{
	"id": "c7d8c363-f126-4bef-a1ce-a46b29df6514",
	"created_at": "2026-04-06T00:10:53.751982Z",
	"updated_at": "2026-04-10T13:12:19.809205Z",
	"deleted_at": null,
	"sha1_hash": "4fabd146fbacc9703c7efad91329e8e06340159a",
	"title": "Ex-NSA bad-guy hunter listened to Scattered Spider's fake help-desk calls: 'Those guys are good'",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46105,
	"plain_text": "Ex-NSA bad-guy hunter listened to Scattered Spider's fake help-desk calls: 'Those guys are good'\r\nBy Jessica Lyons\r\nPublished: 2025-05-18 · Archived: 2026-04-05 13:24:20 UTC\r\nINTERVIEW The call came into the help desk at a large US retailer. An employee had been locked out of their corporate accounts.\r\nBut the caller wasn't actually a company employee. He was a Scattered Spider criminal trying to break into the retailer's systems - and he was really good, according to Jon DiMaggio, a former NSA analyst who now works as a chief security strategist at Analyst1.\r\nScattered Spider is a cyber gang linked to SIM swapping, fake IT calls, and ransomware crews like ALPHV. They've breached big names like MGM and Caesars, and despite arrests, keep evolving. They're tracked by Mandiant as UNC3944, also known as Octo Tempest.\r\nDiMaggio listened in on this call, which was one of the group's recent attempts to infiltrate American retail organizations after hitting multiple UK-based shops. He won't name the company, other than to say it's a \"big US retail organization.\" This attempt did not end with a successful ransomware infection or stolen data.\r\n\"But I got to listen to the phone calls, and those guys are good,\" DiMaggio told The Register. \"It sounded legit, and they had information to make them sound like real employees.\"\r\nScattered Spider gave the help desk the employee's ID and email address. DiMaggio said he suspected the caller first social-engineered the employee to obtain this data, \"but that is an assumption.\"\r\n\"The caller had all of their information: employee ID numbers, when they started working there, where they worked and resided,\" DiMaggio said. \"They were calling from a number that was in the right demographic, they were well-spoken in English, they looked and felt real. They knew a lot about the company, so it's very difficult to flag these things. When these guys do it, they're good at what they do.\"\r\nLuckily, the target was a big company with a big security budget, and it employs several former government and law enforcement infosec officials, including criminal-behavior experts, on its team. But not every organization has this type of staffing or resources to ward off these types of attacks where the would-be intruders are trying to break in from every access point.\r\nThey are resourceful, they're smart, they're fast\r\n\"They are resourceful, they're smart, they're fast,\" Mandiant CTO Charles Carmakal told The Register.\r\n\"One of the challenges that defenders have is: it's not the shortage of network alerts,\" he added. \"You know when Scattered Spider is targeting a company because people are calling the help desk and trying to reset passwords.\r\nhttps://www.theregister.com/2025/05/18/ex_nsa_scattered_spider_call/\r\nPage 1 of 2\r\nThey are running tools across an enterprise that will fire off on antivirus signatures and EDR alerts, tons and tons and tons of alerts. They operate at a speed that can be hard to defend against.\"\r\nIn this case, sometimes the best option — albeit a painful one — is for the organization to break its own IT systems before the criminals do.\r\nCo-op pulled its own plug\r\nThis appears to have been the case with British retailer Co-op, which pulled its systems offline before Scattered Spider could encrypt its files and move throughout its networks.\r\n\"Following the malicious third-party cyber-attack, we took early and decisive action to restrict access to our systems in order to protect our Co-op,\" a spokesperson told The Register. \"We are now in the recovery phase and are taking steps to bring our systems gradually back online in a safe and controlled manner.\"\r\nThe outfit said customers will see \"improved stock availability in our food stores and online\" beginning this weekend, and added it is \"working closely\" with suppliers to restock its brick-and-mortar stores.\r\nAll payment forms and systems are now up and running across the business, we're told. ®\r\nSource: https://www.theregister.com/2025/05/18/ex_nsa_scattered_spider_call/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.theregister.com/2025/05/18/ex_nsa_scattered_spider_call/"
	],
	"report_names": [
		"ex_nsa_scattered_spider_call"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434253,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fabd146fbacc9703c7efad91329e8e06340159a.pdf",
		"text": "https://archive.orkl.eu/4fabd146fbacc9703c7efad91329e8e06340159a.txt",
		"img": "https://archive.orkl.eu/4fabd146fbacc9703c7efad91329e8e06340159a.jpg"
	}
}