ShinySp1d3r
ShinySp1d3r is an in-development ransomware family and ransomware-as-a-service (RaaS) platform associated with the Scattered LAPSUS$ Hunters (SLSH) ecosystem; reporting links its operators to ShinyHunters, Scattered Spider, and LAPSUS$. Public reporting states that a sample has appeared in the wild and that the operation was announced in late 2025 as a joint effort intended to rival established ransomware groups such as LockBit and DragonForce. Multiple sources describe it as a custom ransomware family, and some report that SLSH members previously relied on third-party encryptors, including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce, before promoting ShinySp1d3r as their own service.
High-confidence reporting indicates the ransomware currently targets Windows, with operators claiming that Linux and ESXi versions were planned or close to release. Reported capabilities include file encryption; suppression of Event Tracing for Windows (ETW) logging; termination of processes and services that would otherwise block encryption; overwriting free disk space with random data (which frustrates recovery of deleted plaintext); encryption of accessible network shares; and propagation or remote deployment via service creation, WMI, and Group Policy (the reported function names are deployViaSCM, deployViaWMI, and attemptGPODeployment) together with startup script generation. One report states the malware is a modified version of HellCat ransomware enhanced with AI tools, but that claim originates from operator statements and should be treated cautiously.
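The deployment behaviours listed above (service creation, WMI execution, Group Policy modification) each have benign administrative look-alikes, so a practical hunt correlates them by acting principal rather than alerting on any one. The following is an added example for this page, not code from the original page or from any vendor report: the event records are constructed, simplified Windows Security/System and Sysmon events, and the trusted-directory list, 15-minute window and two-indicator threshold are assumptions to tune against your own baseline. It detects the generic behaviour classes, not a signature of the ShinySp1d3r binary.

```python
"""Hunting heuristics for the remote-deployment behaviours reported for
ShinySp1d3r (service creation, WMI execution, GPO modification).

Added example for this page; not code from the original page or from any
vendor report. The records below are constructed, simplified Windows
Security/System and Sysmon events, and the paths, window and threshold
are assumptions to tune against your own baseline."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real incident data).
EVENTS = [
    {"ts": "2025-11-20T03:12:01", "host": "FS01", "channel": "System", "event_id": 7045,
     "service_name": "UpdSvc_3f9a", "image_path": "C:\\Windows\\Temp\\svc_3f9a.exe",
     "account": "CORP\\svc_backup"},
    {"ts": "2025-11-20T03:12:04", "host": "FS01", "channel": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\Temp\\svc_3f9a.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"ts": "2025-11-20T03:13:40", "host": "WS22", "channel": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "user": "CORP\\svc_backup"},
    {"ts": "2025-11-20T03:15:10", "host": "DC01", "channel": "Security", "event_id": 5136,
     "object_class": "groupPolicyContainer", "attribute": "gPCMachineExtensionNames",
     "subject": "CORP\\svc_backup"},
    {"ts": "2025-11-20T09:00:00", "host": "WS07", "channel": "System", "event_id": 7045,
     "service_name": "Sense",
     "image_path": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
     "account": "NT AUTHORITY\\SYSTEM"},
]

# Directories from which a newly installed service binary is unremarkable (assumption; tune).
TRUSTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "wscript.exe", "mshta.exe"}

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def untrusted_service_install(ev):
    """System 7045 / Security 4697: a new service whose binary lives outside trusted dirs."""
    return ev.get("event_id") in (7045, 4697) and \
        not ev.get("image_path", "").lower().startswith(TRUSTED_SERVICE_DIRS)

def wmi_spawned_interpreter(ev):
    """Sysmon 1: WmiPrvSE.exe parenting a shell/interpreter, the footprint of remote WMI execution."""
    return ev.get("channel") == "Sysmon" and ev.get("event_id") == 1 and \
        _basename(ev.get("parent_image", "")) == "wmiprvse.exe" and \
        _basename(ev.get("image", "")) in INTERPRETERS

def gpo_modified(ev):
    """Security 5136 on a groupPolicyContainer: GPO settings changed (e.g. a startup-script CSE added)."""
    return ev.get("event_id") == 5136 and ev.get("object_class") == "groupPolicyContainer"

CHECKS = {
    "service_install_untrusted_path": untrusted_service_install,
    "wmi_spawned_interpreter": wmi_spawned_interpreter,
    "gpo_modified": gpo_modified,
}

def tag_events(events):
    """Return a copy of every event that trips a check, annotated with the check name."""
    return [{**ev, "tag": name} for ev in events for name, check in CHECKS.items() if check(ev)]

def actor_of(ev):
    """Normalize the acting principal across the channels' differing field names."""
    return (ev.get("account") or ev.get("user") or ev.get("subject") or "").lower()

def correlate_by_actor(hits, window_minutes=15, min_distinct=2):
    """Alert when one principal trips >= min_distinct different deployment checks
    within window_minutes, across any number of hosts. Single hits stay quiet:
    each behaviour has benign admin look-alikes on its own."""
    by_actor = defaultdict(list)
    for h in hits:
        by_actor[actor_of(h)].append(h)
    alerts = []
    for actor, items in by_actor.items():
        items.sort(key=lambda h: h["ts"])
        for i, first in enumerate(items):
            t0 = datetime.fromisoformat(first["ts"])
            window = [h for h in items[i:]
                      if datetime.fromisoformat(h["ts"]) - t0 <= timedelta(minutes=window_minutes)]
            tags = {h["tag"] for h in window}
            if len(tags) >= min_distinct:
                alerts.append({"actor": actor, "first_seen": first["ts"], "tags": sorted(tags),
                               "hosts": sorted({h["host"] for h in window})})
                break  # one alert per actor is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in correlate_by_actor(tag_events(EVENTS)):
        print(alert)
```

On the constructed data the service account `CORP\svc_backup` installs a service from `C:\Windows\Temp` on one host, spawns `cmd.exe` under `WmiPrvSE.exe` on a second, and edits a GPO on the domain controller within three minutes, which produces a single alert spanning three hosts; the legitimate Defender service install on WS07 stays silent because its binary is under `Program Files`. Keying the correlation on the principal rather than the host is what makes lateral deployment visible, since each host individually sees only one event.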
The malware is consistently tied in reporting to financially motivated extortion by SLSH and its related brands. The surrounding activity includes insider recruitment, social engineering, voice phishing, cloud/SaaS compromise, and data-theft extortion campaigns, including the Salesforce-related supply-chain intrusions involving Gainsight and Salesloft Drift. Reporting also links the broader alliance to large-enterprise targeting across telecommunications, software, gaming, retail, hospitality, cloud/hosting, and call-center/BPO environments, with some sources noting a focus on organizations with annual revenue above $500 million.
The only observables named in the source material are the user-agent string "Salesforce-Multi-Org-Fetcher/1.0" and the IP address 3.239.45.43. Both are associated with related SLSH/Gainsight unauthorized-access activity, not with the encryptor itself, so a hit on either points to the group's SaaS access activity and is not evidence of a ransomware infection. Overall, ShinySp1d3r is best characterized as an emerging Windows ransomware family and RaaS offering linked to the SLSH criminal alliance, adding encryption to the group's established data-theft and extortion operations.
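A hunt for the two observables above belongs in SaaS integration and access logs rather than endpoint telemetry. The following is an added example for this page, not code from the original page or from any vendor tooling: only the two indicator values come from the page; the CSV below is a constructed, simplified log whose column names are assumptions and not Salesforce's real EventLogFile schema. It compares the user-agent case-insensitively, tolerates malformed IP fields, and aggregates hits per user so the exposure can be sized.

```python
"""Hunt the two SLSH/Gainsight observables named on this page in SaaS access logs.

Added example for this page; not code from the original page or from any
vendor tooling. Only the indicator values come from the page. The log below
is a constructed, simplified CSV, not Salesforce's real EventLogFile schema,
and the column names are assumptions."""
import csv
import io
from ipaddress import ip_address

# Indicators from the page. The UA is compared case-insensitively because
# proxies and log pipelines often normalize header case.
IOC_USER_AGENTS = {"salesforce-multi-org-fetcher/1.0"}
IOC_IPS = {ip_address("3.239.45.43")}

# Constructed sample log (not real telemetry).
SAMPLE_LOG = """\
TIMESTAMP,EVENT_TYPE,USER_NAME,SOURCE_IP,USER_AGENT,ROWS_PROCESSED
2025-11-20T02:58:11Z,API,integration@corp.example,3.239.45.43,Salesforce-Multi-Org-Fetcher/1.0,25000
2025-11-20T02:59:40Z,API,integration@corp.example,3.239.45.43,Salesforce-Multi-Org-Fetcher/1.0,25000
2025-11-20T03:01:05Z,Login,alice@corp.example,198.51.100.7,Mozilla/5.0 (Windows NT 10.0) Chrome/130,0
2025-11-20T03:04:22Z,API,integration@corp.example,203.0.113.9,SALESFORCE-MULTI-ORG-FETCHER/1.0,25000
2025-11-20T03:10:00Z,API,reporting@corp.example,203.0.113.44,python-requests/2.32,120
"""

def match_row(row):
    """Return the indicator names a log row matches (empty list if none)."""
    matched = []
    if row.get("USER_AGENT", "").strip().lower() in IOC_USER_AGENTS:
        matched.append("user_agent")
    try:
        if ip_address(row.get("SOURCE_IP", "").strip()) in IOC_IPS:
            matched.append("source_ip")
    except ValueError:
        pass  # malformed or missing IP: no match, but keep scanning
    return matched

def hunt(log_text):
    """Scan a CSV log. Returns (hits, per_user), where per_user aggregates hit count,
    rows pulled and distinct source IPs so an analyst can size the exposure."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        indicators = match_row(row)
        if indicators:
            hits.append({"ts": row["TIMESTAMP"], "user": row["USER_NAME"], "ip": row["SOURCE_IP"],
                         "indicators": indicators, "rows": int(row["ROWS_PROCESSED"] or 0)})
    per_user = {}
    for h in hits:
        s = per_user.setdefault(h["user"], {"hits": 0, "rows": 0, "ips": set()})
        s["hits"] += 1
        s["rows"] += h["rows"]
        s["ips"].add(h["ip"])
    return hits, per_user

if __name__ == "__main__":
    hits, per_user = hunt(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(per_user)
```

The third hit in the constructed log matches on the user-agent alone from a different IP; that is the usual pattern once an actor rotates infrastructure, and it is why the user-agent string is the more durable of the two leads even though an actor can change it trivially. Because the page ties both observables to the Gainsight-related access activity, a hit should trigger review of which integration user was used and what data it fetched, not a ransomware-infection playbook.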
Groups observed using it
4 distinct threat actors attributed by public researchers.
The criminals have been previewing a new ransomware-as-a-service operation called ShinySp1d3r, and a sample of their crypto-locking malware has appeared in the wild.
...a Telegram channel purportedly led by members of the ShinyHunters, Scattered Spider, and LAPSUS$ hacking groups, which touted the development of the ShinySp1d3r ransomware-as-a-service platform...
"In November 2025, SLSH publicly announced ShinySp1d3r — an in-development RaaS platform adding file encryption..."
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
May be distributed by breaking in through an insecure RDP configuration
May be distributed via... malvertising, web injects, and fake updates
May be distributed via... exploits
May be distributed via... spam email and malicious attachments
These are generic ransomware delivery vectors; the reporting summarized above attributes SLSH initial access chiefly to social engineering, voice phishing, insider recruitment, and cloud/SaaS compromise, and should be weighed accordingly.
Persistence
1 technique
Impact
2 techniques
Recent activity
19 sources tracked across advisories, community write-ups, and news.
A named ransomware family referenced in the content via a Unit 42 report title.
In-development RaaS platform attributed to SLSH, adding encryption to an existing data-extortion/social-engineering model; described with evasion, data destruction, and self-contained propagation, with Linux/ESXi versions in development.
A purported joint Ransomware-as-a-Service (RaaS) platform under development, intended to support intrusion and extortion operations.
ShinySp1d3r is a Ransomware-as-a-Service (RaaS) platform promoted by threat actors associated with ShinyHunters, Scattered Spider, and Lapsus$. It is designed to facilitate ransomware operations by providing tools and infrastructure to affiliates, focusing on acquiring privileged access through insider recruitment and initial access brokers.