Bling Libra’s EaaS pivot and the SLSH playbook shift: what DFIR teams should do now
Unit 42’s 5‑minute read on October 20, 2025 documents three notable shifts tied to Scattered LAPSUS$ Hunters (SLSH): a formal push toward extortion‑as‑a‑service (EaaS), renewed insider recruitment, and chatter about a new ransomware brand, “SHINYSP1D3R.” Their guidance: build playbooks that handle data‑theft extortion the way many of us handle encryption‑driven ransomware today—verification, negotiation posture, and reputation impact included (Unit 42, Oct 20, 2025). (unit42.paloaltonetworks.com)
What changed in early October 2025
- EaaS advertisement (no encryption): On Oct 10, SLSH promoted an EaaS program analogous to RaaS but explicitly “no file encryption”—consistent with attempts to avoid law‑enforcement heat focused on encrypting crews (Unit 42). (unit42.paloaltonetworks.com)
- Insider recruitment redux: On Oct 5, SLSH solicited insiders, prioritizing call centers, gaming, hosting, SaaS, and telecom in the U.S., UK, AU, CA, and FR; ReliaQuest also noted this activity on X (Unit 42). (unit42.paloaltonetworks.com)
- “SHINYSP1D3R” claims: On Oct 4, the actors teased a ransomware effort; Unit 42 emphasizes it’s unclear whether development is real or a psyop, though separate intel shops have tracked similar chatter since August (Unit 42; FalconFeeds reference via Unit 42; EclecticIQ analysis of ShinyHunters links and RaaS development). (unit42.paloaltonetworks.com)
Context: Unit 42’s earlier Oct 10 brief connects “Scattered LAPSUS$ Hunters” to a coalition of Bling Libra (ShinyHunters), Muddled Libra (Scattered Spider/UNC3944), and LAPSUS$—sometimes dubbed a “Trinity” within a broader e‑crime social milieu known as “The Com” (Unit 42, Oct 10). (unit42.paloaltonetworks.com)