Extortion attacks on corporate targets have grown steadily more aggressive over the past several years, but a gang operating under the name Scattered Lapsus ShinyHunters has pushed that aggression into territory most threat actors have never approached.
The group — known by the abbreviation SLSH — does not follow the structured playbook of traditional ransomware collectives. According to Allison Nixon, director of research at New York City-based security consultancy Unit 221B, SLSH is a fluid, English-language extortion gang that has shown no interest in building the kind of consistent reputation that might give victims any reason to trust it. That distinction matters enormously when deciding whether to pay.
A Playbook Built on Psychological Pressure
Where established Russian-speaking ransomware groups typically apply pressure through dark web shaming blogs, countdown timers, and selective data leaks, SLSH moves faster and further. Nixon, who has tracked the group across multiple Telegram channels, describes an escalation pattern that includes threats of physical violence against executives and their families, distributed denial-of-service attacks against victim websites, and sustained email-flooding campaigns.
Swatting is also part of the arsenal. SLSH has communicated fabricated bomb threats and fake hostage situations tied to executives’ home or work addresses, prompting heavily armed police responses. “A big part of what they’re doing to victims is the psychological aspect of it, like harassing executives’ kids and threatening the board of the company,” Nixon said. The harassment runs in parallel with media outreach — journalists are simultaneously contacted about the breach, putting victims under pressure from multiple directions at once.
The initial access method is phone-based phishing. According to a January 30 blog post from Google’s security forensics firm Mandiant, the group’s most recent attacks stem from incidents in early to mid-January 2026, when members posed as IT staff and called employees claiming the company was updating MFA settings. Targets were then directed to credential harvesting sites built to look like their own employer’s login pages, where SSO credentials and MFA codes were captured. The threat actors then registered their own devices for MFA access.
Victims typically learn the breach has occurred only when their company’s name appears in whichever new public Telegram group SLSH is currently using to coordinate harassment.
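The MFA device registration step described above leaves a trace defenders can look for: an enrollment made from an IP address the account had never used until minutes earlier. The sketch below is an added example, not code from Mandiant or Unit 221B; the event tuple layout, the 30-minute window and every sample event are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, event type, source IP).
# The layout is an assumption for this example, not a vendor log schema.
EVENTS = [
    ("2026-01-03T09:00:00", "dave", "sso_login", "198.51.100.30"),
    ("2026-01-05T09:00:00", "alice", "sso_login", "198.51.100.10"),
    ("2026-01-10T09:00:00", "bob", "sso_login", "198.51.100.20"),
    ("2026-01-12T14:02:00", "alice", "sso_login", "203.0.113.77"),
    ("2026-01-12T14:06:00", "alice", "mfa_enroll", "203.0.113.77"),
    ("2026-01-13T10:00:00", "bob", "mfa_enroll", "198.51.100.20"),
    ("2026-01-14T08:00:00", "carol", "sso_login", "192.0.2.5"),
    ("2026-01-14T08:05:00", "carol", "mfa_enroll", "192.0.2.5"),
    ("2026-01-15T11:00:00", "dave", "sso_login", "203.0.113.9"),
    ("2026-01-15T13:00:00", "dave", "mfa_enroll", "203.0.113.9"),
]


def suspicious_enrollments(events, window=timedelta(minutes=30)):
    """Return (user, ip, enroll_time) for each MFA enrollment made from an IP
    that first appeared for an already-known user within `window` before it."""
    known_ips = {}    # user -> set of IPs seen on earlier logins
    novel_login = {}  # (user, ip) -> time that IP first appeared for the user
    alerts = []
    for ts, user, kind, ip in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if kind == "sso_login":
            seen = known_ips.setdefault(user, set())
            # A user's very first login only builds the baseline (new hires
            # enroll MFA on day one), so it is never treated as novel.
            if seen and ip not in seen:
                novel_login[(user, ip)] = when
            seen.add(ip)
        elif kind == "mfa_enroll":
            first_seen = novel_login.get((user, ip))
            if first_seen is not None and when - first_seen <= window:
                alerts.append((user, ip, ts))
    return alerts


if __name__ == "__main__":
    for user, ip, ts in suspicious_enrollments(EVENTS):
        print(f"ALERT {ts} {user}: MFA device enrolled from first-seen IP {ip}")
```

With the default window only the constructed "alice" enrollment is flagged; widening the window also catches the slower "dave" case at the cost of more noise.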
Why Paying Changes Nothing
Some targeted organizations are reportedly paying — driven as much by the desire to contain stolen data as to stop the personal attacks on leadership. Nixon’s position is unambiguous: engaging beyond a flat refusal only invites more harassment.
The reason is structural. All known SLSH members come from what Nixon describes as “The Com” — a loose network of cybercrime-focused Discord and Telegram communities that enable rapid collaboration among threat actors. Groups rooted in that environment tend toward internal feuding, betrayals, and credibility-destroying behavior. Promises made during extortion — including commitments to delete stolen data — carry no enforcement mechanism and no reputational cost when broken.
In a blog post published today, Unit 221B argues formally that no organization should negotiate with SLSH, citing the group’s demonstrated history of making commitments it has no intention of honoring. Nixon frames the calculus plainly: the group’s fractious internal dynamics mean that payment resolves nothing and confirms only that the target will respond to pressure.
The firm’s published guidance calls for a single, definitive “We’re not paying” response — and nothing more.
This article is a curated summary based on third-party sources.