Date: 11/25/2025
Severity: High
Summary
We uncovered multiple malicious files during an investigation into the ShinySp1d3r ransomware, linked to the ShinyHunters group. The ransomware name appears as “ShinySp1d3r” or “Sh1nySp1d3r,” and we track the group as Bling Libra. Several samples contain an embedded URL, likely a placeholder for a future Tor-based leak site. Reports indicate the encryptor was built from scratch and is still under active development, with a Linux variant also expected. We continue searching for additional samples and indicators tied to this emerging ransomware family.
Indicators of Compromise (IOC) List
SHA256 hashes:
- 670a269d935f1586d4f0e5bed685d15a38e6fa790f763e6ed5c9fdd72dce3cf2
- 62dc6ed7c83769648b5c59ad9cc2a4e26daec96a952eb44c93fd45f2011a3444
- 3bf53cddf7eb98d9cb94f9aa9f36c211a464e2c1b278f091d6026003050281de
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
sha256hash IN ("670a269d935f1586d4f0e5bed685d15a38e6fa790f763e6ed5c9fdd72dce3cf2","3bf53cddf7eb98d9cb94f9aa9f36c211a464e2c1b278f091d6026003050281de","62dc6ed7c83769648b5c59ad9cc2a4e26daec96a952eb44c93fd45f2011a3444")
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-11-21-IOCs-for-ShinySp1d3r-ransomware.txt