{
	"id": "22fa2997-fbfa-4c23-8745-0cfac82da15d",
	"created_at": "2026-04-06T00:15:22.817062Z",
	"updated_at": "2026-04-10T03:31:49.947477Z",
	"deleted_at": null,
	"sha1_hash": "94fbb6659acd5092c44b7264bd187f3462415c0b",
	"title": "LUCR-3: Scattered Spider Getting SaaS-y in the Cloud",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 785089,
	"plain_text": "LUCR-3: Scattered Spider Getting SaaS-y in the Cloud\r\nBy Ian Ahl\r\nPublished: 2023-09-20 · Archived: 2026-04-05 18:44:55 UTC\r\nCredits: Wilma Miranda\r\nSummary\r\nLUCR-3 overlaps with groups such as Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a\r\nfinancially motivated attacker that leverages the Identity Provider (IDP) as initial access into an environment with\r\nthe goal of stealing Intellectual Property (IP) for extortion. LUCR-3 targets Fortune 2000 companies across\r\nvarious sectors including, but not limited to, Software, Retail, Hospitality, Manufacturing, and Telecoms.\r\nhttps://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud\r\nPage 1 of 9\n\nLUCR-3 does not rely heavily on malware or even scripts; instead LUCR-3 expertly uses victims' own tools,\r\napplications, and resources to achieve their goals. At a high level, Initial Access is gained through compromising\r\nexisting identities in the IDP (Okta: Identity Cloud, Azure AD / Entra, Ping Identity: PingOne). LUCR-3 uses\r\nSaaS applications such as document portals, ticketing systems, and chat applications to learn how the victim\r\norganization operates and how to access sensitive information. Using the data they gained from reconnaissance\r\nwithin the SaaS applications, they then carry out their mission of data theft. Data theft is typically focused on IP,\r\nCode Signing Certificates, and customer data.\r\nAttacker Attributes\r\nHighlights\r\nLUCR-3 attribution is difficult. Many of us in the Cyber Intelligence community have even begun to track\r\nthe individual personas separately. Further confusing attribution, some LUCR-3 personas appear to be\r\naffiliates of ALPHV with access to deploy BlackCat ransomware.\r\nMuch like LUCR-1 (GUI-Vil), LUCR-3 tooling, especially in Cloud, SaaS, and CI/CD, consists mostly of web\r\nbrowsers and some GUI utilities such as S3 Browser. 
They leverage the native features of applications, just\r\nas any employee would, to carry out their goal.\r\nLUCR-3 heavily targets the IDPs for Initial Access, buying credentials from common marketplaces and\r\nbypassing MFA via SIM swapping, social engineering and push fatigue.\r\nLUCR-3 does their homework on their initial access victims, choosing identities that will have elevated\r\nprivileges and even ensuring they source from a similar geolocation as their victim identities to avoid\r\nimpossible travel (geo disparity) alerts.\r\nLUCR-3 will utilize the victim organization's software deployment solutions, such as SCCM, to deploy\r\nspecified software to target systems.\r\nMission\r\nLUCR-3 is a financially motivated threat actor that steals sensitive data (IP, customer data, code\r\nsigning certificates) to attempt extortion. While extortion demands do vary, they are often in the tens of millions\r\nof dollars. Some personas within LUCR-3 will collaborate with ALPHV to carry out the extortion phase of\r\nthe attack.\r\nTooling\r\nLUCR-3 utilizes mostly Windows 10 systems running GUI utilities to carry out their mission in the cloud. Using\r\nthe native features of SaaS applications such as search, LUCR-3 is able to navigate through an organization\r\nwithout raising any alarms. In AWS the threat actor routinely leverages S3 Browser (version 10.9.9) and the AWS\r\nManagement Console (via a web browser). LUCR-3 utilizes AWS CloudShell within the AWS Management\r\nConsole to carry out any activity that requires direct interaction with the AWS API.\r\nVictimology\r\nLUCR-3 often targets large (Fortune 2000) organizations that have Intellectual Property (IP) that is valuable\r\nenough that victim organizations are likely to pay an extortion fee. 
Software companies are a common target as\r\nthey aim to extort a fee related to the theft of source code as well as code signing certificates. LUCR-3 will often\r\ntarget organizations that can be leveraged in a supply chain attack against others. Identity Providers and their\r\noutsourced services companies are frequently targeted, as a single compromise of one of these entities will allow\r\nfor access into multiple other organizations. In recent months LUCR-3 has expanded their targeting into sectors\r\nthey have not previously focused on as much, such as hospitality, gaming, and retail.\r\nAttacker Lifecycle\r\nAWS Attacker Lifecycle\r\nInitial Recon\r\nLUCR-3 does their homework when deciding on their target victim identities. They ensure they are targeting users\r\nthat will have the access they need to carry out their mission. This includes but is not limited to Identity Admins,\r\nDevelopers, Engineers, and the Security team.\r\nThey have been known to leverage credentials that were available in common deep web marketplaces.\r\nInitial Access (IA)\r\nLUCR-3’s initial access into an environment is gained through compromised credentials. They are not performing\r\nnoisy activity like password spraying to find passwords. When they connect, they already have a legitimate\r\npassword to use. The typical approach for them is:\r\n1. Identify credentials for the intended victim identity\r\n     a.) Buy credentials from common deep web marketplaces\r\n     b.) Smishing victims to collect their credentials\r\n     c.) Social engineering help desk personnel to gain access to the credentials\r\n2. Bypass Multi-factor Authentication (MFA)\r\n     a.) SIM Swapping (when SMS OTP is enabled)\r\n     b.) Push Fatigue (when SMS OTP is not enabled)\r\n     c.) Phishing attacks with redirects to legitimate sites where OTP codes are captured and replayed\r\n     d.) 
Buy or social engineer access from an insider (last resort)\r\n3. Modify MFA settings\r\n     a.) Register a new device\r\n     b.) Add alternative MFA options\r\nWhen LUCR-3 modifies MFA settings they often register their own mobile device and add secondary MFA\r\noptions such as email. Signals to watch for here are:\r\nWhen a user registers a device that is in a different ecosystem than their previous device (Android to Apple,\r\nas an example)\r\nWhen a user registers a new device that is an older model than their previous device\r\nWhen a single phone (device id) is assigned to multiple identities\r\nWhen an external email address is added as a multi-factor option\r\nRecon (R)\r\nR-SaaS\r\nIn order to carry out their goal of data theft, ransom and extortion, LUCR-3 must understand where the important\r\ndata is and how to get to it. They perform these tasks much like any employee would. Searching through and\r\nviewing documents in the various SaaS applications like SharePoint, OneDrive, knowledge applications, ticketing\r\nsolutions, and chat applications allows LUCR-3 to learn about an environment using native applications without\r\nsetting off alarm bells. LUCR-3 uses search terms targeted at finding credentials, learning about the software\r\ndeployment environments, code signing process, and sensitive data.\r\nR-AWS\r\nIn AWS, LUCR-3 performs recon in several ways. They will simply navigate around the AWS Management\r\nConsole into services like Billing to understand what types of services are being leveraged, and then navigate\r\neach of those services in the console. Additionally, LUCR-3 wants to know what packages are running on the\r\ncompute systems (EC2 instances) in an organization. Leveraging Systems Manager (SSM), LUCR-3 will run the\r\nnative AWS-GatherSoftwareInventory document against all EC2 instances, returning the software running on the EC2\r\ninstances. 
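The MFA-change signals listed under Initial Access above (ecosystem switch, device downgrade, one device id on several identities, an external email added as a factor) can be scored from factor-enrollment audit events. The following is an added example written for this page, not code from the Permiso post; the flat event layout (user, type, os, model_year, device_id, address) and the corporate domain list are assumptions, so real Okta or Entra audit records must be mapped into that shape first.

```python
# Added example (not from the Permiso post): score MFA factor-enrollment
# events for the four signals the report lists. The event layout below is an
# assumption; map real Okta/Entra audit events into it before use.
from collections import defaultdict

# Constructed sample events, oldest first (fields are assumed, not a real schema).
EVENTS = [
    {'user': 'jdoe', 'type': 'device', 'os': 'ios', 'model_year': 2022, 'device_id': 'dev-1'},
    {'user': 'asmith', 'type': 'device', 'os': 'android', 'model_year': 2021, 'device_id': 'dev-2'},
    {'user': 'jdoe', 'type': 'device', 'os': 'android', 'model_year': 2018, 'device_id': 'dev-9'},
    {'user': 'asmith', 'type': 'device', 'os': 'android', 'model_year': 2021, 'device_id': 'dev-9'},
    {'user': 'jdoe', 'type': 'email', 'address': 'j.doe@gmail.com'},
    {'user': 'bwong', 'type': 'email', 'address': 'bwong@example.com'},
]

# Domains the organization owns (assumed); any other email factor is external.
CORP_DOMAINS = {'example.com'}

def score_enrollments(events, corp_domains=CORP_DOMAINS):
    '''Return (user, signal) tuples, in event order, for every signal hit.'''
    last_device = {}            # user -> most recent device enrollment seen
    owners = defaultdict(set)   # device_id -> identities enrolled on it
    findings = []
    for ev in events:
        user = ev['user']
        if ev['type'] == 'device':
            prev = last_device.get(user)
            if prev is not None:
                # Android <-> Apple switch on the same identity
                if prev['os'] != ev['os']:
                    findings.append((user, 'ecosystem_switch'))
                # new device is an older model than the one it replaces
                if ev['model_year'] < prev['model_year']:
                    findings.append((user, 'device_downgrade'))
            owners[ev['device_id']].add(user)
            # the same physical device now serves more than one identity;
            # the finding is attached to the identity that made it shared
            if len(owners[ev['device_id']]) > 1:
                findings.append((user, 'shared_device:' + ev['device_id']))
            last_device[user] = ev
        elif ev['type'] == 'email':
            domain = ev['address'].rsplit('@', 1)[-1].lower()
            if domain not in corp_domains:
                findings.append((user, 'external_email_factor'))
    return findings

if __name__ == '__main__':
    for user, signal in score_enrollments(EVENTS):
        print(user, signal)
```

Each signal alone is weak; the value of keeping the findings per user is that a single identity with an ecosystem switch, a downgrade and a new external email factor in one session is the pattern the report describes, so group by user and by time window before alerting.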
Lastly, LUCR-3 will leverage the GUI utility S3 Browser in combination with a long-lived access key\r\nto view available S3 buckets.\r\nPrivilege Escalation (PE)\r\nLUCR-3 often chooses initial victims who have the type of access necessary to carry out their mission. They do\r\nnot always need to utilize privilege escalation techniques, but we have observed them do so on occasion in AWS\r\nenvironments.\r\nPE-AWS\r\nLUCR-3 has utilized three (3) main techniques for privilege escalation in AWS:\r\n1. Policy manipulation: LUCR-3 has been seen modifying the policies of existing roles assigned to EC2\r\ninstances and swapping the instance profile attached to an instance (ReplaceIamInstanceProfileAssociation),\r\nas well as creating new roles with a fully open policy.\r\n2. UpdateLoginProfile: LUCR-3 will update the login profile, and on occasion create one if it does not exist,\r\nto assign a password to an identity that they can then use for AWS Management Console logons.\r\n3. SecretsManager Harvesting: Many organizations store credentials in SecretsManager or Terraform Vault for\r\nprogrammatic access from their cloud infrastructure. LUCR-3 will leverage AWS CloudShell to scrape all\r\ncredentials that are available in SecretsManager and similar solutions.\r\nEstablish Persistence/ Maintain Presence (EP)\r\nLUCR-3, like most attackers, wants to ensure that they have multiple ways to enter an environment in the event that\r\ntheir initial compromised identities are discovered. In a modern cloud world there are many ways to achieve this\r\ngoal, and LUCR-3 employs many of them to maintain their presence.\r\nEP-AzureAD/Okta\r\nAfter gaining access to an identity in the IDP (AzureAD, Okta, etc.) LUCR-3 wants to ensure they can easily\r\ncontinue to access the identity. In order to do so they will often perform the following actions:\r\n1. Reset/Register Factor: LUCR-3 will register their own device to ease their ability for continued access. 
As\r\nmentioned previously, watch for ecosystem switches for users as well as single devices that are registered to\r\nmultiple users.\r\n2. Alternate MFA: Many IDPs allow for alternate MFA options. LUCR-3 will take advantage of these features\r\nto register external emails as a factor. They are smart about choosing a name that aligns with the victim\r\nidentity.\r\n3. Strong Authentication Type: In environments where the default setting is to not allow SMS as a factor,\r\nLUCR-3 will modify this setting if they are able to. In AzureAD you can monitor for this by looking for\r\nthe StrongAuthenticationMethod changing from a 6 (PhoneAppOTP) to a 7 (OneWaySMS)\r\nEP-AWS\r\nTo maintain persistence in AWS, LUCR-3 has been observed performing the following:\r\n1. CreateUser: LUCR-3 will attempt to create IAM Users when able. They choose names that align\r\nwith the victim identity they are using for initial access into the environment.\r\n2. CreateAccessKey: LUCR-3 will attempt to create access keys for newly created IAM Users as well as\r\nexisting IAM Users that they can then use programmatically. Like GUI-Vil (LUCR-1), the access keys that\r\nare created are often entered into S3 Browser to interact with S3 buckets.\r\n3. CreateLoginProfile / UpdateLoginProfile: LUCR-3, when trying to be more stealthy or when they do\r\nnot have access to create new IAM users, will attempt to create or update login profiles for existing users.\r\nLogin profiles are what assign a password to an IAM User and allow for console access. This technique\r\nalso lets the attacker gain the privileges of the victim identity.\r\n4. Credential Harvesting: As mentioned previously, LUCR-3 finds great value in harvesting credentials from\r\ncredential vaults such as AWS SecretsManager and Terraform Vault. 
These often store credentials not just\r\nfor the victim organizations, but also credentials that may allow access to business partners, technology\r\nintegrations, and even clients of the victim organization.\r\n5. Resource Creation: Lastly, LUCR-3 will create or take over existing resources such as EC2 instances that\r\ncan be leveraged for access back into the environment as well as a staging area for tools and data theft as\r\nneeded.\r\nEP-SaaS\r\nLUCR-3 will use all the applications available to them to further their goal. In ticketing systems, chat programs,\r\ndocument stores, and knowledge applications they will often perform searches looking for credentials that can be\r\nleveraged during their attack.\r\nAdditionally, many of these applications allow the creation of access tokens that can be used to interact with the\r\nSaaS application's API.\r\nEP-CI/CD\r\nLUCR-3 will also generate access tokens for interacting with the APIs of your code repositories such as GitHub\r\nand GitLab.\r\nDefense Evasion (DE)\r\nWe have observed that LUCR-3 places a significant focus on defense evasion tactics in various environments. This is\r\nclearly to avoid detection as long as possible, until they are sure they have achieved their mission objectives and\r\nare ready to perform ransom and extortion activities. They accomplish this through multiple means depending on\r\nthe type of environment they are in.\r\nDE-AWS\r\nLUCR-3 employs mostly common defense evasion techniques in AWS, with a couple of unique twists.\r\n1. Disable GuardDuty: LUCR-3 will perform the typical deletion of GuardDuty detectors, but also tries to\r\nmake it harder to add the account back at the org level by deleting invitations. This is accomplished through the\r\nfollowing three API calls: DisassociateFromMasterAccount, DeleteInvitations, DeleteDetector\r\n2. 
Stop Logging: LUCR-3 also attempts to evade AWS detections by performing DeleteTrail and\r\nStopLogging actions.\r\n3. Serial Console Access: This may be giving LUCR-3 too much credit, but we have observed them call\r\nEnableSerialConsoleAccess for AWS accounts they have compromised and then attempt to use EC2\r\nInstance Connect to SendSerialConsoleSSHPublicKey, which will attempt to establish a serial connection\r\nto a specified EC2 instance. This can be leveraged to avoid network monitoring, since the session goes to the\r\ninstance's serial port rather than over its network interfaces.\r\nDE-AzureAD/Okta\r\nLUCR-3 clearly understands that one of the more common detections in place for IDPs is to monitor and alert on\r\nimpossible travel. To avoid these impossible travel detections, LUCR-3 will ensure that they source from a similar\r\ngeolocation as their victim identity. This seems to be mostly accomplished via the use of residential VPNs.\r\nDE-M365/Google Workspace\r\nSome of LUCR-3’s actions in an environment, such as generating tokens and opening help desk tickets, cause\r\nemails to be sent to the victim's mailbox. LUCR-3, already sitting in those mailboxes, will delete the emails to\r\navoid detection. While email deletion on its own is a very weak signal, looking for email deletions via the web\r\nversion of Outlook with sensitive terms like OAuth, access token, and MFA might bring to light higher fidelity\r\nsignals to follow.\r\nComplete Mission (CM)\r\nLUCR-3 has one goal, financial gain. They do this mostly through extortion for sensitive data that they have\r\ncollected via the native tools of the victim organization's SaaS and CI/CD applications. 
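The AWS API calls named in the R-AWS, PE-AWS, EP-AWS and DE-AWS sections above map directly onto CloudTrail eventSource and eventName pairs. The rule set below and the records it runs over are an added example for this page, not Permiso's detection content; the sample records are constructed, and the two user-agent substrings (S3 Browser naming itself, and the exec-env/CloudShell tag the AWS CLI sends from CloudShell) are assumptions to confirm against your own logs.

```python
# Added example (not from the Permiso post): flag the AWS API calls this report
# names, over constructed CloudTrail-style records. Field names follow
# CloudTrail; the user-agent substrings below are assumptions to verify.

# (eventSource, eventName) -> label, taken from the report's AWS sections
RULES = {
    ('ssm.amazonaws.com', 'SendCommand'): 'recon:software_inventory',
    ('ec2.amazonaws.com', 'ReplaceIamInstanceProfileAssociation'): 'privesc:instance_profile_swap',
    ('iam.amazonaws.com', 'CreateUser'): 'persistence:new_iam_user',
    ('iam.amazonaws.com', 'CreateAccessKey'): 'persistence:new_access_key',
    ('iam.amazonaws.com', 'CreateLoginProfile'): 'persistence:console_password',
    ('iam.amazonaws.com', 'UpdateLoginProfile'): 'persistence:console_password',
    ('secretsmanager.amazonaws.com', 'GetSecretValue'): 'credential_access:secret_read',
    ('guardduty.amazonaws.com', 'DeleteDetector'): 'evasion:guardduty_disabled',
    ('guardduty.amazonaws.com', 'DeleteInvitations'): 'evasion:guardduty_disabled',
    ('guardduty.amazonaws.com', 'DisassociateFromMasterAccount'): 'evasion:guardduty_disabled',
    ('cloudtrail.amazonaws.com', 'StopLogging'): 'evasion:logging_stopped',
    ('cloudtrail.amazonaws.com', 'DeleteTrail'): 'evasion:trail_deleted',
    ('ec2.amazonaws.com', 'EnableSerialConsoleAccess'): 'evasion:serial_console_enabled',
    ('ec2-instance-connect.amazonaws.com', 'SendSerialConsoleSSHPublicKey'): 'evasion:serial_console_key',
}

INVENTORY_DOC = 'AWS-GatherSoftwareInventory'

def classify(record):
    '''Return the labels one CloudTrail record matches (empty list if none).'''
    labels = []
    key = (record.get('eventSource'), record.get('eventName'))
    label = RULES.get(key)
    ua = record.get('userAgent', '').lower()
    params = record.get('requestParameters') or {}
    if key == ('ssm.amazonaws.com', 'SendCommand'):
        # only the inventory document the report names, not every SendCommand
        if params.get('documentName') == INVENTORY_DOC:
            labels.append(label)
    elif key == ('secretsmanager.amazonaws.com', 'GetSecretValue'):
        # the report ties secret scraping to CloudShell; the AWS CLI there sends
        # exec-env/CloudShell in its user agent (assumption, check your logs)
        if 'cloudshell' in ua:
            labels.append(label + '_from_cloudshell')
    elif label:
        labels.append(label)
    # S3 Browser names itself in the user agent (substring assumed)
    if 's3 browser' in ua:
        labels.append('tooling:s3_browser')
    return labels

def triage(records):
    '''Group labels by principal ARN so one identity doing several things stands out.'''
    by_principal = {}
    for rec in records:
        labels = classify(rec)
        if labels:
            arn = rec.get('userIdentity', {}).get('arn', 'unknown')
            by_principal.setdefault(arn, []).extend(labels)
    return by_principal

# Constructed records (not real logs); only the fields used above are present.
ADMIN = 'arn:aws:iam::111122223333:user/ops-admin'
SAMPLE = [
    {'eventSource': 'ssm.amazonaws.com', 'eventName': 'SendCommand',
     'userIdentity': {'arn': ADMIN}, 'userAgent': 'console.amazonaws.com',
     'requestParameters': {'documentName': INVENTORY_DOC}},
    {'eventSource': 's3.amazonaws.com', 'eventName': 'ListBuckets',
     'userIdentity': {'arn': ADMIN}, 'userAgent': 'S3 Browser 10.9.9 (constructed)'},
    {'eventSource': 'secretsmanager.amazonaws.com', 'eventName': 'GetSecretValue',
     'userIdentity': {'arn': ADMIN},
     'userAgent': 'aws-cli/2.13.0 Python/3.11.4 Linux/5.10 exec-env/CloudShell'},
    {'eventSource': 'guardduty.amazonaws.com', 'eventName': 'DeleteDetector',
     'userIdentity': {'arn': ADMIN}, 'userAgent': 'console.amazonaws.com'},
    {'eventSource': 'sts.amazonaws.com', 'eventName': 'GetCallerIdentity',
     'userIdentity': {'arn': 'arn:aws:iam::111122223333:role/ci-deploy'},
     'userAgent': 'aws-cli/2.13.0'},
]

if __name__ == '__main__':
    for arn, labels in triage(SAMPLE).items():
        print(arn, labels)
```

Grouping by principal ARN is what makes this useful: any one of these calls has a legitimate admin explanation, but one identity that runs the inventory document, reads secrets from CloudShell and deletes the GuardDuty detector in the same window matches the lifecycle described above. Bound the grouping by a short time window, and treat StopLogging or DeleteTrail as a reason to pull the events from an organization trail or a second region, since the account-local trail is exactly what the actor is switching off.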
In AWS this is\r\naccomplished by data theft in S3, and in database applications such as DynamoDB and RDS.\r\nIn the SaaS world, they complete their mission by searching and downloading documents and web pages\r\nvia a traditional web browser.\r\nOn the CI/CD side, LUCR-3 will use the clone, archive, and view raw features of GitHub and GitLab to view\r\nand download source data.\r\nIndicators\r\nDetections\r\nPermiso clients are protected by the following detections:\r\nName Type\r\nP0_AWS_ACCESSKEY_CREATED_1 Alert\r\nP0_AWS_CLOUDTRAIL_LOGGING_STOPPED_1 Alert\r\nP0_AWS_CLOUDTRAIL_TRAIL_DELETED_1 Alert\r\nP0_AWS_EC2_ROOT_USER_SSH_1 Alert\r\nP0_AWS_EC2_SERIAL_CONSOLE_ACCESS_ENABLED_1 Alert\r\nP0_AWS_GUARDDUTY_STATUS_CHANGED_1 Alert\r\nP0_AWS_NEW_USER_CREATED_1 Alert\r\nP0_AWS_S3_BROWSER_USERAGENT_1 Alert\r\nP0_AWS_SM_GETSECRETVALUE_CLOUDSHELL_1 Alert\r\nP0_AZUREAD_MFA_FACTOR_ROTATION_1 Alert\r\nP0_AZUREAD_MFA_FACTOR_ROTATION_BY_ADMIN_1 Alert\r\nP0_GIT_CLONE_ALL Alert\r\nP0_IDP_MFA_DEVICE_DOWNGRADE Alert\r\nP0_IDP_MFA_ECOSYSTEM_SWITCH Alert\r\nP0_IDP_MFA_EXTERNAL_EMAIL Alert\r\nP0_IDP_MFA_MANYUSERS_1DEVICE Alert\r\nP0_INTEL_LUCR3 Alert\r\nP0_OKTA_MFA_FACTOR_ROTATION_1 Alert\r\nP0_OKTA_MFA_FACTOR_ROTATION_BY_ADMIN_1 Alert\r\nP0_SAAS_CREDENTIAL_SEARCH Alert\r\nSource: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"
	],
	"report_names": [
		"lucr-3-scattered-spider-getting-saas-y-in-the-cloud"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434522,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94fbb6659acd5092c44b7264bd187f3462415c0b.pdf",
		"text": "https://archive.orkl.eu/94fbb6659acd5092c44b7264bd187f3462415c0b.txt",
		"img": "https://archive.orkl.eu/94fbb6659acd5092c44b7264bd187f3462415c0b.jpg"
	}
}