{
	"id": "c89a31fb-8b65-490b-a8b3-0ea3835442e5",
	"created_at": "2026-04-06T00:14:44.281999Z",
	"updated_at": "2026-04-10T03:34:59.497512Z",
	"deleted_at": null,
	"sha1_hash": "b36540fdb30eb0726f78a2fa47944203fe38cc44",
	"title": "Subgroup: Scattered Spider - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108469,
	"plain_text": "Subgroup: Scattered Spider - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 20:06:38 UTC\r\n APT group: Subgroup: Scattered Spider\r\nNames\r\nScattered Spider (CrowdStrike)\r\nUNC3944 (Mandiant)\r\n0ktapus (Group-IB)\r\nMuddled Libra (Palo Alto)\r\nScatter Swine (Okta)\r\nStorm-0875 (Microsoft)\r\nOcto Tempest (Microsoft)\r\nLUCR-3 (Permiso)\r\nStar Fraud (self given)\r\nCountry [Unknown]\r\nMotivation Financial gain\r\nFirst seen 2022\r\nDescription An affiliate group of ALPHV, BlackCat Gang\r\n(Mandiant) UNC3944 is a financially motivated threat cluster that has persistently\r\nused phone-based social engineering and SMS phishing campaigns (smishing) to\r\nobtain credentials to gain and escalate access to victim organizations. At least some\r\nUNC3944 threat actors appear to operate in underground communities, such as\r\nTelegram and underground forums, which they may leverage to acquire tools,\r\nservices, and/or other support to augment their operations. This activity overlaps\r\nwith activity that has been reported in open sources as '0ktapus,' 'Scatter Swine,' and\r\n'Scattered Spider.' Since 2022 and through early 2023, UNC3944 appeared to focus\r\non accessing credentials or systems used to enable SIM swapping attacks, likely in\r\nsupport of secondary criminal operations occurring outside of victim environments.\r\nHowever, in mid-2023, UNC3944 began to shift to deploying ransomware in victim\r\nenvironments, signaling an expansion in the group's monetization strategies. 
These\r\nchanges in their end goals signal that the industries targeted by UNC3944 will\r\ncontinue to expand; Mandiant has already directly observed their targeting broaden\r\nbeyond telecommunication and business process outsourcer (BPO) companies to a\nwide range of industries including hospitality, retail, media and entertainment, and\nfinancial services.\nAround July 2025, ShinyHunters teamed up or merged with Scattered Spider. They\nshare their Telegram channel also with Lapsus$, so they may all work together now\n– see the DataBreaches.net references in the Information section under\nShinyHunters.\nObserved Countries: Worldwide.\nTools used\nADRecon, AnyDesk, DCSync, FiveTran, FleetDeck, gosecretsdump, Govmomi,\nHekatomb, Impacket, LaZagne, LummaC2, Mimikatz, Ngrok, PingCastle,\nProcDump, PsExec, Pulseway, Pure Storage FlashArray, RedLine, Rsocx, RustDesk,\nScreenConnect, SharpHound, Socat, Spidey Bot, Splashtop, Stealc, TacticalRMM,\nTailscale, TightVNC, VIDAR, WinRAR, WsTunnel, Living off the Land.\nOperations performed\nAug 2023\n“Can you reset my password?” How a simple service desk attack cost\nClorox $400 million\nSep 2023\nMGM Resorts shuts down IT systems after cyberattack\nSep 2023\nCaesars Entertainment confirms ransom payment, customer data theft\nSep 2023\nHackers who breached casino giants MGM, Caesars also hit 3 other\nfirms, Okta says\nSep 2023\n‘Scattered Spider’ group launches ransomware attacks while\nexpanding targets in hospitality, retail\nSep 2023 Luxury Hotels Remain Major Target of Ongoing Social Engineering\nAttack\nJan 2024\nMuddled Libra’s Evolution to the Cloud\nOct 2024\nScattered Spider x RansomHub: A New Partnership\n2025\nScattered Spider: Still Hunting for Victims in 2025\nApr 2025\nMarks \u0026 Spencer breach linked to 
Scattered Spider ransomware\nattack\nApr 2025\nHarrods the next UK retailer targeted in a cyberattack\nApr 2025\nCo-op confirms data theft after DragonForce ransomware claims\nattack\nMay 2025\nHackers behind UK retail attacks now targeting US companies\nMay 2025\nLarge Retailers Land in Scattered Spider's Ransomware Web\nJun 2025\nHackers switch to targeting U.S. insurance companies\nJun 2025\nAflac discloses breach amidst Scattered Spider insurance attacks\nJun 2025\nScattered Spider hackers shift focus to aviation, transportation firms\nJun 2025\nWestJet investigates cyberattack disrupting internal systems\nJun 2025\nHawaiian Airlines discloses cyberattack, flights not affected\nJul 2025\nQantas discloses cyberattack amid Scattered Spider aviation breaches\nAug 2025\nScattered Spider has a new Telegram channel to list its attacks\nCounter operations\nJun 2024\nAlleged Boss of ‘Scattered Spider’ Hacking Group Arrested\nJul 2024\nWalsall teenager arrested in joint West Midlands Police and FBI\noperation\nNov 2024\nUS charges five linked to Scattered Spider cybercrime gang\nDec 2024\nUS arrests Scattered Spider suspect linked to telecom hacks\nJul 2025\nRetail cyber attacks: NCA arrest four for attacks on M\u0026S, Co-op and\nHarrods\nInformation\nPlaybook Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4a45e10c-1486-44d7-b3ba-2b2086cf2afb",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4a45e10c-1486-44d7-b3ba-2b2086cf2afb"
	],
	"report_names": [
		"showcard.cgi?u=4a45e10c-1486-44d7-b3ba-2b2086cf2afb"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434484,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b36540fdb30eb0726f78a2fa47944203fe38cc44.pdf",
		"text": "https://archive.orkl.eu/b36540fdb30eb0726f78a2fa47944203fe38cc44.txt",
		"img": "https://archive.orkl.eu/b36540fdb30eb0726f78a2fa47944203fe38cc44.jpg"
	}
}