{
	"id": "bf34157f-0772-458a-9732-1d9f62f4d025",
	"created_at": "2026-04-06T00:19:58.906381Z",
	"updated_at": "2026-04-10T03:31:50.054759Z",
	"deleted_at": null,
	"sha1_hash": "b5cebbff0e465376bcb472c382d4319e2dbc74fd",
	"title": "Tracking Adversaries: Scattered Spider, the BlackCat affiliate",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 522813,
	"plain_text": "Tracking Adversaries: Scattered Spider, the BlackCat affiliate\r\nBy BushidoToken\r\nPublished: 2023-08-16 · Archived: 2026-04-05 21:03:29 UTC\r\nAfter tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often\r\nanymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting\r\ncybercriminal group, tracked under the moniker Scattered Spider by CrowdStrike or 0ktapus by Group-IB,\r\nteaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV), has caught my attention.\r\nBackground on Scattered Spider\r\nCrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023. These\r\nfinancially motivated English-speaking threat actors are known for their unique style of attacks, which usually all\r\nbegin the same way, either via an SMS phishing message to harvest credentials or via an old-school (yet still very\r\nhttps://blog.bushidotoken.net/2023/08/tracking-adversaries-scattered-spider.html\r\nPage 1 of 3\n\neffective) social engineering vishing call to get credentials or get the target to download malicious software and\r\nprovide access.\r\nOther tricks Scattered Spider is known for include multi-factor authentication (MFA) fatigue attacks, which\r\ninvolve spamming the authentication request notification to the target’s device until they accept (either by accident\r\nor out of annoyance), as well as SIM swapping, which involves tricking the target’s mobile carrier into providing\r\nSIM card access to the threat actor.\r\nScattered Spider’s tricks don’t end there though. They also use a variety of defense evasion techniques to bypass\r\nenterprise-level security, such as the bring-your-own-vulnerable-driver (BYOVD) exploit and Microsoft-signed\r\nmalicious drivers, as well as the use of a UEFI bootkit called BlackLotus that’s sold as off-the-shelf malware on\r\nthe cybercriminal underground. 
Plus, for command-and-control (C2) the group uses a whole host of legitimate\r\ncommercial remote monitoring and management (RMM) tools to manipulate target systems, often obtained through free\r\ntrials too.\r\nFor more background information on Scattered Spider, you can watch my BSides Cheltenham talk from June\r\n2023. The slides are also available on my GitHub.\r\nScattered Spider shifts to BlackCat ransomware attacks\r\nScattered Spider is tracked under several cryptonyms by different cybersecurity vendors: Group-IB calls them\r\n0ktapus, Mandiant tracks them as UNC3944, and Microsoft calls them Storm-0875. Until recently, the group has been\r\nknown primarily for data theft extortion without ransomware deployment.\r\nThe two best examples we have of an archetypal Scattered Spider intrusion have been against Riot Games in January\r\n2023 and Reddit in February 2023. The threat actors used the tricks described above, got into the networks of\r\nthese companies, and stole whatever they could in the hope of ransoming it back to them. It doesn’t seem though that\r\nthese were very successful intrusions, as neither Reddit nor Riot Games seems to have paid any amount of\r\nransom (as far as we know; that’s just what these companies stated themselves).\r\nWe now have several reasons to believe that Scattered Spider has joined the BlackCat (ALPHV) ransomware-as-a-service (RaaS) group as an affiliate. This is based on temporal, technical, and behavioural analysis.\r\nLinks available in public sources (OSINT) between Scattered Spider and BlackCat are as follows:\r\nFollowing the February 2023 Reddit breach, which shows several signs that Scattered Spider was responsible for it, the\r\nBlackCat data leak site posted Reddit as a victim in June 2023. 
The threat actor who wrote the leak post on\r\nthe BlackCat blog also stated that “Operators broke into Reddit on February 5, 2023, and took 80 gigabytes\r\n(zipped) of data.”\r\nIn May 2023, Trend Micro researchers revealed that a certain BlackCat affiliate used an identical\r\nMicrosoft-signed driver for defense evasion with the same file hash (MD5:\r\n909f3fc221acbe999483c87d9ead024a) that Mandiant has called POORTRY and has linked to UNC3944\r\n(Scattered Spider), among other threat actors.\r\nIn July 2023, the Canadian Centre for Cyber Security (CCCS) shared a comprehensive Ransomware Alert\r\non BlackCat (ALPHV) attacks against Canadian organisations. In this alert, the CCCS described some very\r\nfamiliar Scattered Spider tradecraft. This includes the use of SMS phishing for credential harvesting, single\r\nsign-on (SSO) themed domains, social engineering phone calls, MFA fatigue attacks, the delivery of\r\ncommercial RMM tools, the use of cloud file-sharing sites, and even the continued use of ExpressVPN for\r\nC2.\r\nIOCs from CrowdStrike’s blog in December 2022 also align with the CCCS’s alert. This includes\r\nthe appearance of the Fleetdeck[.]io and Level[.]io RMM tools in both.\r\nFurther, many of the same TTPs laid out in the Coinbase blog in February 2023 are also present in the\r\nCCCS advisory on BlackCat. This includes the use of SMS phishing, social engineering over the phone, an\r\nSSO-themed domain, and the use of RMM tools.\r\nIn summary, the technical, behavioural, and temporal overlaps between Scattered Spider and this latest BlackCat\r\naffiliate campaign are abundant. 
I suspect that, due to the hit-and-miss nature of Scattered Spider’s campaigns up to\r\nearly 2023, the group has decided to change tactics and join the Russian-speaking cybercriminal community of\r\nransomware operators.\r\nSource: https://blog.bushidotoken.net/2023/08/tracking-adversaries-scattered-spider.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.bushidotoken.net/2023/08/tracking-adversaries-scattered-spider.html"
	],
	"report_names": [
		"tracking-adversaries-scattered-spider.html"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434798,
	"ts_updated_at": 1775791910,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5cebbff0e465376bcb472c382d4319e2dbc74fd.pdf",
		"text": "https://archive.orkl.eu/b5cebbff0e465376bcb472c382d4319e2dbc74fd.txt",
		"img": "https://archive.orkl.eu/b5cebbff0e465376bcb472c382d4319e2dbc74fd.jpg"
	}
}