Scattered Spider, also known by aliases such as UNC3944, Octo Tempest, 0ktapus, Muddled Libra, and Scatter Swine, has rapidly evolved into one of the most formidable cybercriminal groups in recent years. Emerging in 2022, this collective has transitioned from basic phishing schemes to sophisticated, multi-stage ransomware operations targeting critical infrastructure across the United States and the United Kingdom. Their latest strategies involve hypervisor-level attacks and the deployment of new ransomware variants, marking a significant escalation in their capabilities and the potential impact of their operations.
Background and Composition
Scattered Spider is a financially motivated cybercriminal collective comprising primarily native English-speaking individuals, including young adults and teenagers from the United States, United Kingdom, and Canada. The group is believed to be affiliated with a larger underground community known as The Com or The Community, linked to various criminal activities such as extortion, money laundering, cryptocurrency theft, and SIM swapping operations. Unlike traditional state-sponsored advanced persistent threats (APTs) or highly technical ransomware groups, Scattered Spider operates as a decentralized network of individual threat actors collaborating through encrypted communication channels. This structure has proven resilient, allowing the group to continue operations despite multiple high-profile arrests throughout 2024 and 2025.
Key Characteristics and Capabilities
The group’s primary strengths lie in their sophisticated understanding of Western business practices and exceptional social engineering capabilities. Their native English proficiency, combined with extensive reconnaissance efforts, enables them to convincingly impersonate employees and IT personnel during voice-based attacks. This linguistic and cultural advantage has been instrumental in their success against English-speaking targets. Scattered Spider employs a living off the land (LotL) approach, preferring to exploit legitimate administrative tools rather than deploying custom malware. This methodology significantly reduces their detection footprint while allowing them to blend seamlessly with normal network activity.
Evolution of Tactics, Techniques, and Procedures
Historical TTPs (2022-2023)
Initially, Scattered Spider focused on SIM swapping attacks and credential theft targeting telecommunications and business process outsourcing (BPO) companies. They employed broad phishing campaigns, including SMS phishing (smishing) and email phishing, to obtain initial access. Once inside, they utilized publicly available tools for reconnaissance and lateral movement, such as Mimikatz for credential extraction and Ngrok to expose internal web servers for remote access through an internet tunnel. Their operations often culminated in data exfiltration and extortion, with threats to leak sensitive information if ransom demands were not met.
New Tactics and Techniques in 2025
Hypervisor-Level Attacks
In 2025, Scattered Spider has shifted its focus toward targeting virtualization infrastructure, particularly VMware vSphere environments and ESXi hypervisors. This evolution allows them to bypass traditional endpoint detection and response (EDR) tools, maximizing the impact of their ransomware deployments. Their hypervisor attack methodology follows a consistent pattern:
1. Initial Access: Gaining entry through social engineering tactics, such as impersonating employees to deceive IT help desks into resetting passwords or transferring multi-factor authentication (MFA) tokens.
2. Pivoting: Moving from compromised Active Directory environments to VMware vCenter Server Appliances.
3. Control Acquisition: Enabling SSH access on ESXi hosts, resetting root passwords, and performing disk-swap attacks (attaching a domain controller's virtual disk to an attacker-controlled VM) to extract critical databases like NTDS.dit, the Active Directory database.
This approach is particularly devastating because it allows attackers to encrypt entire virtual environments from the hypervisor level, rendering in-guest security solutions powerless. A single compromised ESXi server can host dozens or hundreds of virtual machines, making this an extremely efficient attack vector.
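The three-step chain above is what a defender should correlate on the vCenter/ESXi side: SSH being enabled on a host, followed by a root password change and a virtual disk being attached to a different VM, all within a short window. The following detector is an added example written for this article (not the group's tooling nor VMware's own API); the log-line format and event labels are constructed and simplified rather than vCenter's exact event identifiers, and the two-hour window is an assumed threshold.

```python
from datetime import datetime, timedelta

# Ordered steps of the hypervisor take-over chain described above.
# Labels are simplified for this example, not vCenter's real event IDs.
CHAIN = ["ssh_enabled", "root_password_changed", "vm_disk_attached"]
WINDOW = timedelta(hours=2)   # assumed: how fast the chain must complete to alert

# Constructed sample log: esx01 shows the full chain; esx02 shows routine,
# widely spaced admin work that must NOT alert.
SAMPLE_LOG = [
    "2025-06-09T01:02:00 host=esx01 user=helpdesk-admin event=ssh_enabled",
    "2025-06-09T01:05:30 host=esx01 user=root event=root_password_changed",
    "2025-06-09T01:40:10 host=esx01 user=root event=vm_disk_attached vm=DC01",
    "2025-06-09T02:00:00 host=esx02 user=ops event=ssh_enabled",
    "2025-06-10T09:00:00 host=esx02 user=ops event=root_password_changed",
]

def parse_event(line):
    """Parse one constructed line: '<iso-timestamp> key=value key=value ...'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect_hypervisor_takeover(lines, window=WINDOW):
    """Return one alert per host on which every CHAIN step occurs, in order,
    within `window`. A stale chain (too slow) is discarded and restarted."""
    by_host = {}
    for rec in map(parse_event, lines):
        by_host.setdefault(rec["host"], []).append(rec)
    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda r: r["ts"])
        idx, start, users = 0, None, set()
        for rec in events:
            if idx > 0 and rec["ts"] - start > window:
                idx, users = 0, set()            # chain went stale; start over
            if rec["event"] != CHAIN[idx]:
                continue                         # not the step we are waiting for
            if idx == 0:
                start, users = rec["ts"], set()  # first step anchors the window
            users.add(rec["user"])
            idx += 1
            if idx == len(CHAIN):
                alerts.append({"host": host, "start": start.isoformat(),
                               "end": rec["ts"].isoformat(), "users": sorted(users)})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_hypervisor_takeover(SAMPLE_LOG):
        print("ALERT hypervisor take-over chain:", alert)
```

Feeding the detector the real event stream requires only replacing `parse_event` with a parser for your vCenter export; the correlation logic is unchanged.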
Abuse of Identity and Access Management Systems
Scattered Spider has developed increasingly sophisticated methods for exploiting identity and access management systems. Their current techniques include:
– Cross-Tenant Synchronization (CTS) Abuse: Configuring cross-tenant synchronization within Microsoft Entra ID environments so that they retain persistence even after their original access is revoked.
– Federated Identity Provider Exploitation: Adding malicious identity providers to victim single sign-on (SSO) tenants and activating automatic account linking. This technique enables them to sign into any account by controlling arbitrary values for SSO account attributes, effectively bypassing traditional authentication controls.
Cloud Environment Targeting
Recent campaigns have shown an increased focus on cloud storage environments, particularly targeting Snowflake Data Cloud instances. The group has been observed running thousands of queries against Snowflake environments to exfiltrate large volumes of data in short timeframes. This shift toward cloud storage targeting aligns with their broader strategy of maximizing data theft for extortion purposes. Their cloud operations also include the systematic abuse of Amazon Web Services (AWS) Systems Manager Inventory for lateral movement discovery, as well as the creation of new cloud instances specifically for data collection and exfiltration purposes.
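The Snowflake behaviour described above, thousands of queries pulling large row counts in a short span, is easiest to catch with a per-user sliding-window count over query history. The code below is an added example for this article, not tooling from Snowflake or the group; it works on records shaped like rows from a query-history view (the field names mirror columns such as USER_NAME, START_TIME and ROWS_PRODUCED), the sample rows are constructed, and the thresholds are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for this example; tune to the normal baseline per role.
QUERY_RATE_LIMIT = 500        # queries by one user inside WINDOW
ROWS_LIMIT = 1_000_000        # rows returned to one user inside WINDOW
WINDOW = timedelta(minutes=10)

def flag_bulk_exfiltration(records, rate_limit=QUERY_RATE_LIMIT,
                           rows_limit=ROWS_LIMIT, window=WINDOW):
    """records: dicts with keys user, start_time (datetime), rows_produced.
    For each user, compute the busiest sliding window (by query count and by
    rows returned) and report users who exceed either limit."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((r["start_time"], r["rows_produced"]))
    findings = {}
    for user, qs in by_user.items():
        qs.sort()
        left = rows = max_q = max_rows = 0
        for right, (ts, n) in enumerate(qs):
            rows += n
            while ts - qs[left][0] > window:     # drop queries older than WINDOW
                rows -= qs[left][1]
                left += 1
            max_q = max(max_q, right - left + 1)
            max_rows = max(max_rows, rows)
        if max_q > rate_limit or max_rows > rows_limit:
            findings[user] = {"max_queries_in_window": max_q,
                              "max_rows_in_window": max_rows}
    return findings

def constructed_sample():
    """Constructed query-history rows: a routine analyst (one 500-row query
    every 5 minutes for 4 hours) and one account firing 1,200 queries of
    2,000 rows each in eight minutes."""
    t0 = datetime(2025, 6, 9, 3, 0, 0)
    rows = [{"user": "ANALYST", "start_time": t0 + timedelta(minutes=5 * i),
             "rows_produced": 500} for i in range(48)]
    rows += [{"user": "SVC_ETL", "start_time": t0 + timedelta(seconds=0.4 * i),
              "rows_produced": 2000} for i in range(1200)]
    return rows

if __name__ == "__main__":
    for user, stats in flag_bulk_exfiltration(constructed_sample()).items():
        print(f"ALERT {user}: {stats}")
```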
Enhanced Evasion and Persistence Techniques
Scattered Spider has refined their evasion techniques to include:
– Proxy Networks: Consistently routing their activity through proxy networks to hamper detection and response efforts.
– Machine Name Rotation: Regularly changing machine names to avoid detection.
– Fake Social Media Profiles: Creating profiles to backstop newly created user identities within victim environments, adding an additional layer of legitimacy to their impersonation efforts.
The group now systematically monitors victim communications through platforms like Slack, Microsoft Teams, and Exchange Online to detect security response activities. This intelligence gathering allows them to adapt their tactics in real time and has often resulted in them joining incident response calls to gather information about defensive measures.
Recent High-Profile Attacks
Scattered Spider’s recent activities have targeted major organizations across various sectors:
– Retail: In 2025, the group orchestrated sophisticated cyber attacks on major global brands, including UK retailer Marks & Spencer (M&S). The breach at M&S caused substantial financial damage, wiping up to £300 million from operating profits and over £600 million from its market value. The group extensively researched employees to execute social engineering attacks, setting up fake websites and hiring individuals to impersonate staff to gain internal access.
– Insurance: Recent incidents targeting the U.S. insurance industry bear all the hallmarks of Scattered Spider activity. The group has been observed breaching multiple U.S. companies in the insurance sector using tactics such as social engineering schemes targeting help desks and call centers. Companies like Philadelphia Insurance Companies (PHLY) and Erie Insurance have disclosed cyberattacks impacting their systems, with PHLY discovering unauthorized access on June 9, 2025, and Erie Insurance reporting unusual network activity on June 7, 2025.
– Critical Infrastructure: The group has been actively targeting critical infrastructure sectors in the U.S. through VMware-centric attacks. These campaigns leverage advanced social engineering rather than traditional software vulnerabilities, with attackers impersonating employees to trick IT help desks into resetting Active Directory passwords, gaining initial access, and escalating privileges to access and compromise VMware vCenter Server Appliances.
Mitigation Strategies
Given the evolving tactics of Scattered Spider, organizations are advised to implement the following mitigation strategies:
1. Phishing-Resistant Multi-Factor Authentication (MFA): Adopt MFA methods that are resistant to phishing, such as FIDO/WebAuthn, to prevent unauthorized access.
2. Limit and Monitor Remote Access: Restrict remote access to essential personnel and continuously monitor for suspicious login behavior.
3. Network Segmentation: Implement network segmentation to limit lateral movement within the network.
4. Regular Patching: Ensure all systems are up-to-date with the latest security patches to mitigate known vulnerabilities.
5. Employee Training: Conduct regular training sessions to educate employees about social engineering tactics and encourage vigilance against phishing attempts.
6. Incident Response Planning: Develop and regularly update incident response plans to ensure swift action in the event of a breach.
By understanding the evolving tactics of Scattered Spider and implementing robust security measures, organizations can better defend against this persistent and sophisticated threat actor.