{
	"id": "06e84049-bd89-43ff-8f82-4db132c1dbe7",
	"created_at": "2026-04-06T00:10:41.80795Z",
	"updated_at": "2026-04-10T03:31:49.983988Z",
	"deleted_at": null,
	"sha1_hash": "1c298000241af86f9aedbc9e6ea07c2334da8943",
	"title": "Scattered Spider: Rapid7 Insights, Observations, and Recommendations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71297,
	"plain_text": "Scattered Spider: Rapid7 Insights, Observations, and\r\nRecommendations\r\nBy Rapid7 Labs\r\nPublished: 2025-07-03 · Archived: 2026-04-05 22:04:20 UTC\r\nOverview of Scattered Spider and recent activity\r\nScattered Spider (also tracked as UNC3944, Scatter Swine, Muddled Libra, among other aliases) is a financially\r\nmotivated cybercriminal group active since at least May 2022. The group is notorious for targeting large\r\nenterprises — especially telecommunications, outsourcing firms, cloud/tech companies, and more recently, retail,\r\nfinance, and the airline sector — often by exploiting IT help desks via social engineering. \r\nIncidents taking place in the past few months — including high-profile breaches of UK retailers and airlines —\r\ndemonstrate that Scattered Spider continues to refine its tactics and broaden its targets. Based on this escalation,\r\nwe recommend practitioners become more familiar with their tactics and increase their vigilance by implementing\r\ndefense best practices. \r\nBelow, we outline the group’s known tactics, techniques, and procedures (TTPs), highlight novel elements\r\nobserved in a recent case, and provide defensive recommendations.\r\nTactics, techniques, and procedures (TTPs)\r\nOver the years, Scattered Spider has evolved from primarily conducting phishing and SIM-swapping campaigns\r\ntargeting telecom and tech firms to executing full-spectrum, multi-stage intrusions across cloud and on-prem\r\nenvironments. Their tactics have matured to include sophisticated help desk impersonation, exploitation of\r\nidentity infrastructure, abuse of legitimate tools like AWS Session Manager and Teleport for persistence, and even\r\ndefense evasion via bring-your-own-vulnerable-driver (BYOVD) techniques. 
Despite arrests, the group remains\r\nactive and adaptive, expanding targets and tactics while maintaining its core identity-focused attack strategy.\r\nScattered Spider’s operations typically involve data theft for extortion and sometimes ransomware deployment in\r\ncollaboration with groups like ALPHV/BlackCat. \r\nInitial access via social engineering (phishing/vishing)\r\nScattered Spider is an expert in social engineering, relying on human deception to gain initial access. Common\r\ntechniques include phishing emails/SMS and phone-based attacks (vishing). Notably, the group often\r\nimpersonates company IT staff or help desk personnel in calls or texts to trick employees into revealing\r\ncredentials or performing unsafe actions. \r\nFor example, Scattered Spider actors have:\r\nhttps://www.rapid7.com/blog/post/scattered-spider-rapid7-insights-observations-and-recommendations/\r\nPage 1 of 6\n\nPhished for credentials and MFA codes via fake login pages or real-time interception of one-time\r\npasswords. (This aligns with MITRE ATT\u0026CK techniques Phishing (T1566) and Phishing for Information\r\n(T1598)).\r\nPosed as IT support via phone/SMS to convince victims to share their multi-factor authentication code or\r\nto install remote access software, granting the attacker a foothold. (Related ATT\u0026CK: User Execution of\r\nMalicious Tools – T1204; Remote Access Software – T1219).\r\nMFA fatigue “push bombing” — sending repeated MFA requests to prompt a user to accept out of\r\nannoyance — to defeat MFA protections (ATT\u0026CK: T1621 – Multi-factor Abuse).\r\nSIM swapping to hijack a target’s phone number (and thereby intercept MFA SMS codes).\r\nA hallmark of Scattered Spider’s initial access is the help desk scam. The attacker calls an organization’s IT help\r\ndesk, armed with personal details of an employee (often scraped from sources like LinkedIn), and impersonates\r\nthat user with a convincing backstory. 
The goal is to persuade the help desk to reset the user’s password and/or\r\nMFA device, thus handing control of the account to the attacker. By targeting high-privilege or sensitive accounts\r\nfor these resets, Scattered Spider often sidesteps the need for traditional privilege escalation — they start with the\r\nkeys to the kingdom.\r\nPersistence and remote access tools\r\nOnce inside a network or cloud environment, Scattered Spider establishes persistence using legitimate remote\r\nadministration tools. The group has shown a preference for commercial remote monitoring and management\r\n(RMM) tools and remote desktop software, repurposing them as backdoors. According to the FBI/CISA, they\r\nhave been observed using tools like TeamViewer, ScreenConnect (ConnectWise Control), Splashtop, AnyDesk,\r\nNgrok tunnels, FleetDeck, and more. These legitimate tools enable stealthy remote access since they blend in with\r\nIT usage (ATT\u0026CK T1219 – Remote Access Software). In past cases, Scattered Spider also leveraged VPN\r\nclients and even built-in OS features to maintain access. For example, they have used Windows Scheduled Tasks\r\nfor persistence (ATT\u0026CK T1053), as well as created new accounts or used stolen valid accounts (ATT\u0026CK\r\nT1078) to ensure continued access.\r\nA novel persistence mechanism Rapid7 observed in an incident was the use of Teleport, an infrastructure access\r\nplatform not previously associated with this group. After obtaining admin-level cloud access, the attacker installed\r\na Teleport agent on compromised Amazon EC2 servers to establish a persistent remote command-and-control (C2)\r\nchannel. Teleport is a legitimate open-source tool for managing remote infrastructure, but here it was co-opted for\r\nmalicious purposes. This effectively gave the attacker persistent remote shell access to those cloud servers even if\r\ntheir initial user credentials or VPN access were revoked. 
The use of Teleport indicates Scattered Spider’s\r\nadaptability in using new tools for persistence and command-and-control. By using standard administrative\r\nsoftware, they reduce the chance of detection by security tools that might flag custom malware.\r\nLateral movement and cloud techniques\r\nScattered Spider’s operations often span both cloud and on-premises environments. Once initial access is gained\r\n(for instance, via a compromised user account), the group performs extensive reconnaissance and lateral\r\nmovement to expand their foothold:\r\nCloud environment enumeration: Systematically listing EC2 instances and querying IAM instance\r\nprofiles via AWS API calls. Such information could allow the attacker to assume roles or find trust\r\nrelationships to pivot further (mapping to ATT\u0026CK T1526 – Cloud Service Discovery). These techniques\r\nillustrate Scattered Spider’s competence in abusing cloud management tools for lateral movement\r\n(ATT\u0026CK T1563.002 – Remote Services: Cloud Management Console). The use of built-in cloud tools\r\n(SSM, console) allows the attackers to move within a victim’s cloud environment without deploying\r\ncustom malware.\r\nOn-premises lateral movement: When Scattered Spider pivots into corporate networks (often after\r\nobtaining VPN or Okta access through stolen credentials), they employ standard internal tactics. They have\r\nbeen observed using Windows Remote Desktop (RDP) and SMB (PsExec) to move between machines\r\n(ATT\u0026CK T1021 and T1569.002). With any harvested or high-privilege credentials, Scattered Spider will\r\ntry to move laterally and escalate privileges — for instance, attempting to RDP into additional servers or\r\nusing admin shares via PsExec. 
This on-prem activity aligns with many MITRE ATT\u0026CK techniques, such\r\nas Credential Dumping (T1003) and Internal Reconnaissance (T1016). Importantly, Scattered Spider’s\r\ninitial social engineering often gives them elevated access from the start, but they still perform internal\r\nrecon to identify valuable systems (databases, file servers, etc.) and to ensure they maintain access via\r\nmultiple pathways.\r\nTools, malware, and evasion techniques\r\nUnlike nation-state APTs, Scattered Spider largely relies on off-the-shelf tools and living-off-the-land techniques\r\nrather than custom malware. Their toolkit includes:\r\nLegitimate administrative tools for remote access and persistence (as noted, TeamViewer, AnyDesk,\r\nConnectWise, Teleport, etc.). These don’t trigger antivirus and provide full interactive control.\r\nCredential theft tools like Mimikatz (for extracting Windows passwords and hashes). Dumping\r\ncredentials allows them to pivot and possibly achieve domain administrator privileges if not already\r\nobtained.\r\nCustom exploit tools: The group has exploited known vulnerabilities to broaden access. For example,\r\nScattered Spider has been linked to exploitation of CVE-2021-35464 (ForgeRock AM) to achieve remote\r\ncode execution in a victim’s AWS-hosted identity service, and even legacy bugs like CVE-2015-2291 in\r\nIntel driver software to run code in kernel mode. They are adept at identifying and abusing\r\nmisconfigurations or unpatched systems to advance their attack (ATT\u0026CK T1190 – Exploit Public-Facing\r\nApplication).\r\nDefense evasion via BYOVD: A particularly advanced tactic in Scattered Spider’s playbook is using\r\nmalicious or vulnerable drivers to disable security software. They have deployed a toolkit known as\r\nSTONESTOP and POORTRY, which involves a userland loader (STONESTOP) installing a malicious\r\nsigned driver (POORTRY) to kill processes like endpoint protection agents. 
By using a Microsoft-signed\r\nvulnerable driver (the BYOVD technique), they bypass driver signature enforcement and terminate\r\nantivirus/EDR services. This tactic (ATT\u0026CK T1562.001 – Disable or Modify Tools) allows the group to\r\noperate without detection during critical phases of the attack, such as data exfiltration or ransomware\r\ndeployment.\r\nExtortion and ransomware: Scattered Spider’s end goals are typically data theft and extortion. In some\r\nintrusions, they have partnered with or acted as affiliates of ransomware gangs. The group has been\r\nassociated with ALPHV/BlackCat ransomware deployments and more recently with the DragonForce\r\nransomware (as seen in the 2025 attacks on UK retailers). Even when ransomware is used, the emphasis is\r\noften on exfiltrating sensitive data first — enabling the attackers to threaten leaks for payment (a double\r\nextortion approach). If the victim refuses to pay, the impact can be severe: for example, in the MGM\r\nResorts casino attack of 2023 (attributed to Scattered Spider), the hackers stole ~6 TB of data and caused\r\nwide-scale IT outages, reportedly costing the company $100M+ in damages.\r\nDefensive best practices and recommendations\r\nDefending against Scattered Spider requires a combination of hardened identity security, vigilant monitoring, and\r\nuser awareness. Given this group’s reliance on tricking humans and abusing legitimate tools, enterprises should\r\nadopt a defense-in-depth approach focusing on both preventive controls and detective measures. Key\r\nrecommendations include:\r\nStrengthen help desk and account recovery processes: Since help/service desks are a prime target,\r\nimplement strict verification for password resets and MFA resets. For high-privilege accounts, require\r\nmulti-factor or multi-person approval for any credential reset or new device enrollment. 
Consider requiring\r\nthe user to show up in person or via a verified video call for critical account resets, rather than relying on\r\nphone/email requests. Establish clear procedures so that help desk personnel know to verify the requester’s\r\nidentity out-of-band (e.g. calling back a known number on file) and to be wary of urgent pleas or unusual\r\nrequests. Regularly train help desk staff to recognize social engineering red flags (e.g. callers pressing for\r\nquick reset due to an “emergency”). Additionally, limit which support staff can reset admin-level accounts\r\nand log all such actions with management oversight.\r\nImplement phishing-resistant MFA and monitor MFA changes: Ensure that all user accounts, especially\r\nadministrators, use strong MFA methods (FIDO2 security keys or app-based OTP with number matching)\r\nthat are less prone to social engineering. Educate users never to approve MFA prompts they did not initiate.\r\nDeploy MFA push notification protection (such as number matching or limiting push attempts) to counter\r\nMFA fatigue attacks. Monitor for unusual patterns like multiple MFA reset requests or device re-enrollments, and consider temporarily suspending self-service resets if suspicious activity is detected.\r\nQuick detection of an account takeover — for instance, seeing a new device added for MFA or an IP\r\ngeolocation anomaly — can allow security teams to intervene before the attacker pivots further.\r\nCloud security and monitoring: Since Scattered Spider is cloud-fluent, lock down cloud management\r\npathways. For AWS, restrict the use of Systems Manager Session Manager and the EC2 Serial Console to\r\nonly authorized admin users; generate alerts if these are used from unusual IPs or by new users. Monitor\r\ncloud audit logs (AWS CloudTrail, Azure AD logs, etc.) for signs of intrusions — e.g. a spike in\r\nGetInstanceProfile or IAM role enumeration calls, or a new IAM user creation that wasn’t planned. 
Use\r\nbehavior analytics to detect when a normally low-privilege user begins performing admin-level actions in\r\ncloud accounts (which could indicate compromise). Employ the principle of least privilege for cloud roles:\r\nensure that an Okta/SSO user account that gets compromised cannot by itself administer the entire cloud\r\nenvironment. For instance, separate high-level cloud admin accounts that are not integrated with regular\r\nSSO, and protect them with extra safeguards.\r\nEndpoint and network monitoring: Deploy robust Endpoint Detection and Response (EDR) on servers\r\nand workstations to catch suspicious behavior (though keep in mind Scattered Spider’s ability to disable\r\nsome EDRs via BYOVD). Enable features like Windows Driver Blocklist or Hypervisor-Protected Code\r\nIntegrity (HVCI) to mitigate vulnerable driver attacks, which can stop tools like POORTRY from\r\nfunctioning. Monitor for common post-compromise tools and behaviors: for example, sudden use of\r\nPsExec, Mimikatz, or tools launching from temp directories should raise alerts. Network monitoring can\r\nalso help — e.g. detect new outbound connections to uncommon hosts (such as an IP or domain like\r\nteleport.sh if your environment doesn’t normally use Teleport) or large data transfers that might indicate\r\nexfiltration. Keep system logs for authentication, process creation, and network connections centralized\r\nand analyzed for anomalies (failed login sprees, new services installed, etc.).\r\nLimit and audit remote administration tools: Create an inventory of approved remote access tools in\r\nyour enterprise. Block or tightly control the installation of any remote administration software outside this\r\nlist (for example, if your IT uses TeamViewer, then block others like AnyDesk or Teleport by policy). 
At\r\nminimum, enable alerts when such tools are executed or when new services (like a Teleport service or\r\nScreenConnect client) are installed on servers. Legitimate tools used maliciously often leave some trace —\r\ne.g. an unexpected listening port, a new Windows service, or an outbound connection to a non-corporate\r\nserver. Regularly audit administrative accounts and sessions; if an IT admin is remotely logging in at odd\r\nhours or from foreign IPs, verify it’s legitimate.\r\nIdentity hygiene and least privilege: Given Scattered Spider’s focus on abusing credentials, ensure your\r\nidentity and access management is robust. Use unique accounts for high-privilege tasks (no employees\r\nshould use their day-to-day account for domain admin or cloud admin roles). Implement just-in-time\r\nelevation for sensitive roles so that even if an account is compromised, the attacker cannot immediately\r\nescalate without an approved request. Regularly review user access rights, and disable or remove\r\nunnecessary privileged accounts (including contractor or helpdesk accounts that can reset credentials). \r\nBackup and response plan: Finally, prepare for the worst-case scenario of ransomware or extortion.\r\nMaintain offline, encrypted backups of critical data and regularly test your restore procedures. Develop an\r\nincident response plan specifically for identity breaches, since Scattered Spider-type incidents move\r\nquickly from a single account compromise to full domain or domain-admin compromise. This plan should include\r\nsteps like rapidly invalidating all active sessions and tokens (to kick the attackers out), forcing enterprise-wide password resets, temporarily locking down help desk password resets, and engaging incident\r\nresponse teams. 
Exercise this plan in drills (and include scenarios like a rogue VPN or cloud session\r\npopping up) to ensure your team can react swiftly when an attack is in progress.\r\nBy combining these measures, organizations can significantly reduce the risk of a Scattered Spider intrusion or\r\nlimit its impact. This group’s techniques, while sophisticated in execution, often exploit lapses in basic security\r\npractices — such as over-reliance on help desk identity proofing, or unmonitored use of admin tools.\r\nStrengthening those areas, along with user education and modern authentication controls, provides a strong\r\ndefense against Scattered Spider’s blend of social engineering and technical prowess.\r\nSource: https://www.rapid7.com/blog/post/scattered-spider-rapid7-insights-observations-and-recommendations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.rapid7.com/blog/post/scattered-spider-rapid7-insights-observations-and-recommendations/"
	],
	"report_names": [
		"scattered-spider-rapid7-insights-observations-and-recommendations"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434241,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c298000241af86f9aedbc9e6ea07c2334da8943.pdf",
		"text": "https://archive.orkl.eu/1c298000241af86f9aedbc9e6ea07c2334da8943.txt",
		"img": "https://archive.orkl.eu/1c298000241af86f9aedbc9e6ea07c2334da8943.jpg"
	}
}