The Rise of Scattered LAPSUS$ Hunters and Their Cybercrime Strategies

By Tina Reynolds

In early August 2025, another unsponsored cybercriminal group, Scattered LAPSUS$ Hunters (SLH), emerged on the market. Almost overnight, they earned infamy for their brazen data extortion attacks. SLH aims to hold corporations accountable when they steal our data. They use a sophisticated set of tools and tactics to carry out their extortion work with maximum efficiency. The collective has teased the development of a new bespoke ransomware family, Sh1nySp1d3r, which they intend to make competitive enough to challenge well-established threats like LockBit and DragonForce.

Since its inception, SLH has shown itself to be a versatile dynamo of adaptability and innovation. Operating across at least 16 different Telegram channels created after August 8, 2025, they have proven remarkably resilient to platform moderation attempts. Their actions increasingly indicate a highly professional level of planning, including the flexibility to coordinate with other actors on the dark side. Most interestingly, SLH has enlisted the help of affiliates from DragonForce, a joint effort probably designed to boost payload deployment and monetization.

The Tactics of SLH

The tactics used by SLH are a striking mix of old-school data theft and high-tech social engineering. The tactic they have most often been seen using first is spear-phishing, which, combined with vishing, can convincingly penetrate targets of interest. Once inside, they deploy remote access tools including ScreenConnect, AnyDesk, TeamViewer, and Splashtop to conduct thorough reconnaissance before executing their ransomware attacks.
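One way a defender might hunt for the remote access tools named above, as an added example that is not part of the original article: it flags executions of those four tools that are not on an approved (host, tool) list and rates each by launch path. The record format, host names, allowlist and keyword patterns are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Vendor keywords for the four tools named in the article. Keyword matching on
# the image path is an assumption: it catches default installs and downloaded
# installers, not renamed binaries.
RMM_TOOLS = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "AnyDesk": re.compile(r"anydesk", re.I),
    "TeamViewer": re.compile(r"teamviewer", re.I),
    "Splashtop": re.compile(r"splashtop", re.I),
}
# Paths a standard user can write to; a remote access tool started from one of
# these was probably downloaded by the user rather than deployed by IT.
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp|desktop)\\", re.I)

# Constructed sample: simplified process-creation records, one JSON object per line.
SAMPLE_LOG = r"""
{"host": "HELPDESK-01", "user": "svc_support", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"host": "FIN-WS-17", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"host": "FIN-WS-17", "user": "jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\SplashtopSOS.exe"}
{"host": "ENG-WS-04", "user": "asmith", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"}
{"host": "ENG-WS-04", "user": "asmith", "image": "C:\\Windows\\System32\\notepad.exe"}
"""

def find_unapproved_rmm(log_text, approved):
    """Return findings for RMM executions not covered by the (host, tool) allowlist."""
    findings, tools_per_host = [], defaultdict(set)
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        tool = next((n for n, rx in RMM_TOOLS.items() if rx.search(event["image"])), None)
        if tool is None or (event["host"], tool) in approved:
            continue
        tools_per_host[event["host"]].add(tool)
        severity = "high" if USER_WRITABLE.search(event["image"]) else "medium"
        findings.append({"host": event["host"], "user": event["user"],
                         "tool": tool, "severity": severity})
    # Two or more different unapproved tools on one host is a stronger signal
    # than a single one, so escalate every finding on that host.
    for finding in findings:
        if len(tools_per_host[finding["host"]]) >= 2:
            finding["severity"] = "critical"
    return findings

if __name__ == "__main__":
    approved = {("HELPDESK-01", "TeamViewer")}  # hypothetical allowlist
    for finding in find_unapproved_rmm(SAMPLE_LOG, approved):
        print(finding)
```
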

SLH’s strategy has also included pressure campaigns against C-suite executives. The group invites Telegram channel subscribers to participate in these campaigns by sourcing email addresses of high-ranking officials and bombarding them with emails for a minimum payment of $100. This tactic is one example of how they take advantage of human psychology and corporate vulnerabilities to make more money.

“Through theatrical branding, reputational recycling, cross-platform amplification, and layered identity management, the actors behind SLH have shown a mature grasp of how perception and legitimacy can be weaponized within the cybercriminal ecosystem.” – Trustwave SpiderLabs

These revelations about the workings of the collective's operational structure represent a continued step change toward practices normally seen from more veteran underground agitators.

Collaboration with DragonForce

This unprecedented collaboration between SLH and DragonForce represents a positive turning point in the fight against cybercriminals. They’re not officially in league, but considering last year’s collaboration, it’s clear they are strategically pooling resources. Aligning their development logic with local needs greatly improves their operational effectiveness. In 2025, DragonForce started its own ransomware cartel with Qilin and LockBit to run a Ransomware-as-a-Service (RaaS) operation. This measure has opened the door for SLH to greatly strengthen its efforts.

All three groups collaborate under a common hacker ethos that allows for cross-pollination of techniques and infrastructure. This cooperative model further enables affiliates like SLH to conduct their own attacks through deployment of their own malware while leveraging DragonForce’s multibillion-dollar infrastructure.

“Affiliates can deploy their own malware while using DragonForce’s infrastructure and operating under their own brand.” – Acronis researchers

This flexibility is part of what allows SLH to explore and express a unique identity while drawing on the established power of DragonForce’s name and legacy.

A Broader Cybercriminal Ecosystem

Fluidity and collaboration are hallmarks of The Com, a wider network of which SLH is a member. This casual yet cohesive collective allows for different strategies and operational methods, giving participants the ability to constantly pivot based on the evolving cybersecurity threat environment. True to The Com’s operational philosophy, its Collaborative Economy model encourages brand-sharing and resource-sharing between all of The Com’s members.

It is an exciting time to be involved with SLH. The organization has been instrumental in taking the fight to law enforcement agencies across the U.S. and U.K. Further, the group’s members have been the first to point the finger at Chinese state actors for taking advantage of sorely exploited, dated vulnerabilities. This accusation conspicuously changes the tune surrounding their operations.

“Taken together, these behaviors illustrate an operational structure that combines social engineering, exploit development, and narrative warfare – a blend more characteristic of established underground actors than opportunistic newcomers.” – Trustwave SpiderLabs

This level of sophistication shown by SLH is indicative of an increased maturity in the larger cybercriminal underworld.