Scattered Spider IOCs


Scattered Spider (2022): This group has conducted a number of high profile attacks including those against Caesars Entertainment and MGM Resorts International.

-based financial services company were being targeted by several Advanced Persistent Threat (APT) groups – most notably Scattered Spider – in phishing campaigns that were specifically directed against the organization’s online presence. They use these techniques to take

Aug 17, 2023 · Scattered Spider: The Modus Operandi.

6, 2024, and was traced back to Scattered Spider through

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this joint Cybersecurity Advisory (CSA) on recent activity by Scattered Spider threat actors against Commercial Facilities Sectors and subsectors with tactics, techniques and procedures obtained through FBI investigations as recently

EclecticIQ researchers analyzed the ransomware operations of SCATTERED SPIDER (Octo Tempest

As we concluded our investigation, we determined that several of the TTPs observed had a historical connection to Scattered Spider, leading us to attribute the attack to that group with high confidence. Active IOCs May

Aug 8, 2023 · Scattered Spider, or UNC3944, is a financially motivated threat actor known for its clever use of social engineering tactics to infiltrate target devices. Scattered Spider presents as a sophisticated and persistent threat to large organizations

Apr 10, 2025 · Scattered Spider, a notorious hacker collective active since at least 2022, continues to launch increasingly sophisticated social engineering attacks aimed at stealing usernames, login credentials, and multifactor authentication (MFA) tokens.

Feb 22, 2024 · Scattered Spider is a cybercrime group that has conducted social engineering, ransomware, extortion and other advanced campaigns since 2022.

A threat group called "Scattered Spider" is reportedly behind the Sept.
Tools and Techniques Used by Scattered Spider Threat Group.

May 23, 2024 · Interview: The cyberattacks against Las Vegas casinos over the summer put a big target on the backs of prime suspects Scattered Spider, according to Mandiant CTO Charles Carmakal.

Once credentials have been obtained, Scattered Spider use these to impersonate the admin and use sensitive data to gain access to the environment.

-based companies that use services from IAM leader Okta.

How IOCs are Used.

It was behind the attack on the MGM Las Vegas

Jun 12, 2024 · Another finding was that SCATTERED SPIDER, an affiliate of the ALPHV/BlackCat RaaS, is also regularly known to use the BYOVD technique to bypass EDR systems.

This actor often focuses their initial access efforts on IT service desk workers and

These investigations appear to be tied to a financially-motivated campaign with links to an adversary CrowdStrike tracks as SCATTERED SPIDER.

While these IOCs are subject to change as the group adapts, the following are based on information from CISA

Nov 11, 2024 · 0ktapus (aka Scattered Spider, UNC3944, Storm-0875, Starfraud, Scatter Swine, Muddled Libra, LUCR-3 and Octo Tempest) is a financially motivated threat actor active since 2022, that has successfully targeted many of its victims’ cloud environments.

UNC5537 Summary

May 14, 2025 · Monitoring for specific IOCs can provide early warnings of Scattered Spider activity.

After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with victims via TOR, Tox, email, or encrypted applications.

Cyble Research and Intelligence Labs (CRIL) researchers have examined a Termite ransomware binary and determined that Termite is essentially a rebranding of the notorious Babuk ransomware.

Sep 14, 2023 · This activity overlaps with activity that has been reported in open sources as "0ktapus," "Scatter Swine," and "Scattered Spider."

CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023.
The Scattered Spider group has conducted at least 3 remarkable campaigns so far: Oktapus / March-July 2022: This campaign targeted employees of U.

Apr 8, 2025 · Executive Summary.

Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.

2M to 59 victims; Five Scattered Spider suspects indicted for phishing spree and crypto heists; Scattered Spider, BlackCat claw their way back from criminal underground; A tale of 2 casino ransomware attacks: One paid out, one did not

"SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security" (Crowdstrike in January 2023 -- in fact, their big centerpiece at their booth for Black Hat 2023 was a 12' tall statue of their Scattered Spider avatar, before the MGM hack)

Nov 15, 2023 · SUMMARY: The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors.

May 2, 2025 · M&S may have been hacked by a group of notorious cyber-criminals known as Scattered Spider, some of whom are believed to be English-speaking teenagers.

May 8, 2025 · Scattered Spider (also known as Roasting 0ktapus and Scatter Swine) is a financially motivated threat actor that has been actively operating since May 2022.

May 17, 2023 · Google-owned Mandiant attributed the activity to a threat group it tracks under the name UNC3944, which is also known as Roasted 0ktapus and Scattered Spider.

Nov 16, 2023 · Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is adept at social engineering and relies on phishing, multi-factor authentication

A few days ago, on 13.
A new version of Spectre RAT has been identified as part of their updated tactics.

This new research outlines phishing campaigns often delivered via smishing in which the threat actor deploys phishing

North American group.

M&S has enlisted the help of cybersecurity firms like CrowdStrike and Microsoft to mitigate the impact of the attack.

The group utilizes multiple phishing kits, which are continually updated. Scattered Spider targets their victims with fake Okta and CMS pages.

The group is known for its advanced techniques, including abusing Single Sign-On (SSO) systems, Cross-Tenant Synchronization within Microsoft Azure, and deploying open

Nov 21, 2023 · Scattered Spider’s TTPs are highly significant to the wider threat landscape, as attacks are being aided by gaps in identification and insufficient help-desk user verification policies.

🔗 Network IOCs – Phishing and Infrastructure Domains 7-eleven-hr

Nov 16, 2023 · Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs.

According to a warning from Microsoft's threat intelligence team, the Scattered Spider (also known as Octo Tempest) hacking group has added new attack methods, with ransomware such as RansomHub and Qilin now among the weapons it currently uses.

Apr 29, 2025 · As to who those hackers might be: fingers are pointing at a rather fluid network of individuals called Scattered Spider (it also has other aliases).

io, it is dedicated to empowering cybersecurity professionals, researchers, and enthusiasts with actionable intelligence and industry-leading expertise.

For more than a week, the British retailer

Mar 21, 2024 · Scattered Spider typically targets large organizations, especially technology and telecommunications companies.

Plus, Terminator.
IOCs serve multiple purposes in cybersecurity defense, including detection, investigation, and prevention: 1.

Nov 23, 2023 · Insights of a Dangerously Proficient Social Engineering Group, Scattered Spider.

Alert your IT service desk to investigate suspicious passwords and/or MFA resets over the last few months.

Scattered Spider has largely been observed targeting telecommunications and Business Process Outsourcing (BPO) organisations.

Our mission is simple: to keep you informed, prepared, and empowered […]

Scattered Spider, also referred to as UNC3944, [1] is a hacking group mostly made up of teens and young adults believed to live in the United States and the United Kingdom.

The attackers created over a hundred unique domains that mimic these

Scattered Spider, a hacking group previously linked to cyberattacks on MGM Resorts and Clorox, has recently shifted its focus to the financial sector.

Train employees to identify lookalike domains and sign-in pages.

Oct 26, 2023 · The prolific threat actor known as Scattered Spider has been observed impersonating newly hired employees in targeted firms as a ploy to blend into normal on-hire processes and take over accounts and breach organizations across the world.

Sep 16, 2024 · How to leverage passive DNS history with Validin to uncover SCATTERED SPIDER phishing infrastructure.

Nov 21, 2023 · Adversary Emulation Response to CISA Advisory (AA23-320A): Scattered Spider. Published November 21, 2023.

Threat Actor Profile – Scattered Spider. Overview: Scattered Spider (also known as UNC3944 and Roasted 0ktapus) is a relatively new, financially motivated threat group that has been active since at least May 2022.

The data in this guide is most up to date as of publication.
exe has also been deployed during ALPHV/BlackCat ransomware attacks in June 2023 as well as leveraged by Akira ransomware affiliates, who also have ties to Conti.

Someone claiming to represent Scattered Spider told the Financial Times they wanted to rig the slot machines — a la Ocean’s Thirteen, which the rep said they’d never watched.

However, recent activity indicates that this group has started targeting other sectors, including critical infrastructure organisations.

Jun 17, 2024 · Casino cyberattacks put a bullseye on Scattered Spider – and the FBI is closing in; UnitedHealth CEO: 'Decision to pay ransom was mine'; Miscreants are exploiting enterprise tech zero days more and more, Google warns; SaaS is another new frontier for UNC3944.

The blog covers their TTPs, victims, arrests, and the role of cybercrime intelligence.

A U.

" Since 2022 and through early 2023, UNC3944 appeared to focus on accessing credentials or systems used to enable SIM swapping attacks, likely in support of secondary criminal operations occurring outside of victim

#1 Scattered Spider, a cybercriminal group, primarily targets commercial facilities' sectors and subsectors, specializing in data theft for extortion and utilizing BlackCat/ALPHV ransomware.

The mitigations

Jun 12, 2024 · In January 2024, 19-year-old Noah Michael Urban was arrested in Florida on charges of conspiracy to commit wire fraud, eight counts of wire fraud, and five counts of aggravated identity theft, ostensibly stemming from operations linked to Scattered Spider.

Scattered Spider is a hacker collective that has been active since at least 2022.

The attackers initially breached M&S in February, stealing sensitive information and credential files.

Recent Scattered Spider TTPs. New TTP - File Encryption: More recently, the FBI has identified Scattered Spider threat actors now encrypting victim files after exfiltration [T1486].
Dec 5, 2022 · The attacks have been attributed with low confidence to hackers tracked as 'Scattered Spider,' who demonstrate persistence in maintaining access, reversing mitigations, evading detection, and

Jul 19, 2024 · Ransomware attack techniques used by Scattered Spider. Photo Credit: Microsoft.

They are persistent, stealthy, and swift in their operations.

Significant brands targeted include Nike, T-Mobile, and Twitter/X among others.

S.

Nov 22, 2023 · Scattered Spider’s initial access vector was through the customer’s cloud environment, where it was able to gain access to an IT admin account using Okta single sign-on (SSO), having reset

Possibly connected with the Scattered Spider group.

Forecast.

Jul 24, 2024 · Scattered Spider targets financial institutions, telecommunication organisations, and technology companies.

Curated by the Threat Detection & Research team and other experts at Sekoia.

Response to CISA Advisory (AA23-320A): Scattered Spider. AttackIQ has released a new assessment template in response to the recently published CISA Advisory (AA23-320A) that disseminates known Scattered Spider Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs) identified through FBI investigations as recent as

About us: This blog is your trusted source for cutting-edge insights in CTI and SOC.

It is well-known for launching sophisticated social engineering attacks to obtain usernames, login credentials, and multi-factor authentication (MFA) tokens.

We predict, with high confidence, that attacks from Scattered Spider will persist into the long term (beyond one year).
Nov 7, 2024 · 0ktapus (aka Scattered Spider, UNC3944, Storm-0875, Starfraud, Scatter Swine, Muddled Libra, LUCR-3 and Octo Tempest) is a financially motivated threat actor active since 2022, that has successfully targeted many of its victims’ cloud environments.

Feb 9, 2024 · Scattered Spider is believed to be a group of European and US hackers in their teens and 20s who specialize in social engineering.

Scattered Spider pivots and targets applications with remarkable precision, using access to internal IT documentation for extremely efficient lateral movement.

The adversary's early campaigns predominantly targeted firms specializing in customer relationship management (CRM) and business-process outsourcing (BPO), as well as telecommunications and technology companies.

Oct 30, 2023 · In Q3 of 2023, several high profile attacks against the gaming industry and other large enterprises were carried out by “Scattered Spider”, aka UNC3944, aka Scatter Swine, aka Muddled Libra, aka Roasted 0ktapus, aka possibly sometimes BlackCat/ALPHV or Rhysida, aka a group of globally distributed teenagers… Attribution is hard in this industry.

Combination of social, technical skills

Aug 20, 2023 · Scattered Spider, also known as UNC3944, Scatter Swine, Muddled Libra and Roasted 0ktapus, is a financially motivated attacker group that has been active since May 2022. Scattered Spider has been observed primarily targeting telecommunications and business process outsourcing (BPO) organizations. However, recent activity

A group has been named in connection with the attack on the grocer’s IT network

Jul 17, 2024 · The infamous cybercrime group known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal, Microsoft has revealed.
Historically focused on telecommunications and business process outsourcing (BPO), the group has evolved to target high-leverage industries, including critical infrastructure and, more

Jun 16, 2024 · A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash

Apr 29, 2025 · Here's an updated and comprehensive list of Scattered Spider Indicators of Compromise (IOCs) and Indicators of Attack (IOAs).

May 14, 2024 · Scattered Spider has been actively targeting the global finance and insurance industries, according to new findings by cybersecurity specialists.

Regularly check for and monitor lookalike domains.

Educate employees about targeted phishing, smishing, and vishing.

Observably, Scattered Spider threat actors have exfiltrated data [TA0010] after gaining access and

Feb 22, 2024 · Scattered Spider is rapidly gaining notoriety and emerging as a cybercriminal group that demands close attention in the cybersecurity landscape.

Scattered Spider is the designation given to a threat actor that's known for its sophisticated social engineering schemes to breach targets and establish persistence for follow-on exploitation and data theft.

The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies.

Category: Threat Actor Activity | Industry: Global | Source: CISA. In a joint cybersecurity advisory, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) addressed the recent activities of Scattered Spider threat actors also tracked as Starfraud, UNC3944, Scatter Swine, and Muddled Libra.

Chinese-based

Dec 6, 2022 · Cybercrime: ‘Scattered Spider’ Cybercrime Group Targets Mobile Carriers via Telecom, BPO Firms.

Apr 8, 2025 · Alleged Scattered Spider SIM-swapper must pay back $13.
If that describes your organization, the FBI and CISA recommend organizations implement mitigations to improve your organization’s cybersecurity to reduce the risk of compromise by Scattered Spider threat actors.

Jun 11, 2024 · The crew behind the Snowflake intrusions may have ties to Scattered Spider, aka UNC3944 – the notorious gang behind the mid-2023 Las Vegas casino security breaches.

SCATTERED SPIDER is a prolific eCrime adversary who has conducted a range of financially-motivated activity since early 2022.

Apr 9, 2025 · Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025.

Nov 16, 2023 · Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.

The Google-owned security biz has been tracking the loosely knit crew - believed to be teens and twenty-somethings located in the US and UK - since 2022 when they

Jun 17, 2024 · “He is a sim swapper and is allegedly involved with the infamous Scattered Spider group,” reads vx-underground’s post on X.

10 MGM Resorts cyberattack, which days later is still keeping systems offline across the conglomerate's more than 30 hotels

May 21, 2024 · Three Popular Cyber Attacks Orchestrated by Scattered Spider.

May 12, 2025 · Who is SCATTERED SPIDER? SCATTERED SPIDER (also tracked as Roasted 0ktapus, Octo Tempest and Storm-0875 by various security vendors) is a prolific eCrime group who has conducted a range of financially motivated activity since early 2022.
Silent Push researchers have identified over 49 domains linked to PoisonSeed through WHOIS analysis and phishing kit fingerprints.

The group has been associated with over 100 targeted attacks across various industries, including

Jul 16, 2024 · Before the Feds crippled it in December, Scattered Spider used to rely on the ransomware payload of ALPHV/BlackCat – formerly the biggest dog in the ransomware kennel (along with LockBit) – so the adoption of RansomHub and Qilin by a group like Scattered Spider demonstrates how seriously the new guard is being taken.

A game of cops and robbers is playing out between the FBI and Scattered Spider (aka UNC3944, 0ktapus, Roasted Oktapus, Scatter Swine, Octo Tempest, Muddled Libra), the cybercrime outfit a la mode

Apr 29, 2025 · Ransomware attack by Scattered Spider has caused critical disruptions to M&S services.

After compromising identity infrastructure, they pivot to server environments on-premises and in the cloud and deploy ransomware for financial gain.

Scattered Spider is known for their social engineering skills and defense evasion techniques.

3.

“The more data government agencies can collect from incidents the more likely they are to find those mistakes and arrest the members of Scattered Spider.

Apr 8, 2025 · Another notable recent development in Scattered Spider’s activity was the registration of a domain that was previously legitimately owned by Twitter, which is now known as X.

0 IOCs as of publication.

Jul 15, 2024 · Learn how to track and defend against SCATTERED SPIDER, a prolific cybercriminal group that evolved from The Com community.
"This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM Microsoft last year described the threat actor — known as UNC3944, Scattered Spider, Scatter Swine, Octo Tempest, and 0ktapus — as one of the most dangerous current adversaries. BleepingComputer refers to “ongoing outages” at M&S Aug 18, 2023 · Scattered Spider, also referred to as UNC3944, Scatter Swine, Muddled Libra, and Roasted Oktapus, is a financially motivated threat actor gro Saturday, April 26, 2025 Feb 10, 2023 · Over time, Scattered Spider has demonstrated persistence in maintaining access, reversing mitigations, evading detection, and pivoting to other valid targets when thwarted. “Most notably he is believed to be a key component of the MGM ransomware attack , and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider. Jan 15, 2025 · Scattered Spider typically starts its attacks with targeted social engineering, impersonating employees or executives to trick help desks into resetting credentials, thus bypassing MFA. May 6, 2024 · Scattered Spider uses lookalike domains to conduct phishing attacks. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Background on Scattered Spider Aug 16, 2023 · Background on Scattered Spider. Jun 11, 2024 · The crew behind the Snowflake intrusions may have ties to Scattered Spider, aka UNC3944 – the notorious gang behind the mid-2023 Las Vegas casino security breaches. Fletch is constantly monitoring the threat landscape. In December 2022, Scattered Spider was linked to a malicious campaign targeting telecommunication service providers and business process outsourcing (BPO) firms. 
The advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI

Dec 14, 2023 · Notably, Octo Tempest's threat activity has overlapped with groups like 0ktapus, Scattered Spider, and UNC3944, a proficient social engineering group, prompting advisories from CISA in the previous month and Mandiant in September.

This report provides an overview of its history, modus operandi, toolset and ongoing attacks, including IoCs and technical details.

May 14, 2024 · Scattered Spider is still on the loose despite law enforcement efforts. Both the FBI and CISA announced a crackdown on the group in the aftermath of the MGM Resorts cyber attack in September 2023, which forced the group to shut down their IT systems, leaving customers locked out of rooms and slot machines out of action.

A typical Storm-0501 attack is fairly standard – not a lot of surprises.

These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old

T1053 - Scheduled Task/Job, T1056 - Input Capture, T1059 - Command and Scripting Interpreter, T1106 - Native API, T1115 - Clipboard Data, T1133 - External Remote Services, T1140 - Deobfuscate/Decode Files or Information, T1176 - Browser Extensions, T1190 - Exploit Public-Facing Application, T1195 - Supply Chain Compromise, T1496 - Resource Hijacking, T1564 - Hide Artifacts, T1219

May 2, 2025 · Trustwave SpiderLabs' in-depth research has found Scattered Spider, which is also known as UNC3944, Muddled Libra, 0ktapus, and Scattered Swine, to be exclusively motivated by financial gain.

The group, also known as 0ktapus, Scattered Spider, and UNC3944, has been active since early 2022, initially targeting telecom and outsourcing companies with SIM swap attacks.

Why would a hacking group like Scattered Spider attack M&S?
It's believed a hacking group encrypted important Marks and Spencer systems using ransomware - a technique which means companies are forced to

Dec 6, 2024 · The ransomware attack that hit supply chain management platform Blue Yonder and its customers last month was the work of a new ransomware group called “Termite.

Aug 18, 2023 · Scattered Spider, also referred to as UNC3944, Scatter Swine, and Muddled Libra, is a financially motivated threat actor group that has been active since May 2022.

Apr 29, 2025 · The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on Marks and Spencer that has crippled systems at the retailer and left its ecommerce operation in

Apr 30, 2025 · Previous Scattered Spider findings have said participants in this group are surprisingly young, in their mid-20s, with some as young as 16.

SCYTHE has included Scattered Spider Cybercriminal Group IOCs in the form of a threat, for use in your SCYTHE Platform, as well as Sigma rules to aid in the detection of Scattered Spider.

When that failed, they decided to

Feb 3, 2024 · Scattered Spider is a loose-knit group of threat actors, many of them English-speaking, who specialize in social engineering attacks to breach a company's networks.

Nov 16, 2023 · Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) on Scattered Spider—a cybercriminal group targeting commercial facilities sectors and subsectors.

On September 10, 2024, Arda Büyükkaya from EclecticIQ published a thorough update on SCATTERED SPIDER (also called 0ktapus).
May 14, 2024 · While specific IOCs related to the May 2024 campaign are unavailable, general indicators associated with Scattered Spider activity could include: Phishing emails with suspicious sender addresses

May 1, 2025 · The Scattered Spider hacking group [5] [8] [11] [12], also known by various aliases such as 0ktapus and UNC3944, orchestrated a significant ransomware attack on Marks & Spencer (M&S) in early 2025.

12.

Executive Summary.

]com and found it was owned by Twitter beginning on Aug.

Scattered Spider has largely been observed targeting telecommunications and Business Process Outsourcing (BPO) organizations.

The Sekoia Threat Detection and Research (TDR) team wrote a comprehensive blog post about Scattered Spider; you can find a detailed description of it at this link.

This report provides updated technical details with IOCs and TTPs.

By Trellix · August 17, 2023. This story was also written by Phelix Oluoch.
This attack, which exploited vulnerabilities in M&S’s security systems, led to substantial operational disruptions and financial losses for the

[2] [3] The group gained notoriety for their involvement in the hacking and extortion of Caesars Entertainment and MGM Resorts International, two of the largest casino

Nov 17, 2023 · Given Scattered Spider’s boldness and history of high-profile attacks on prominent organizations such as Okta, MGM and Caesars casinos, MailChimp, Twilio, DoorDash, and Riot Games, it’s not surprising the FBI/CISA issued a CSA to help counter the threat this group poses.

2023, CISA published a cybersecurity advisory for the Russian Foreign Intelligence Service (SVR), which globally exploits the JetBrains TeamCity CVE-2023-42793.

Nov 21, 2023 · Scattered Spider, also known by other names like Octo Tempest, 0ktapus, and UNC3944, has emerged as a significant threat in the cybersecurity landscape.

Silent Push researchers have identified five unique phishing kits used by Scattered Spider since 2023, with some

Sep 12, 2024 · Scattered Spider is a cybercriminal group that has gained notoriety for its focused attacks on cloud environments, particularly those in the insurance and financial industries.

Sep 20, 2023 · Scattered Spider is a financially motivated threat actor group that has been active since May 2022.
Apr 29, 2025 · Information from BleepingComputer indicates that Scattered Spider was most likely behind the hack on Marks & Spencer.

This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as

Apr 29, 2025 · Scattered Spider moves beyond the UK, places crosshairs on US companies

The store was hit by a hack on Easter Monday, the aftermath of which is still being felt by British and Irish customers.

Scattered Spider employs social engineering techniques, such as phishing, push bombing, and SIM swap

Apr 8, 2025 · Scattered Spider is an active hacker collective targeting various high-profile brands and services in 2025.

This ransomware gang is known for its sophisticated attacks across various sectors, including telecom, hospitality, retail, and financial services.

Oct 26, 2023 · Microsoft has published a detailed profile of a native English-speaking threat actor with advanced social engineering capabilities it tracks as Octo Tempest, aka Scattered Spider, that targets

Nov 17, 2023 · Scattered Spider is an affiliate of the BlackCat (ALPHV) Ransomware-as-a-Service (RaaS) group, and they use its TTPs and ransomware payloads in their attacks.

Apr 4, 2025 · Scattered Spider primarily focuses on large-scale ransomware attacks against corporate targets and has not been observed engaging in cryptocurrency wallet phishing.

Historically, Scattered Spider has mainly gained initial access to the victim environment via theft of administrative credentials by email and SMS phishing attacks or the use of stealware.
This blog will discuss the ongoing campaign in greater detail, highlighting the various techniques used by the adversary to gain and maintain access, and evade detection and response, as well as what

Aug 17, 2023 · Scattered Spider: The Modus Operandi. A threat actor tracked as ‘Scattered Spider’ is targeting telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile carrier networks and perform SIM swapping, cybersecurity firm CrowdStrike warns. This cybercriminal group employs sophisticated techniques including social engineering, data theft, and ransomware to target banks and insurance companies. These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old

T1053 - Scheduled Task/Job, T1056 - Input Capture, T1059 - Command and Scripting Interpreter, T1106 - Native API, T1115 - Clipboard Data, T1133 - External Remote Services, T1140 - Deobfuscate/Decode Files or Information, T1176 - Browser Extensions, T1190 - Exploit Public-Facing Application, T1195 - Supply Chain Compromise, T1496 - Resource Hijacking, T1564 - Hide Artifacts, T1219

Apr 8, 2025 · Executive Summary.

Apr 29, 2025 · The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group. Silent Push tracked the registration records of the domain twitter-okta[. Scattered Spider is a native English-speaking cybercriminal group that has been active since at least 2022. Scattered Spider has leveraged various malware and tools in its campaigns, including both publicly available and legitimate tools.
Sep 27, 2024 · More recently, Microsoft spotted it deploying Embargo's ransomware payload, and separately compared it to more established, financially motivated groups such as Octo Tempest (Scattered Spider) and Manatee Tempest (Evil Corp). By

Feb 23, 2024 · This technical report includes Indicators of Compromise (IoCs) and enables cybersecurity professionals to detect and mitigate threats associated with Scattered Spider's activities.

The group is yet to receive a Microsoft designation but will fall into the Tempest (financially motivated) category once registered. The consensus among researchers is that the group is made up of relatively young threat actors reported to be between 17 and 22 years old, native

Scattered Spider is known for its use of identity-based techniques, specialising in account takeover through stolen credentials, phishing, and advanced social engineering such as help desk scams. Our team published IOCs on the group in early 2023.

Oct 24, 2024 · response to activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors.

Scattered Spider, also referred to as UNC3944, Scatter Swine, and Muddled Libra, is a financially motivated threat actor group that has been active since May 2022. Our research indicates that the group often registers lookalike domains 12-24 hours before an attack, mimicking the target organization or its services.

Apr 16, 2025 · Challenge: Stopping phishing attacks using only IOCs. Once inside, Scattered Spider avoids specialized malware and instead relies on reliable remote management tools to maintain access.

Explore the severe impact of the incident on M&S, including contactless payment failures, online delivery delays, and significant stock shortages in physical locations.
Strengthen your environment against the published Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with Scattered Spider.

22, but changed hands on Oct.

Nov 17, 2023 · “Scattered Spider is very skilled, but even the most skilled actors make mistakes,” Liska said.