Researchers at Palo Alto Networks’ Unit 42 have observed a surge in activity from Scattered LAPSUS$ Hunters — a cybercrime group linked to the Bling Libra syndicate — signaling a strategic pivot toward extortion-as-a-service (EaaS) operations and renewed insider recruitment campaigns.
The latest findings detail how Scattered LAPSUS$ Hunters is building on its high-profile Salesforce data theft extortion campaign while experimenting with new monetization models and even hinting at the development of a new ransomware called SHINYSP1D3R.
Unit 42’s analysis notes that “since early October 2025, we have observed several notable developments within a Telegram channel (SLSH 6.0 part 3) used by the threat actors.”
Following their October 10 ransom deadline, Scattered LAPSUS$ Hunters allegedly leaked stolen data from six organizations across the aviation, energy, and retail sectors, including personally identifiable information (PII) such as names, dates of birth, phone numbers, and frequent flyer details.
When Unit 42 investigators attempted to revisit the group’s data leak site (DLS), they found it defaced with an unknown message, preventing confirmation of whether the leaked information remained available online.
Shortly after the leaks, the group claimed to have halted new disclosures, writing that “nothing else will be leaked.” The post cryptically added, “the things we have cannot be leaked for obvious reasons.”
Unit 42 suggests that the “obvious reasons” may relate to law enforcement pressure or the sensitivity of the stolen data.
On October 10, 2025, just hours before their ransom deadline, Scattered LAPSUS$ Hunters publicly teased the launch of their own extortion-as-a-service (EaaS) platform — an apparent rebranding of the traditional ransomware-as-a-service (RaaS) model but without file encryption.
The pivot, according to Unit 42, could help the group avoid detection and prosecution by focusing solely on data theft and extortion, rather than encryption-based attacks that typically attract international law enforcement action.
In another Telegram post dated October 5, 2025, the group revived its insider access recruitment program, seeking employees willing to sell access credentials across multiple industries.
Unit 42’s analysis highlights that Scattered LAPSUS$ Hunters are particularly targeting call centers, gaming companies, hosting providers, SaaS, and telecom organizations in the U.S., UK, Australia, Canada, and France.
This approach closely aligns with tactics previously documented in Muddled Libra (aka Scattered Spider) campaigns, where insiders were leveraged for SIM swap operations and corporate network access.
Perhaps the most intriguing revelation in Unit 42’s monitoring is the mention of a new ransomware family allegedly under development. On October 4, 2025, the group posted on its Telegram channel about a project called “SHINYSP1D3R.”
While it remains unclear whether SHINYSP1D3R is a genuine threat or a psychological operation meant to generate fear and hype, its mention follows earlier sightings by Falconfeeds in August 2025 of a similar alias circulating in underground forums.
Unit 42 analysts caution that the absence of encryption activity from the group to date supports the theory that this ransomware may serve as a branding exercise rather than an operational tool — possibly to attract affiliates to their new EaaS program.