{ "id": "213713c5-5805-4bbe-8b5c-9ecfca651d89", "created_at": "2026-04-06T00:21:37.242395Z", "updated_at": "2026-04-10T03:31:49.894254Z", "deleted_at": null, "sha1_hash": "37231b7e1c1f49d99d8ea6a673ad7342d2410cea", "title": "'Scattered Spider' Behind MGM Cyberattack, Targets Casinos", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1260218, "plain_text": "'Scattered Spider' Behind MGM Cyberattack, Targets Casinos\r\nBy Becky Bracken\r\nPublished: 2023-09-14 · Archived: 2026-04-05 20:12:52 UTC\r\nSource: Tim Plowden via Alamy Stock Photo\r\nA threat group called \"Scattered Spider\" is reportedly behind the Sept. 10 MGM Resorts cyberattack, which days\r\nlater is still keeping systems offline across the conglomerate's more than 30 hotels and casinos scattered around\r\nthe globe.\r\nAccording to a Reuters report that attributes the attack, citing sources familiar with the matter, the Scattered\r\nSpider ransomware group is believed to be made up of young adults in the US and UK. The group is known for\r\nusing social engineering schemes to trick users into handing over their login credentials and is tracked as an\r\naffiliate for the BlackCat/ALPHV ransomware.\r\nScattered Spider also recently targeted Caesars Entertainment, which paid tens of millions in ransom to the\r\ncyberattackers, according to Bloomberg, which added that Caesars is expected to submit a required SEC\r\nregulatory filing in the coming days with more details on the attack. The group began targeting Caesars in late\r\nAugust, sources said.\r\nhttps://www.darkreading.com/attacks-breaches/-scattered-spider-mgm-cyberattack-casinos\r\nPage 1 of 2\n\n\"Scattered Spider (aka Roasted 0ktapus, UNC3944) leverages a combination of credential phishing and social\r\nengineering to capture one-time-password (OTP) codes, or it overwhelms targets using multifactor authentication\r\n(MFA) notification fatigue tactics,” according to a CrowdStrike report on the cybercrime group from January.\r\n“Having obtained access, the adversary avoids using unique malware, instead favoring a wide range of legitimate\r\nremote management tools to maintain persistent access.”\r\nIn the meantime, MGM Resorts websites remain down, and the investigation into the breach is ongoing.\r\nAbout the Author\r\nSenior Editor, Dark Reading\r\nBecky Bracken is a senior editor with Dark Reading who brings decades of journalism experience across, radio,\r\nprint, online and video channels. Becky lends her particular voice and cybersecurity expertise to the Dark Reading\r\nConfidential podcast as the host and producer, and moderates the Dark Reading editorial webinars. In addition,\r\nshe oversees the site's Commentary section, hosts Dark Reading's Black Hat News Desk, and contributes regularly\r\nas a writer and reporter. Prior to joining Dark Reading, Becky covered cybersecurity and hosted webinars for\r\nThreatpost. Other national media outlets she has contributed to include PBS, SheKnows, Complex, and more. \r\nSource: https://www.darkreading.com/attacks-breaches/-scattered-spider-mgm-cyberattack-casinos\r\nhttps://www.darkreading.com/attacks-breaches/-scattered-spider-mgm-cyberattack-casinos\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.darkreading.com/attacks-breaches/-scattered-spider-mgm-cyberattack-casinos" ], "report_names": [ "-scattered-spider-mgm-cyberattack-casinos" ], "threat_actors": [ { "id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8", "created_at": "2023-06-23T02:04:34.386651Z", "updated_at": "2026-04-10T02:00:04.772256Z", "deleted_at": null, "main_name": "Muddled Libra", "aliases": [ "0ktapus", "Scatter Swine", "Scattered Spider" ], "source_name": "ETDA:Muddled Libra", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c", "created_at": "2023-11-01T02:01:06.643737Z", "updated_at": "2026-04-10T02:00:05.340198Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "Scattered Spider", "Roasted 0ktapus", "Octo Tempest", "Storm-0875", "UNC3944" ], "source_name": "MITRE:Scattered Spider", "tools": [ "WarzoneRAT", "Rclone", "LaZagne", "Mimikatz", "Raccoon Stealer", "ngrok", "BlackCat", "ConnectWise" ], "source_id": "MITRE", "reports": null }, { "id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0", "created_at": "2023-10-03T02:00:08.510742Z", "updated_at": "2026-04-10T02:00:03.374705Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "UNC3944", "Scattered Swine", "Octo Tempest", "DEV-0971", "Starfraud", "Muddled Libra", "Oktapus", "Scatter Swine", "0ktapus", "Storm-0971" ], "source_name": "MISPGALAXY:Scattered Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null }, { "id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9", "created_at": "2023-10-14T02:03:13.99057Z", "updated_at": "2026-04-10T02:00:04.531987Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "0ktapus", "LUCR-3", "Muddled Libra", "Octo Tempest", "Scatter Swine", "Scattered Spider", "Star Fraud", "Storm-0875", "UNC3944" ], "source_name": "ETDA:Scattered Spider", "tools": [ "ADRecon", "AnyDesk", "ConnectWise", "DCSync", "FiveTran", "FleetDeck", "Govmomi", "Hekatomb", "Impacket", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Lumma Stealer", "LummaC2", "Mimikatz", "Ngrok", "PingCastle", "ProcDump", "PsExec", "Pulseway", "Pure Storage FlashArray", "Pure Storage FlashArray PowerShell SDK", "RedLine Stealer", "Rsocx", "RustDesk", "ScreenConnect", "SharpHound", "Socat", "Spidey Bot", "Splashtop", "Stealc", "TacticalRMM", "Tailscale", "TightVNC", "VIDAR", "Vidar Stealer", "WinRAR", "WsTunnel", "gosecretsdump" ], "source_id": "ETDA", "reports": null }, { "id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824", "created_at": "2024-06-19T02:03:08.062614Z", "updated_at": "2026-04-10T02:00:03.655475Z", "deleted_at": null, "main_name": "GOLD HARVEST", "aliases": [ "Octo Tempest ", "Roasted 0ktapus ", "Scatter Swine ", "Scattered Spider ", "UNC3944 " ], "source_name": "Secureworks:GOLD HARVEST", "tools": [ "AnyDesk", "ConnectWise Control", "Logmein" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434897, "ts_updated_at": 1775791909, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/37231b7e1c1f49d99d8ea6a673ad7342d2410cea.pdf", "text": "https://archive.orkl.eu/37231b7e1c1f49d99d8ea6a673ad7342d2410cea.txt", "img": "https://archive.orkl.eu/37231b7e1c1f49d99d8ea6a673ad7342d2410cea.jpg" } }