ShinySp1d3r ransomware encryptor development and build analysis
Malware Activity
Summary
Hide ▲
Show ▼
The ShinySp1d3r ransomware encryptor has surfaced in sample form, giving defenders visibility into its Windows build, propagation methods, and file-encryption behavior. The build matters because it shows an in-development RaaS moving toward a full operator-controlled deployment model. The analysis also indicates planned Linux and ESXi versions, suggesting the malware family is being expanded across multiple environments.
Related Happenings
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware Activity
H score36
First: 02.06.2026 23:01
Last: 02.06.2026 23:01
Sources 1
About this happening:
A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware ActivityAbout this happening: A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
H score11
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor MetaAbout this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
Reynolds ransomware BYOVD defense-evasion activity
Malware Activity
H score31
First: 10.02.2026 16:36
Last: 10.02.2026 16:36
Sources 1
About this happening:
The **Reynolds** ransomware family now matters because it bundles a **vulnerable NsecSoft NSecKrnl driver** inside the payload to disable **EDR** and terminate security processes...
Reynolds ransomware BYOVD defense-evasion activity
Malware ActivityAbout this happening: The **Reynolds** ransomware family now matters because it bundles a **vulnerable NsecSoft NSecKrnl driver** inside the payload to disable **EDR** and terminate security processes...
Timeline
-
19.11.2025 15:01 2 articles · 7mo ago
ShinySp1d3r encryptor sample surfaces
Initial DisclosureAn in-development ShinySp1d3r ransomware-as-a-service build surfaced for analysis after being uploaded to VirusTotal, with the platform tied to ShinyHunters and Scattered Spider-linked actors and presented as a new operator-controlled extortion operation. The Windows encryptor was built from scratch and includes ChaCha20 encryption with RSA-2048 protection for the private key, process-killing behavior, Shadow Volume Copy deletion, lateral movement options through service creation, WMI execution, and GPO startup scripts, a hardcoded ransom note named R3ADME_1Vks5fYe.txt, and planned Linux, ESXi, and CLI variants.
Show sources
- Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters — www.bleepingcomputer.com — 19.11.2025 15:01
- Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ — krebsonsecurity.com — 26.11.2025 19:22