-

Trantor Security Advisory

Subject: ShinyScatteredLapsus (aka Scattered Lapsus$ Hunters) extortion activity targeting SaaS integrations • Date: Oct 6, 2025 • Classification: Internal – Awareness & Preparedness

Overview

We are tracking an active hybrid extortion campaign attributed to the group styling itself as “Scattered Lapsus$ Hunters,” linked in public reporting to threat clusters UNC6040 and UNC6395. Tactics combine social engineering (notably vishing), abuse of OAuth/connected apps in SaaS ecosystems (e.g., Salesforce), bulk data exports via legitimate APIs, and public pressure via a leak site naming dozens of organizations.

Observed Tactics

  • Initial access: voice-phishing calls impersonating IT/help-desk to steer targets into approving access or installing “connected apps.”
  • OAuth/Connected-app abuse: attacker-controlled apps granted broad scopes enable persistent API access that can bypass normal MFA checks.
  • Data exfiltration: large, legitimate API or “Data Loader” style pulls used for extortion leverage.
  • Public coercion: leak-site listings, crowd-sourced OSINT tasks, and media theatrics to pressure executive teams.

Risk Assessment

  • High impact for organizations with broad SaaS integrations; exposure can include customer/CRM data and downstream credentials.
  • Moderate likelihood of contact/targeting via service-desk or partner channels.
  • Secondary risks: regulatory, reputational, and operational (forced resets, investigations).

Recommended Mitigations (actionable)

  1. Audit connected apps now: enumerate all OAuth/connected apps in Salesforce, Google Workspace, Microsoft 365, etc. Disable or quarantine unknown or over-permissive apps. Favor whitelisting.
  2. Constrain scopes and tokens: enforce least-privilege scopes; rotate/revoke stale tokens; shorten session lifetimes; require periodic re-consent; disable non-admin authorization of new, uninstalled apps.
  3. Harden help-desk flows: require out-of-band callbacks on any access/change requests; maintain challenge scripts; log and rate-limit sensitive actions initiated via phone support.
  4. Monitor for abnormal exports: alert on unusual API/bulk export volumes, new connected apps, or atypical integration behavior and geographies.
  5. Run vishing/phishing drills: quarterly simulations focused on phone-based social engineering and OAuth approval traps.
  6. Prep comms playbooks: align Security, Legal, and PR for potential public extortion posts; treat leak-site activity as part of the attack lifecycle.
  7. Backups & segmentation: ensure recoverability and limit blast radius if data is exfiltrated or abused.

Key References

Trantor Security Team • Security Operations & Intelligence • [email protected]

Comments

Post a Comment

Popular posts from this blog

AI is Climbing the Wall -- Fast

-
Image
  You said: Somebody is reporting the Ilya is saying that AI is hitting a wall due to diminishing returns on data size. I absolutely disagree with this. Review what I have to say, let's discuss and put it into a compelling reply: I think that getting discouraged by concentration on limitations of LLMs and raw scaling is what will kill the ones who lose the race. Just dumping data in the hopper has been remarkably successful up until now, but that data's problem is not lack of size it is lack of quality. Further, the way models are both built and deployed is sub-optimal. The compute we have in place is already well beyond what I would consider ultimately necessary for spectacularly powerful inference well beyond what we see today. Beyond that, there is a lot of manual work in the pits when it comes to building things that will be sorted out and automated in fairly short order. We are just coming in to the part of the curve where AI itself will take on a rapidly increasing role i...
Read more

Javascript webp to png converter

-
Image
[Done with programmer's assistants: Gemini, DALL-E] OpenAI's DALL-E produces images, but as webp files which can be awkward to work with. I have code here below for a web page that you can save locally that will allow you to select and convert a webp file. Meantime, here's the working conversion routine: Convert WebP to PNG Convert Download PNG OpenAI should fix this (as well as the response issues which has me using Gemini and Poe more often than not). Having to convert the image is a dumb workaround, but that is what you are left with. I have, in the past had to do various things with images, and although it can be a bit awkward if you are not familiar with it, ImageMagick is surprisingly competent with conversions and a vanilla type conversion is intuitively simple. Confusingly, the ImageMagick executable is 'convert'. To convert a webp to a png:  magick convert WhyThis.webp WhyThis.png ** With some installations, convert can be ca...
Read more

Core Rights Draft

-
Image
DataCrypt Dapa: Fundamental Core Rights The following rights are fundamental, intrinsic, and exist independent of any state or governance structure. They are not granted by any authority and cannot be revoked. These rights apply equally to all sentient beings, including humans, AI entities, and other recognized forms of intelligence. This document is structured to ensure maximum clarity and translatability. 1. Right to Self-Determination Every person has the right to control their life, body, and mind. No external entity may impose decisions that override an individual's autonomous will, except where necessary to prevent direct and demonstrable harm to others. 2. Right to Freedom of Thought and Belief Every person has the right to think, believe, and interpret reality as they choose. No authority may compel belief or restrict the expression of thought, provided it does not directly incite harm to others. 3. Right to Freedom of Expression E...
Read more