Bling Libra’s EaaS pivot and the SLSH playbook shift: what DFIR teams should do now
Unit 42’s 5-minute read on October 20, 2025 documents three notable shifts tied to Scattered LAPSUS$ Hunters (SLSH): a formal push toward extortion-as-a-service (EaaS), renewed insider recruitment, and chatter about a new ransomware brand, “SHINYSP1D3R.” Their guidance: build playbooks that handle data-theft extortion the way many of us handle encryption-driven ransomware today, with verification, negotiation posture, and reputation impact included (Unit 42, Oct 20, 2025). (unit42.paloaltonetworks.com)
What changed in early October 2025
- EaaS advertisement (no encryption): On Oct 10, SLSH promoted an EaaS program analogous to RaaS but explicitly “no file encryption,” consistent with attempts to avoid law-enforcement heat focused on encrypting crews (Unit 42). (unit42.paloaltonetworks.com)
- Insider recruitment redux: On Oct 5, SLSH solicited insiders, prioritizing call centers, gaming, hosting, SaaS, and telecom in the U.S., UK, AU, CA, and FR, also noted by ReliaQuest activity on X (Unit 42). (unit42.paloaltonetworks.com)
- “SHINYSP1D3R” claims: On Oct 4, the actors teased a ransomware effort; Unit 42 emphasizes it’s unclear whether development is real or psyops, though separate intel shops have tracked similar chatter since August (Unit 42; FalconFeeds reference via Unit 42; EclecticIQ analysis of ShinyHunters links and RaaS development). (unit42.paloaltonetworks.com)
Context: Unit 42’s earlier Oct 10 brief connects “Scattered LAPSUS$ Hunters” to a coalition of Bling Libra (ShinyHunters), Muddled Libra (Scattered Spider/UNC3944), and LAPSUS$, sometimes dubbed a “Trinity” within a broader e-crime social milieu known as “The Com” (Unit 42, Oct 10). (unit42.paloaltonetworks.com)