{
	"id": "cc898aac-3a38-4f98-aef2-9fec8e186c3b",
	"created_at": "2026-04-09T02:23:51.355487Z",
	"updated_at": "2026-04-10T03:34:59.532226Z",
	"deleted_at": null,
	"sha1_hash": "087dc70ebd1f683f17566d80eb7a5fce036d6570",
	"title": "Scattered Spider is NOT quiet. They're just under another name now. - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47843,
	"plain_text": "Scattered Spider is NOT quiet. They're just under another name\r\nnow. - DataBreaches.Net\r\nPublished: 2025-08-05 · Archived: 2026-04-09 02:21:29 UTC\r\nCiting a July 30 report in The Hacker News, SC Media reports:\r\nFollowing recent arrests of alleged Scattered Spider members in the UK, Google Cloud’s Mandiant\r\nConsulting has reported a noticeable pause in the group’s activities, offering a “critical window of\r\nopportunity” for organizations to bolster their defenses, reports The Hacker News.\r\nTHN had reported, in part:\r\n“Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the U.K.,\r\nMandiant Consulting hasn’t observed any new intrusions directly attributable to this specific threat\r\nactor,” Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, told The Hacker News in a\r\nstatement.\r\n“This presents a critical window of opportunity that organizations must capitalize on to thoroughly\r\nstudy the tactics UNC3944 wielded so effectively, assess their systems, and reinforce their security\r\nposture accordingly.”\r\nCarmakal also warned businesses not to “let their guard down entirely,” as other threat actors\r\nlike UNC6040 are employing similar social engineering tactics as Scattered Spider to breach target\r\nnetworks.\r\nDataBreaches recently suggested that attempting to distinguish the groups or to attribute incidents to one or the\r\nother is fraught with difficulty because they appear to be one now, as claimed by the leader of ShinyHunters in a\r\nstatement to DataBreaches.\r\nToday, DataBreaches asked ShinyHunters to respond to Carmakal’s statements to THN. He replied:\r\nMr. Charles Carmakal and the rest of the Google Threat Intelligence Group appear to be tunnel\r\nvisioned. 
They’ve been saying the same thing for a year now.\r\nTheir analysis compared to BleepingComputer or DataBreaches.net is inaccurate.\r\nMandiant is just upset they can’t directly link which name (group) is doing this and we have them\r\nexactly where we want them to be, just like the entirety of threat intelligence and law enforcement.\r\nIn a follow-up inquiry, DataBreaches asked ShinyHunters to respond more specifically to the claim that Mandiant\r\nhad not detected any new intrusions by Scattered Spider (UNC3944) since the arrests of four alleged members of\r\nScattered Spider. “Have members of Scattered Spider been active since those arrests, attacking new victims?”\r\nDataBreaches asked. “If so, can you give me any clues or insight as to who they have been attacking?”\r\nShinyHunters replied:\r\nThey’ve been working with us. Despite everyone’s efforts to halt the Salesforce-related attacks, we\r\ncontinue to attack multi-billion to multi hundred billion dollar companies daily and successfully dump\r\nthem. We urge law enforcement and Google Threat Intelligence to collaborate closely with CrowdStrike\r\nand Unit221b to effectively counter and put an end to this threat. Google Threat Intelligence and law\r\nenforcement have shown nothing but incompetence and inaccuracy.\r\nGoogle Threat Intelligence has been actively monitoring the situation, particularly tracking activity and\r\nTTPs associated with the four alleged members of Scattered Spider arrested in the U.K. 
Those four\r\nindividuals do not constitute the entirety of Scattered Spider.\r\nShinyHunters’ reply is consistent with his prior statement to DataBreaches that ShinyHunters and Scattered Spider\r\nare now one.\r\nWhile Mandiant and others continue to use the two labels for the groups, DataBreaches continues to think that it\r\nmight be more productive to think of one entity, “Sp1d3rHunters” or some other combination name, recognizing\r\nthat individuals and affiliates will have different roles and approaches that may be utilized in different campaigns.\r\nGrowing/Integration Challenges?\r\nShinyHunters had generally appeared to be a fairly well-controlled operation over the past few years. Since last\r\nyear, however, things seem a little less well-controlled. DataBreaches is aware of at least two incidents where\r\nthings did not go as ShinyHunters wanted. The atypical incidents may be a result of new people being\r\nincorporated or the combination of the two groups.\r\nOne incident involved the second round of extortion in the PowerSchool incident, when some clients of\r\nPowerSchool received extortion demands on May 6 signed “ShinyHunters” and using the same ToxID and BTC\r\nwallet used in the original December extortion of PowerSchool. The attempt made the news quickly, and just as\r\nquickly, it was dropped. At the time, DataBreaches had expressed significant surprise at the attempt because\r\nShinyHunters had never attempted to “double-dip” as far as this blogger knew. ShinyHunters later told\r\nDataBreaches that affiliates had not listened to him and had tried to extort the clients.\r\nA second example is more recent. ShinyHunters contacted DataBreaches this week and told me that despite their\r\nfirm and longstanding prohibition on hitting the healthcare sector, an affiliate who was previously associated with\r\nScattered Spider had dumped a major health insurance firm. 
ShinyHunters gave me the name of the victim, its URL,\r\nand asked me to notify them that they had been hit (it was a Salesforce-related attack). Shiny also gave me the\r\ndates of the dump to facilitate the insurer’s forensics, assured me that the insurance company will not be extorted,\r\nand was taking steps to make sure that the data had been deleted from their server.\r\nShinyHunters’ actions might surprise some people, but they did not surprise me because unlike groups that claim\r\nthey won’t hit the healthcare sector and then do, ShinyHunters has really adhered to the prohibition on hitting the\r\nhealthcare sector.\r\nThat affiliate “has since been removed and will never return. We actually mean this unlike Lockbit,” ShinyHunters\r\ntold me.\r\nIn the meantime, DataBreaches continues to read the perspective of others who continue to try to deal with two\r\nentities as opposed to one combined one. Hopefully one day soon we will all have greater clarity.\r\nSource: https://databreaches.net/2025/08/05/scattered-spider-is-not-quiet-theyre-just-under-another-name-now/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://databreaches.net/2025/08/05/scattered-spider-is-not-quiet-theyre-just-under-another-name-now/"
	],
	"report_names": [
		"scattered-spider-is-not-quiet-theyre-just-under-another-name-now"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701431,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/087dc70ebd1f683f17566d80eb7a5fce036d6570.pdf",
		"text": "https://archive.orkl.eu/087dc70ebd1f683f17566d80eb7a5fce036d6570.txt",
		"img": "https://archive.orkl.eu/087dc70ebd1f683f17566d80eb7a5fce036d6570.jpg"
	}
}