Cyberwire Daily

Scattered Lapsus$ Hunters Signal Shift in Tactics

By Team-CWD, October 22, 2025


Scattered Lapsus$ Hunters appear to be evolving their operational playbook, with Palo Alto Networks’ Unit 42 detecting early indicators of tactical shifts via monitored Telegram activity.

Unit 42 has shared insights based on observations it has made via the hackers’ Telegram channel since early October 2025.

One of the developments is the reference to the launch of their extortion-as-a-service (EaaS) program.

This program would be similar to ransomware-as-a-service (RaaS) but with no file encryption.

The Unit 42 author noted that the shift could be an attempt to “fly under the radar of law enforcement attention.”

We have seen law enforcement take a proactive approach to tackling cybercrime in recent months, with members of the Scattered Spider-linked group arrested in the UK over the summer. Two teens were also arrested in connection with the Kido cyber-attack, also linked to Scattered Spider.

Unit 42 also noted the potential emergence of new ransomware linked to the group. It found Telegram posts discussing and testing new ransomware, which is believed to be dubbed SHINYSP1D3R.

These posts, made on October 4, were also linked to observations previously noted by Falconfeeds in August 2025. 

While new ransomware development is concerning, Unit 42 noted that it is unclear whether the ransomware is still under development or whether it is simply a false claim.

Similarly, it remains uncertain whether the EaaS program advertised by the threat actors will be as lucrative a business model as they likely hope, according to Unit 42.

The researchers noted that they had recently attempted to access the data leak site (DLS) associated with the threat actors, and noticed the website had what appeared to be a defacement message posted.

This meant that they were unable to determine if any victim data was still listed.

Scattered LAPSUS$ Hunters had previously listed the deadline for impacted organizations to make a ransom payment as 11:59 PM ET on October 10, 2025.

It is understood that data linked to at least six companies has been leaked.

However, on October 11, 2025, a day after the posted deadline and the release of data for the six organizations, the threat actors stated that “nothing else will be leaked.” 

Scattered Spider, ShinyHunters and LAPSUS$ are associated with The Com, a loosely organized online criminal network involving thousands of English-speaking individuals.

Earlier in September, the group was among those who supposedly said they would be shutting down their operations. However, many observed this as either a PR stunt or an attempt to lie low in the face of escalating law enforcement interest.


