ShinyHunters and Scattered Spider launch ShinySp1d3r RaaS under Scattered LAPSUS$ Hunters brand
Threat Actor Meta
Summary
Hide ▲
Show ▼
ShinyHunters-linked actors are launching ShinySp1d3r, a new ransomware-as-a-service brand, shifting their extortion model toward running their own operation and affiliate ecosystem. That change matters because it reduces dependence on other gangs’ encryptors and signals a more organized, scalable extortion platform. The operation is being presented under the Scattered LAPSUS$ Hunters name and is tied to prior activity against Salesforce and Jaguar Land Rover (JLR).
Related Happenings
Red Menshen telecom espionage campaign
Campaign
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...
Red Menshen telecom espionage campaign
CampaignAbout this happening: A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Google Ads tax-search ScreenConnect malvertising campaign
CampaignAbout this happening: A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target Trend
First: 17.03.2026 23:41
Last: 17.03.2026 23:41
Sources 1
About this happening:
**Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target TrendAbout this happening: **Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
ShinyHunters Salesforce extortion campaign against global companies in 2025
Campaign
First: 15.01.2026 17:45
Last: 15.01.2026 17:45
Sources 1
About this happening:
The **ShinyHunters** campaign now includes a **Qantas** breach disclosed after the airline found a **June 30, 2025** intrusion in a **third-party platform** used by one customer s...
ShinyHunters Salesforce extortion campaign against global companies in 2025
CampaignAbout this happening: The **ShinyHunters** campaign now includes a **Qantas** breach disclosed after the airline found a **June 30, 2025** intrusion in a **third-party platform** used by one customer s...
Rising encryptionless extortion incidents against enterprises in 2025
Target Trend
First: 15.01.2026 17:45
Last: 15.01.2026 17:45
Sources 1
About this happening:
**Encryptionless extortion** surged in **2025** as attackers increasingly skipped ransomware encryption and instead stole data to pressure victims across **enterprise environments...
Rising encryptionless extortion incidents against enterprises in 2025
Target TrendAbout this happening: **Encryptionless extortion** surged in **2025** as attackers increasingly skipped ransomware encryption and instead stole data to pressure victims across **enterprise environments...
Timeline
-
19.11.2025 15:01 2 articles · 6mo ago
ShinySp1d3r ransomware-as-a-service surfaces publicly
Initial DisclosureAn in-development ShinySp1d3r ransomware-as-a-service build from ShinyHunters and Scattered Spider-linked actors is publicly surfaced as a preview of a new extortion operation. The build is presented as a custom ransomware service created from scratch, branded under the Scattered LAPSUS$ Hunters name, and intended to replace earlier reliance on other gangs' encryptors while enabling attacks by the group and its affiliates.
Show sources
- Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters — www.bleepingcomputer.com — 19.11.2025 15:01
- Gainsight Expands Impacted Customer List Following Salesforce Security Alert — thehackernews.com — 27.11.2025 09:03