
Scattered Spider: The Group Currently Scattering UK Retail Organizations

This report expands on our previous research into the DragonForce ransomware cartel, which publicly claimed responsibility for the string of disruptive attacks on UK retail organizations between April and May 2025. While DragonForce handled the ransomware deployment and data-leak extortion phases, forensic and behavioral evidence indicates that another entity — Scattered Spider — played a critical enabling role behind the scenes.

Scattered Spider’s activities demonstrate how modern threat ecosystems are increasingly collaborative. They serve as a bridge between social engineering specialists and ransomware operators, using human deception and cloud compromise to create access pipelines for affiliates. Their tradecraft reflects a growing convergence between access brokers and ransomware-as-a-service (RaaS) collectives — where one group infiltrates, another monetizes, and both share profits.

This analysis offers a comprehensive view of Scattered Spider’s origins, evolution, technical methods, and the widening impact of identity-centric intrusions. Understanding their playbook is crucial for defenders seeking to address today’s most human-driven cybersecurity threat.

Who Is Scattered Spider?

Scattered Spider — also tracked as Roasted 0ktapus, Scatter Swine, UNC3944, and Octo Tempest — is a financially motivated cyber-criminal collective active since mid-2022. It operates with the fluidity of a decentralized group, leveraging social engineering, cloud manipulation, and identity theft to breach some of the most well-defended enterprises.

The group initially rose to prominence after compromising several telecommunications and BPO providers in the U.S., exploiting weak help-desk protocols and manipulating employees through social channels like Telegram and Discord. Their early SIM-swapping campaigns allowed them to hijack MFA codes and compromise high-value corporate accounts.

Unlike traditional threat actors focused solely on malware development, Scattered Spider’s strength lies in human interaction and persistence. They meticulously research their targets on LinkedIn and other platforms, impersonate internal IT staff, and convince employees to grant access or reset credentials. Once inside, they pivot laterally through cloud platforms such as Azure AD, AWS, and Google Workspace, searching for privileged tokens and administrative accounts.

By 2024, their sophistication had matured. They began functioning as both an access broker — selling compromised credentials to other threat groups — and a direct participant in coordinated ransomware campaigns. Their ability to merge social engineering with technical precision makes them one of the most adaptive cyber-criminal entities of the decade.

Evolution Timeline

  • 2022 – Launched initial campaigns against telecom and BPO firms via phishing and SIM-swapping, exploiting trust in customer support workflows. These intrusions provided early access to enterprise communications data and two-factor authentication systems.
  • 2023 – Expanded to target cloud service providers and cryptocurrency platforms. Adopted OAuth token abuse for persistent cloud access. Early experiments with credential phishing kits marked a move toward automation and scaling.
  • 2024 – Entered collaborations with DragonForce and BlackCat/ALPHV. Introduced the POORTRY kernel driver to terminate endpoint protection services, evading detection. Began blending identity compromise with ransomware preparation.
  • 2025 – Pivoted toward UK retail and aviation, leveraging insider recruitment campaigns on Telegram. Implemented MFA fatigue automation (“push bombing”) to overwhelm users and extract logins. These campaigns signaled the full maturity of their social-technical hybrid model.

Each milestone represents a shift in operational scope — from small-scale social scams to corporate infiltration, from opportunism to partnership with structured ransomware ecosystems.

Victimology

Scattered Spider’s victims reflect a diverse global footprint. Their campaigns have targeted telecommunications, cloud services, financial, retail, and aviation sectors, with a consistent focus on organizations managing sensitive identity or payment data.

  • August 2022 – U.S. Cloud Communications Breach: 163 customers impacted; one-time passwords (OTP) and SMS traffic exfiltrated. This incident marked their transition from SIM-swapping to full network intrusion.
  • December 2022 – Telecom/BPO Campaign: Targeted mobile-carrier infrastructure and third-party support centers to steal customer records and internal documentation.
  • 2023 – Crypto & Outsourcing Firms: Compromised API keys and administrative portals using cloud misconfigurations; correlated TTPs tied multiple breaches to UNC3944.
  • 2025 – UK Retail Wave: Major retailers including Marks & Spencer, Harrods, and Co-op faced system disruptions, credential theft, and ransomware staging. These events exposed how the group’s identity compromise operations fuel large-scale extortion.

The group’s pattern of infiltration through human targets — rather than direct system exploitation — distinguishes them from most ransomware affiliates. Their attack chain begins in conversation, not code.

Malware, Toolset & Tactics

Scattered Spider’s arsenal reflects a dual emphasis: social engineering precision and post-exploitation automation.

  • Social Engineering: Telegram phishing, fake IT support calls, SIM-swapping, and MFA fatigue (“push bombing”) campaigns remain their signature tactics. They often mimic help-desk agents and exploit urgency or confusion among employees.
  • POORTRY Driver: A malicious kernel-mode driver designed to terminate EDR processes and evade security monitoring. Signed with a stolen Microsoft WHQL certificate, it exemplifies their access to underground signing-certificate markets.
  • STONESTOP Utility: A user-mode loader that installs and manages the POORTRY driver. It allows modular control of persistence and privilege escalation.
  • Cloud Exploitation: Abuse of OAuth tokens, misconfigured API keys, and Azure/AWS privilege escalation. The group frequently hijacks service accounts to bypass MFA controls.
  • Persistence: Legitimate remote-management tools such as AnyDesk, LogMeIn, and ConnectWise Control, alongside VPN credential theft, allow continued access long after initial compromise.
  • Data Exfiltration: Rclone, MEGAsync, FileZilla, and Dropbox are used for large-scale data transfers; cloud buckets (e.g., AWS S3) often serve as temporary exfil destinations.
  • Access Brokering: Stolen credentials and cloud tokens are monetized via private Telegram channels and dark-web marketplaces.

Their modus operandi is modular and scalable: a human intrusion opens the door; automation ensures exploitation, persistence, and profit.

Operational Scope & Impact by Sector (2022–2025)

Approximate distribution of observed incidents:

  • Retail: 30% — Credential compromise and ransomware staging in point-of-sale systems.
  • Telecom: 25% — Continued exploitation of SIM-swap workflows and call-center access.
  • Finance: 15% — Targeting fintech, online banking portals, and credit platforms.
  • Cloud Services: 10% — Abuse of shared tenants, OAuth persistence, and token replay.
  • Critical Infrastructure: 8% — Limited but growing interest in logistics, energy, and aviation sectors.

This cross-sector exposure underscores the versatility of Scattered Spider’s intrusion model — adaptable to any industry where remote access and cloud identity are central.

Malicious Recruitment Campaign – August 2025

In August 2025, threat-intelligence (TI) analysts discovered a series of Telegram posts advertising insider recruitment programs. These messages sought employees within telecoms, gaming companies, financial firms, and cloud hosting providers.

The tone was casual but persuasive: “Looking for someone with AnyDesk or VPN access. Quick pay, no risk. DM for details.” Payments offered ranged from $3,000 to $10,000 USD, depending on the access level. Employees were asked to share VPN credentials, VDI/Citrix sessions, or RMM software connections, which were then resold or exploited by ransomware affiliates.

This insider-recruitment model reflects a strategic shift from technical to trust-based compromise. By embedding within legitimate access channels, Scattered Spider circumvents even the most hardened perimeter defenses. The campaign also highlights the professionalization of cybercrime — where “employees-for-hire” function as subcontractors in the ransomware economy.

Vulnerabilities Exploited

  • CVE-2015-2291 (CVSS 7.8) – Intel Ethernet diagnostics driver IOCTL flaw allowing kernel-level code execution. Published Aug 09 2017. Products affected: Windows drivers (iqvw32/64.sys).
  • CVE-2021-35464 (CVSS 9.8) – ForgeRock AM Java deserialization remote code execution via /ccversion/* endpoint. Published Jul 22 2021. Products affected: ForgeRock Access Management < 7.0.
  • CVE-2024-37085 (CVSS 6.8) – VMware ESXi authentication bypass through Active Directory group recreation. Published Jun 25 2024. Products affected: VMware ESXi hosts.

These vulnerabilities are leveraged opportunistically — not exploited en masse — to maintain or expand footholds after social engineering succeeds.

MITRE ATT&CK Mapping

  • Impact: T1496 – Resource Hijacking
  • Defense Evasion: T1134.001 – Token Impersonation / Theft
  • Privilege Escalation: T1068 – Exploitation for Privilege Escalation
  • Persistence: T1053 – Scheduled Task / Job
  • Execution: T1059 – Command & Scripting Interpreter
  • Initial Access: T1566 – Phishing

This mapping reinforces that Scattered Spider excels at defense evasion and initial access, leveraging human and identity vectors more than malware payloads.

Notable Recent Attacks

  • 2023 – MGM & Caesars (Leisure): Ransomware deployment; Caesars reportedly paid ≈ $15 million for decryption and non-disclosure.
  • 2024 – NCR (U.S. Payments Giant): BlackCat/POORTRY driver use caused major POS outages and service disruption.
  • Apr–May 2025 – UK Retail (DragonForce wave): Credential reuse and data exfiltration; ransomware executed via Scattered Spider-provided access.
  • 2025 Q3 – Aviation & Insurance sectors: Active intrusions under investigation by FBI and CISA; suspected overlap with DragonForce affiliates.

These incidents show a steady escalation in operational scale and sophistication, transitioning from telecom breaches to coordinated multi-industry attacks.

Indicators of Compromise (IOCs)

  • IPv4 – 98.100.141.70 – last seen Apr 30 2025
  • URL – http://138.68.27.0 – last seen Apr 30 2025
  • IPv4 – 198.44.136.180 – last seen Apr 30 2025
  • IPv4 – 195.206.107.147 – last seen Apr 30 2025
  • IPv4 – 188.166.92.55 – last seen Apr 30 2025

Security teams should cross-reference these indicators with internal telemetry for potential beaconing, VPN log anomalies, or exfiltration attempts.
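
The following script is an added example, not part of the Cypho report, showing how the cross-referencing described above can be done. The indicator values are taken from the IOC table on this page; the log lines, the log format and the field names are constructed sample data. The URL indicator is reduced to its host so that a bare IP in a VPN or firewall record still matches.

```python
"""Added example (not from the Cypho report): sweep constructed log lines
for the indicators listed in the report's IOC table."""
import re
from urllib.parse import urlparse

# Indicator values exactly as listed in the report's IOC table.
IOCS = {
    "ipv4": {"98.100.141.70", "198.44.136.180", "195.206.107.147", "188.166.92.55"},
    "url": {"http://138.68.27.0"},
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def indicator_hosts():
    """Flatten the IOC table into one set of hosts to look for; URL
    indicators contribute their host component."""
    hosts = set(IOCS["ipv4"])
    for url in IOCS["url"]:
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def scan_line(line, hosts):
    """Return the indicator hosts that appear in one log line."""
    found = set(IPV4_RE.findall(line))
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host:
            found.add(host)
    return found & hosts


def sweep(lines):
    """Map each matching line number (1-based) to the sorted indicators it contains."""
    hosts = indicator_hosts()
    hits = {}
    for number, line in enumerate(lines, start=1):
        matched = scan_line(line, hosts)
        if matched:
            hits[number] = sorted(matched)
    return hits


# Constructed sample telemetry (VPN, proxy, firewall); these are not real logs.
SAMPLE_LOGS = [
    "2025-04-30T02:11:07Z vpn   user=jdoe   src=98.100.141.70 action=login result=success",
    "2025-04-30T02:15:41Z proxy user=jdoe   dst=http://138.68.27.0/upload.php bytes=48210",
    "2025-04-30T02:20:03Z fw    src=10.20.30.40 dst=192.0.2.10 action=allow",
    "2025-04-30T03:02:55Z vpn   user=asmith src=188.166.92.55 action=login result=failed",
]

if __name__ == "__main__":
    for number, indicators in sweep(SAMPLE_LOGS).items():
        print(f"line {number}: {', '.join(indicators)} -> {SAMPLE_LOGS[number - 1]}")
```

Run against real telemetry, the `SAMPLE_LOGS` list would be replaced by a file iterator; the matching logic is unchanged. A hit on a VPN login from an indicator address (line 1 of the sample) is the beaconing/VPN anomaly case the report mentions, and a proxy record to the indicator URL with a large byte count (line 2) is the exfiltration case.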

Defensive Recommendations

To mitigate threats posed by Scattered Spider and similar access brokers, organizations should implement the following measures:

  • Adopt Phishing-Resistant MFA: Prefer hardware-based FIDO2 keys or number-matching mechanisms to counter MFA fatigue.
  • Harden Help-Desk Workflows: Require multi-party verification and out-of-band confirmation before credential resets.
  • Monitor Identity Systems: Log and alert on anomalous OAuth token usage and new administrative session creation.
  • Restrict Driver Installation: Block unsigned or untrusted kernel modules to prevent POORTRY or similar driver abuse.
  • Zero-Trust Vendor Management: Enforce least-privilege principles for third-party access and remote monitoring tools.
  • Incident Readiness: Pre-define credential rotation, ITDR (Identity Threat Detection & Response), and isolation procedures.
  • Security Awareness: Continuously train employees to identify vishing, social engineering, and MFA fatigue scenarios.
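
As an added example that is not part of the report, the detector below shows what the “Monitor Identity Systems” recommendation looks like in practice for the MFA-fatigue technique the report attributes to the group: it counts denied or unanswered push prompts per user inside a sliding window and raises the severity when an approval follows the burst, which is the outcome push bombing aims for. The event schema, the user names and the thresholds are assumptions, not any identity provider's real format.

```python
"""Added example (not from the Cypho report): detect MFA push bombing in
constructed identity-provider sign-in events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds; assumed values chosen for the example.
BURST_COUNT = 5                      # rejected prompts needed before alerting
BURST_WINDOW = timedelta(minutes=10) # window in which they must occur

# Constructed sample events: (timestamp, user, mfa_result).
# mfa_result is one of "denied", "timeout" or "approved".
EVENTS = [
    ("2025-05-01T03:00:05Z", "jdoe", "denied"),
    ("2025-05-01T03:00:40Z", "jdoe", "timeout"),
    ("2025-05-01T03:01:10Z", "jdoe", "denied"),
    ("2025-05-01T03:01:55Z", "jdoe", "timeout"),
    ("2025-05-01T03:02:30Z", "jdoe", "denied"),
    ("2025-05-01T03:04:12Z", "jdoe", "approved"),   # user finally taps approve
    ("2025-05-01T09:15:00Z", "asmith", "approved"), # ordinary login
    ("2025-05-01T09:16:00Z", "asmith", "denied"),   # single mis-tap, no alert
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_bombing(events, burst_count=BURST_COUNT, window=BURST_WINDOW):
    """Return {user: alert} for every user whose denied/timed-out prompts reach
    burst_count inside `window`. Severity is "critical" when an approval lands
    within one window after the burst (the prompt storm likely succeeded),
    otherwise "high"."""
    per_user = defaultdict(list)
    for ts, user, result in sorted(events, key=lambda e: e[0]):
        per_user[user].append((parse_ts(ts), result))

    alerts = {}
    for user, evs in per_user.items():
        rejected = [t for t, r in evs if r in ("denied", "timeout")]
        burst_end, burst_size, start = None, 0, 0
        # Sliding window over the rejected prompts, in time order.
        for end in range(len(rejected)):
            while rejected[end] - rejected[start] > window:
                start += 1
            if end - start + 1 >= burst_count:
                burst_end, burst_size = rejected[end], end - start + 1
                break
        if burst_end is None:
            continue
        approved_after = any(
            r == "approved" and burst_end <= t <= burst_end + window
            for t, r in evs
        )
        alerts[user] = {
            "prompts": burst_size,
            "burst_end": burst_end.isoformat(),
            "severity": "critical" if approved_after else "high",
        }
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_bombing(EVENTS).items():
        print(f"{alert['severity'].upper()}: {user} received {alert['prompts']} "
              f"rejected MFA prompts ending {alert['burst_end']}")
```

The split into "high" and "critical" matters operationally: a burst with no approval means the user held out and the account password is still compromised (rotate it), while a burst followed by an approval means an active session exists and the ITDR isolation procedure from the list above applies. Number-matching MFA removes the blind-approve path that makes the second case possible.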

By combining strong identity governance with proactive monitoring and user education, organizations can close the gaps Scattered Spider routinely exploits.

Outlook for 2026

The group’s alliance with ShinyHunters and other underground data-leak actors suggests a continued convergence between access brokerage and data extortion. Analysts predict increased targeting of aviation, fintech, and managed service providers through 2026, reflecting the group’s focus on high-value data and operational leverage.

Law-enforcement disruptions — including ongoing FBI and NCSC investigations — may fragment Scattered Spider into smaller cells. However, fragmentation could make them harder to track rather than less dangerous. Their open recruitment methods and reliance on social engineering ensure that their playbook can easily be replicated by others.

Defenders should anticipate that identity compromise, insider recruitment, and cloud exploitation will remain core components of this threat landscape.
