{
	"id": "c912d5f5-0365-41ec-b782-8a0dc745b6fa",
	"created_at": "2026-04-06T00:11:23.250289Z",
	"updated_at": "2026-04-10T13:13:01.527605Z",
	"deleted_at": null,
	"sha1_hash": "c25e8e9fba0033136dddb0c4b54ef980b0922544",
	"title": "Blurring Lines Between Scattered Spider \u0026 Russian Cybercrime",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2062181,
	"plain_text": "Blurring Lines Between Scattered Spider \u0026 Russian Cybercrime\r\nBy Rob Wright\r\nPublished: 2025-05-22 · Archived: 2026-04-05 16:18:10 UTC\r\nRob Wright, Senior News Director, Dark Reading\r\nMay 22, 2025\r\n6 Min Read\r\nImage: Jonathan Kellerman, Alamy\r\nLaw enforcement actions in 2024 were supposed to disrupt Scattered Spider. Instead, the notorious cybercrime\r\ngroup re-emerged this year and is trending in a direction that has alarmed some infosec experts.\r\nThe arrests of several alleged members of Scattered Spider last year, including the group's supposed ringleader,\r\nmay have led to a temporary dip in malicious activity. But not only have Scattered Spider's high-profile attacks\r\ncontinued this year, the group has also seemingly shifted further into the Russian ransomware ecosystem.\r\nScattered Spider, also known as UNC3944 and Octo Tempest, first emerged in 2022 and is primarily composed of\r\nnative English-speaking individuals, many of whom are under the age of 25. That distinction set the group apart\r\nfrom other notorious cybercrime outfits, many of which are based in Eastern Europe and include Russian-speaking actors.\r\nhttps://www.darkreading.com/cyberattacks-data-breaches/blurring-lines-scattered-spider-russian-cybercrime\r\nPage 1 of 5\n\nIt also made Scattered Spider formidable, as members of the group displayed a knack for elaborate social\r\nengineering schemes such as SIM swapping and phishing or vishing attacks in which they pose as IT help desk staff.\r\nIn 2023, Scattered Spider achieved notoriety after two high-profile cyberattacks on Las Vegas casino giants MGM\r\nResorts and Caesars Entertainment.\r\nThe two attacks were notable not only because the group of \"Advanced Persistent Teenagers\" had graduated to\r\nfull-fledged ransomware attacks, using a variant offered by the ALPHV/BlackCat ransomware-as-a-service (RaaS)\r\ngroup. 
The attacks were also notable because, as Check Point Software's Cyberint noted in a recent report, the RaaS gang had\r\npreviously declared that it only works with Russian-speaking affiliates.\r\nScattered Spider was also tied to the formerly prolific but now-defunct RansomHub group. More recently, the\r\ncybercriminal collective delved even further into the ransomware ecosystem by partnering with the emerging\r\nDragonForce RaaS operation, which reportedly assumed control of RansomHub's operations.\r\nThe deepening ties with the Russian cybercrime scene have sparked concern among threat analysts and raised\r\nquestions about the composition of the group and the individuals who may be influencing it.\r\nScattered Spider Spins a New Web?\r\nThe recent cyberattacks on three UK retailers – Marks \u0026 Spencer, Harrods and Co-Op Group – served as a\r\nwakeup call for some when it comes to Scattered Spider. While DragonForce claimed responsibility for the\r\nattacks, some security researchers suspect Scattered Spider members were involved.\r\nCyberint's report noted that it is \"increasingly likely\" that members of the group were involved in early-stage\r\nintrusions of the UK retailers, and warned that Scattered Spider members are also targeting US retail\r\norganizations. 
\"Known for its cloud-first, identity-centric intrusion methods, Scattered Spider is emerging as a\r\nlikely access broker or collaborator within the DragonForce affiliate model,\" wrote Adi Bleih, security researcher,\r\nexternal risk management at Check Point Software Technologies.\r\nBleih tells Dark Reading that Scattered Spider has continued to align with Russian-speaking ransomware groups.\r\n\"This transition indicates an ongoing strategy of collaboration with Russian-speaking entities to leverage their\r\nransomware capabilities,\" he says.\r\nThe deeper collaboration with ransomware gangs, especially DragonForce, is concerning, according to Zach\r\nEdwards, senior threat researcher at Silent Push. Scattered Spider actors had previously used off-the-shelf\r\nmalware, such as the Vidar and Raccoon infostealers, that displayed some level of customization, he says.\r\nBut using such publicly available tools carries risk for threat actors: they may not perform as well as custom-built malware, and they can increase the chances of detection in high-profile intrusions. DragonForce, however,\r\noffers a customizable affiliate model with white-label ransomware kits that allow members to compile their own\r\nbinaries and take advantage of exclusive tools and infrastructure to support attacks.\r\nThis, Edwards says, shows Scattered Spider has shifted toward \"triple A\"-level tools and tactics this year, which\r\nmakes the group more dangerous.\r\n\"Now that they're partnering with a much more serious ransomware group and getting access to malware that's not\r\nfor sale publicly, that's exactly the evolution that a lot of us were hoping wouldn't happen,\" he says. 
\"But it really\r\nseems to be occurring.\"\r\nIt also raises questions about why major ransomware operations would choose to work with affiliate hackers who\r\nare native English speakers, especially in the wake of increased law enforcement actions.\r\nPotential Russian Influences Within Scattered Spider\r\nSecurity researchers have different theories about why secretive ransomware operators, which typically favor\r\nRussian-speaking individuals, would work closely with members of a loosely affiliated hacker group, which itself\r\nis part of a larger collective known as \"The Com\" that is made up of mostly younger US and UK citizens.\r\nBleih says the close collaboration with Russian-speaking ransomware groups raises three possibilities: they are\r\nstraightforward affiliate partnerships; the groups have some kind of shared operational infrastructure; or there's \"a\r\nblurring of boundaries between groups, possibly involving multilingual intermediaries.\"\r\n\"While their use of platforms like Telegram and Discord, along with fluent English during extortion\r\ncommunications, points to a primarily Western-based group, the nature of today's interconnected cybercriminal\r\necosystem — especially on dark web forums — allows threat actors to easily recruit collaborators who speak\r\nRussian or other languages as needed,\" Bleih says.\r\nEdwards says the mystery around Scattered Spider's ransomware alliances speaks to a bigger problem for the\r\ninfosec community – a lack of awareness about how Scattered Spider operates, whether it even functions as an\r\nactual group, and how it recruits new members. 
Existing members don't typically discuss operations or sensitive\r\nmatters on public Telegram chats like other cybercriminal groups, so visibility is limited.\r\nAdditionally, Edwards said that despite the arrests of alleged members in 2024, including accused ringleader Tyler\r\nBuchanan, other budding cybercriminals in the US and UK are seemingly eager to join Scattered Spider. But\r\nthe affiliate alliance with DragonForce suggests there may be other, older individuals within both Scattered Spider\r\nand The Com.\r\n\"The Com is mostly younger people, 13 to 25 years old, but there were always rumblings that there were older\r\npeople in their 30s and 40s who were the orchestrators,\" Edwards says. \"There are potentially older people within\r\nthis group who don't have Western ties, who are absolutely English-speaking individuals but have ties to the\r\nRussian cybercriminal underworld.\"\r\nIs Scattered Spider being influenced by Russian-speaking ransomware figures? Push Security researcher Dan\r\nGreen says it's an interesting question but one that's difficult to answer. Based on attack trends, he says, the group\r\nhas shown a consistent pattern of identity-based intrusions, specifically takeovers of highly privileged accounts on\r\nidentity platforms like Okta and Microsoft's Entra. 
These techniques have been used to great success, including\r\nthe casino attacks in 2023.\r\n\"I think that Scattered Spider has been influenced generally by the evolution in identity-based techniques we've\r\nseen in the past few years,\" Green says, adding that the successes of those techniques likely made a huge impact on the group and the\r\nlarger Com collective.\r\nBut he says the affiliation with DragonForce shows Scattered Spider is adaptable and \"willing to use anything at\r\ntheir disposal to achieve their goals,\" including Russian ransomware groups.\r\nOne thing that threat analysts appear to agree on about Scattered Spider is that the law enforcement actions had little\r\nto no effect. And they urge organizations to be vigilant not just about the group's trademark social engineering\r\ntactics, such as MFA bombing and attacker-in-the-middle phishing schemes, but also about newer techniques like the\r\nuse of dynamic DNS providers to generate spoofed domains of popular brands.\r\n\"They're trying new things,\" Edwards says, \"and they're just as aggressive as ever before.\"\r\nAbout the Author\r\nSenior News Director, Dark Reading\r\nRob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to\r\njoining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in\r\nvarious roles, including senior news director, executive editor and editorial director. 
Before that, he worked for\r\nseveral years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats\r\nand trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper\r\nreporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from\r\nthe University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives\r\nin the Boston area.\r\nSource: https://www.darkreading.com/cyberattacks-data-breaches/blurring-lines-scattered-spider-russian-cybercrime",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/cyberattacks-data-breaches/blurring-lines-scattered-spider-russian-cybercrime"
	],
	"report_names": [
		"blurring-lines-scattered-spider-russian-cybercrime"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434283,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c25e8e9fba0033136dddb0c4b54ef980b0922544.pdf",
		"text": "https://archive.orkl.eu/c25e8e9fba0033136dddb0c4b54ef980b0922544.txt",
		"img": "https://archive.orkl.eu/c25e8e9fba0033136dddb0c4b54ef980b0922544.jpg"
	}
}