Scattered Spider: Masters of Deception and Identity Abuse
- Suspected Origin
- United States and United Kingdom
- Motivation
- Financial Gain, Data Extortion
- Aliases
- Roasted 0ktapus, Octo Tempest, Storm-0875, UNC3944
- Target Sectors
- Telecommunications, Business Process Outsourcing (BPO), Technology, Financial Services, Retail, Hospitality, Gaming, Manufacturing, Managed Service Providers (MSPs), Insurance, Aviation
- Associated Malware
- ALPHV/BlackCat, DragonForce, RansomHub, Evilginx, Mimikatz, Raccoon Stealer, STONESTOP, POORTRY, TeamViewer, AnyDesk, ConnectWise, Splashtop, Ngrok, Teleport, WarzoneRAT
Overview
Scattered Spider, identified by MITRE ATT&CK as G1015, is a highly prolific and adaptable cybercriminal group. Also known by aliases such as Roasted 0ktapus, Octo Tempest, Storm-0875, UNC3944, and Muddled Libra, this group is believed to consist primarily of young, native English-speaking individuals operating from the United States and the United Kingdom. They are often associated with a broader hacking collective dubbed “The Community” or “The Com.”
Active since at least 2022, Scattered Spider is unequivocally financially motivated, focusing on data theft for extortion and the deployment of ransomware to maximize illicit gains. Initially, their targeting concentrated on customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies. However, by 2023, the group expanded its scope significantly to encompass gaming, hospitality, retail, managed service providers (MSPs), manufacturing, financial services, insurance, and aviation sectors. Their attacks often target high-revenue organizations, demonstrating a “big game hunting” approach. Scattered Spider’s operational tempo is consistently high, and they are known for their rapid adaptation of tactics, techniques, and procedures (TTPs) to evade detection.
Tactics & Techniques
Scattered Spider’s modus operandi revolves around sophisticated social engineering, leveraging human trust as their primary weapon to gain initial access.
Initial Access: The group conducts extensive reconnaissance, often scraping information from public sources like LinkedIn, company websites, and open-source intelligence tools to gather employee names, departments, internal jargon, and third-party vendor relationships. This detailed intelligence allows them to craft highly convincing social engineering lures. Common techniques include:
- Vishing and Smishing: Impersonating IT or help desk staff via phone calls (vishing) or SMS messages (smishing) to trick employees into revealing credentials or performing actions that grant access. They are adept at convincing help desk personnel to reset passwords or multi-factor authentication (MFA) tokens for targeted accounts.
- MFA Bypass: They employ several methods to circumvent MFA, including:
- MFA Fatigue (Push Bombing): Repeatedly sending MFA approval requests to a target’s device, hoping the user will eventually accept out of annoyance or confusion.
- SIM Swapping: Hijacking a victim’s phone number to intercept SMS-based MFA codes.
- Adversary-in-the-Middle (AiTM) Phishing: Utilizing sophisticated phishing frameworks like Evilginx, they register typosquatted domains mimicking legitimate corporate login portals (e.g.,
company-sso[.]com). These sites act as a transparent reverse proxy, capturing credentials and session cookies in real-time to bypass MFA entirely.
- Malicious Insiders: The group has also been linked to incidents involving bribing third-party workers to leak sensitive customer credentials.
Execution & Persistence: Once initial access is gained, Scattered Spider moves quickly to establish persistence and expand their foothold. They prefer “living off the land” (LOTL) techniques, abusing legitimate tools and system functionalities already present in the network to blend in and avoid detection.
- Remote Monitoring and Management (RMM) Tools: A hallmark of their persistence strategy is the abuse of legitimate commercial RMM software (e.g., TeamViewer, AnyDesk, ConnectWise/ScreenConnect, Splashtop, Ngrok, Teleport, FleetDeck, Pulseway). They often install multiple such tools to ensure redundant access.
- Identity Infrastructure Exploitation: They frequently target and exploit cloud and identity environments like Okta, AWS, Azure, and Office 365, gaining administrator access through help desk impersonation and MFA bypass. They can create new user identities, register their own MFA tokens, or add trusted locations within compromised environments.
Defense Evasion: Scattered Spider is highly skilled at evading security controls:
- Bring-Your-Own-Vulnerable-Driver (BYOVD): A sophisticated tactic involves deploying malicious or vulnerable signed drivers (such as STONESTOP and POORTRY) to gain kernel-level access, disable Endpoint Detection and Response (EDR) agents, and unregister security callbacks, effectively blinding security software.
- Adaptive TTPs: They frequently modify their TTPs and use proxy networks to disguise their origin, making it harder for defenders to track them. They have even been observed joining victim incident response calls to understand and adapt to defensive measures.
Lateral Movement & Privilege Escalation: The group utilizes a mix of native operating system tools and specialized malware for internal navigation:
- Living Off The Land (LOTL): Using tools like RDP, SSH, and PowerShell cmdlets (e.g.,
Get-ADUser) for lateral movement. - Credential Theft: Tools like Mimikatz, LaZagne, and Raccoon Stealer are used to dump credentials and hashes, aiming for domain administrator privileges.
- Cloud Environment Abuse: They enumerate cloud environments (e.g., AWS S3 buckets), create AWS EC2 instances, and use tools like
aws_consolerto create temporary federated credentials to obfuscate their activity and pivot within cloud infrastructure. - Virtualization Targeting: VMware vCenter and ESXi environments are common targets for lateral movement and ransomware deployment.
Data Exfiltration & Impact: Scattered Spider’s ultimate goal is financial gain, typically achieved through:
- Data Extortion (Double Extortion): They prioritize exfiltrating large volumes of sensitive data, often staging it in centralized locations (like MEGA) before threatening public disclosure if a ransom is not paid.
- Ransomware Deployment: The group acts as an initial access broker and affiliate for major Ransomware-as-a-Service (RaaS) operations, deploying payloads from groups like ALPHV/BlackCat, DragonForce, RansomHub, and Qilin.
Notable Campaigns
Scattered Spider has been linked to numerous high-profile incidents that underscore their capabilities and impact:
- Twilio Attack (2022): An early notable incident involved a supply chain attack against Twilio, which subsequently impacted customers like the Signal messaging app.
- Okta Compromises (2022): The group gained significant notoriety by obtaining Okta identity credentials and MFA codes, enabling supply chain attacks against Okta’s clients.
- MGM Resorts Incident (September 2023): In collaboration with ALPHV/BlackCat, Scattered Spider launched a devastating attack on MGM Resorts. They gained initial access through a 10-minute vishing call to the help desk, impersonating an employee identified via LinkedIn, and compromising Okta and Azure tenant environments. The attack resulted in a 10-day operational outage across MGM’s properties, disrupting slot machines, digital room keys, and online systems, and reportedly cost the company over $100 million. While MGM refused to pay the ransom, approximately 6 terabytes of data were stolen.
- Caesars Entertainment Breach (August 2023): Similar to the MGM attack, Scattered Spider targeted Caesars Entertainment by social engineering a third-party IT support vendor to gain access to their systems, including their Okta provider. Caesars reportedly paid a $15 million ransom, half of the original $30 million demand, to prevent the release of stolen customer data, including driver’s license and possibly Social Security numbers.
- UK Retailer Attacks (April-May 2025): The group was linked to a wave of attacks against major UK retailers, including Marks & Spencer, Co-op, and Harrods, deploying DragonForce ransomware and causing significant business disruption and financial losses.
- Aviation Sector Compromises (June-July 2025): Scattered Spider shifted its focus to the aviation sector, with incidents affecting Hawaiian Airlines, WestJet, and a data breach impacting six million Qantas customers.
- Snowflake Cloud Customer Hacks (2025): Members of Scattered Spider have been connected to hacks against nearly a hundred Snowflake cloud storage customers, leading to the theft of data from entities like AT&T and Ticketmaster.
- Cryptocurrency Exchange Incident (December 2024): Affiliated with ShinyHunters and TheCom, Scattered Spider was involved in a breach of a cryptocurrency exchange, leveraging bribed third-party workers in India to gain access to customer credentials and sensitive data.
Associated Malware & Tools
Scattered Spider primarily leverages off-the-shelf tools and legitimate software, often adapting them for malicious purposes, alongside select custom tools and ransomware payloads:
- Ransomware: ALPHV/BlackCat, DragonForce, RansomHub, Qilin.
- Phishing Frameworks: Evilginx (for adversary-in-the-middle phishing attacks).
- Credential Access Tools: Mimikatz, LaZagne, Raccoon Stealer (infostealer malware).
- Remote Access and Management Tools: TeamViewer, AnyDesk, ConnectWise (ScreenConnect), Splashtop, Ngrok, Teleport, FleetDeck, Pulseway, Zoho Assist, ITarian, ASG Remote Desktop, RustDesk.
- Defense Evasion Tools: STONESTOP and POORTRY (malicious signed drivers for BYOVD attacks).
- Lateral Movement/Reconnaissance Tools: Impacket,
aws_consoler(for AWS credential management), PowerShell cmdlets likeGet-ADUser, ADExplorer, ADRecon.ps1. - Remote Access Trojans (RATs): WarzoneRAT.
- Other: Tor (for C2 communications).
Current Status
Scattered Spider remains an exceptionally active and evolving threat actor. Despite arrests of suspected teenage members in early 2024, the group has shown remarkable resilience and continues to operate with a high tempo. They consistently adapt their TTPs, shifting their focus across various sectors such as retail, insurance, aviation, and financial services, often concentrating on one vertical before quickly pivoting to another.
Recent observations suggest that Scattered Spider is expanding its reach and tactics, moving beyond stealthy, credential-driven intrusions into more overt and chaotic extortion tactics. This includes collaborations within new decentralized extortion networks, such as “Scattered LAPSUS$ Hunters,” which aims to amplify reputational damage and leverage viral messaging. The group is also anticipated to adopt even more advanced techniques, with cybersecurity researchers suggesting a likely move towards AI-powered impersonation to make their social engineering attacks even harder to detect and defend against. Organizations across all sectors, particularly those with public-facing call centers, must remain vigilant against this persistent and innovative threat.
Related content
Akira Ransomware: A Persistent and Evolving Global Threat
Adversary ProfileCarbanak Threat Profile: Financial Apex Predators
Adversary ProfileINC Ransom (G1032) Threat Actor Profile: Operations, Tactics, and Evolution
Adversary ProfilePlay Ransomware (G1040) Threat Profile: Evolving Tactics and Global Impact
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call