In mid-2025, a new surge of targeted intrusions, attributed to the threat group known variously as Scattered Spider, Octo Tempest, UNC3944, Muddled Libra, and 0ktapus, began impacting multiple industries. Initially identified by unusual SMS-based phishing campaigns leveraging adversary-in-the-middle (AiTM) domains, these operators have since refined their approach to combine sophisticated social engineering with stealthy network exploitation. Their primary goal remains financial gain through extortion or ransomware deployment, often after months of reconnaissance and credential harvesting.

Microsoft analysts noted that these campaigns typically commence with a carefully crafted spear-phishing message or direct service-desk impersonation via phone, email, or messaging platforms. Complicating defenses further, Scattered Spider’s recent tactics blend on-premises and cloud identity exploitation, attacking critical Entra Connect servers to cross domain boundaries. Once initial access is achieved, Scattered Spider pivots rapidly to reconnaissance, enumeration of Active Directory attributes, and credential dumping, frequently using tools like Mimikatz and AADInternals. Concurrently, the attackers establish persistence via trusted backdoors and leverage ngrok or Chisel tunnels to maintain covert communications with compromised assets.

A critical subtopic in Scattered Spider’s arsenal is its use of ADFS persistent backdoors to guarantee long-term access. Once administrative privileges are obtained, the group deploys custom scripts that modify the ADFS configuration database, injecting malicious service hooks. This code disables automatic certificate renewal to prevent inadvertent removal of the backdoor and registers a service principal name linked to attacker-controlled credentials. These hooks execute automatically upon user authentication, granting attackers elevated privileges without further credential prompts. By leveraging Entra ID APIs, the adversary ensures that any authentication event triggers a silent elevation of privileges, effectively bypassing multifactor authentication checks. Shortly after these initial moves, Microsoft researchers observed the deployment of DragonForce ransomware, with a distinct focus on VMware ESX hypervisor environments.

Detection of these tactics, techniques, and procedures (TTPs) has been thoroughly mapped across Microsoft Defender’s XDR ecosystem. From unusual password reset alerts in virtual machines (MDC) to detection of DCSync attempts (MDI) and suspicious elevate-access operations (MDC), defenders can monitor high-fidelity signals across endpoints, identities, and cloud workloads. Continued vigilance through advanced hunting queries for anomalous ADFS configuration changes enables SOC teams to detect and remediate these persistence mechanisms before attackers can fully exploit them.
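As an added illustration (not code from the article or from Microsoft's tooling), the following Python triage rules flag the TTPs named above, ADFS certificate-rollover tampering, DCSync-style replication, AADInternals use and ngrok/Chisel tunnels, in constructed endpoint process events; the event fields, patterns and sample command lines are assumptions for the example, not a product schema.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    host: str          # assumed field names, not a real telemetry schema
    user: str
    command_line: str

# (rule name, description, pattern over the command line). The patterns are
# assumed hunting indicators for the TTPs in the article, not a full signature set.
RULES = [
    ("adfs_cert_rollover_disabled",
     "ADFS automatic certificate rollover disabled (backdoor persistence setup)",
     re.compile(r"Set-AdfsProperties.*-AutoCertificateRollover\s+\$?false", re.I)),
    ("dcsync_attempt",
     "Mimikatz DCSync-style directory replication request",
     re.compile(r"lsadump::dcsync", re.I)),
    ("aadinternals_usage",
     "AADInternals module invoked on a domain-joined host",
     re.compile(r"\bAADInternals\b", re.I)),
    ("tunnel_tool",
     "Reverse tunnel tool (ngrok/Chisel) started",
     re.compile(r"\b(ngrok|chisel)(\.exe)?\b.*\b(http|tcp|client)\b", re.I)),
]

def triage(events):
    """Return one finding per (event, rule) hit. A host that trips more than one
    rule is raised to 'high', since the described chain spans several stages."""
    findings = []
    for ev in events:
        for name, desc, pat in RULES:
            if pat.search(ev.command_line):
                findings.append({"host": ev.host, "user": ev.user,
                                 "rule": name, "desc": desc})
    hits_per_host = {}
    for f in findings:
        hits_per_host[f["host"]] = hits_per_host.get(f["host"], 0) + 1
    for f in findings:
        f["severity"] = "high" if hits_per_host[f["host"]] > 1 else "medium"
    return findings

# Constructed sample events, not real telemetry; hosts, users and addresses are made up.
SAMPLE_EVENTS = [
    ProcessEvent("ADFS01", "CORP\\svc_adm",
                 "powershell.exe -c Set-AdfsProperties -AutoCertificateRollover $false"),
    ProcessEvent("ADFS01", "CORP\\svc_adm", "chisel.exe client 203.0.113.5:8080"),
    ProcessEvent("WS22", "CORP\\jdoe", "mimikatz.exe \"lsadump::dcsync\""),
    ProcessEvent("WS09", "CORP\\alice", "notepad.exe C:\\notes.txt"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']:7} {f['rule']}: {f['desc']}")
```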
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 18 Jul 2025 11:05:12 +0000