Scattered LAPSUS$ Hunters conducted Salesforce data theft extortion, leaked alleged PII from six companies across aviation, energy, and retail, and advertised an extortion-as-a-service (EaaS) model and insider recruitment on Telegram. The group also claimed development of a new ransomware called SHINYSP1D3R and signaled a potential pause in activity. #ScatteredLAPSUS$Hunters #SHINYSP1D3R
Keypoints
- Scattered LAPSUS$ Hunters set an extortion deadline of Oct 10, 2025, and subsequently leaked data allegedly belonging to six companies in aviation, energy, and retail.
- Leaked data reportedly included personally identifiable information (names, DOBs, emails, phone numbers, frequent flyer numbers), raising identity-theft and fraud concerns.
- Unit 42 observed that the threat actors’ data leak site (DLS) appeared defaced and was inaccessible at the time of investigation.
- The group advertised an extortion-as-a-service (EaaS) program that mimics ransomware-as-a-service but without file encryption to potentially avoid law enforcement attention.
- Rapid recruitment posts sought insider access at call centers, gaming companies, hosting providers, SaaS, and telecoms in the U.S., UK, Australia, Canada, and France.
- The actors claimed development of a new ransomware named “SHINYSP1D3R,” though its existence and maturity remain unconfirmed.
- Unit 42 recommends organizations prepare EaaS-specific incident response playbooks, retain third-party experts for negotiations and data verification, and seek proactive threat assessments if targeted.
MITRE Techniques
- [T1591] Gather Victim Identity Information – Threat actors leaked and advertised personally identifiable information (names, dates of birth, email addresses, phone numbers, frequent flyer numbers) as extortion leverage: ‘leaked data allegedly includes various types of personally identifiable information (PII) such as names, dates of birth, email addresses, phone numbers and frequent flyer numbers.’
- [T1490] Inhibit System Recovery – Advertising an extortion model without file encryption to coerce payment through data exposure rather than operational disruption: ‘no file encryption.’
- [T1204] User Execution – Recruitment of insiders to gain access at targeted organizations (call centers, gaming, hosting, SaaS, telecom) implies leveraging insider actions or social engineering to obtain access: ‘advertisement seeking insider access at organizations across a variety of industries.’
- [T1586] Compromise Infrastructure – Use of a dedicated data leak site (DLS) and Telegram channel to publish stolen data and communicate with victims and affiliates: ‘data leak site (DLS) associated with the threat actors’ and ‘Telegram channel (SLSH 6.0 part 3) used by the threat actors.’
- [T1496] Resource Hijacking (Extortion) – Launching an extortion-as-a-service (EaaS) program to monetize stolen data and offer services to other criminals: ‘launch of their extortion-as-a-service (EaaS) program…similar to a typical ransomware-as-a-service (RaaS) program with a clear difference: no file encryption.’
Indicators of Compromise
- [Data Leak Site] DLS context – references to a clearnet data leak site used to publish stolen data; site appeared defaced as of Oct 17, 2025 (no specific URL provided).
- [Channel/Platform] Telegram channel context – SLSH 6.0 part 3 channel used for announcements, recruitment, and EaaS advertising; screenshots referenced from Oct 4–11, 2025.
- [Malware Name] Ransomware context – claimed new ransomware name SHINYSP1D3R mentioned in Telegram posts on Oct 4, 2025.
- [Victim Data Types] PII context – examples of stolen data types: names, dates of birth, email addresses, phone numbers, frequent flyer numbers (six alleged victim organizations across aviation, energy, retail).
Read more: https://unit42.paloaltonetworks.com/scattered-lapsus-hunters-updates/