scattered lapsus$ hunters

Ransomware group profile

48Victims

United StatesSource country

57Impact score

Also Known As

Scattered Lapsus$ Hunters

SLSH

Scattered Lapsus$ Hunters (SLH)

Description

ShinySp1d3r is a ransomware-as-a-service platform that emerged in mid-2025, developed by the Scattered LAPSUS$ Hunters collective. This group aims to achieve financial gain through custom-built ransomware, employing advanced social engineering tactics and a double extortion model to pressure victims into compliance.

Key insights

•Utilizes a custom, Go-based ransomware encryptor leveraging ChaCha20 and RSA-2048 encryption methods.
•Employs tactics such as vishing, SIM swapping, and insider recruitment for initial access.
•Targets a diverse range of sectors including healthcare, education, and manufacturing.
•Incorporates techniques to evade detection by manipulating logging processes and overwriting memory buffers.
•Implements a double extortion strategy involving both data encryption and exfiltration.
•Deploys across multiple platforms, including Windows, Linux, and VMware ESXi.

Industries

Education Energy & Utilities Financial Services Government & Defense Hospitality Manufacturing Other Professional Services Retail & E-Commerce Technology Transportation

Threat Level & Status Breakdown

For scattered lapsus$ hunters · Based on incidents in selected period

2threat level

Aggressiveness5/ 10

Lethality0/ 10

Criticality0.8/ 10

Status Breakdown

Negotiating2.1%1

Claimed16.7%8

First seenOct 2025

Last seenOct 2025

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 2, 2026

Recent activity

Monthly attack count for scattered lapsus$ hunters in the selected period

48Total attacks

48peak in Oct

48avg / month

Intelligence

IOCs, YARA/Sigma rules, and related families for scattered lapsus$ hunters

670a269d935f1586d4f0e5bed685d15a38e6fa790f763e6ed5c9fdd72dce3cf2
3bf53cddf7eb98d9cb94f9aa9f36c211a464e2c1b278f091d6026003050281de
62dc6ed7c83769648b5c59ad9cc2a4e26daec96a952eb44c93fd45f2011a3444

View full IOC feed3 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for scattered lapsus$ hunters

Other

T1486

T1490

T1078

T1562

T1059

T1021

T1021.001

T1547

T1080

T1047

T1489

T1203

Victims(48)

Company	Domain	Country	Industry	Status	Discovered
Engie Resources	—	—	Energy & Utilities	Claimed	8 months ago
Telstra	—	AU Australia	Technology	Claimed	8 months ago
S&P Global	spglobal.com	US United States	Technology	Claimed	8 months ago
CIC Vietnam	—	VN Vietnam	Professional Services	Claimed	8 months ago
Red Hat, Inc.	—	US United States	Technology	Claimed	8 months ago
Puma	—	—	Retail & E-Commerce	Claimed	8 months ago
Albertsons (Jewel Osco, etc)	—	US United States	Retail & E-Commerce	Claimed	8 months ago
Toyota Motor Corporations	—	JP Japan	Manufacturing	Claimed	8 months ago
1-800Accountant	—	—	Financial Services	Unknown	8 months ago
IKEA	—	US United States	Retail & E-Commerce	Unknown	8 months ago
Chanel	—	—	Retail & E-Commerce	Unknown	8 months ago
TransUnion	—	US United States	Financial Services	Unknown	8 months ago
Pandora	pandora.net	DK Denmark	Retail & E-Commerce	Unknown	8 months ago
Cisco	—	US United States	Technology	Unknown	8 months ago
Google Adsense	—	US United States	Technology	Unknown	8 months ago
Air France-KLM	—	FR France	Transportation	Unknown	8 months ago
Saksfifth	—	US United States	Retail & E-Commerce	Unknown	8 months ago
CarMax	—	US United States	Retail & E-Commerce	Unknown	8 months ago
Qantas Airways Limited	—	AU Australia	Hospitality	Unknown	8 months ago
TripleA	aaa.com	US United States	Hospitality	Unknown	8 months ago

Page 1 of 3

Affected countries(16)

Countries where this group has been reported to target or leak victims.

🇦🇹Austria 🇦🇺Australia 🇧🇷Brazil 🇨🇦Canada 🇩🇪Germany 🇫🇷France 🇬🇧United Kingdom 🇭🇺Hungary 🇮🇳India 🇮🇹Italy 🇯🇵Japan 🇲🇽Mexico 🇳🇿New Zealand 🇸🇬Singapore 🇺🇸United States 🇻🇳Vietnam