ZeroFox Intelligence Flash Report - Powerful New RaaS from Scattered Lapsu$ Hunters
by Alpha Team

Product Serial: F-2025-11-21a
TLP:CLEAR
In this Flash report, ZeroFox researchers examine a new ransomware encryptor from Scattered Lapsus$ Hunters. This in-development build represents a leap in capability for SLSH and suggests a successful merger into a fully functional collective.
Standing Intelligence Requirements
For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:
https://cloud.zerofox.com/intelligence/advisories/14956
Key Findings
- On November 19, 2025, reports surfaced of an in-development build of a new ransomware-as-a-service (RaaS) platform, “ShinySp1d3r”. The new RaaS build is the result of a collaboration between notorious ransomware and digital extortion (R&DE) collectives Scattered Spider, Lapsus$, and ShinyHunters.
- The threat actors, known collectively as Scattered Lapsus$ Hunters (SLSH), have been responsible for at least 51 cyberattacks over the past year, both as individual groups and as a collective.
- While the ShinySp1d3r encryptor has some features common to other encryptors, it also boasts features that have never been seen before in the RaaS space.
- The development of ShinySp1d3r represents a leap in capability for SLSH and suggests a successful merger into a fully functional collective.
Tags: tlp:clear, threat actor, malware, DDW Ransomware