New RaaS Alliances, Nation-State Kinetic Targeting, and MSP Breaches

A new “super-group” alliance has birthed the ShinySp1d3r ransomware, nation-state actors are directly guiding physical missile strikes via cyber intrusions, and critical infrastructure in the US and South Korea faces escalated targeting.
🕷️ ShinySp1d3r: The “Scattered LAPSUS$ Hunters” Alliance

Threat Type: Ransomware-as-a-Service (RaaS) | Status: Active / In Development

A new ransomware-as-a-service program has emerged from a high-profile alliance of threat actors. Dubbed ShinySp1d3r, this ransomware is the product of the Scattered LAPSUS$ Hunters (SLSH)—a collective that aggregates the branding and reputational assets of three notorious groups: Scattered Spider, ShinyHunters, and LAPSUS$.

Tactics, Techniques, & Procedures (TTPs)

  • Operational Structure: SLSH operates as a loose federation rather than a rigid hierarchy, using Telegram as its primary command and recruitment hub. They position themselves as an “extortion-as-a-service” and RaaS entity.
  • Targeting: The group has explicitly threatened high-value targets, including threats to deploy ransomware against infrastructure in New York City and New York State.
  • Development Cycle:
    • Current: A functional Windows encryptor is actively being deployed.
    • Upcoming: Linux and ESXi encryptors are reportedly in late-stage development, signaling an intent to target enterprise virtualized environments.
  • Behavior: The group relies heavily on “social performativity”—using their reputation and public fear (leveraging the brand history of LAPSUS$ and Scattered Spider) to intimidate victims into rapid payments.

Indicators of Compromise (IOCs)

  • Ransomware Name: ShinySp1d3r
  • Communication Channels: Telegram channels, specifically “scattered LAPSUS$ hunters part 7”.
  • Artifacts: Look for new wallpaper changes and ransom notes explicitly referencing “ShinySp1d3r” or the “SLSH” alliance.

🚨 INC Ransom: Takedown of US Emergency Alert System

Threat Type: Ransomware | Target: CodeRED Emergency Alert System

The INC Ransom group has claimed responsibility for a significant attack on the CodeRED emergency alert system, a critical platform used by local governments across the US to notify residents of disasters.

Attack Timeline & Impact

  • Initial Access: November 1, 2025.
  • Encryption Deployed: November 10, 2025.
  • Data Exfiltration: 1.15 TB of data stolen.
  • Proof of Compromise: The group published CSV files containing client-related data on their dark web leak site to verify the breach.

Tactics, Techniques, & Procedures (TTPs)

  • Initial Access: INC Ransom typically exploits known vulnerabilities in external-facing devices (e.g., Citrix NetScaler CVE-2023-3519) or uses spear-phishing to harvest credentials.
  • Lateral Movement: They abuse RDP (Remote Desktop Protocol) for lateral movement and use legitimate tools (LOLBins) like wmic.exe and PsExec (often disguised as winupd) to execute commands across the network.
  • Data Staging: Legitimate archiving tools like 7-Zip are used to compress stolen data before exfiltration.
  • Defense Evasion: The group is known to delete Volume Shadow Copies to prevent recovery without keys.
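As an added detection example (written for this digest, not INC Ransom tooling or any vendor's rule set), the TTPs above mapped onto Sysmon process-creation telemetry: a renamed PsExec is caught through the PE version resource name that Sysmon records in OriginalFileName, shadow copy deletion through the vssadmin/wmic command lines, and 7-Zip archive creation with a password or from a UNC share as a staging signal. The sample events are constructed; the winupd.exe name follows the report, and the OriginalFileName value psexec.c is the one the Sysinternals build carries and that public detection rules key on.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records; not real telemetry.
PROC_EVENTS = [
    {"Image": r"C:\Windows\Temp\winupd.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"winupd.exe \\FS01 -s cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "CommandLine": r"7z.exe a -p -mhe=on C:\Temp\fin.7z \\FS01\Finance"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "CommandLine": r"7z.exe x C:\Users\bob\Downloads\report.7z"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

# vssadmin / wmic invocations that wipe Volume Shadow Copies (recovery inhibition).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
# 7-Zip 'a' (add) command, i.e. an archive being created rather than extracted.
ARCHIVE_CREATE = re.compile(r"\b7z[ag]?(\.exe)?\s+a\b", re.I)

def classify(event):
    """Return the names of the rules a single process-creation event trips."""
    hits = []
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    # Renamed PsExec: the PE version resource still names psexec while the file on disk
    # has been renamed (the report cites 'winupd'). Sysmon carries the resource name.
    if orig.startswith("psexec") and not image.startswith("psexec"):
        hits.append("renamed_psexec")
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    # Staging signal: an archive created with a password and/or from a UNC share.
    if ARCHIVE_CREATE.search(cmd) and (" -p" in cmd or "\\\\" in cmd):
        hits.append("archive_staging")
    return hits

def scan(events):
    """Map each flagged event to (image basename, rules) for triage."""
    out = []
    for e in events:
        hits = classify(e)
        if hits:
            out.append((e["Image"].rsplit("\\", 1)[-1].lower(), hits))
    return out
```

The allow lists and thresholds are deliberately absent here; in production the archive rule in particular needs tuning against legitimate backup jobs.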

⚔️ The New Warfare: Cyber-Enabled Kinetic Targeting

Threat Type: Nation-State / Hybrid Warfare | Source: Amazon Threat Intelligence

A groundbreaking report from Amazon has defined a new category of warfare: Cyber-Enabled Kinetic Targeting. This goes beyond “hybrid warfare”; it describes scenarios where cyber intrusions are specifically used to guide physical military strikes (missiles, drones) in the real world.

Key Case Studies

  • Imperial Kitten (Iran/IRGC):
    • Target: Maritime vessels.
    • Method: Compromised the Automatic Identification System (AIS) and onboard CCTV cameras of ships.
    • Kinetic Result: The cyber data (location, visual confirmation) was used to target Houthi missile strikes against specific commercial vessels.
  • MuddyWater (Iran/MOIS):
    • Target: Israeli infrastructure.
    • Method: Hacked into CCTV cameras in Jerusalem.
    • Kinetic Result: Real-time visual intelligence from these cameras was used to coordinate and adjust physical attacks.

Strategic Implication

Defenders must now treat “reconnaissance” intrusions (like CCTV or sensor hacks) not just as privacy breaches, but as potential preludes to physical destruction.
🇰🇷 Qilin Ransomware: The “Korean Leaks” Campaign

Threat Type: RaaS / State-Sponsored Hybrid | Target: South Korean Financial Sector

Qilin Ransomware has launched a massive campaign dubbed “Korean Leaks,” compromising 28 South Korean companies (primarily asset management firms) via a single Managed Service Provider (MSP).

The North Korea Connection

  • Collaboration: Intelligence suggests Moonstone Sleet, a North Korean state-sponsored actor, is working as an affiliate for Qilin.
  • Motive: This blurs the line between financial crime and state disruption, allowing North Korea to monetize attacks while destabilizing South Korean financial infrastructure.

Tactics, Techniques, & Procedures (TTPs)

  • Vector: Supply chain compromise via a shared MSP.
  • Encryption: Domain-wide encryption of victim networks.
  • Extortion: Double extortion—files are encrypted, and sensitive financial data (over 2 TB stolen) is leaked if ransoms are not paid.

🇷🇺 RomCom: GRU Unit 29155 Targets US Engineering

Threat Type: State-Sponsored Espionage | Target: US Civil Engineering

For the first time, the Russia-linked threat actor RomCom (attributed to GRU Unit 29155) has been observed using the widespread SocGholish malware network to deliver targeted payloads.

Attack Chain

  1. Initial Access: User visits a compromised website and sees a “Fake Browser Update” (SocGholish).
  2. Loader Delivery: Instead of standard crimeware, SocGholish delivers a RomCom-controlled loader.
  3. Payload: The loader installs Mythic Agent, a powerful post-exploitation framework.
  4. Targeting: The specific victim was a US-based civil engineering firm, likely chosen for its involvement in Ukraine-related infrastructure projects.

🐱 ToddyCat: Advanced Token Theft Tools

Threat Type: APT (Advanced Persistent Threat) | Target: Corporate Email & Cloud Access

The ToddyCat APT has introduced a new custom toolkit focused on bypassing Microsoft security controls to steal email data without triggering standard alerts.

New Tool: TCSectorCopy

  • Function: Steals Outlook .OST (Offline Storage Table) files even when Outlook is running and files are locked.
    • Technique: It opens the disk as a read-only raw device and copies the file sector by sector, so the sharing locks that the Windows file API enforces on an open .OST never come into play.
  • Extraction: Once copied, they use XstReader to extract emails.

New Tool: SharpTokenFinder

  • Function: Scans system memory to locate and steal Microsoft 365 OAuth 2.0 (JWT) tokens.
  • Impact: Allows attackers to access cloud resources from outside the victim’s network without needing a password or MFA code.
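As an added detection example (written for this digest, not ToddyCat's or Microsoft's code), the two tool behaviours above mapped onto Sysmon telemetry: Event ID 9 (RawAccessRead) records a volume being opened as a raw device, which is the only trace a sector-by-sector copy leaves because no file open or read event for the .OST ever occurs, and Event ID 10 (ProcessAccess) records a process reading the memory of Outlook or Teams, where the Microsoft 365 tokens live. The events, the allow lists and the placeholder image names tcsc.exe and stf.exe are constructed assumptions.

```python
# Constructed Sysmon records (Event ID 9 RawAccessRead, Event ID 10 ProcessAccess);
# the 'tcsc.exe' and 'stf.exe' names are placeholders, not the real tool file names.
SYSMON_EVENTS = [
    {"EventID": 9, "Image": r"C:\Users\Public\tcsc.exe",
     "Device": r"\Device\HarddiskVolume3"},
    {"EventID": 9, "Image": r"C:\Windows\System32\vssvc.exe",
     "Device": r"\Device\HarddiskVolume3"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\stf.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\stf.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
]

# Processes legitimately allowed to open volumes raw or to read Office memory; tune per estate.
RAW_READ_ALLOWLIST = {"system", "vssvc.exe", "defrag.exe", "msmpeng.exe"}
MEMORY_READ_ALLOWLIST = {"csrss.exe", "wmiprvse.exe", "msmpeng.exe"}
# Processes that hold Microsoft 365 OAuth tokens in memory.
TOKEN_HOLDERS = {"outlook.exe", "teams.exe", "ms-teams.exe", "winword.exe", "excel.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a rule name if the event matches one of the two ToddyCat patterns, else None."""
    if event["EventID"] == 9:
        # TCSectorCopy-style theft opens the volume as a device, so no file open/read event
        # for the .OST ever appears; the raw volume handle itself is the only trace.
        if basename(event["Image"]) not in RAW_READ_ALLOWLIST:
            return "raw_volume_read"
    elif event["EventID"] == 10:
        src, tgt = basename(event["SourceImage"]), basename(event["TargetImage"])
        granted = int(event["GrantedAccess"], 16)
        # SharpTokenFinder-style harvesting reads an Office/Teams process's memory
        # from a process that has no business doing so.
        if tgt in TOKEN_HOLDERS and src not in MEMORY_READ_ALLOWLIST and granted & PROCESS_VM_READ:
            return "office_memory_read"
    return None

def scan(events):
    out = []
    for e in events:
        rule = classify(e)
        if rule:
            out.append((rule, basename(e.get("Image") or e["SourceImage"])))
    return out
```

A raw-volume alert should be triaged together with any later outbound transfer, since the stolen .OST is useless to the actor until it leaves the host.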