ShinySp1d3r ransomware encryptor development and build analysis

Malware Activity
Happening score (H score): 24
2 unique sources, 2 articles

Summary

The ShinySp1d3r ransomware encryptor has surfaced in sample form, giving defenders visibility into its Windows build, propagation methods, and file-encryption behavior. The build matters because it shows an in-development RaaS moving toward a full operator-controlled deployment model. The analysis also indicates planned Linux and ESXi versions, suggesting the malware family is being expanded across multiple environments.

Related Happenings

TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns

Threat Actor Meta
First: 31.03.2026 15:15 Last: 31.03.2026 15:15 Sources 1

About this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...

Reynolds ransomware BYOVD defense-evasion activity

Malware Activity
First: 10.02.2026 16:36 Last: 10.02.2026 16:36 Sources 1

About this happening: The **Reynolds** ransomware family now matters because it bundles a **vulnerable NsecSoft NSecKrnl driver** inside the payload to disable **EDR** and terminate security processes...

Osiris ransomware uses POORTRY BYOVD to disable defenses and exfiltrate data

Malware Activity
First: 22.01.2026 20:00 Last: 22.01.2026 20:00 Sources 1

About this happening: Researchers disclosed **Osiris**, a **new ransomware family** that hit a **major food service franchisee operator in Southeast Asia** in **November 2025**, showing an active intru...

GlassWorm campaign returns in repeated waves across extension marketplaces

Campaign
First: 01.01.2026 17:18 Last: 01.01.2026 17:18 Sources 1

About this happening: **GlassWorm** is an ongoing **supply-chain attack** targeting developers through the **OpenVSX** and **Microsoft Visual Studio Marketplace** extension ecosystems. In the latest co...

Latest development: 17.03.2026 23:42

GlassWorm renewed its supply-chain campaign with a coordinated wave that compromised 433 components across GitHub, npm, and VSCode/OpenVSX this month, including 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. Attackers compromised GitHub accounts to force-push malicious commits, then published obfuscated packages and extensions that queried a Solana blockchain C2 channel every five seconds and delivered a Node.js-based JavaScript infostealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.

Scattered LAPSUS$ Hunters shifts from borrowed encryptors to ShinySp1d3r RaaS

Threat Actor Meta
First: 26.11.2025 19:22 Last: 26.11.2025 19:22 Sources 1

How related: Last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.

About this happening: **Scattered LAPSUS$ Hunters (SLSH)** has shifted from using other gangs’ encryptors to launching **ShinySp1d3r**, giving the group its own **ransomware-as-a-service** brand and gr...

Timeline

  1. 19.11.2025 15:01 2 articles · 6mo ago

    ShinySp1d3r encryptor sample surfaces

    Initial Disclosure

    An in-development ShinySp1d3r ransomware-as-a-service build surfaced for analysis after being uploaded to VirusTotal. The platform is tied to ShinyHunters and Scattered Spider-linked actors and is presented as a new operator-controlled extortion operation. The Windows encryptor was built from scratch and includes ChaCha20 encryption with RSA-2048 protection for the private key; process-killing behavior; Shadow Volume Copy deletion; lateral movement options through service creation, WMI execution, and GPO startup scripts; and a hardcoded ransom note named R3ADME_1Vks5fYe.txt. Linux, ESXi, and CLI variants are planned.