Scattered Spider-ShinyHunters-Lapsus$ collective advertises RaaS launch
Threat Actor Meta
Summary
Hide ▲
Show ▼
The Scattered Spider-ShinyHunters-Lapsus$ collective is advertising an upcoming ransomware-as-a-service (RaaS) offering, signaling a possible shift toward a more scalable criminal service model. The planned launch date was said to be November 24, 2025, which matters because it could broaden the group's reach beyond direct intrusions into affiliate-style operations. The announcement also suggests the collective is trying to turn its brand into a monetized ecosystem with wider extortion potential.
Related Happenings
RSAC Innovation Sandbox 2026 finalists and $5M SAFE funding
Commercial Activity
First: 22.03.2026 13:40
Last: 22.03.2026 13:40
Sources 1
About this happening:
The **RSAC Innovation Sandbox** named **10 AI-focused cybersecurity finalists** and paired each one with a **$5 million uncapped SAFE**, adding direct capital to emerging security...
RSAC Innovation Sandbox 2026 finalists and $5M SAFE funding
Commercial ActivityAbout this happening: The **RSAC Innovation Sandbox** named **10 AI-focused cybersecurity finalists** and paired each one with a **$5 million uncapped SAFE**, adding direct capital to emerging security...
BlueNoroff spear-phishing campaign uses typosquatted Zoom, Teams, and Calendly lures against crypto firms
Campaign
First: 11.02.2026 00:17
Last: 11.02.2026 00:17
Sources 1
About this happening:
**BlueNoroff**, a **North Korea-linked Lazarus Group** subgroup, ran a **large-scale spear-phishing campaign** against **100+ cryptocurrency organizations** in **20+ countries** b...
BlueNoroff spear-phishing campaign uses typosquatted Zoom, Teams, and Calendly lures against crypto firms
CampaignAbout this happening: **BlueNoroff**, a **North Korea-linked Lazarus Group** subgroup, ran a **large-scale spear-phishing campaign** against **100+ cryptocurrency organizations** in **20+ countries** b...
ShinyHunters Salesforce extortion campaign against global companies in 2025
Campaign
First: 15.01.2026 17:45
Last: 15.01.2026 17:45
Sources 1
About this happening:
The **ShinyHunters** campaign now includes a **Qantas** breach disclosed after the airline found a **June 30, 2025** intrusion in a **third-party platform** used by one customer s...
ShinyHunters Salesforce extortion campaign against global companies in 2025
CampaignAbout this happening: The **ShinyHunters** campaign now includes a **Qantas** breach disclosed after the airline found a **June 30, 2025** intrusion in a **third-party platform** used by one customer s...
Scattered LAPSUS$ Hunters shifts from borrowed encryptors to ShinySp1d3r RaaS
Threat Actor Meta
First: 26.11.2025 19:22
Last: 26.11.2025 19:22
Sources 1
About this happening:
**Scattered LAPSUS$ Hunters (SLSH)** has shifted from using other gangs’ encryptors to launching **ShinySp1d3r**, giving the group its own **ransomware-as-a-service** brand and gr...
Scattered LAPSUS$ Hunters shifts from borrowed encryptors to ShinySp1d3r RaaS
Threat Actor MetaAbout this happening: **Scattered LAPSUS$ Hunters (SLSH)** has shifted from using other gangs’ encryptors to launching **ShinySp1d3r**, giving the group its own **ransomware-as-a-service** brand and gr...
ShinyHunters / UNC6240 OAuth token campaign targeting Gainsight-published Salesforce apps
Campaign
First: 21.11.2025 07:32
Last: 21.11.2025 07:32
Sources 1
How related:
In a Salesforce security advisory, also published on November 20, the firm noted it had identified unusual activity involving Gainsight-published applications connected to Salesforce.
About this happening:
The **ShinyHunters (UNC6240)** campaign targeting **Gainsight-published applications connected to Salesforce** is expanding a multi-organization SaaS integration abuse pattern tha...
ShinyHunters / UNC6240 OAuth token campaign targeting Gainsight-published Salesforce apps
CampaignHow related: In a Salesforce security advisory, also published on November 20, the firm noted it had identified unusual activity involving Gainsight-published applications connected to Salesforce.
About this happening: The **ShinyHunters (UNC6240)** campaign targeting **Gainsight-published applications connected to Salesforce** is expanding a multi-organization SaaS integration abuse pattern tha...
Timeline
-
21.11.2025 12:15 2 articles · 6mo ago
Scattered Spider-ShinyHunters-Lapsus$ collective advertises RaaS launch
Initial DisclosureThe Scattered Spider-ShinyHunters-Lapsus$ collective, also referred to as Scattered Lapsus$ Hunters, advertised an upcoming ransomware-as-a-service offering allegedly launching on November 24, 2025. The actors also threatened a dedicated leak site for the Salesloft and Gainsight campaigns and claimed the data set could cover almost 1000 companies, including large organizations named from the Gainsight campaign.
Show sources
- New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15