{
	"id": "d924ba5d-d8cd-46d6-b2b0-1d115a222550",
	"created_at": "2026-04-06T00:10:40.376561Z",
	"updated_at": "2026-04-10T03:31:49.884083Z",
	"deleted_at": null,
	"sha1_hash": "a7704dc7cd5040a5cca2e6870ff6783e1bc6359c",
	"title": "Microsoft links Scattered Spider hackers to Qilin ransomware attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3693164,
	"plain_text": "Microsoft links Scattered Spider hackers to Qilin ransomware attacks\r\nBy Sergiu Gatlan\r\nPublished: 2024-07-16 · Archived: 2026-04-05 17:58:39 UTC\r\nImage: Midjourney\r\nMicrosoft says the Scattered Spider cybercrime gang has added Qilin ransomware to its arsenal and is now using it in attacks.\r\n\"In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns,\" Microsoft said Monday.\r\nAfter surfacing in early 2022, this threat group (also tracked as Octo Tempest, UNC3944, and 0ktapus) achieved notoriety following their 0ktapus campaign that targeted over 130 high-profile organizations, including Microsoft, Binance, CoinBase, T-Mobile, Verizon Wireless, AT\u0026T, Slack, Twitter, Epic Games, Riot Games, and Best Buy.\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-links-scattered-spider-hackers-to-qilin-ransomware-attacks/\r\nPage 1 of 4\r\nThe English-speaking gang has also encrypted MGM Resorts' systems after joining BlackCat/ALPHV ransomware as an affiliate in mid-2023 and was linked by Symantec to the RansomHub ransomware-as-a-service.\r\nIn November, the FBI and CISA issued an advisory highlighting Scattered Spider's tactics, techniques, and procedures (TTPs). These include impersonating IT employees to trick customer service staff into providing them with credentials or gaining persistence on targets' networks using remote access tools.\r\nOther tactics they're known to use for initial network access include phishing, MFA bombing (aka MFA fatigue), and SIM swapping.\r\nScattered Spider's move to ransomware attacks (Microsoft)\r\nThe Qilin ransomware operation that Scattered Spider just joined surfaced in August 2022 under the \"Agenda\" name but was rebranded as Qilin just one month later.\r\nOver the last two years, the Qilin gang has claimed over 130 companies on its dark web leak site; however, their operators weren't active until attacks picked up towards the end of 2023.\r\nSince December 2023, Qilin has also been developing one of the most advanced and customizable Linux encryptors to target VMware ESXi virtual machines, which enterprise organizations favor for their light resource needs.\r\nLike many other ransomware groups targeting businesses, Qilin operators infiltrate a company's networks and extract data as they move through the victim's systems.\r\nAfter obtaining admin credentials and collecting all sensitive data, they deploy the ransomware payloads to encrypt all network devices and leverage the stolen data to carry out double-extortion attacks.\r\nSo far, BleepingComputer has seen Qilin ransom demands ranging from as low as $25,000 to millions of dollars, depending on the victim's size.\r\nLast month, the CEO of the UK's National Cyber Security Centre (NCSC) linked Qilin to a ransomware attack that hit pathology services provider Synnovis in early June and impacted several major NHS hospitals in London, forcing them to cancel hundreds of operations and appointments.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-links-scattered-spider-hackers-to-qilin-ransomware-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-links-scattered-spider-hackers-to-qilin-ransomware-attacks/"
	],
	"report_names": [
		"microsoft-links-scattered-spider-hackers-to-qilin-ransomware-attacks"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434240,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7704dc7cd5040a5cca2e6870ff6783e1bc6359c.pdf",
		"text": "https://archive.orkl.eu/a7704dc7cd5040a5cca2e6870ff6783e1bc6359c.txt",
		"img": "https://archive.orkl.eu/a7704dc7cd5040a5cca2e6870ff6783e1bc6359c.jpg"
	}
}