Scattered spider iocs This blog will discuss the ongoing campaign in greater detail, highlighting the various techniques used by the adversary to gain and maintain access, and evade detection and response, as well as what Aug 17, 2023 · Scattered Spider: The Modus Operandi. By Feb 23, 2024 · This technical report includes Indicators of Compromise (IoCs) and enables cybersecurity professionals to detect and mitigate threats associated with Scattered Spider's activities. The group, also known as 0ktapus, Scattered Spider, and UNC3944, has been active since early 2022, initially targeting telecom and outsourcing companies with SIM swap attacks. Response to CISA Advisory (AA23-320A): Scattered Spider AttackIQ has released a new assessment template in response to the recently published CISA Advisory (AA23-320A) that disseminates known Scattered Spider’s Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs) identified through FBI investigations as recent as Aug 17, 2023 · Scattered Spider: The Modus Operandi. Dec 5, 2022 · The attacks have been attributed with low confidence to hackers tracked as 'Scattered Spider,' who demonstrate persistence in maintaining access, reversing mitigations, evading detection, and Jul 19, 2024 · The ransomware attack techniques used by Scattered Spider. Photo Credit: Microsoft. Feb 9, 2024 · Scattered Spider is believed to be a group of European and US hackers in their teens and 20s who specialize in social engineering. It is well-known for launching sophisticated social engineering attacks to obtain usernames, login credentials, and multi-factor authentication (MFA) tokens. Jul 24, 2024 · Scattered Spider targets financial institutions, telecommunication organisations, and technology companies. The blog covers their TTPs, victims, arrests, and the role of cybercrime intelligence. CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023. 
SCYTHE has included Scattered Spider Cybercriminal Group IOCs in the form of a threat, for use in your SCYTHE Platform, as well as Sigma rules to aid in the detection of Scattered Spider. Alert your IT service desk to investigate suspicious passwords and/or MFA resets over the last few months. A U. The store was hit by a hack on Easter Monday, the aftermath of which is still being felt by British and Irish customers. Scattered Spider presents as a sophisticated and persistent threat to large organizations Apr 10, 2025 · Scattered Spider, a notorious hacker collective active since at least 2022, continues to launch increasingly sophisticated social engineering attacks aimed at stealing usernames, login credentials, and multifactor authentication (MFA) tokens. Aug 18, 2023 · Scattered Spider, also referred to as UNC3944, Scatter Swine, Muddled Libra, and Roasted Oktapus, is a financially motivated threat actor gro Saturday, April 26, 2025 Jun 16, 2024 · A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash May 1, 2025 · The Scattered Spider hacking group [5] [8] [11] [12], also known by various aliases such as 0ktapus and UNC3944, orchestrated a significant ransomware attack on Marks & Spencer (M&S) in early 2025. 0 IOCs as of publication . Why would a hacking group like Scattered Spider attack M&S? It's believed a hacking group encrypted important Marks and Spencer systems using ransomware - a technique which means companies are forced to Dec 6, 2024 · The ransomware attack that hit supply chain management platform Blue Yonder and its customers last month was the work of a new ransomware group called “Termite. This actor often focuses their initial access efforts on IT service desk workers and Sep 16, 2024 · How to leverage passive DNS history with Validin to uncover SCATTERED SPIDER phishing infrastructure. 
We predict, with high confidence, that attacks from Scattered Spider will persist into the long term (beyond one year). Regularly check for and monitor lookalike domains. This ransomware gang is known for its sophisticated attacks across various sectors, including telecom, hospitality, retail, and financial services. The Scattered Spider group has conducted at least 3 remarkable campaigns so far: Oktapus / March-July 2022: This campaign targeted employees of U. Scattered Spider is the designation given to a threat actor that's known for its sophisticated social engineering schemes to breach targets and establish persistence for follow-on exploitation and data theft. A threat actor tracked as ‘Scattered Spider’ is targeting telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile carrier networks and perform SIM swapping, cybersecurity firm CrowdStrike warns. The Sekoia Threat Detection and Research (TDR) team wrote a comprehensive blog post about Scattered Spider; you can find a detailed description of it at this link. The group is yet to receive a Microsoft designation but will fall into the Tempest (financially motivated) category once registered. The group utilizes multiple phishing kits, which are continually updated. Strengthen your environment against the published Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with Scattered Spider. This report provides an overview of its history, modus operandi, toolset and ongoing attacks, including IoCs and technical details. 
Threat Actor Profile – Scattered Spider Overview Scattered Spider (also known as UNC3944 and Roasted 0ktapus) is a relatively new, financially motivated threat group that has been active since at least May 2022. Forecast. Nov 16, 2023 · Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Silent Push researchers have identified over 49 domains linked to PoisonSeed through WHOIS analysis and phishing kit fingerprints. Oct 24, 2024 · response to activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. Historically, Scattered Spider has mainly gained initial access to the victim environment via theft of administrative credentials by email and SMS phishing attacks or the use of stealware. Scattered Spider has largely been observed targeting telecommunications and Business Process Outsourcing (BPO) organisations. A game of cops and robbers is playing out between the FBI and Scattered Spider (aka UNC3944, 0ktapus, Roasted Oktapus, Scatter Swine, Octo Tempest, Muddled Libra), the cybercrime outfit a la mode Feb 10, 2023 · Over time, Scattered Spider has demonstrated persistence in maintaining access, reversing mitigations, evading detection, and pivoting to other valid targets when thwarted. ]com and found it was owned by Twitter beginning on Aug. Oct 30, 2023 · In Q3 of 2023, several high profile attacks against the gaming industry and other large enterprises were carried out by “Scattered Spider”, aka UNC3944, aka Scatter Swine aka, Muddled Libra, aka Roasted 0ktapus aka possibly sometimes BlackCatALPHV or Rhysida, aka a group of globally distributed teenagers… Attribution is hard in this industry. Tools and Techniques Used by Scattered Spider Threat Group. 
This attack, which exploited vulnerabilities in M&S’s security systems, led to substantial operational disruptions and financial losses for the Apr 29, 2025 · Here's an updated and comprehensive list of Scattered Spider Indicators of Compromise (IOCs) and Indicators of Attack (IOAs). Chinese-based Dec 6, 2022 · Cybercrime ‘Scattered Spider’ Cybercrime Group Targets Mobile Carriers via Telecom, BPO Firms. May 8, 2025 · Scattered Spider (also known as Roasting 0ktapus and Scatter Swine) is a financially motivated threat actor that has been actively operating since May 2022. Nov 23, 2023 · Insights of a Dangerously Proficient Social Engineering Group, Scattered Spider. 6, 2024, and was traced back to Scattered Spider through The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this joint Cybersecurity Advisory (CSA) on recent activity by Scattered Spider threat actors against Commercial Facilities Sectors and subsectors with tactics, techniques and procedures obtained through FBI investigations as recently EclecticIQ researchers analyzed the ransomware operations of SCATTERED SPIDER (Octo Tempest As we concluded our investigation, we determined that several of the TTPs observed had a historical connection to Scattered Spider, leading us to attribute the attack to that group with high confidence. Scattered Spider employs social engineering techniques, such as phishing, push bombing, and SIM swap Apr 8, 2025 · Scattered Spider is an active hacker collective targeting various high-profile brands and services in 2025. May 17, 2023 · Google-owned Mandiant attributed the activity to a threat group it tracks under the name UNC3944, which is also known as Roasted 0ktapus and Scattered Spider. 
While these IOCs are subject to change as the group adapts, the following are based on information from CISA Nov 11, 2024 · 0ktapus (aka Scattered Spider, UNC3944, Storm-0875, Starfraud, Scatter Swine, Muddled Libra, LUCR-3 and Octo Tempest) is a financially motivated threat actor active since 2022, that has successfully targeted many of its victims’ cloud environments. Apr 4, 2025 · Scattered Spider primarily focuses on large-scale ransomware attacks against corporate targets and has not been observed engaging in cryptocurrency wallet phishing. Nov 22, 2023 · Scattered Spider’s initial access vector was through the customer’s cloud environment, where it was able to gain access to an IT admin account using Okta single sign-on (SSO), having reset Possibly connected with the Scattered Spider group. If that describes your organization, the FBI and CISA recommend organizations implement mitigations to improve your organization’s cybersecurity to reduce the risk of compromise by Scattered Spider threat actors. After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with victims via TOR, Tox, email, or encrypted applications. Apr 16, 2025 · Challenge: Stopping phishing attacks using only IOCs . They use these techniques to take Aug 17, 2023 · Scattered Spider: The Modus Operandi. Scattered Spider (2022): This group has conducted a number of high profile attacks including those against Caesars Entertainment and MGM Resorts International. After compromising identity infrastructure, they pivot to server environments on-premises and in the cloud and deploy ransomware for financial gain. Jan 15, 2025 · Scattered Spider typically starts its attacks with targeted social engineering, impersonating employees or executives to trick help desks into resetting credentials, thus bypassing MFA. 
The consensus among researchers is that the group is comprised of relatively young threat actors reported to be between 17 and 22 years old, native Scattered Spider are known for their use of identity-based techniques, specialising in account takeover through stolen credentials, phishing, and advanced social engineering such as help desk scams. Scattered Spider pivots and targets applications with remarkable precision, using access to internal IT documentation for extremely efficient lateral movement. Nov 21, 2023 · Scattered Spider, also known by other names like Octo Tempest, 0ktapus, and UNC3944, has emerged as a significant threat in the cybersecurity landscape. 22, but changed hands on Oct. Jun 11, 2024 · The crew behind the Snowflake intrusions may have ties to Scattered Spider, aka UNC3944 – the notorious gang behind the mid-2023 Las Vegas casino security breaches. IOCs serve multiple purposes in cybersecurity defense, including detection, investigation, and prevention: 1. Apr 8, 2025 · Executive Summary. Cyble Research and Intelligence Labs (CRIL) researchers have examined a Termite ransomware binary and determined that Termite is essentially a rebranding of the notorious Babuk ransomware. A new version of Spectre RAT has been identified as part of their updated tactics. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs. It was behind the attack on the MGM Las Vegas Jun 12, 2024 · Another finding was that SCATTERED SPIDER, an affiliate of the ALPHV/BlackCat RaaS is also regularly known to use the BYOVD technique to bypass EDR systems. Our team published IOCs on the group in early 2023. Once inside, Scattered Spider avoids specialized malware and instead relies on reliable remote management tools to maintain access. 
Active IOCs May Aug 8, 2023 · Scattered Spider, or UNC3944, is a financially motivated threat actor known for its clever use of social engineering tactics to infiltrate target devices. Once credentials have been obtained, Scattered Spider uses these to impersonate the admin and use sensitive data to gain access to the environment. May 2, 2025 · M&S may have been hacked by a group of notorious cyber-criminals known as Scattered Spider, some of whom are believed to be English-speaking teenagers. Nov 17, 2023 · “Scattered Spider is very skilled, but even the most skilled actors make mistakes,” Liska said. Explore the severe impact of the incident on M&S, including contactless payment failures, online delivery delays, and significant stock shortages in physical locations. Executive Summary. SCATTERED SPIDER is a prolific eCrime adversary who has conducted a range of financially-motivated activity since early 2022. -based financial services company were being targeted by several Advanced Persistent Threat (APT) groups – mostly notably Scattered Spider – in phishing campaigns that were specifically directed against the organization’s online presence. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as Apr 29, 2025 · Scattered Spider moves beyond the UK, places crosshairs on US companies -based companies that use services from IAM leader Okta. Feb 22, 2024 · Scattered Spider is a cybercrime group that conducts social engineering, ransomware, extortion and other advanced campaigns since 2022. 
🔗 Network IOCs – Phishing and Infrastructure Domains 7-eleven-hr Nov 16, 2023 · Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs. May 6, 2024 · Scattered Spider uses lookalike domains to conduct phishing attacks. Aug 16, 2023 · Background on Scattered Spider. 12. However, recent activity indicates that this group has started targeting other sectors, including critical infrastructure organisations. On September 10, 2024, Arda Büyükkaya from EclecticIQ published a thorough update on SCATTERED SPIDER (also called 0ktapus). Apr 9, 2025 · Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. Oct 26, 2023 · The prolific threat actor known as Scattered Spider has been observed impersonating newly hired employees in targeted firms as a ploy to blend into normal on-hire processes and takeover accounts and breach organizations across the world. These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old T1053 - Scheduled Task/Job, T1056 - Input Capture, T1059 - Command and Scripting Interpreter, T1106 - Native API, T1115 - Clipboard Data, T1133 - External Remote Services, T1140 - Deobfuscate/Decode Files or Information, T1176 - Browser Extensions, T1190 - Exploit Public-Facing Application, T1195 - Supply Chain Compromise, T1496 - Resource Hijacking, T1564 - Hide Artifacts, T1219 
Sep 27, 2024 · More recently, Microsoft spotted it deploying Embargo's ransomware payload, and separately compared it to more established, financially motivated groups such as Octo Tempest (Scattered Spider) and Manatee Tempest (Evil Corp). Curated by the Threat Detection & Research team and other experts at Sekoia. Nov 21, 2023 · Adversary Emulation Response to CISA Advisory (AA23-320A): Scattered Spider Published November 21, 2023. Someone claiming to represent Scattered Spider told the Financial Times they wanted to rig the slot machines — a la Ocean’s Thirteen, which the rep said they’d never watched. May 14, 2024 · Scattered Spider is still on the loose despite law enforcement efforts Both the FBI and CISA announced a crackdown on the group in the aftermath of the MGM Resorts cyber attack in September 2023 , which forced the group to shutdown their IT systems, leaving customers locked out of rooms and slot machines out of action. Our research indicates that the group often registers lookalike domains 12-24 hours before an attack, mimicking the target organization or its services. Jul 15, 2024 · Learn how to track and defend against SCATTERED SPIDER, a prolific cybercriminal group that evolved from The Com community. The adversary's early campaigns predominantly targeted firms specializing in customer relationship management (CRM) and business-process outsourcing (BPO), as well as telecommunications and technology companies. exe has also been deployed during ALPHV/BlackCat ransomware attacks in June 2023 as well as leveraged by Akira ransomware affiliates, who also have ties to Conti . The group is known for its advanced techniques, including abusing Single Sign-On (SSO) systems, Cross-Tenant Synchronization within Microsoft Azure, and deploying open Nov 21, 2023 · Scattered Spider’s TTPs are highly significant to the wider threat landscape, as attacks are being aided by gaps in identification and insufficient help-desk user verification policies. 
This report provides updated technical details with IOCs and TTPs. Educate employees about targeted phishing, smishing, and vishing. According to a warning from Microsoft's threat intelligence team, the Scattered Spider (also known as Octo Tempest) hacking group has added new attack techniques, with ransomware such as RansomHub and Qilin now among the attack weapons it currently uses. Apr 29, 2025 · As to who those hackers might be: fingers are pointing at a rather fluid network of individuals called Scattered Spider (it also has other aliases). Scattered Spider is known for their social engineering skills and defense evasion technique. North American group. Plus, Terminator. BleepingComputer refers to “ongoing outages” at M&S Nov 7, 2024 · 0ktapus (aka Scattered Spider, UNC3944, Storm-0875, Starfraud, Scatter Swine, Muddled Libra, LUCR-3 and Octo Tempest) is a financially motivated threat actor active since 2022, that has successfully targeted many of its victims’ cloud environments. Scattered Spider has largely been observed targeting telecommunications and Business Process Outsourcing (BPO) organizations. This new research outlines phishing campaigns often delivered via smishing in which the threat actor deploys phishing Apr 29, 2025 · Information from BleepingComputer indicates that Scattered Spider was most likely behind the hack on Marks & Spencer. 3. This cybercriminal group employs sophisticated techniques including social engineering, data theft, and ransomware to target banks and insurance companies. 
Apr 8, 2025 · Another notable recent development in Scattered Spider’s activity was the registration of a domain that was previously legitimately owned by Twitter, which is now known as X. Silent Push researchers have identified five unique phishing kits used by Scattered Spider since 2023, with some Sep 12, 2024 · Scattered Spider is a cybercriminal group that has gained notoriety for its focused attacks on cloud environments, particularly those in the insurance and financial industries. These investigations appear to be tied to a financially-motivated campaign with links to an adversary CrowdStrike tracks as SCATTERED SPIDER. For more than a week, the British retailer May 14, 2024 · Scattered Spider has been actively targeting the global finance and insurance industries, according to new findings by cybersecurity specialists. Scattered Spider, also referred to as UNC3944, [1] is a hacking group mostly made up of teens and young adults believed to live in the United States and the United Kingdom. Significant brands targeted include Nike, T-Mobile, and Twitter/X among others. Aug 18, 2023 · Scattered Spider, also referred to as UNC3944, Scatter Swine, and Muddled Libra, is a financially motivated threat actor group that has been active since May 2022. 
Oct 26, 2023 · Microsoft has published a detailed profile of a native English-speaking threat actor with advanced social engineering capabilities it tracks as Octo Tempest, aka Scattered Spider, that targets Nov 17, 2023 · Scattered Spider is an affiliate of BlackCat (ALPHV) Ransomware-as-a-Service (RaaS) group, and they use their TTPs and ransomware payloads in their attacks. Sep 14, 2023 · This activity overlaps with activity that has been reported in open sources as "0ktapus," "Scatter Swine," and "Scattered Spider." "This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM Microsoft last year described the threat actor — known as UNC3944, Scattered Spider, Scatter Swine, Octo Tempest, and 0ktapus — as one of the most dangerous current adversaries. The attackers created over a hundred unique domains that mimic these Scattered Spider, a hacking group previously linked to cyberattacks on MGM Resorts and Clorox, has recently shifted its focus to the financial sector. Nov 16, 2023 · Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is adept at social engineering and relies on phishing, multi-factor authentication A few days ago, on 13. 10 MGM Resorts cyberattack, which days later is still keeping systems offline across the conglomerate's more than 30 hotels May 21, 2024 · Three Popular Cyber Attacks Orchestrated by Scattered Spider 🔗︎. 
May 14, 2024 · While specific IOCs related to the May 2024 campaign are unavailable, general indicators associated with Scattered Spider activity could include: Phishing emails with suspicious sender addresses Apr 8, 2025 · Alleged Scattered Spider SIM-swapper must pay back $13. Apr 29, 2025 · The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group. " Since 2022 and through early 2023, UNC3944 appeared to focus on accessing credentials or systems used to enable SIM swapping attacks, likely in support of secondary criminal operations occurring outside of victim #1 Scattered Spider, a cybercriminal group, primarily targets commercial facilities' sectors and subsectors, specializing in data theft for extortion and utilizing BlackCat/ALPHV ransomware. A threat group called "Scattered Spider" is reportedly behind the Sept. Mar 21, 2024 · Scattered Spider typically targets large organizations, especially technology and telecommunications companies. Recent Scattered Spider TTPs New TTP - File Encryption More recently, the FBI has identified Scattered Spider threat actors now encrypting victim files after exfiltration [T1486]. The attackers initially breached M&S in February, stealing sensitive information and credential files. S. Apr 29, 2025 · Ransomware attack by Scattered Spider has caused critical disruptions to M&S services. 
The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. The data in this guide is most up to date as of publication. The advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI Dec 14, 2023 · Notably, Octo Tempest's threat activity has overlapped with groups like 0ktapus, Scattered Spider, and UNC3944, a proficient social engineering group, prompting advisories from CISA in the previous month and Mandiant in September. UNC5537 Summary May 14, 2025 · Monitoring for specific IOCs can provide early warnings of Scattered Spider activity. “Most notably he is believed to be a key component of the MGM ransomware attack , and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider. Train employees to identify lookalike domains and sign-in pages. Category: Threat Actor Activity | Industry: Global | Source: CISA In a joint cybersecurity advisory, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) addressed the recent activities of Scattered Spider threat actors also tracked as Starfraud, UNC3944, Scatter Swine, and Muddled Libra. 
2M to 59 victims; Five Scattered Spider suspects indicted for phishing spree and crypto heists; Scattered Spider, BlackCat claw their way back from criminal underground; A tale of 2 casino ransomware attacks: One paid out, one did not "SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security" (Crowdstrike in January 2023 -- in fact, their big centerpiece at their booth for Black Hat 2023 was a 12' tall statue of their Scattered Spider avatar, before the MGM hack) Nov 15, 2023 · SUMMARY The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. Silent Push tracked the registration records of the domain twitter-okta[. Apr 29, 2025 · The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on Marks and Spencer that has crippled systems at the retailer and left its ecommerce operation in Apr 30, 2025 · Previous Scattered Spider findings have said participants in this group are surprisingly young, in their mid-20s, with some as young as 16. The group has been associated with over 100 targeted attacks across various industries, including Jul 16, 2024 · Before the Feds crippled it in December, Scattered Spider used to rely on the ransomware payload of ALPHV/BlackCat – formerly the biggest dog in the ransomware kennel (along with LockBit) – so the adoption of RansomHub and Qilin by a group like Scattered Spider demonstrates how seriously the new guard is being taken. M&S has enlisted the help of cybersecurity firms like CrowdStrike and Microsoft to mitigate the impact of the attack. May 12, 2025 · Who is SCATTERED SPIDER? 
SCATTERED SPIDER (also tracked as Roasted 0ktapus, Octo Tempest and Storm-0875 by various security vendors) is a prolific eCrime group who has conducted a range of financially motivated activity since early 2022. Scattered Spider is a native English-speaking cybercriminal group that has been active since at least 2022. By Trellix · August 17, 2023 This story was also written by Phelix Oluoch. The mitigations Jun 12, 2024 · In January 2024, 19-year-old Noah Michael Urban was arrested in Florida on charges of conspiracy to commit wire fraud, eight counts of wire fraud, and five counts of aggravated identity theft, ostensibly stemming from operations linked to Scattered Spider. Historically focused on telecommunications and business process outsourcing (BPO), the group has evolved to target high-leverage industries, including critical infrastructure and, more Scattered Spider has leveraged various malware and tools in its campaigns, including both publicly available and legitimate tools. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. When that failed, they decided to Feb 3, 2024 · Scattered Spider is a loose-knit group of threat actors, many of them English-speaking, who specialize in social engineering attacks to breach a company's networks. They are persistent, stealthy, and swift in their operations. 
May 23, 2024 · Interview The cyberattacks against Las Vegas casinos over the summer put a big target on the backs of prime suspects Scattered Spider, according to Mandiant CTO Charles Carmakal. Jun 17, 2024 · Casino cyberattacks put a bullseye on Scattered Spider – and the FBI is closing in; UnitedHealth CEO: 'Decision to pay ransom was mine' Miscreants are exploiting enterprise tech zero days more and more, Google warns; SaaS is another new frontier for UNC3944. In December 2022, Scattered Spider was linked to a malicious campaign targeting telecommunication service providers and business process outsourcing (BPO) firms. 2023, CISA published a cybersecurity advisory for the Russian Foreign Intelligence Service (SVR), which globally exploits the Jetbrains TeamCity CVE-2023–42793. A typical Storm-0501 attack is fairly standard – not a lot of surprises. Sep 20, 2023 · Scattered Spider is a financially motivated threat actor group that has been active since May 2022. Scattered Spider, also referred to as UNC3944, Scatter Swine, and Muddled Libra, is a financially motivated threat actor group that has been active since May 2022. Observably, Scattered Spider threat actors have exfiltrated data [TA0010] after gaining access and Feb 22, 2024 · Scattered Spider is rapidly gaining notoriety and emerging as Cybercriminal group that demands close attention in the cybersecurity landscape. The Google-owned security biz has been tracking the loosely knit crew - believed to be teens and twenty-somethings located in the US and UK - since 2022 when they Jun 17, 2024 · “He is a sim swapper and is allegedly involved with the infamous Scattered Spider group,” reads vx-underground’s post on X. Scattered Spider targets their victims with fake Okta and CMS pages. 
[2][3] The group gained notoriety for their involvement in the hacking and extortion of Caesars Entertainment and MGM Resorts International, two of the largest casino Nov 17, 2023 · Given Scattered Spider’s boldness and history of high-profile attacks on prominent organizations such as Okta, MGM and Caesars casinos, MailChimp, Twilio, DoorDash, and Riot Games, it’s not surprising the FBI/CISA issued a CSA to help counter the threat this group poses. These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old T1053 - Scheduled Task/Job, T1056 - Input Capture, T1059 - Command and Scripting Interpreter, T1106 - Native API, T1115 - Clipboard Data, T1133 - External Remote Services, T1140 - Deobfuscate/Decode Files or Information, T1176 - Browser Extensions, T1190 - Exploit Public-Facing Application, T1195 - Supply Chain Compromise, T1496 - Resource Hijacking, T1564 - Hide Artifacts, T1219 May 2, 2025 · Trustwave SpiderLabs' in-depth research has found Scattered Spider, which is also known as UNC3944, Muddled Libra, 0ktapus, and Scattered Swine, to be exclusively motivated by financial gain. ” Combination of social, technical skills Aug 20, 2023 · Scattered Spider, also known as UNC3944, Scatter Swine, Muddled Libra, and Roasted 0ktapus, is a financially motivated threat actor group that has been active since May 2022. Scattered Spider has been observed to primarily target telecommunications and business process outsourcing (BPO) organizations. However, recent activity A group has been named in connection with the attack on the grocer’s IT network Jul 17, 2024 · The infamous cybercrime group known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal, Microsoft has revealed.
Nov 16, 2023 · Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) on Scattered Spider—a cybercriminal group targeting commercial facilities sectors and subsectors. Scattered Spider is a hacker collective that has been active since at least 2022. How IOCs are Used. “The more data government agencies can collect from incidents the more likely they are to find those mistakes and arrest the members of Scattered Spider.
