and highlight early signs of upstream risk.
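The connected-app review, scope limits and token-use monitoring above can be turned into a small, repeatable check. The following is an added example and not SOCRadar's, Salesforce's or Gainsight's code: the app inventory, usage log lines and scope names are constructed, and the connector IP ranges are placeholders standing in for the ranges a vendor publishes (Gainsight makes its ranges available through a support ticket, as noted above). It flags integrations with the overbroad `full` scope or a long-lived `refresh_token` grant, integrations unused for a configurable period, and API calls that either come from outside the vendor's expected ranges or read unusually large row counts, which is the shape of bulk data export through a stolen token.

```python
"""Review connected-app grants and flag abnormal token use (added example)."""
import ipaddress
from datetime import datetime, timedelta

# Salesforce OAuth scope names: "full" grants everything the user can do,
# "refresh_token" lets the app mint new access tokens long after login.
OVERBROAD_SCOPE = "full"
LONG_LIVED_SCOPE = "refresh_token"

# Constructed inventory of connected apps: name, granted scopes, last use.
CONNECTED_APPS = [
    {"name": "cs-analytics-connector", "scopes": {"full", "refresh_token"},
     "last_used": "2025-11-20T08:12:00"},
    {"name": "legacy-survey-tool", "scopes": {"api", "refresh_token"},
     "last_used": "2025-04-02T11:40:00"},
    {"name": "calendar-sync", "scopes": {"openid", "email"},
     "last_used": "2025-11-21T07:55:00"},
]

# Placeholder allow-list (TEST-NET ranges): substitute the egress ranges
# the vendor actually publishes for its connector.
EXPECTED_CONNECTOR_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                             ipaddress.ip_network("198.51.100.0/25")]

# Constructed API-usage log: timestamp, app, source IP, rows returned.
USAGE_LOG = """\
2025-11-20T08:12:00 app=cs-analytics-connector ip=192.0.2.17 rows=120
2025-11-20T08:42:00 app=cs-analytics-connector ip=192.0.2.17 rows=95
2025-11-20T22:03:00 app=cs-analytics-connector ip=203.0.113.9 rows=48000
2025-11-20T22:09:00 app=cs-analytics-connector ip=203.0.113.9 rows=51000
2025-11-21T07:55:00 app=calendar-sync ip=198.51.100.40 rows=3
"""


def review_connected_apps(apps, now, stale_days=90):
    """Return (app, reason) findings for risky grants and unused apps."""
    findings = []
    for app in apps:
        if OVERBROAD_SCOPE in app["scopes"]:
            findings.append((app["name"], "broad scope: full"))
        if LONG_LIVED_SCOPE in app["scopes"]:
            findings.append((app["name"], "long-lived refresh_token grant"))
        last = datetime.fromisoformat(app["last_used"])
        if now - last > timedelta(days=stale_days):
            findings.append((app["name"], f"unused for >{stale_days} days"))
    return findings


def parse_usage(log_text):
    """Parse 'ts key=value ...' lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.fromisoformat(ts), "app": fields["app"],
                       "ip": ipaddress.ip_address(fields["ip"]),
                       "rows": int(fields["rows"])})
    return events


def detect_abnormal_token_use(events, expected_ranges, export_threshold=10000):
    """Flag calls from unexpected sources and bulk reads; both hint at a
    token being replayed from attacker infrastructure."""
    alerts = []
    for ev in events:
        if not any(ev["ip"] in net for net in expected_ranges):
            alerts.append((ev["app"], str(ev["ip"]),
                           "source outside expected connector ranges"))
        if ev["rows"] >= export_threshold:
            alerts.append((ev["app"], str(ev["ip"]),
                           f"bulk read of {ev['rows']} rows"))
    return alerts


def apps_to_rotate(alerts):
    """Apps whose tokens should be revoked and reissued, per the steps above."""
    return sorted({app for app, _, _ in alerts})


if __name__ == "__main__":
    now = datetime(2025, 11, 21, 12, 0)
    for finding in review_connected_apps(CONNECTED_APPS, now):
        print("REVIEW", *finding)
    alerts = detect_abnormal_token_use(parse_usage(USAGE_LOG),
                                       EXPECTED_CONNECTOR_RANGES)
    for alert in alerts:
        print("ALERT", *alert)
    print("rotate tokens for:", apps_to_rotate(alerts))
```

In production the inventory would come from the platform's connected-app listing and the usage events from its API event logs rather than from the constructed strings here; the thresholds (90 days, 10,000 rows) are starting points to tune against a baseline of each integration's normal behaviour.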

SOCRadar’s Supply Chain Intelligence


These measures do not prevent every attack, but they reduce the blast radius.

Conclusion

The next few weeks will likely bring more public posts from SLH. Their pattern suggests a large reveal after 24 November. This may include victim lists from both the Salesloft and Gainsight campaigns. It may also include early material from their RaaS service.

More supply chain events are possible. SLH has shown clear interest in SaaS platforms and identity paths. They prefer trusted links over direct exploitation. They also plan to keep pushing content to their public channels to stay relevant.

This group wants the spotlight. Their actions show a mix of skill, social engineering, and showmanship. As the 24 November announcement nears, security teams should treat their claims with caution but also prepare for real impact. The pattern is clear. SLH will keep using public channels, supply chain paths, and identity misuse to reach high-value targets across many sectors.