{
	"id": "1fcc46e3-ba66-406b-a7af-4495139644e6",
	"created_at": "2026-04-17T02:19:45.991853Z",
	"updated_at": "2026-04-18T02:21:39.515633Z",
	"deleted_at": null,
	"sha1_hash": "a894be235a0f82062b5215e6a4aa1f04d8a5ab89",
	"title": "Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63067,
	"plain_text": "Exposing Scattered Spider: New Indicators Highlight Growing\r\nThreat to Enterprises and Aviation\r\nBy laurama\r\nPublished: 2025-07-07 · Archived: 2026-04-17 02:06:42 UTC\r\nCheck Point Research identifies phishing domain patterns, offering actionable insights to proactively counter\r\nthreats from the notorious cyber group behind recent airline attacks\r\nScattered Spider, a sophisticated cyber threat group known for aggressive social engineering and targeted\r\nphishing, is broadening its scope, notably targeting aviation alongside enterprise environments. Check Point\r\nResearch has uncovered specific phishing domain indicators, helping enterprises and aviation companies\r\nproactively defend against this emerging threat.\r\nRecent Aviation Attacks Linked to Scattered Spider\r\nIn a significant escalation, recent media reports and intelligence advisories have linked Scattered Spider to cyber-attacks on major airlines, notably the July 2025 data breach affecting six million Qantas customers. Cybersecurity\r\nanalysts noted tactics such as MFA fatigue and voice phishing (vishing), closely matching Scattered Spider’s\r\nknown methods.\r\nSimilar incidents involving Hawaiian Airlines and WestJet have further highlighted the urgency of addressing\r\nvulnerabilities in aviation-related third-party providers.\r\nKey Targeting Indicators (Phishing Domains)\r\nCheck Point Research has identified a consistent pattern in the phishing infrastructure registered by Scattered\r\nSpider. These domains closely mimic legitimate corporate login portals and are designed to deceive employees\r\ninto revealing their credentials.\r\nTypical naming conventions include:\r\nvictimname-sso.com\r\nvictimname-servicedesk.com\r\nvictimname-okta.com\r\nDuring a targeted investigation, Check Point researchers identified approximately 500 domains that follow\r\nScattered Spider’s known naming conventions—indicating potential phishing infrastructure either in use or\r\nprepared for future attacks. While some of these domains appear to target technology, retail, and aviation\r\norganizations, others impersonate companies across a much broader set of industries, including manufacturing,\r\nmedical technology, financial services, and enterprise platforms. This cross-sector targeting underscores the\r\ngroup’s opportunistic approach, adapting to high-value vulnerabilities rather than focusing on a specific\r\nvertical. Examples of observed domains include:\r\nhttps://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/\r\nPage 1 of 3\n\nchipotle-sso[.]com\r\ngemini-servicedesk[.]com\r\nhubspot-okta[.]com\r\nWhile not all domains are confirmed to be actively malicious, their alignment with known TTPs (tactics,\r\ntechniques, and procedures) strongly suggests targeting intent.\r\nThese findings further highlight the importance of industry-agnostic threat monitoring and reinforce that no sector\r\nis immune from sophisticated social engineering campaigns.\r\nGroup Overview: Who Is Scattered Spider?\r\nPublicly available intelligence outlines Scattered Spider as:\r\nActive since at least 2022, composed primarily of young individuals (ages 19–22) from the US and UK\r\nFinancially driven, targeting ransomware, credential theft, and cloud infrastructure\r\nUtilizing advanced social engineering techniques, including MFA manipulation and voice spoofing\r\nEmploying remote access tools and malware for persistent intrusion\r\nTools \u0026 Techniques Used by Scattered Spider\r\nScattered Spider employs a broad range of sophisticated attack methods to infiltrate targets and maintain long-term access:\r\nSocial Engineering Methods:\r\nTargeted phishing\r\nSIM swapping\r\nMulti-Factor Authentication (MFA) fatigue (“push bombing”)\r\nPhone and SMS impersonation\r\nTricking employees into installing remote access tools\r\nCapturing one-time passwords or coercing users to approve MFA prompts\r\nRemote Access Tools:\r\nFleetdeck.io, Level.io, Ngrok, Pulseway, ScreenConnect\r\nSplashtop, Tactical RMM, Tailscale, TeamViewer\r\nMimikatz (credential dumping tool)\r\nMalware:\r\nWarZone RAT (leaked version)\r\nRaccoon Stealer\r\nVidar Stealer\r\nRansomware:\r\nBlackCat / ALPHV (Ransomware-as-a-Service)\r\nComprehensive Recommendations\r\nCheck Point recommends the following defensive strategies tailored for both enterprises and aviation\r\norganizations:\r\nFor Enterprises:\r\nDomain Monitoring: Continuously scan domain registrations and block suspicious ones matching\r\nScattered Spider patterns.\r\nEmployee Training: Conduct simulations and awareness training focused on MFA abuse and vishing.\r\nAdaptive Authentication: Deploy smart MFA solutions with behavioral anomaly detection.\r\nEndpoint Security: Ensure robust endpoint detection and response across the organization.\r\nFor Aviation Sector Organizations:\r\nVendor Risk Management: Audit third-party service providers, particularly call centers, for access\r\ncontrols and security maturity.\r\nStrong Identity Verification: Require layered verification for password resets and MFA-related support\r\nrequests.\r\nSector-Specific Incident Response: Establish response playbooks tailored for data breaches involving\r\npassenger data and loyalty platforms.\r\nCheck Point Solutions to Mitigate Scattered Spider Threats\r\nTo effectively counter these emerging risks, Check Point recommends the following security platforms:\r\nCheck Point Harmony Email \u0026 Collaboration: Prevents phishing and impersonation attacks across\r\ninboxes and communication apps.\r\nCheck Point Harmony Endpoint: Detects and mitigates threats at the endpoint before they spread.\r\nCheck Point CloudGuard: Secures multi-cloud environments and prevents credential-based access abuse.\r\nInfinity ThreatCloud AI: Powers threat intelligence with AI to deliver proactive defenses.\r\nCheck Point Quantum Security Gateway: Provides scalable network security with real-time threat\r\nprevention.\r\nFurther Reading \u0026 Resources\r\nExplore additional resources on Scattered Spider:\r\nCyberInt: Meet Scattered Spider\r\nHC3 Threat Actor Profile – Scattered Spider (October 2024)\r\nFor real-time intelligence and updates, visit Check Point’s blog.\r\nSource: https://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/"
	],
	"report_names": [
		"exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-18T02:00:05.143642Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-18T02:00:04.779782Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-18T02:00:03.67245Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Muddled Libra",
				"Oktapus",
				"Scattered Swine",
				"Scatter Swine",
				"Octo Tempest",
				"Starfraud",
				"UNC3944",
				"0ktapus",
				"Storm-0971",
				"DEV-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-18T02:00:04.852006Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-18T02:00:04.852737Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-18T02:00:04.615783Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1776392385,
	"ts_updated_at": 1776478899,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a894be235a0f82062b5215e6a4aa1f04d8a5ab89.pdf",
		"text": "https://archive.orkl.eu/a894be235a0f82062b5215e6a4aa1f04d8a5ab89.txt",
		"img": "https://archive.orkl.eu/a894be235a0f82062b5215e6a4aa1f04d8a5ab89.jpg"
	}
}