Scattered LAPSUS$ Hunters shifts from borrowed encryptors to ShinySp1d3r RaaS
Threat Actor Meta
Summary
Hide ▲
Show ▼
Scattered LAPSUS$ Hunters (SLSH) has shifted from using other gangs’ encryptors to launching ShinySp1d3r, giving the group its own ransomware-as-a-service brand and greater control over extortion operations. The group is widely described as an amalgam of Scattered Spider, LAPSUS$, and ShinyHunters, so the move reflects a broader ecosystem consolidation rather than a single-ransomware pivot. The change can strengthen affiliate recruitment, monetization, and operational autonomy across a wider victim base.
Related Happenings
Labyrinth Chollima split into three North Korean hacking groups
Threat Actor Meta
First: 30.01.2026 17:40
Last: 30.01.2026 17:40
Sources 1
About this happening:
**Labyrinth Chollima** has been split into **three tracked North Korean groups**, reshaping how defenders map a major DPRK cyber ecosystem and its target set. **Golden Chollima**...
Labyrinth Chollima split into three North Korean hacking groups
Threat Actor MetaAbout this happening: **Labyrinth Chollima** has been split into **three tracked North Korean groups**, reshaping how defenders map a major DPRK cyber ecosystem and its target set. **Golden Chollima**...
Black Basta rebranding of Conti in the ransomware ecosystem
Threat Actor Meta
First: 16.01.2026 21:00
Last: 16.01.2026 21:00
Sources 1
About this happening:
**Black Basta** is being described as a **rebranding of Conti**, underscoring how major ransomware crews can repackage personnel and infrastructure into new operations. That linea...
Black Basta rebranding of Conti in the ransomware ecosystem
Threat Actor MetaAbout this happening: **Black Basta** is being described as a **rebranding of Conti**, underscoring how major ransomware crews can repackage personnel and infrastructure into new operations. That linea...
Nefilim ransomware extortion campaign targeting high-revenue businesses
Campaign
First: 22.12.2025 11:46
Last: 22.12.2025 11:46
Sources 1
About this happening:
A **Nefilim** ransomware campaign now includes the **U.S. Department of Justice** charging **Volodymyr Viktorovich Tymoshchuk** for allegedly serving as an administrator of the op...
Nefilim ransomware extortion campaign targeting high-revenue businesses
CampaignAbout this happening: A **Nefilim** ransomware campaign now includes the **U.S. Department of Justice** charging **Volodymyr Viktorovich Tymoshchuk** for allegedly serving as an administrator of the op...
FBI seizes BreachForums domains
Law Enforcement
First: 26.11.2025 19:22
Last: 26.11.2025 19:22
Sources 1
How related:
On October 5, 2025, the FBI announced it had once again seized the domains associated with BreachForums, which it described as a major criminal marketplace used by ShinyHunters and others to traffic in stolen data and facilitate extortion.
About this happening:
On **October 5, 2025**, the **FBI** seized the domains associated with **BreachForums**, disrupting a criminal marketplace used to traffic **stolen data** and facilitate **extorti...
FBI seizes BreachForums domains
Law EnforcementHow related: On October 5, 2025, the FBI announced it had once again seized the domains associated with BreachForums, which it described as a major criminal marketplace used by ShinyHunters and others to traffic in stolen data and facilitate extortion.
About this happening: On **October 5, 2025**, the **FBI** seized the domains associated with **BreachForums**, disrupting a criminal marketplace used to traffic **stolen data** and facilitate **extorti...
Scattered Spider-ShinyHunters-Lapsus$ collective advertises RaaS launch
Threat Actor Meta
First: 21.11.2025 12:15
Last: 21.11.2025 12:15
Sources 1
About this happening:
The **Scattered Spider-ShinyHunters-Lapsus$ collective** is advertising an upcoming **ransomware-as-a-service (RaaS)** offering, signaling a possible shift toward a more scalable...
Scattered Spider-ShinyHunters-Lapsus$ collective advertises RaaS launch
Threat Actor MetaAbout this happening: The **Scattered Spider-ShinyHunters-Lapsus$ collective** is advertising an upcoming **ransomware-as-a-service (RaaS)** offering, signaling a possible shift toward a more scalable...
Timeline
-
26.11.2025 19:22 2 articles · 6mo ago
Scattered LAPSUS$ Hunters launches ShinySp1d3r ransomware-as-a-service
Campaign Scope UpdateScattered LAPSUS$ Hunters announced a new ransomware-as-a-service operation called ShinySp1d3r, marking a shift from its earlier pattern of using encryptors from other ransomware families such as ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. The move gives the group a branded ransomware offering it can package, recruit around, and use for extortion operations.
Show sources
- Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ — krebsonsecurity.com — 26.11.2025 19:22
- Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ — krebsonsecurity.com — 26.11.2025 19:22