{
	"id": "9d85faef-8f5d-41b0-8c73-444189abb4de",
	"created_at": "2026-04-06T00:17:54.013419Z",
	"updated_at": "2026-04-10T13:11:34.198195Z",
	"deleted_at": null,
	"sha1_hash": "b818769367968b7a26a16612fe7133e70fa7b7c7",
	"title": "Large Retailers Land in Scattered Spider's Ransomware Web",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2338136,
	"plain_text": "Large Retailers Land in Scattered Spider's Ransomware Web\r\nBy Becky Bracken\r\nPublished: 2025-05-20 · Archived: 2026-04-05 18:39:44 UTC\r\nLarge retailers across the UK and US experiencing a high volume of calls into IT help desks regarding password resets might want to consider that they have a Scattered Spider cyberattack on their hands.\r\nFancy French fashion house Dior has joined the growing list of retailers falling victim to cyberattacks in recent weeks. The hack comes on the stilettos of previous breaches of Harrods, the Co-Op Group, and Marks \u0026 Spencer. Dior was compromised on May 7, and the attackers made off with the sensitive data of an undisclosed number of customers across China and South Korea.\r\nThe group broadly assumed to be behind the recent spate of cyberattacks is a loosey-goosey affiliation of English-speaking cybercriminals called Scattered Spider, also tracked as UNC3944. Known for brazenly calling up and scamming IT help desks into handing over credentials, this threat actor collective has racked up big hacks, most notably Las Vegas casinos MGM Resorts and Caesars Entertainment in 2023.\r\nAlleged members of the Scattered Spider group have been arrested, but that doesn't appear to have dampened the group's cybercrime ambitions.\r\nhttps://www.darkreading.com/threat-intelligence/large-retailers-scattered-spider-ransomware-web\r\nPage 1 of 3\n\nNow it's 2025, and retail has become the sector of the moment for Scattered Spider. The group also swapped out its ransomware-as-a-service (RaaS) operation, trading in ALPHV/BlackCat for DragonForce. Members of the DragonForce RaaS group claimed responsibility for the attacks on Marks \u0026 Spencer, Harrods, and the Co-Op Group, though it's unclear what role Scattered Spider actors may have played.\r\nResearchers following the group have warned that suspected Scattered Spider adversaries have made a distinctive pivot from the UK to US retailers, based on recently observed malicious activity. On May 14, Google Threat Intelligence Group chief analyst John Hultquist raised eyebrows by posting a link on X to Google Mandiant threat intel on Scattered Spider, along with the ominous caption, \"Shields up US retailers. They're here.\"\r\nRetail Is Just the Latest Scattered Spider Target\r\nIt's not so much the retailer data the group is after; it's notoriety along with a payday, Hultquist explains. And the group can also be wily and unpredictable.\r\n\"This actor has a history of focusing their efforts on a single sector at a time, but we've also seen them abandoning an operation in the middle of an intrusion and switching their focus to a different victim in a completely unrelated industry,\" Hultquist says. \"A part of what they want to do is to gain clout, and that can come from targeting any industry.\"\r\nBrands like Dior and Harrods are also household names, maximizing their media impact as well, says Tim Rawlins, senior advisor and director at NCC Group. Experts also point out that retailers have historically operated with an underprotected software supply chain.\r\n\"The breaches we're seeing today often come from weaknesses that have been there for years,\" Dray Agha, operations manager with Huntress, says. \"What's new is that attackers are now seemingly going after them more deliberately. These aren't random hits anymore; cybercriminals are picking targets they know are vulnerable and profitable.\"\r\nHuntress has also observed the Scattered Spider attackers — who, it adds, are purely financially motivated — using phishing and credential abuse to either deploy ransomware or steal data, Agha notes.\r\nOrganizations can't predict when or if they will be the next Scattered Spider victim, so they need to take proactive measures to counter social engineering. This includes verifying callers, taking password resets out of the IT help desk, and using tools like Microsoft Entra self-service password reset (SSPR), which requires both multifactor verification and a secret passphrase for authentication, according to Rawlins. He also suggests using Slack or Teams to confirm a password reset.\r\n\"The good news is there are typically multiple opportunities to detect and/or deter this threat actor,\" Hultquist adds. \"Currently, this threat actor is mostly calling help desks to reset passwords, so organizations should inform their users to reject unexpected MFA prompts, but also report that activity immediately.\"\r\nAbout the Author\r\nSenior Editor, Dark Reading\r\nBecky Bracken is a senior editor with Dark Reading who brings decades of journalism experience across radio, print, online and video channels. Becky lends her particular voice and cybersecurity expertise to the Dark Reading Confidential podcast as the host and producer, and moderates the Dark Reading editorial webinars. In addition, she oversees the site's Commentary section, hosts Dark Reading's Black Hat News Desk, and contributes regularly as a writer and reporter. Prior to joining Dark Reading, Becky covered cybersecurity and hosted webinars for Threatpost. Other national media outlets she has contributed to include PBS, SheKnows, Complex, and more.\r\nSource: https://www.darkreading.com/threat-intelligence/large-retailers-scattered-spider-ransomware-web",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/threat-intelligence/large-retailers-scattered-spider-ransomware-web"
	],
	"report_names": [
		"large-retailers-scattered-spider-ransomware-web"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest",
				"Roasted 0ktapus",
				"Scatter Swine",
				"Scattered Spider",
				"UNC3944"
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63883709-27b5-4b65-9aac-c782780fbb28",
			"created_at": "2026-04-10T02:00:03.996704Z",
			"updated_at": "2026-04-10T02:00:03.996704Z",
			"deleted_at": null,
			"main_name": "TeamPCP",
			"aliases": [],
			"source_name": "MISPGALAXY:TeamPCP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434674,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b818769367968b7a26a16612fe7133e70fa7b7c7.pdf",
		"text": "https://archive.orkl.eu/b818769367968b7a26a16612fe7133e70fa7b7c7.txt",
		"img": "https://archive.orkl.eu/b818769367968b7a26a16612fe7133e70fa7b7c7.jpg"
	}
}