{
	"id": "814f6ec0-fdc9-47eb-9a2a-ec3634719e9b",
	"created_at": "2026-04-06T00:09:18.366566Z",
	"updated_at": "2026-04-10T03:31:49.868253Z",
	"deleted_at": null,
	"sha1_hash": "8086699f78173ab9f776f278c5eaffd0ccee8b9d",
	"title": "SCATTERED SPIDER Escalates Attacks Across Industries | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79559,
	"plain_text": "SCATTERED SPIDER Escalates Attacks Across Industries |\r\nCrowdStrike\r\nBy Counter Adversary Operations\r\nArchived: 2026-04-02 10:59:08 UTC\r\nSCATTERED SPIDER, an eCrime adversary, has recently broadened its target scope to include the aviation\r\nsector, in addition to its established focus on the insurance and retail industries, as observed by CrowdStrike\r\nServices.\r\nThroughout Q2 2025, SCATTERED SPIDER's activities have primarily centered on U.S.-based insurance and\r\nretail entities, along with U.K.-based retail entities. However, incidents in late June 2025, specifically targeting\r\nU.S.-based airlines, demonstrated tactics, techniques, and procedures (TTPs) consistent with the adversary's\r\nprevious operations.\r\nOverview of SCATTERED SPIDER TTPs\r\nThe adversary used help desk voice-based phishing in almost all observed 2025 incidents to compromise\r\nMicrosoft Entra ID, single sign-on (SSO), and virtual desktop infrastructure (VDI) accounts. SCATTERED\r\nSPIDER operators routinely accurately respond to help desk verification questions when impersonating legitimate\r\nemployees in calls made to request password and/or multifactor authentication (MFA) resets.\r\nSCATTERED SPIDER typically pivots from compromised Entra ID, SSO, and VDI accounts to integrated\r\nsoftware-as-a-service (SaaS) applications. 
They use access to these platforms to search for data that may enable\r\nlateral movement (such as network architecture diagrams, VPN instructions, or text files containing credentials),\r\nextortion, or other monetization activity.\r\nBelow are additional TTPs observed in recent SCATTERED SPIDER activity:\r\nConducted Active Directory (AD) reconnaissance on on-premises systems using ADExplorer,\r\nADRecon.ps1, and the Get-ADUser PowerShell (PS) cmdlet\r\nUsed VMware vCenter access to create unmanaged virtual machines (VMs); the adversary often attaches\r\ndomain controller virtual machine disks to their unmanaged VMs, then dumps the AD database ntds.dit on\r\nthese systems\r\nInstalled legitimate protocol-tunneling and proxy tools on VMware vCenter and adversary-controlled VMs,\r\nincluding Chisel (configured to communicate with trycloudflare[.]com subdomains), MobaXterm, ngrok,\r\nPinggy, Rsocx, and Teleport\r\nManually deleted (i.e., HardDelete, SoftDelete, and MoveToDeletedItems operations) and created transport\r\nrules (Set-TransportRule) to delete or redirect emails notifying users of suspicious account activity — in\r\none case, the adversary created a mail transport rule to redirect emails intended for a compromised user to a\r\nlikely adversary-controlled email address with the googlemail[.]com domain\r\nhttps://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks/\r\nPage 1 of 6\n\nUsed S3 Browser to enumerate victims’ Amazon Web Services (AWS) S3 buckets (AWS CloudTrail\r\nevents: ListBuckets and ListObjects) and exfiltrate data to remote adversary-controlled S3 buckets\r\nSCATTERED SPIDER Assessment\r\nSCATTERED SPIDER’s primary goal is deploying ransomware to a victim’s VMware ESXi infrastructure. 
If an\r\nincident is contained prior to ransomware deployment, the adversary often threatens to publicly leak stolen data\r\nand demands a ransom.\r\nThis adversary often targets several organizations within the same sector in a short time frame; however, they\r\ndon’t strictly follow this pattern. For example, CrowdStrike Services responded to one SCATTERED SPIDER\r\nincident targeting a retail entity during the same timeframe the adversary was predominantly targeting insurance\r\nentities.\r\nCommon attack methods for this adversary include: \r\nSocial Engineering: Targeting IT help desk and privileged users through sophisticated phone-based attacks\r\nand impersonation\r\nSIM Swapping and Phone-Based Credential Theft: Compromising mobile phone accounts to bypass\r\nSMS-based MFA\r\nAbuse of Legitimate Remote Access Tools: Leveraging TeamViewer, AnyDesk, and similar tools for\r\npersistent access\r\nVMware Infrastructure Compromise: Targeting vCenter and ESXi environments for ransomware\r\ndeployment\r\nCloud Environment Lateral Movement: Exploiting cloud identity providers and moving laterally\r\nthrough cloud resources\r\nData Exfiltration: Stealing sensitive data before deploying ransomware for double extortion\r\nCommon targets include: \r\nVMware vCenter and ESXi virtualization environments\r\nCloud identity providers (Azure AD/Entra ID, AWS IAM, Google Cloud Identity, Okta)\r\nPrivileged access management systems and administrative accounts\r\nVPN and remote access solutions\r\nBackup and recovery systems\r\nHelp desk and IT support personnel\r\nCrowdStrike Customers: Enable Falcon Platform Features\r\nCrowdStrike customers can maximize detection capabilities, enhance visibility, and improve response times by\r\ndeploying priority log sources, activating correlation rules, and integrating cloud security. 
All of these capabilities\r\nare available in the CrowdStrike Falcon® platform.\r\nFalcon Next-Gen SIEM: Critical Log Source Integration\r\nEndpoint customers will need to enable log ingestion connectors and the parser, so these logs can be ingested into\r\nCrowdStrike Falcon® Next-Gen SIEM to detect compromise.\r\nBelow are the highest priority logs to ingest into Falcon Next-Gen SIEM to detect SCATTERED SPIDER activity.\r\nFor more detailed walkthroughs on Falcon Next-Gen SIEM log parsing, please refer to this blog. \r\nInfrastructure Monitoring (Highest Priority)\r\nVMware vCenter and ESXi: Essential for detecting virtual infrastructure manipulation and unauthorized\r\naccess\r\nFirewall Logs: Critical for identifying network-based attack patterns and lateral movement\r\nDNS Logs: Vital for detecting command-and-control communications and data exfiltration attempts\r\nWeb Proxy Logs: Monitor for suspicious web traffic and potential data exfiltration\r\nIdentity and Authentication Systems\r\nSSO Platforms: Track authentication anomalies and suspicious login patterns\r\nEntra ID Sign-on and Audit Logs: Monitor for identity-based attacks and privilege escalation attempts\r\nPAM Applications: Detect unauthorized privileged access and credential misuse\r\nCloud and SaaS Applications\r\nAWS CloudTrail, Google Cloud, Azure Activity Logs: Monitor cloud resource manipulation and\r\nconfiguration changes\r\nCritical SaaS Applications: Monitor SaaS applications for application-level threat detection\r\nDeploy Critical Correlation Rule Templates \r\nCorrelation rule templates (CRTs) are critical to increase monitoring and detection posture. Once logs have been\r\ningested into Falcon Next-Gen SIEM, the following CRTs will help detect anomalous behavior. \r\nVMware Infrastructure Protection\r\nEssential rules for virtual environment security:\r\n1. 
VMware - vCenter - Virtual Machine Created with Recently Uploaded ISO\r\n2. VMware - vCenter - Sensitive Resource Search\r\n3. VMware - ESXi - Successful Login to the ESXi Host Client Web Administration Interface\r\n4. VMware - ESXi - New IP for SSH Login Detected\r\n5. VMware - ESXi - SFTP Server Enabled\r\nEntra ID Identity Protection\r\nCritical Identity Security Rules:\r\n1. Microsoft - Entra ID - Risky Sign-in\r\n2. Microsoft - Entra ID - Admin Deleted MFA Authentication Method\r\n3. Microsoft - Entra ID - Bulk Download User List\r\n4. Microsoft - Entra ID - Temporary Access Pass Added to User Account\r\n5. Microsoft - Entra ID - Global Administrator Role Assigned\r\nFalcon Shield: Priority Integration Deployment\r\nCrowdStrike Falcon® Shield is our cloud application security module that provides visibility and threat detection\r\nacross SaaS and cloud platforms. CrowdStrike provides multiple High and Medium severity alerts out of the box,\r\nwhich are helpful for detecting these types of attacks.\r\nCustomers should also increase Falcon Shield integrations and detection capabilities for automated continuous\r\ndetection. 
Integrations with the below list of applications should be prioritized.\r\nCore SaaS Applications\r\nMicrosoft 365 Suite: Exchange, SharePoint, OneDrive, Teams for comprehensive cloud application\r\nmonitoring\r\nMicrosoft Defender: Enhanced integration for security event correlation\r\nGoogle Workspace: Complete visibility into Google Cloud activities\r\nSecurity Platform Integration\r\nEnhanced Falcon Integration: Maximize native CrowdStrike detection capabilities\r\nZscaler Cloud Security: Monitor secure web gateway and cloud access security broker activities\r\nCyberArk PAM: Comprehensive privileged access monitoring and threat detection\r\nBusiness-Critical Applications\r\nSnowflake Data Platform: Monitor for unauthorized data access and exfiltration attempts\r\nWorkday HR Systems: Detect suspicious employee data access and modifications\r\nGitHub Repositories: Monitor code repository access and potential intellectual property theft\r\nConfluence: Monitor for suspicious query and searching activity\r\nSalesforce: Track suspicious activities in collaboration and CRM platforms\r\nFalcon Cloud Security: Comprehensive Cloud Visibility\r\nRegistering cloud tenants into CrowdStrike Falcon® Cloud Security also allows for monitoring of suspicious\r\nactivity and rogue cloud asset creation within cloud environments. Falcon Cloud Security enables real-time\r\nvisibility of cloud management and authentication platforms including Entra ID, which allows for rapid\r\ncorrelation rule creation.\r\nWith Falcon Cloud Security enabled, it is recommended to deploy the VMware Asset Inventory Collector to all\r\nvCenter devices. 
This allows organizations to monitor for unmanaged and rogue virtual machine creation.\r\nCloud Tenant Registration\r\nRegister all AWS, Azure, and Google Cloud tenants for real-time cloud management activity monitoring\r\nEnable automated alerting for suspicious cloud resource creation and configuration changes\r\nImplement continuous compliance monitoring across all cloud environments\r\nVMware Asset Inventory Collector Deployment\r\nDeploy collectors to all vCenter devices for complete virtual infrastructure visibility\r\nMonitor for unmanaged and rogue virtual machine creation\r\nTrack virtual infrastructure changes and detect unauthorized modifications\r\nImplement automated asset discovery and classification for comprehensive inventory management\r\nProactive Hardening and Monitoring Improvements\r\nThese are some of the proactive monitoring and employee best practices enterprises must enable to watch for\r\nattacks such as SCATTERED SPIDER.\r\nIdentity Protection\r\nDeploy phishing-resistant MFA (no SMS) and isolate privileged accounts\r\nStrengthen password reset processes and limit help desk MFA enrollment\r\nDetection and Monitoring\r\nTrack authentication anomalies, administrative actions, and network traffic to critical systems\r\nEnable comprehensive logging and behavioral analytics\r\nMonitor for anomalous application usage, suspicious search terms, and unusual data access patterns\r\nInfrastructure Security\r\nSecure VMware environments, segment networks, and block unauthorized tools\r\nApply least privilege in cloud environments and disable legacy authentication\r\nIncident Readiness\r\nMaintain isolated backups, develop response playbooks, and conduct regular assessments\r\nTrain IT/help desk staff on social engineering threats\r\nConclusion\r\nThis comprehensive approach leverages CrowdStrike Falcon platform capabilities while 
implementing\r\nfundamental security hardening measures to significantly reduce organizations’ exposure to SCATTERED\r\nSPIDER and similar advanced threat actors. The Falcon platform’s precise technical controls and robust security\r\ncapabilities provide defense-in-depth against sophisticated social engineering and infrastructure compromise\r\nattacks.\r\nAdditional Resources\r\nCheck out this upcoming webinar: Advanced Threat Hunting to Track SCATTERED SPIDER: How to Hunt\r\nSophisticated Adversaries in Third-Party Data\r\nSaaS Threat Simulation: Detecting and Stopping SCATTERED SPIDER\r\nHands-on Workshop: From Login to Lockdown: Stop Identity Breaches from SCATTERED SPIDER\r\nLearn more about how Falcon Next-Gen SIEM protects enterprises from threats targeting VMware\r\nvCenter.\r\nSource: https://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks/"
	],
	"report_names": [
		"crowdstrike-services-observes-scattered-spider-escalate-attacks"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434158,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8086699f78173ab9f776f278c5eaffd0ccee8b9d.pdf",
		"text": "https://archive.orkl.eu/8086699f78173ab9f776f278c5eaffd0ccee8b9d.txt",
		"img": "https://archive.orkl.eu/8086699f78173ab9f776f278c5eaffd0ccee8b9d.jpg"
	}
}