ShinySp1d3r
ShinySp1d3r is an in-development ransomware and ransomware-as-a-service (RaaS) platform associated with the Scattered LAPSUS$ Hunters (SLSH) collective, with reporting linking its operators to ShinyHunters, Scattered Spider, and LAPSUS$. Public reporting states the malware was announced in 2025 and that samples have appeared in the wild while development was still ongoing. Multiple sources describe it as a custom ransomware family intended to support SLSH’s own affiliate program and reduce reliance on third-party ransomware operations previously used by the group, including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce.
Reported capabilities include file encryption on Windows, planned or observed development for Linux and VMware ESXi environments, and features designed to encrypt ESXi systems. Additional reported functionality includes ETW event log suppression, termination of processes to facilitate encryption, overwriting free disk space with random data, searching for and encrypting open network shares, and propagation or remote deployment via service creation and mechanisms described as deployViaSCM, deployViaWMI, attemptGPODeployment, startup script generation, and network-share propagation. Some reporting describes it as a modified version of HellCat ransomware enhanced with AI tools, but that attribution is based on actor-linked claims.
The malware is tied in reporting to the broader SLSH criminal ecosystem, which has been linked to data theft, extortion, insider recruitment, and social-engineering-heavy intrusions, including Salesforce-related campaigns and cloud-focused compromises. Reporting names the actor "Rey" as a promoter or administrator connected to the operation and states that ShinySp1d3r was publicly announced through Telegram channels used by SLSH. The available reporting indicates the platform was still under active development in late 2025, initially worked on Windows, and was expected to expand to Linux and ESXi. No stable ransom note, file extension, or other malware-specific IOC set is provided in the available reporting; the user agent string "Salesforce-Multi-Org-Fetcher/1.0" and IP address 3.239.45[.]43 appear in related reporting on adjacent SLSH intrusion activity, not as direct ShinySp1d3r malware indicators.
Groups observed using it
4 distinct threat actors attributed by public researchers.
EclecticIQ analysts observed that the ‘shinysp1d3r’ ransomware-as-a-service (RaaS) network is currently in development, with features designed to encrypt VMware ESXi environments.
On Oct. 4, 2025, the threat actors claimed to be developing a new form of ransomware named “SHINYSP1D3R” as noted in Figures 6 and 7.
...a Telegram channel purportedly led by members of the ShinyHunters, Scattered Spider, and LAPSUS$ hacking groups, which touted the development of the ShinySp1d3r ransomware-as-a-service platform...
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 4 techniques
Persistence: 1 technique
Recent activity
21 sources tracked across advisories, community write-ups, and news.
A named ransomware family referenced in the content via a Unit 42 report title.
In-development RaaS platform attributed to SLSH, adding encryption to an existing data-extortion/social-engineering model; described with evasion, data destruction, and self-contained propagation, with Linux/ESXi versions in development.
A purported joint Ransomware-as-a-Service (RaaS) platform under development, intended to support intrusion and extortion operations.
ShinySp1d3r is a Ransomware-as-a-Service (RaaS) platform promoted by threat actors associated with ShinyHunters, Scattered Spider, and Lapsus$. It is designed to facilitate ransomware operations by providing tools and infrastructure to affiliates, focusing on acquiring privileged access through insider recruitment and initial access brokers.