CISA and FBI Shared Tactics, Techniques, and Procedures of Scattered Spider Hacker Group

CISA analysts identified that Scattered Spider has recently expanded its arsenal to include DragonForce ransomware alongside traditional data exfiltration techniques, marking a significant escalation in the group’s threat profile. Scattered Spider’s most distinctive characteristic lies in its sophisticated social engineering approach, which CISA researchers noted has evolved to include what they term “push bombing” attacks alongside traditional subscriber identity module (SIM) swap techniques. This threat actor has significantly evolved since its initial identification, now targeting large companies and their contracted information technology help desks with increasingly sophisticated social engineering techniques and ransomware deployment capabilities. Scattered Spider represents a particularly dangerous evolution in cybercrime, combining traditional social engineering with advanced technical capabilities to breach high-value targets across commercial facilities and critical infrastructure sectors. The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released an updated joint cybersecurity advisory detailing the sophisticated tactics employed by the Scattered Spider cybercriminal group, also known as UNC3944, Oktapus, and Storm-0875. Rather than deploying broad phishing campaigns, Scattered Spider conducts extensive reconnaissance using business-to-business websites, social media platforms, and open-source intelligence gathering to identify high-value targets within organizations. The threat actors demonstrate remarkable adaptability, frequently modifying their tactics, techniques, and procedures to evade detection while maintaining persistent access to compromised networks. The threat actors demonstrate exceptional operational security awareness by actively monitoring targeted organizations’ internal communications through compromised Slack, Microsoft Teams, and Exchange Online accounts. The threat actors meticulously gather personally identifiable information from various sources, including commercial intelligence tools and database leaks, to craft convincing impersonation scenarios. The group’s operations extend beyond simple data theft, encompassing comprehensive data extortion schemes that leverage both stolen information and ransomware encryption to maximize financial impact on victims. Recent investigations revealed the use of RattyRAT, a Java-based remote access trojan designed for persistent, stealth access and internal reconnaissance, alongside established information stealers like Raccoon Stealer and VIDAR Stealer. The group’s initial access methodology relies heavily on multilayered social engineering campaigns targeting both employees and IT support personnel. This surveillance capability allows them to join incident response calls and proactively adapt their tactics in response to defensive measures, making traditional threat hunting approaches significantly less effective. This technique is complemented by the deployment of legitimate remote monitoring and management tools such as TeamViewer, Screenconnect, and newly identified tools like Teleport.sh and AnyDesk, which blend seamlessly with normal IT operations. The group’s persistence strategy involves registering their own multifactor authentication tokens after successfully compromising user accounts, effectively establishing backdoor access that survives password resets.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 31 Jul 2025 04:50:18 +0000


Cyber News related to CISA and FBI Shared Tactics, Techniques, and Procedures of Scattered Spider Hacker Group

Scattered Spider Hops Nimbly From Cloud to On-Prem in Complex Attack - The group behind the high-profile MGM cyberattack in September has resurfaced in yet another sophisticated ransomware attack, in which the actor pivoted from a third-party service environment to the target organization's on-premise network in only an ...
1 year ago Darkreading.com Scattered Spider
Scattered Spider Hops Nimbly From Cloud to On-Prem in Complex Attack - The group behind the high-profile MGM cyberattack in September has resurfaced in yet another sophisticated ransomware attack, in which the actor pivoted from a third-party service environment to the target organization's on-premise network in only an ...
1 year ago Darkreading.com Scattered Spider
CISA and FBI Shared Tactics, Techniques, and Procedures of Scattered Spider Hacker Group - CISA analysts identified that Scattered Spider has recently expanded its arsenal to include DragonForce ransomware alongside traditional data exfiltration techniques, marking a significant escalation in the group’s threat profile. Scattered ...
3 weeks ago Cybersecuritynews.com Scattered Spider Dragonforce
Scattered Spider is running a VMware ESXi hacking spree - This allows Scattered Spider to scan the network devices for IT documentation that would provide high-value targets, like the names of domain or VMware vSphere administrators, and security groups that can provide administrative permissions over the ...
4 weeks ago Bleepingcomputer.com Scattered Spider
Scattered Spider hackers shift focus to aviation, transportation firms - Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is a classification of threat actors that are adept at using social engineering attacks, phishing, ...
1 month ago Bleepingcomputer.com Qilin Dragonforce Ransomhub Scattered Spider
As the FBI Closes In, Scattered Spider Attacks Finance, Insurance Orgs - Scattered Spider hackers have been tearing through the finance and insurance sectors, all while authorities are preparing legal actions to stop them. A game of cops and robbers is playing out between the FBI and Scattered Spider, the cybercrime ...
1 year ago Darkreading.com Scattered Spider
Global Authorities Share IoCs and TTPs of Scattered Spider Behind Major ESXi Ransomware Attacks - The joint advisory, released by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Royal Canadian Mounted Police (RCMP), Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), ...
3 weeks ago Cybersecuritynews.com Scattered Spider Dragonforce
Hackers behind UK retail attacks now targeting US companies - Scattered Spider (also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra) is a term used to describe a fluid collective of threat actors known for breaching many high-profile organizations worldwide in sophisticated ...
3 months ago Bleepingcomputer.com Scattered Spider Dragonforce
Scattered Spider Employs Sophisticated Attacks to Steal Login Credentials & MFA Tokens - To counter this threat, Silent Push has developed Indicators of Future Attack (IOFA) feeds that track Scattered Spider infrastructure, including recently observed domains like “klv1.it.com” targeting Klaviyo and multiple others ...
4 months ago Cybersecuritynews.com Scattered Spider
Researchers Expose Scattered Spider's Tools, Techniques and Key Indicators - Scattered Spider, a sophisticated cyber threat group known for aggressive social engineering and targeted phishing, is broadening its scope, notably targeting aviation alongside enterprise environments. During a targeted investigation, Check Point ...
1 month ago Cybersecuritynews.com Scattered Spider
Scattered Spider Hackers Actively Attacking Aviation and Transportation Firms - Charles Carmakal, Chief Technology Officer at Mandiant Consulting-Google Cloud, confirmed that his company is “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered ...
1 month ago Cybersecuritynews.com Scattered Spider
Scattered Spider is targeting victims' Snowflake data storage for quick exfiltration | The Record from Recorded Future News - The Scattered Spider cybercriminal group is targeting victims’ data storage tools after gaining initial access by impersonating contracted information technology (IT) help desks. In “many” incidents, Scattered Spider was seen searching for an ...
3 weeks ago Therecord.media Dragonforce Scattered Spider
Scattered Spider Malware Targeting Klaviyo, HubSpot, and Pure Storage Services - Security teams should be particularly vigilant for suspicious authentication attempts, unknown devices connecting to corporate networks, and unusual account activity patterns that might indicate successful credential theft through Scattered ...
3 months ago Cybersecuritynews.com Scattered Spider
Scattered Spider member pleads guilty to identity theft, wire fraud charges | The Record from Recorded Future News - Urban, who goes by the alias "Sosa," “Elijah,” and “King Bob” was "part of a group of loosely organized individuals who engage in account takeovers and [stole] cryptocurrency from online exchanges" from August 2022 through ...
4 months ago Therecord.media Scattered Spider
Scattered Spider Attacking Finance & Insurance Industries - Hackers very frequently target the finance and insurance sectors due to the large volumes of sensitive data that they own. These areas manage huge quantities of valuable as well as critical financial information, personal identities, and intellectual ...
1 year ago Gbhackers.com Scattered Spider
Microsoft Details Scattered Spider TTPs Observed in Recent Attack Chains - Cyber Security News - In mid-2025, a new surge of targeted intrusions, attributed to the threat group known variously as Scattered Spider, Octo Tempest, UNC3944, Muddled Libra, and 0ktapus, began impacting multiple industries. Complicating defenses further, Scattered ...
1 month ago Cybersecuritynews.com Scattered Spider Dragonforce
CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog - CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog. CISA adds ...
1 year ago Securityaffairs.com
US Congress Report Calls for Privacy Reforms After FBI Surveillance 'Abuses' - The FBI and the Biden administration at large have lobbied Congress to reauthorize the 702 program as is, ignoring calls for reform that have grown louder since the beginning of the year, manifesting this month in the form of a comprehensive privacy ...
1 year ago Wired.com
Scattered Spider Upgraded Their Tactics to Abuse Legitimate Tools to Evade Detection and Maintain Persistence - Rapid7 analysts identified a novel persistence mechanism during recent incident investigations, revealing the group’s adoption of Teleport, an infrastructure access platform not previously associated with Scattered Spider operations. The ...
1 month ago Cybersecuritynews.com Scattered Spider
Marks & Spencer breach linked to Scattered Spider ransomware attack - Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is a group of threat actors that are adept at using social engineering attacks, phishing, ...
3 months ago Bleepingcomputer.com Scattered Spider
BlackCat Ransomware Raises Ante After FBI Disruption - The U.S. Federal Bureau of Investigation disclosed today that it infiltrated the world's second most prolific ransomware gang, a Russia-based criminal group known as ALPHV and BlackCat. The FBI said it seized the gang's darknet website, and released ...
1 year ago Krebsonsecurity.com
Scattered Spider Attacking Tech Companies Using Phishing Frameworks Like Evilginx and Social Engineering Methods - Fluent English-speaking callers, often working “evening shifts” that coincide with Western office hours, posed as CFOs or IT staff to persuade help-desk agents to reset multi-factor authentication (MFA) tokens, providing Evilginx with the final ...
1 month ago Cybersecuritynews.com Scattered Spider
Twisted Spider's Dangerous CACTUS Ransomware Attack - In a sophisticated cyber campaign, the group Twisted Spider, also recognized as Storm-0216, has joined forces with the cybercriminal faction Storm-1044. Employing a strategic method, they target specific endpoints through the deployment of an initial ...
1 year ago Cysecurity.news Cactus
FBI: ALPHV ransomware raked in $300 million from over 1,000 victims - The ALPHV/BlackCat ransomware gang has made over $300 million in ransom payments from more than 1,000 victims worldwide as of September 2023, according to the Federal Bureau of Investigation. In the joint advisory published today in collaboration ...
1 year ago Bleepingcomputer.com LockBit Noescape
CISA pledges to resolve issues with threat sharing system after watchdog report - On Friday, the Department of Homeland Security’s Office of the Inspector General published a report on Automated Indicator Sharing (AIS) — which was used to spread cyber threat intelligence and was mandated as part of a 2015 law. The nation’s ...
10 months ago Therecord.media

Cyber Trends (last 7 days)