ShinyHunters and Scattered Spider launch ShinySp1d3r RaaS under Scattered LAPSUS$ Hunters brand
Threat Actor Meta
Summary
Hide ▲
Show ▼
ShinyHunters-linked actors are launching ShinySp1d3r, a new ransomware-as-a-service brand, shifting their extortion model toward running their own operation and affiliate ecosystem. That change matters because it reduces dependence on other gangs’ encryptors and signals a more organized, scalable extortion platform. The operation is being presented under the Scattered LAPSUS$ Hunters name and is tied to prior activity against Salesforce and Jaguar Land Rover (JLR).
Related Happenings
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor Meta
H score24
First: 11.06.2026 19:50
Last: 11.06.2026 19:50
Sources 1
About this happening:
**Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor MetaAbout this happening: **Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
ShinyHunters Oracle PeopleSoft data theft and extortion campaign
Campaign
H score60
First: 10.06.2026 21:31
Last: 10.06.2026 21:31
Sources 1
About this happening:
**ShinyHunters**/**UNC6240** used **CVE-2026-35273** in **Oracle PeopleSoft Enterprise PeopleTools** as a **zero-day** to break into exposed systems, steal data, and extort victim...
ShinyHunters Oracle PeopleSoft data theft and extortion campaign
CampaignAbout this happening: **ShinyHunters**/**UNC6240** used **CVE-2026-35273** in **Oracle PeopleSoft Enterprise PeopleTools** as a **zero-day** to break into exposed systems, steal data, and extort victim...
Latest development: 29.06.2026 23:40
Nissan says attackers exploited an Oracle PeopleSoft vulnerability in a ShinyHunters-linked campaign and that the company was specifically targeted, with personal information for current and former employees in the United States, Canada, Mexico, and Brazil potentially exposed. Nissan says the material may include employee contact information, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary information, and the company has activated incident response, engaged external cybersecurity experts, secured affected systems, and is working with Oracle.
Silent Ransom Group US law firm IT impersonation campaign
Campaign
H score36
First: 29.05.2026 16:00
Last: 29.05.2026 16:00
Sources 1
About this happening:
**Silent Ransom Group (SRG)**, also tracked as **UNC3753**, **Chatty Spider**, and **Luna Moth**, is running a **financially motivated data theft extortion campaign** against **do...
Silent Ransom Group US law firm IT impersonation campaign
CampaignAbout this happening: **Silent Ransom Group (SRG)**, also tracked as **UNC3753**, **Chatty Spider**, and **Luna Moth**, is running a **financially motivated data theft extortion campaign** against **do...
Red Menshen telecom espionage campaign
Campaign
H score33
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...
Red Menshen telecom espionage campaign
CampaignAbout this happening: A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
H score32
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Google Ads tax-search ScreenConnect malvertising campaign
CampaignAbout this happening: A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Timeline
-
19.11.2025 15:01 2 articles · 7mo ago
ShinySp1d3r ransomware-as-a-service surfaces publicly
Initial DisclosureAn in-development ShinySp1d3r ransomware-as-a-service build from ShinyHunters and Scattered Spider-linked actors is publicly surfaced as a preview of a new extortion operation. The build is presented as a custom ransomware service created from scratch, branded under the Scattered LAPSUS$ Hunters name, and intended to replace earlier reliance on other gangs' encryptors while enabling attacks by the group and its affiliates.
Show sources
- Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters — www.bleepingcomputer.com — 19.11.2025 15:01
- Gainsight Expands Impacted Customer List Following Salesforce Security Alert — thehackernews.com — 27.11.2025 09:03