An early build of ShinySp1d3r, a new ransomware-as-a-service created by the ShinyHunters group together with Scattered Spider and Lapsus$, has surfaced. The tool includes unique features for spreading, encryption, and analysis evasion.
The new ShinySp1d3r malware was discovered on VirusTotal, giving researchers the first chance to examine the emerging RaaS product. For the first time, ShinyHunters are not relying on external encryptors (such as BlackCat/ALPHV, Qilin, RansomHub, DragonForce) and are instead building their own from scratch.

The first mentions appeared on a Telegram channel where actors calling themselves Scattered Lapsus$ Hunters attempted to extort Salesforce and Jaguar Land Rover.

Each directory contains the ransom note R3ADME_1Vks5fYe.txt, and the desktop wallpaper is replaced with a malicious one that warns victims. ShinyHunters say that versions for Linux and ESXi, as well as a fast “lightning version” written in ASM, are in development.
ShinyHunters, Scattered Spider, and Lapsus$ have united under the Scattered Lapsus$ Hunters name. These groups are responsible for high-profile global breaches and data theft. RaaS platforms typically enable dozens of affiliates to conduct attacks, greatly amplifying the threat. Despite ShinyHunters’ statements that attacks on healthcare organizations and CIS countries are forbidden, past experience shows that affiliates often ignore such “rules”.
ShinySp1d3r shows that ShinyHunters aim to expand beyond data theft into full-scale ransomware operations. With custom encryption, multi-vector propagation, and advanced evasion features, ShinySp1d3r may become one of the most dangerous new threats of 2026.