The cyber threat landscape has seen a flurry of activity in the last 48 hours. From the emergence of a new ransomware “super-alliance” to APT groups deploying custom tools that read mailbox data straight off the disk to sidestep Windows file locking, the methods are becoming more sophisticated and aggressive.
Below is a detailed breakdown of the most critical new activities, including technical indicators for defenders.
🕷️ ShinySp1d3r: A New RaaS from the “Scattered LAPSUS$ Hunters”
Threat Type: Ransomware-as-a-Service (RaaS) | Status: Active / In Development
A new ransomware-as-a-service program has emerged from a high-profile alliance of threat actors. Dubbed ShinySp1d3r, this ransomware is the product of the Scattered LAPSUS$ Hunters (SLSH)—a collective that aggregates the branding and reputational assets of three notorious groups: Scattered Spider, ShinyHunters, and LAPSUS$.
Tactics, Techniques, & Procedures (TTPs)
- Operational Structure: SLSH operates as a loose federation rather than a rigid hierarchy, using Telegram as its primary command and recruitment hub. They position themselves as an “extortion-as-a-service” and RaaS entity.
- Targeting: Initially focused on Windows systems, the group is actively developing encryptors for Linux and ESXi environments, signaling a clear intent to target enterprise virtualized infrastructure.
- Monetization Shift: This marks a strategic pivot for SLSH, moving from pure data theft and extortion (EaaS) to a hybrid model that includes traditional file encryption (RaaS).
- Social Engineering: The group continues to rely on “social performativity”—leveraging their notorious brand history to intimidate victims and taunt cybersecurity vendors and law enforcement.
Indicators of Compromise (IOCs)
- Ransomware Name: ShinySp1d3r
- Communication Channels: Telegram channels, specifically those referencing “scattered LAPSUS$ hunters” (e.g., “part 7”).
- Artifacts: Look for new wallpaper changes and ransom notes explicitly referencing “ShinySp1d3r” or the “SLSH” alliance.
🇷🇺 Water Gamayun: The “Silent Redirect” Attack Chain
Threat Type: State-Sponsored Espionage | Also Known As: EncryptHub
The Russia-aligned APT group Water Gamayun (also tracked as EncryptHub) has launched a sophisticated new campaign leveraging legitimate web infrastructure to deliver payloads.
Tactics, Techniques, & Procedures (TTPs)
- Initial Access: The group compromises legitimate websites and injects malicious JavaScript.
- Silent Redirect: When a victim visits the compromised site, the script performs a “silent redirect,” forcibly sending the user to a malicious domain controlled by the attackers.
- Payload Delivery: The final landing page hosts a double-extension RAR archive (e.g., `document.pdf.rar`) disguised as a PDF document.
- Exploitation: The attack chain often involves the “MSC EvilTwin” technique (exploiting CVE-2025-26633), where a malicious `.msc` console file is executed via the legitimate Microsoft Management Console (`mmc.exe`) to bypass security controls.
Indicators of Compromise (IOCs)
- Network: Traffic to the domains hosting the redirect scripts or to the final payload host (e.g., 103[.]246[.]147[.]17).
- File Names: Archives masquerading as PDFs, often password-protected so that automated scanners cannot inspect the contents.
- Host: Execution of suspicious `.msc` files located in an `en-US` subdirectory (indicative of the EvilTwin technique, in which `mmc.exe` loads the console file from the `en-US` subfolder in place of the same-named file the user opened).
🐱 ToddyCat: Bypassing Outlook Locks with “TCSectorCopy”
Threat Type: APT (Advanced Persistent Threat) | Target: Corporate Email
The ToddyCat APT has introduced a new custom toolkit focused on stealing corporate email data by bypassing standard Windows file locking mechanisms.
Tactics, Techniques, & Procedures (TTPs)
- New Tool: TCSectorCopy (xCopy.exe):
  - Function: Steals Outlook `.OST` (Offline Storage Table) files even while Outlook is running and holds the files open under an exclusive sharing lock.
  - Technique: The tool opens the physical disk as a read-only raw device and copies the target file sector by sector. Because no file handle is ever opened, the sharing locks enforced by the Windows file APIs never come into play. Raw device access requires local administrator rights, so this step only works after privilege escalation, and the raw handle open is visible to Sysmon as Event ID 9 (RawAccessRead).
  - Extraction: Once the file is exfiltrated, they use XstReader (an open-source tool) to extract emails and attachments.
- New Tool: SharpTokenFinder:
  - Function: Scans process memory to locate and steal Microsoft 365 OAuth 2.0 (JWT) tokens.
  - Impact: A stolen token is a bearer credential, so it lets attackers access cloud resources from outside the victim's network without a password or MFA code for as long as the token remains valid (access tokens are short-lived; refresh tokens are not). Revoking the user's sessions, not just resetting the password, is what invalidates them.
🤖 IoT & Botnet Resurgence: ShadowV2 and RondoDox
Threat Type: Botnet / DDoS-as-a-Service | Target: IoT Devices
Two significant botnets have resurfaced, targeting unpatched Internet-of-Things (IoT) devices to build massive DDoS armies.
ShadowV2 (Mirai Variant)
- Activity: Recently observed during a global AWS outage, suggesting it was being “test-run” for larger attacks.
- Exploits: Targets a mix of ancient and new vulnerabilities, including CVE-2009-2765 (DD-WRT) and CVE-2024-10915 (D-Link NAS).
- IOCs:
  - C2 Domain: silverpath[.]shadowstresser[.]info
  - C2 IP: 81[.]88[.]18[.]108
  - Payload: `binary.sh` downloader script.
RondoDox
- Activity: A “loader-as-a-service” botnet that uses an “exploit shotgun” approach.
- Capabilities: It weaponizes over 50 vulnerabilities across 30 different vendors (routers, DVRs, NVRs) to maximize infection rates.
- Behavior: Simultaneously fires multiple exploits at a target IP to find any weakness, rather than checking for specific versions first.
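The network indicators published in this bulletin (the ShadowV2 C2 domain and IP above, and the Water Gamayun payload host listed earlier) are defanged, so they cannot be matched against telemetry as written. The block below, an added example for this page and not any vendor's tooling, refangs them and sweeps constructed DNS, connection and proxy log lines for matches, treating domain indicators as suffix matches on label boundaries and IP indicators as exact matches. The log format is invented for the example; only the indicator values come from the page.

```python
import ipaddress
import re

# Indicators exactly as published on this page (defanged).
PAGE_IOCS = [
    "silverpath[.]shadowstresser[.]info",   # ShadowV2 C2 domain
    "81[.]88[.]18[.]108",                   # ShadowV2 C2 IP
    "103[.]246[.]147[.]17",                 # Water Gamayun redirect/payload host
]

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc):
    """Undo common defanging so the indicator can be compared with live telemetry."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def load_iocs(defanged):
    """Split a defanged indicator list into a domain set and an IP-address set."""
    domains, ips = set(), set()
    for raw in defanged:
        value = refang(raw).lower()
        try:
            ips.add(ipaddress.ip_address(value))
        except ValueError:
            domains.add(value)
    return domains, ips


def domain_matches(host, domains):
    """Exact match or a subdomain of an indicator; never a bare substring match."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def match_line(line, domains, ips):
    """Return every indicator value that appears in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        if domain_matches(host, domains):
            hits.append(host.lower())
    for ip in IP_RE.findall(line):
        try:
            if ipaddress.ip_address(ip) in ips:
                hits.append(ip)
        except ValueError:
            pass   # 999.1.1.1 style tokens that look like IPs but are not
    return hits


def scan(lines, defanged=PAGE_IOCS):
    """Yield (line_number, indicator) pairs for every hit across the log."""
    domains, ips = load_iocs(defanged)
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in match_line(line, domains, ips)]


# Constructed log lines; client addresses and the timestamps are invented.
SAMPLE_LOG = [
    "2025-11-21T10:02:11Z dns client=10.0.4.17 query=silverpath.shadowstresser.info type=A",
    "2025-11-21T10:02:12Z conn src=10.0.4.17 dst=81.88.18.108:443 proto=tcp",
    "2025-11-21T10:03:00Z dns client=10.0.4.18 query=www.example.com type=A",
    "2025-11-21T10:03:40Z http client=10.0.4.19 url=http://103.246.147.17/document.pdf.rar",
    "2025-11-21T10:04:02Z dns client=10.0.4.20 query=shadowstresser.info.example.com type=A",
    "2025-11-21T10:04:10Z conn src=10.0.4.21 dst=181.88.18.108:443 proto=tcp",
]


if __name__ == "__main__":
    for line_no, indicator in scan(SAMPLE_LOG):
        print(f"line {line_no}: {indicator}")
```

Lines 5 and 6 are the controls: a lookalike host that merely contains the indicator text, and an address that ends in the C2 IP's digits, both stay silent because matching happens on whole labels and whole addresses. Whether to also pivot on the parent `shadowstresser[.]info` is a judgement call; the page lists only the full host name, so the example keeps to that.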
🎣 Phishing Frontiers: Smishing Triad & The Lighthouse Lawsuit
Threat Type: Phishing-as-a-Service (PhaaS) | Target: Global Consumers
Smishing Triad Expands to Egypt
- New Targets: The Chinese-speaking cybercriminal group Smishing Triad has expanded its operations to Egypt.
- Tactics: They are using the Panda phishing kit to impersonate major Egyptian service providers, including Fawry (payments), Egypt Post, and Careem (ride-hailing).
- Goal: Steal PII and payment data from mobile users via SMS lures.
Google Sues “Lighthouse”
- Event: Google has filed a civil lawsuit against the operators of Lighthouse, a massive Phishing-as-a-Service platform.
- Scale: The platform is alleged to have ensnared over 1 million victims worldwide.
- Impact: This legal action aims to dismantle the infrastructure used by thousands of low-level cybercriminals who rent the Lighthouse kit to launch their own scam campaigns.