{
	"id": "b644d9a6-9eab-44bd-a4da-9a8294c208c6",
	"created_at": "2026-04-06T00:15:36.865452Z",
	"updated_at": "2026-04-10T03:34:18.766048Z",
	"deleted_at": null,
	"sha1_hash": "ac0f05ec52d206952e837a3f64ea0b7a383ea157",
	"title": "Scattered Spider laying new eggs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 732685,
	"plain_text": "Scattered Spider laying new eggs\r\nBy Pierre-Antoine D., Quentin Bourgue, Livia Tibirna and Sekoia TDR\r\nPublished: 2024-02-22 · Archived: 2026-04-05 19:43:16 UTC\r\nTable of contents\r\nIntroduction\r\nBackground\r\nTracing the threads: the history of naming “Scattered Spider”\r\nUnravelling the threads: Scattered Spider’s web profile\r\nTTPs leveraged by Scattered Spider for high-profile attacks\r\nA spider’s web expansion: from access broker to BlackCat ransomware affiliate\r\nEggspedition: Scattered Spider’s exfiltration tactics\r\nSpider’s web: phishing traps unveiled\r\nTarget webs: where cyber spiders aim their digital threads\r\nThrough the eyes of the spider: focused targeting in the digital jungle\r\nConclusion\r\nIoCs \u0026 Technical Details\r\nScattered Spider’s IoCs\r\nAnnexes\r\nAnnex 1 – Malware and tools used by Scattered Spider\r\nAnnex 2 – RMM tools\r\nExternal references\r\nIntroduction\r\nScattered Spider (aka UNC3944, Scatter Swine, Muddled Libra, Octo Tempest, Oktapus, StarFraud) is a\r\nlucrative intrusion set active since at least May 2022, primarily engaged in social engineering, ransomware,\r\nextortion campaigns and other advanced techniques.\r\nThe intrusion set employs state-of-the-art techniques, particularly related to social engineering, such as\r\nimpersonating IT personnel to deceive employees in targeted phishing, SIM swapping, MFA\r\nfatigue, and contacting victims’ support teams. 
Scattered Spider has also conducted high-profile network intrusions\r\nand ransomware attacks as a BlackCat ransomware affiliate since mid-2023.\r\nThe intrusion set attracted significant media coverage several times, with the compromise of Twilio in August 2022\r\nand the campaign against the casino chains Caesars Entertainment and MGM Resorts International in the summer\r\nof 2023.\r\nThis report provides an overview of the Scattered Spider evolution, its modus operandi and the toolset leveraged\r\nover the past years. Additionally, it delves into the Scattered Spider Tactics, Techniques and Procedures (TTPs),\r\nas well as the latest ongoing campaigns, including their current targets.\r\nhttps://blog.sekoia.io/scattered-spider-laying-new-eggs/\r\nPage 1 of 19\r\nBackground\r\nTracing the threads: the history of naming “Scattered Spider”\r\nSince mid-2022, Scattered Spider’s modus operandi has been documented under numerous aliases by various\r\nsources. It is reported as overlapping with the activity of intrusion sets known as 0ktapus (Group-IB), Scatter\r\nSwine (Okta), UNC3944 (Mandiant), Octo Tempest (previously Storm-0875, Microsoft), Muddled Libra\r\n(Unit42) and others.\r\nSentinelOne associates Scattered Spider with the “Star Fraud” group, which is likely part of a larger cybercrime\r\necosystem of disparate and sometimes rival subgroups that refers to itself as “The Community” (aka “The Com.”\r\nand “The Comm”). According to SentinelOne, this long-running online community was the cyber threat with the greatest impact\r\nin 2023. While Coveware links Scattered Spider to Rhysida ransomware activity with a low level of confidence, we could not\r\ncross-reference this information.\r\nWhile most vendors use the above-mentioned aliases interchangeably, RedCanary analysts assess with high\r\nconfidence that Scattered Spider, UNC3944, Oktapus, and Muddled Libra are not exact overlaps. Those subgroups\r\nare likely multiple actors using a common toolkit, according to Unit42.\r\nThe Sekoia.io Threat Detection \u0026 Research (TDR) team monitors Scattered Spider as a cluster of all the above-mentioned intrusion sets, which are highly likely subsets of a larger umbrella. We therefore encompass all the related\r\nactivities under the Scattered Spider intrusion set.\r\nAccording to public reporting, Scattered Spider is an intrusion set of 17 to 22-year-old, native English-speaking\r\nindividuals residing primarily in Western countries. Intel471 refers to its members as mid-to-lower-level skilled\r\nactors with a small subset of highly technically capable members.\r\nOf note, a threat actor specialised in wire fraud and identity theft, reported in open sources as a Scattered Spider\r\naffiliate, was arrested in early 2024.\r\nFigure 1. A timeline of public reporting on Scattered Spider activities. Sources: see the External\r\nReferences section.\r\nUnravelling the threads: Scattered Spider’s web profile\r\nOver the past years, Scattered Spider compromised numerous high-profile organisations, mainly located in the\r\nUnited States. In mid-2022, a wide-scale social engineering campaign aiming at stealing employee credentials\r\nwas reported impacting technology companies, telecommunications providers, and cryptocurrency-related\r\nindividuals and organisations. The campaign targeted Twilio and Cloudflare employees among others, and was\r\nattributed to the Scattered Spider intrusion set.\r\nThe intrusion set has been highly prolific since its first appearance, as it had allegedly compromised over 130 unique\r\norganisations between March and July 2022 alone. Since 2022 and throughout 2023, attacks targeting the social\r\nnews website Reddit and the hospitality and entertainment giant MGM Resorts International were also attributed to\r\nthe intrusion set in open sources.\r\nMoreover, the campaigns attributed to Scattered Spider are highly persistent. In a 2022 campaign targeting\r\nT-Mobile customers, Scattered Spider and two additional intrusion sets engaged in SIM swapping accessed\r\nvictims’ systems 100 times across seven months.\r\nThe intrusion set persistently conducts phishing campaigns to gain access to a company’s network. Scattered\r\nSpider is reported to leverage advanced, targeted, mainly phone-based social engineering techniques. This\r\nincludes tailored phishing domains, SIM swapping, phishing phone calls and targeted SMS.\r\nThe intrusion set’s proficiency in phishing is highly likely due to their comprehensive understanding of their\r\ntargets’ environment, allowing them to successfully impersonate a victim’s employee. Indeed, Scattered Spider\r\nis known to meticulously plan their campaigns, consistently gathering intelligence on corporate hierarchies,\r\nspecific employees, and the IT support infrastructure of their targets.\r\nAccording to Microsoft, if initial attempts fail, Scattered Spider members leverage personal information such as\r\nresidential addresses and relatives’ names, coupled with threats of physical harm, to coerce victims into revealing\r\nlogin credentials for corporate systems.\r\nUpon gaining unauthorised access, the intrusion set frequently reviewed internal documents detailing processes\r\nand procedures, using this information to expand their reach further and secure extensive access to sensitive\r\nsystems and data.\r\nWhile conducting advanced and targeted campaigns, Scattered Spider is reported as being exclusively financially motivated.\r\nThe latest monetisation strategy adopted by Scattered Spider consists of deploying ransomware in\r\nvictims’ environments. Indeed, the intrusion set has conducted double extortion campaigns leveraging the BlackCat\r\nransomware since mid-2023, after several months of exfiltrating files without encryption.\r\nTTPs leveraged by Scattered Spider for high-profile attacks\r\nA spider’s web expansion: from access broker to BlackCat ransomware affiliate\r\nSince mid-2022, Scattered Spider’s evolving activities have been documented by multiple sources, outlining the\r\nvarious techniques adopted by the intrusion set over time.\r\nThe evolution of Scattered Spider’s TTPs and the reported victimology illustrates a significant shift in their\r\noperational strategy. Initially functioning as an access broker, the intrusion set targeted high-value organisations\r\nacross the telecommunications and technology sectors, as well as individuals linked to cryptocurrency. Over time,\r\nScattered Spider’s tactics evolved into those of a ransomware affiliate, including data exfiltration and ransomware\r\ndeployment for extortion.\r\nStarting from mid-2022, Scattered Spider conducted campaigns to gain initial access to organisations’ accounts\r\nthrough social engineering, leveraging SMS, phone calls or Telegram to impersonate IT personnel and direct\r\nvictims to a credential harvesting site. Such attacks led to further smishing campaigns and account takeovers of\r\nhigh-net-worth individuals. Microsoft assesses that Scattered Spider monetised intrusions by selling access to\r\nother criminals at that time.\r\nBy late 2022, the intrusion set expanded its targeting to business process outsourcing (BPO) providers, intending to gain\r\nfurther access to mobile carrier networks from a telco or BPO environment. For this purpose, Scattered Spider\r\nestablished persistence using VPN access or Remote Monitoring and Management (RMM) tools. The intrusion set\r\ninnovated to gain an initial foothold within the victims’ environment by targeting corporate assets through stolen\r\nAzure credentials and exploiting vulnerabilities. Microsoft assesses that Scattered Spider monetised intrusions\r\nby extorting organisations with stolen data.\r\nIn mid-2023, Scattered Spider allegedly joined the BlackCat ransomware operation and began deploying the\r\nransomware payload on Windows and Linux systems, and later on VMware ESXi servers.\r\nThe BlackCat (aka ALPHV) Ransomware as a Service (RaaS) has distributed its malware since late 2021 and was among\r\nthe top 3 most prolific ransomware operations in 2023, according to Sekoia.io observations. BlackCat\r\nrepresentatives declare cooperating with Russian-speaking affiliates only. Therefore, Scattered Spider joining this\r\nRaaS as an affiliate is likely indicative of a constantly evolving Russian-speaking RaaS group, driven by the\r\nmaximisation of financial gain, whose main condition for recruiting affiliates likely remains to avoid attacking\r\norganisations within the Commonwealth of Independent States (CIS).\r\nThe intrusion set continuously expanded its arsenal of tools, malware and techniques for establishing\r\npersistence and reconnaissance on networks, escalating privileges, removing, disabling and bypassing security\r\ntools, as well as exfiltrating data. 
These evolutions, as well as the ever-extended targeting, are indicative of a\r\nrelatively advanced, increasingly persistent and well-established intrusion set.\r\nBased on open-source reporting (see the External References section), Sekoia.io analysts compiled the techniques\r\nemployed by Scattered Spider over time and the targeted sectors, as shown in the table below:\r\nMid-2022\r\nSources: Roasting 0ktapus (Group-IB, August 2022 – Twilio, August 2022 – Cloudflare, August 2022); Scatter Swine (Okta, August 2022)\r\nScattered Spider’s techniques:\r\n– Gathered mobile phone numbers of employees from commercially available data aggregation services\r\n– Targeted employees with phishing, including smishing and voice phishing\r\n– Harvested credentials through targeted phishing pages\r\n– Relayed One Time Passwords (OTP) through phishing pages\r\n– Distributed the commercial RMM tool AnyDesk\r\n– Used anonymising proxy services\r\n– Took over user accounts\r\n– Conducted further smishing attacks\r\nTargeted sectors:\r\n– Technology\r\n– Telecommunications\r\n– Individuals linked to cryptocurrency\r\nLate 2022\r\nSources: Scattered Spider (CrowdStrike, December 2022); UNC3944 (Mandiant, December 2022)\r\nScattered Spider’s techniques:\r\n– Gathered mobile phone numbers of employees\r\n– Targeted employees with phishing, including smishing, Telegram messages and phone calls\r\n– Impersonated IT personnel for phishing\r\n– Accessed Azure accounts using stolen credentials\r\n– Exploited a CVE in the ForgeRock OpenAM application server\r\n– Distributed various RMM tools\r\n– Persisted using VPN access, AWS key theft and IAM manipulation\r\n– Exploited the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass endpoint security\r\n– Deployed the Remote Access Trojan (RAT) RattyRAT\r\n– Conducted further smishing attacks\r\n– Gained access to mobile carrier network and SIM card information\r\n– Exfiltrated data using transfer[.]sh\r\n– Performed SIM swapping\r\nTargeted sectors:\r\n– Telecommunications\r\n– Business process outsourcing\r\nMid-2023\r\nSources: UNC3944 (Mandiant, September 2023); Muddled Libra (Unit42, September 2023)\r\nScattered Spider’s techniques:\r\n– Purchased stolen credentials from cybercriminal markets\r\n– Gathered mobile phone numbers of employees\r\n– Targeted employees with phishing, including smishing and phone calls\r\n– Used phone-based social engineering\r\n– Leveraged MFA bombing\r\n– Performed SIM swapping\r\n– Used the commercial residential proxy services NSOCKS and TrueSocks\r\n– Distributed various RMM tools\r\n– Created publicly accessible virtual machines inside victims’ environments\r\n– Deployed commodity malware (infostealers, reconnaissance, privilege escalation)\r\n– Targeted VMware vCenter servers using the open-source bedevil Linux rootkit\r\n– Achieved privilege escalation by resetting passwords or modifying multi-factor authentication (MFA)\r\n– Performed reconnaissance and credential dumping using public tools\r\n– Enumerated the internal documentation and resources\r\n– Achieved privilege escalation by targeting password managers or IAM\r\n– Disabled security products\r\n– Exfiltrated data using Rclone, MEGAsync, FileZilla or DropBox\r\n– Deleted shadow copies, disabled security tools\r\n– Deployed BlackCat ransomware\r\n– Engaged in aggressive communications with victims for persuasion\r\nTargeted sectors:\r\n– Telecommunications\r\n– Business process outsourcing\r\n– Hospitality\r\n– Retail\r\n– Media\r\n– Entertainment\r\n– Financial services\r\nLate 2023\r\nSources: Octo Tempest (Microsoft, October 2023); Scattered Spider (CISA, November 2023)\r\nScattered Spider’s techniques:\r\n– Purchased stolen credentials from cybercriminal markets\r\n– Targeted employees with phishing, including smishing and phone calls\r\n– Harvested credentials through targeted AiTM phishing pages\r\n– Used phone-based social engineering\r\n– Distributed various RMM tools\r\n– Used reverse shells\r\n– Deployed commodity malware (infostealers, reconnaissance, privilege escalation)\r\n– Targeted VMware vCenter servers using the open-source bedevil Linux rootkit\r\n– Achieved privilege escalation by resetting passwords or modifying multi-factor authentication (MFA)\r\n– Performed reconnaissance and credential dumping using public tools\r\n– Enumerated the internal documentation and resources\r\n– Disabled security products\r\n– Modified mailbox rules to delete emails from security vendors and to exfiltrate emails\r\n– Exfiltrated data using MEGAsync, Gofile, shz[.]al, Storj, Temp[.]sh, Paste[.]ee, Backblaze, and AWS S3 buckets\r\n– Deployed BlackCat ransomware\r\n– Engaged in aggressive communications with victims for persuasion\r\nTargeted sectors:\r\n– Natural resources\r\n– Gaming\r\n– Hospitality\r\n– Consumer products\r\n– Retail\r\n– Managed services providers\r\n– Manufacturing\r\n– Law\r\n– Technology\r\n– Financial services\r\nTable 1. TTPs leveraged by Scattered Spider between 2022 and 2023\r\nEggspedition: Scattered Spider’s exfiltration tactics\r\nBy late 2022, a notable development in Scattered Spider’s tactics emerged with the employment of the file sharing\r\nservice transfer[.]sh to facilitate data exfiltration. In 2023, the intrusion set further expanded its data\r\nexfiltration capabilities, incorporating new tools such as Rclone, MEGAsync, DropBox, and subsequently,\r\nGofile, shz[.]al, Storj, Temp[.]sh, Paste[.]ee, Backblaze and AWS S3 buckets, as reported by Mandiant and\r\nMicrosoft.\r\nRansomware affiliates frequently use such file-hosting services to exfiltrate large volumes of data from\r\ncompromised networks onto anonymous infrastructures. 
Once they obtain sensitive data from victims, attackers\r\ntypically coerce victims into paying the ransom by threatening publication. Since 2020, this tactic, known as\r\ndouble extortion ransomware, has become widespread among ransomware gangs, including BlackCat and its\r\naffiliate, Scattered Spider.\r\nWhile some ransomware affiliates or groups use customised exfiltration tools (e.g. ExMatter, StealBit, Grixba)\r\nto exfiltrate data to their own infrastructures, many operators tend to leverage legitimate, open-source tools (e.g.\r\nFileZilla, MEGAsync, Rclone, WinSCP) to remain stealthy, as they are widely used in corporate environments.\r\nAlso, ransomware actors frequently leverage anonymous infrastructures (e.g. transfer[.]sh, MEGA, DropBox) for\r\ndata hosting and sharing, allowing attackers to avoid burning their own infrastructure during the exfiltration\r\nstage.\r\nOne such example is the cloud storage service MEGA (also known as mega[.]nz or mega[.]io) and its associated client\r\nMEGAsync. Created in 2013 by Kim Dotcom, MEGA provides privacy and security-focused storage boasting\r\n“zero-knowledge encryption” at an attractive price compared to competitors. Moreover, MEGA accepts Bitcoin\r\nas payment, enabling cybercriminals to capitalise on the anonymity, decentralisation, and difficulty of tracking\r\nassociated with cryptocurrency transactions. The MEGA service provides end-to-end encryption with restricted\r\naccess to user data and account information, enhancing anonymity and reducing the risk of exposure or\r\ninterception of exfiltrated data.\r\nThe MEGAsync client is an open-source, cross-platform tool available on GitHub, enabling\r\nransomware affiliates to deploy it for exfiltration across Windows, Linux and macOS.\r\nFor Scattered Spider and numerous other ransomware intrusion sets – like LockBit, BlackCat, Trigona, INC,\r\nVice Society, and Monti – MEGA and MEGAsync stand out as one of the preferred solutions for the data\r\nexfiltration stage, owing to their protective measures for identity and data.\r\nWith similar intentions, cybercriminals rely on a wide range of legitimate services, tools and technologies\r\nprioritising privacy, anonymisation and data protection. These include cryptocurrencies, VPNs, VPS, proxy services,\r\nthe Tor network, various messaging services (e.g. Telegram, Tox, Session, Jabber), and email providers (e.g.\r\nProtonMail, Tutanota, Onion Mail).\r\nSpider’s web: phishing traps unveiled\r\nTarget webs: where cyber spiders aim their digital threads\r\nSilentPush recently reported on the advanced Scattered Spider intrusion set deploying a new phishing kit since\r\nSeptember 2023, and shared details of the registrars and Autonomous System Numbers (ASN) used by the intrusion set.\r\nFollowing this article, Sekoia.io TDR analysts initiated dedicated infrastructure tracking, resulting in new\r\ntracking heuristics for our Sekoia.io C2 Tracker project.\r\nIn January 2024, our tracker got new matches, indicating that a new campaign was underway. Instead of using\r\nthe usual ASN, Scattered Spider switched to another registrar: “registrar[.]eu”. Subsequently, all domains\r\nregistered since then use the same combination as of mid-February 2024.\r\nBased on TDR observations, the phishing pages designed by Scattered Spider have short online lifespans, often\r\nlasting only a few days or even a few hours, which is consistent with previous reports by other security\r\ncompanies. For example, the domain “linkedinsso[.]com” was registered on 19 January 2024; it became active\r\nimmediately and ceased operations two days later. On 8 February, after a one-week break, the phishing\r\ninfrastructure went live again, with newly registered domains and, subsequently, new targets.\r\nFigure 2. Scattered Spider phishing pages harvesting credentials and MFA code targeting a United\r\nStates insurance company in February 2024.\r\nThe root page of the phishing domain attempts to lure users into providing their Okta credentials. Upon clicking\r\non the “Sign In” button, the collected information is sent to the “fuckyou.php” page before the user is redirected to the\r\n“factor.html” page, which prompts the user for what we assess to be a 2FA code.\r\nThe information submitted in the 2FA form is then sent to “factor.php”, which, after a brief delay, redirects users\r\nto the legitimate public website of the targeted company.\r\nOf note, during our infrastructure investigation, we came across several old domains targeting MGM Resorts\r\nInternational, a major casino brand targeted by Scattered Spider in a ransomware and extortion campaign in the\r\nsummer of 2023. Two of the observed domains, registered and active in August 2022, were:\r\nmgmresorts-okta[.]com\r\nschedule.mgmresorthotels[.]com\r\nFigure 3. Fake MGM Resorts International login page.\r\nSekoia.io analysts assess with high confidence that these phishing domains were set up by Scattered Spider, given\r\ntheir modus operandi, the ASN and the registrar they leveraged at that time.\r\nFurthermore, most of Scattered Spider’s phishing pages contain an invisible list with a distinctive URL in the\r\nHTML code, e.g.:\r\n-\r\nTable 2. Characteristic URL in the HTML code\r\nThis element aligns with the “colourful” language used by the intrusion set, as reported by Group-IB researchers\r\nin August 2022. Their investigation uncovered a Telegram channel used to exfiltrate data from Scattered Spider’s\r\nformer phishing kit, whose administrator was named “₿ Bored Niggas INC ₿”.\r\nThrough the eyes of the spider: focused targeting in the digital jungle\r\nSince mid-2022, Scattered Spider has been publicly reported as actively targeting a wide range of industries,\r\nincluding telecommunication providers, software and technology, business process outsourcing providers,\r\ncryptocurrency platforms, food delivery services, and organisations in the hospitality, banking, manufacturing\r\nand retail sectors, as well as customer relationship management, marketing and legal services.\r\nSekoia.io’s tracking of the intrusion set’s phishing infrastructure yielded a list of new phishing domain names\r\n(see the IoCs section) allegedly targeting employees of specific companies, based on the design of the\r\nauthentication pages and their redirection to targets’ official websites.\r\nOn this basis, and considering the previously reported Scattered Spider victimology, we assess with high\r\nconfidence that the intrusion set does target those organisations in an ongoing campaign.\r\nAs of February 2024, we gathered the following list of targeted organisations:\r\nTrue Corporation\r\nZendesk\r\nSquarespace\r\nWalmart\r\nLinkedIn\r\nCostco\r\nCellular Sales\r\nGrubhub\r\nSamsung\r\nGitLab\r\nFireblocks\r\nSinch\r\nRoblox\r\nUS Cellular\r\nApple\r\nBinance\r\nVerizon\r\nAflac\r\nBell\r\nAllstate\r\nAthene\r\nFigure 4. Industries targeted by Scattered Spider’s phishing pages tracked by Sekoia.io in January\r\n2024.\r\nScattered Spider primarily targets organisations based in the United States. While some of the newly unveiled\r\ntargets are based in other regions of the world, the majority of them do maintain offices in the United States.\r\nOf particular interest are True Corporation and Bell, based in Thailand and Canada respectively.\r\nWhile their industry-related targeting aligns with Scattered Spider’s usual campaigns aimed at organisations\r\nwithin the telecommunication sector, this is likely indicative of newly targeted regions.\r\nFigure 5. Fake True Corporation login page\r\nAfter expanding their list of targeted sectors over time and switching to Big Game Hunting (BGH) attacks to\r\nmaximise their profits by increasing extorted amounts, Scattered Spider is likely also expanding their list of\r\ntargeted locations. Our assumption relies on analysing their phishing pages impersonating novel organisations. As\r\nof mid-February 2024, there have been no reported incidents involving victims outside the United States linked to\r\nScattered Spider.\r\nSekoia.io TDR remains committed to actively monitoring Scattered Spider activities to anticipate and evaluate\r\nfurther evolutions.\r\nConclusion\r\nScattered Spider is a financially motivated intrusion set engaging in highly lucrative cybercrime activities\r\naimed at theft of sensitive data, cryptocurrency theft, data exfiltration and ransomware deployment for\r\nextortion. 
We assess that Scattered Spider’s techniques are progressively evolving towards an advanced modus operandi,\r\nindicative of a group, or at least of some of its members, with a relatively high level of expertise.\r\nOver the past years, the intrusion set expanded its activities from being an access broker specialising in phishing\r\nand social engineering to becoming a ransomware affiliate, enhancing its TTPs, its arsenal of tools and\r\nmalware, and adjusting its targeting.\r\nSekoia.io analysts view Scattered Spider as an umbrella encompassing various modus operandi that are likely to\r\nevolve, notably as new threat actors bring their skills, experiences and arsenal by joining the group.\r\nTo actively monitor the threat and protect our customers, we focus on monitoring and tracking Scattered\r\nSpider’s TTPs over time, consistent with those of many ransomware affiliates and initial access brokers. To\r\nprovide our customers with actionable intelligence, the TDR team will continue to proactively track Scattered\r\nSpider’s phishing infrastructure and investigate new reports outlining the intrusion set operations.\r\nIoCs \u0026 Technical Details\r\nScattered Spider’s IoCs\r\nYou can find the IoCs (phishing domains and phishing server IP addresses with first and last seen dates) as a CSV file on our Community GitHub.\r\nAnnexes\r\nAnnex 1 – Malware and tools used by Scattered Spider\r\nTactics Malware, tools, services\r\nReconnaissance LinkedIn\r\nInitial Access EIGHTBAIT (0ktapus phishing kit)\r\nPersistence RattyRat, bedevil, AADInternals\r\nPrivilege Escalation\r\nLINpeas, aws_consoler, STONESTOP, POORTRY, KDMapper, HashiCorp Vault, Trufflehog, GitGuardian, Jecretz, pacu\r\nDefense Evasion privacy.sexy\r\nCredential Access\r\nMimikatz, ProcDump, DCSync, LAPSToolkit, LaZagne, gosecretsdump\r\nDiscovery\r\nRustScan, ADRecon, ADExplorer, PingCastle, MicroBurst, 
Advanced Port Scanner, Angry IP Scanner, Angry Port Scanner, SharpHound, CIMplant, ManageEngine, LANDESK, PDQ Inventory, Govnomi, PureStorage FlashArray\r\nLateral Movement\r\nImpacket, CitrixReceiver, CitrixWorkspaceApp, mobaxterm, ngrok, OpenSSH, proxifier, PuTTY, socat, Wstunnel, RDP, Cloudflare Tunnel client, Chrome Remote Desktop, PsExec, Sshimpanzee\r\nCollection\r\nAtomic, Vidar, Meduza, Raccoon, Snaffler, Hekatomb, Lumma, DBeaver, MongoDB Compass, Azure SQL Query Editor, Cerebrata, FiveTran, Ave Maria\r\nCommand and Control\r\nRMM tools (listed below), rsocx, NSOCKS, TrueSocks, Twingate\r\nExfiltration Telegram, Rclone, MEGAsync, Storage Explorer\r\nImpact BlackCat ransomware\r\nAnnex 2 – RMM tools\r\nAnyDesk\r\nASG Remote Desktop\r\nBeAnywhere\r\nConnectWise\r\nDomotz\r\nDWService (DWAgent)\r\nFixMe.IT\r\nFleetDeck\r\nGetScreen\r\nITarian Endpoint Manager\r\nLevel.io (Level RMS)\r\nLogMeIn\r\nManageEngine\r\nMesh\r\nN-Able\r\nNgrok\r\nParsec\r\nPulseway\r\nRemote Server Administration Tools (RSAT)\r\nRemotePC\r\nRport\r\nRSAT\r\nRsocx\r\nRustDesk\r\nScreenConnect\r\nSocat\r\nSplashtop\r\nSSH RevShell and RDP Tunnelling via SSH\r\nTailscale\r\nTactical RMM\r\nTeamViewer\r\nTightVNC\r\nTrendMicro Basecamp\r\nTwingate\r\nSorillus\r\nWsTunnel\r\nZeroTier\r\nZohoAssist\r\nExternal references\r\n[Okta] Detecting Scatter Swine: Insights into a Relentless Phishing Campaign, 25/08/2022\r\n[Group-IB] Roasting 0ktapus: The phishing campaign going after Okta identity credentials, 25/08/2022\r\n[CrowdStrike] Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies, 02/12/2022\r\n[Mandiant] I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware, 13/12/2022\r\n[SentinelOne] Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers, 13/12/2022\r\n[CrowdStrike] SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security, 10/01/2023\r\n[Mandiant] SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack, 16/05/2023\r\n[Trend Micro] BlackCat Ransomware Deploys New Signed Kernel Driver, 22/05/2023\r\n[Unit42] Threat Group Assessment: Muddled Libra (Updated), 21/06/2023, updated on 15/09/2023\r\n[RSecurity] ’Ransomed.Vc’ In The Spotlight – What We Know About The Ransomware Group Targeting Major Japanese Businesses, 26/09/2023\r\n[Mandiant] Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety, 14/09/2023\r\n[Microsoft] Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction, 25/10/2023\r\n[Permiso] LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD, 20/09/2023\r\n[Silent Push] Eight-legged Phreaks: Silent Push DNS and content scans discover new Scattered Spider phishing infrastructure, 07/12/2023\r\n[CISA] Scattered Spider, 16/11/2023\r\nSource: https://blog.sekoia.io/scattered-spider-laying-new-eggs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/scattered-spider-laying-new-eggs/"
	],
	"report_names": [
		"scattered-spider-laying-new-eggs"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "adf68b66-8287-44de-9cdc-3277508a8126",
			"created_at": "2023-11-05T02:00:08.082461Z",
			"updated_at": "2026-04-10T02:00:03.400457Z",
			"deleted_at": null,
			"main_name": "RansomVC",
			"aliases": [
				"Ransomed.vc"
			],
			"source_name": "MISPGALAXY:RansomVC",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775792058,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac0f05ec52d206952e837a3f64ea0b7a383ea157.pdf",
		"text": "https://archive.orkl.eu/ac0f05ec52d206952e837a3f64ea0b7a383ea157.txt",
		"img": "https://archive.orkl.eu/ac0f05ec52d206952e837a3f64ea0b7a383ea157.jpg"
	}
}