Scattered Spider Upgraded Their Tactics to Abuse Legitimate Tools to Evade Detection and Maintain Persistence

Rapid7 analysts identified a novel persistence mechanism during recent incident investigations, revealing the group’s adoption of Teleport, an infrastructure access platform not previously associated with Scattered Spider operations. The group’s primary attack vector remains social engineering, particularly through help desk impersonation where attackers pose as IT support staff to trick employees into revealing credentials or installing remote access software. The cybercriminal group known as Scattered Spider has significantly evolved its attack methodologies, demonstrating alarming sophistication in exploiting legitimate administrative tools to maintain persistent access to compromised networks. After obtaining administrative-level cloud access through initial social engineering campaigns, attackers strategically installed Teleport agents on compromised Amazon EC2 servers to establish persistent remote command-and-control channels. The implementation of Teleport as a persistence mechanism demonstrates the group’s understanding of cloud infrastructure management and their ability to blend malicious activities with legitimate administrative functions. This technique represents considerable advancement in operational capabilities, providing sustained remote shell access even when initial user credentials or VPN access points are discovered and revoked by security teams. By utilizing standard administrative software rather than custom malware, Scattered Spider significantly reduces detection likelihood by traditional security monitoring systems that typically flag suspicious executables or network communications. Also tracked under aliases including UNC3944, Scatter Swine, and Muddled Libra, this financially motivated threat actor has been actively targeting large enterprises since May 2022, with particular focus on telecommunications, cloud technology companies, and recently expanding into retail, finance, and airline sectors. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The most significant tactical upgrade observed involves Scattered Spider’s sophisticated use of Teleport, a legitimate open-source infrastructure management tool. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. This human-centric approach has proven devastatingly effective, as demonstrated by high-profile breaches including the MGM Resorts casino attack in 2023, which resulted in approximately 6 terabytes of stolen data and over $100 million in damages.

This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 05 Jul 2025 09:45:13 +0000


Cyber News related to Scattered Spider Upgraded Their Tactics to Abuse Legitimate Tools to Evade Detection and Maintain Persistence

Scattered Spider Hops Nimbly From Cloud to On-Prem in Complex Attack - The group behind the high-profile MGM cyberattack in September has resurfaced in yet another sophisticated ransomware attack, in which the actor pivoted from a third-party service environment to the target organization's on-premise network in only an ...
1 year ago Darkreading.com Scattered Spider
Scattered Spider Hops Nimbly From Cloud to On-Prem in Complex Attack - The group behind the high-profile MGM cyberattack in September has resurfaced in yet another sophisticated ransomware attack, in which the actor pivoted from a third-party service environment to the target organization's on-premise network in only an ...
1 year ago Darkreading.com Scattered Spider
Scattered Spider hackers shift focus to aviation, transportation firms - Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is a classification of threat actors that are adept at using social engineering attacks, phishing, ...
1 week ago Bleepingcomputer.com Qilin Dragonforce Ransomhub Scattered Spider
Scattered Spider Upgraded Their Tactics to Abuse Legitimate Tools to Evade Detection and Maintain Persistence - Rapid7 analysts identified a novel persistence mechanism during recent incident investigations, revealing the group’s adoption of Teleport, an infrastructure access platform not previously associated with Scattered Spider operations. The ...
3 days ago Cybersecuritynews.com Scattered Spider
Hackers behind UK retail attacks now targeting US companies - Scattered Spider (also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra) is a term used to describe a fluid collective of threat actors known for breaching many high-profile organizations worldwide in sophisticated ...
1 month ago Bleepingcomputer.com Scattered Spider Dragonforce
As the FBI Closes In, Scattered Spider Attacks Finance, Insurance Orgs - Scattered Spider hackers have been tearing through the finance and insurance sectors, all while authorities are preparing legal actions to stop them. A game of cops and robbers is playing out between the FBI and Scattered Spider, the cybercrime ...
1 year ago Darkreading.com Scattered Spider
Scattered Spider Employs Sophisticated Attacks to Steal Login Credentials & MFA Tokens - To counter this threat, Silent Push has developed Indicators of Future Attack (IOFA) feeds that track Scattered Spider infrastructure, including recently observed domains like “klv1.it.com” targeting Klaviyo and multiple others ...
2 months ago Cybersecuritynews.com Scattered Spider
Researchers Expose Scattered Spider's Tools, Techniques and Key Indicators - Scattered Spider, a sophisticated cyber threat group known for aggressive social engineering and targeted phishing, is broadening its scope, notably targeting aviation alongside enterprise environments. During a targeted investigation, Check Point ...
4 hours ago Cybersecuritynews.com Scattered Spider
25 Best Managed Security Service Providers (MSSP) - 2025 - Pros & Cons: ProsConsStrong threat intelligence & expert SOCs.High pricing for SMBs.24/7 monitoring & rapid incident response.Complex UI and steep learning curve.Flexible, scalable, hybrid deployments.Limited visibility into endpoint ...
1 week ago Cybersecuritynews.com
Scattered Spider Malware Targeting Klaviyo, HubSpot, and Pure Storage Services - Security teams should be particularly vigilant for suspicious authentication attempts, unknown devices connecting to corporate networks, and unusual account activity patterns that might indicate successful credential theft through Scattered ...
1 month ago Cybersecuritynews.com Scattered Spider
Scattered Spider Attacking Finance & Insurance Industries - Hackers very frequently target the finance and insurance sectors due to the large volumes of sensitive data that they own. These areas manage huge quantities of valuable as well as critical financial information, personal identities, and intellectual ...
1 year ago Gbhackers.com Scattered Spider
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
Scattered Spider Hackers Actively Attacking Aviation and Transportation Firms - Charles Carmakal, Chief Technology Officer at Mandiant Consulting-Google Cloud, confirmed that his company is “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered ...
1 week ago Cybersecuritynews.com Scattered Spider
Scattered Spider member pleads guilty to identity theft, wire fraud charges | The Record from Recorded Future News - Urban, who goes by the alias "Sosa," “Elijah,” and “King Bob” was "part of a group of loosely organized individuals who engage in account takeovers and [stole] cryptocurrency from online exchanges" from August 2022 through ...
3 months ago Therecord.media Scattered Spider
Scattered Spider Attacking Tech Companies Using Phishing Frameworks Like Evilginx and Social Engineering Methods - Fluent English-speaking callers, often working “evening shifts” that coincide with Western office hours, posed as CFOs or IT staff to persuade help-desk agents to reset multi-factor authentication (MFA) tokens, providing Evilginx with the final ...
1 week ago Cybersecuritynews.com Scattered Spider
20 Best Endpoint Management Tools - 2025 - What is Good?What Could Be Better?Comprehensive endpoint security against many threats.The user interface may overwhelm some users.Machine learning for real-time threat detection.Integration with existing systems may be complex.A central management ...
3 months ago Cybersecuritynews.com
Marks & Spencer breach linked to Scattered Spider ransomware attack - Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is a group of threat actors that are adept at using social engineering attacks, phishing, ...
2 months ago Bleepingcomputer.com Scattered Spider
How To Use YARA Rules To Identify Financial Sector Targeted Attacks - By analyzing multiple samples from the same malware family, security teams can create YARA rules that identify various iterations of the threat, even as attackers attempt to modify their code to evade detection. By scanning network traffic for ...
2 months ago Cybersecuritynews.com Hunters
8 Tips on Leveraging AI Tools Without Compromising Security - Forecasts like the Nielsen Norman Group estimating that AI tools may improve an employee's productivity by 66% have companies everywhere wanting to leverage these tools immediately. How can companies employ these powerful AI/ML tools without ...
1 year ago Darkreading.com
Detecting And Responding To New Nation-State Persistence Techniques - This article explores the changing landscape of nation-state persistence, advanced detection strategies, and effective response frameworks to help organizations defend against these evolving threats. Nation-state cyber threats have evolved ...
2 months ago Cybersecuritynews.com
Twisted Spider's Dangerous CACTUS Ransomware Attack - In a sophisticated cyber campaign, the group Twisted Spider, also recognized as Storm-0216, has joined forces with the cybercriminal faction Storm-1044. Employing a strategic method, they target specific endpoints through the deployment of an initial ...
1 year ago Cysecurity.news Cactus
The Dangers of Remote Management & Monitoring Tools for Cybersecurity - Remote monitoring and management (RMM) tools are used by business organizations to manage and monitor their enterprise IT infrastructure from a central location. However, the increasing sophistication of hackers and cybercriminals has caused both ...
2 years ago Csoonline.com
Top Ransomware Actors Actively Attacking Financial Sector, 406 Incidents Publicly Disclosed - Several of the documented incidents involved manipulation of legitimate administrative tools like BgInfo and Sysinternals utilities to establish persistence without triggering security alerts-a technique Flashpoint researchers have attributed ...
2 months ago Cybersecuritynews.com Lazarus Group Scattered Spider Ransomhub LockBit Akira
Hackers Exploit Legitimate Inno Setup Installer to Use as a Malware Delivery Vehicle - By leveraging legitimate frameworks like Inno Setup, attackers can distribute malware through various channels including phishing campaigns, compromised software repositories, and malicious advertisements without triggering immediate suspicion from ...
3 days ago Cybersecuritynews.com
Comprehensive Guide to Fraud Detection, Management, & Analysis - To mitigate risks, businesses can use risk management strategies, including fraud detection software, company policies, and staff ranging from risk managers and trust officers to fraud analysts. Affiliate Fraud - Affiliates in a marketing arrangement ...
1 year ago Securityboulevard.com

Latest Cyber News


Cyber Trends (last 7 days)