{
	"id": "a220dca7-4d0c-4b60-9ada-b9751e0fecfa",
	"created_at": "2026-04-06T00:15:41.930304Z",
	"updated_at": "2026-04-10T03:36:22.961214Z",
	"deleted_at": null,
	"sha1_hash": "c3d3e3f53e2025dabce6e63eee7d26f9d2932f14",
	"title": "Scattered Spider: Still Hunting for Victims in 2025",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4500673,
	"plain_text": "Scattered Spider: Still Hunting for Victims in 2025\r\nBy Peggy Kelly\r\nPublished: 2025-04-08 · Archived: 2026-04-05 16:10:30 UTC\r\n2025 Key Findings\r\nSilent Push has determined the evolving threat Scattered Spider is still actively hunting for victims:\r\nServices targeted by Scattered Spider in 2025 include Klaviyo, HubSpot, and Pure Storage.\r\nBrands targeted in 2025 include Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart,\r\nLouis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos,\r\nTwitter/X, Tinder, T-Mobile, and Vodafone.\r\nSilent Push researchers are tracking five unique Scattered Spider phishing kits, which have been used since\r\nat least 2023. Some of these kits have seen several updates, alongside dozens of their code fingerprints and\r\ntechnical deployment decisions. Right now, it appears their legacy phishing kits are being deprecated.\r\nOur team is also sharing the discovery and analysis of a new version of Spectre RAT used by Scattered\r\nSpider. In our analysis section, we have included publicly available code for a Spectre RAT String Decoder\r\nand Command and Control (C2) Emulator to support defenders in their own analytical efforts.\r\nIn 2024, Scattered Spider acquired a domain (twitter-okta[.]com) previously owned by Twitter/X. 
This\r\ndomain was likely part of a previous brand protection effort, but it’s unclear if the domain will be used to\r\ntarget Twitter/X directly or users of the service.\r\nTable of Contents\r\n2025 Key Findings\r\nExecutive Summary\r\nAttend “The Evolving Web of Scattered Spider” Webinar: April 15, 2025\r\nScattered Spider Legacy TTPs \u0026 Behaviors\r\nSign Up for a Free Silent Push Community Edition Account\r\nBackground\r\nScattered Spider Brand Impersonation\r\nTwitter Abandoned a Domain, Scattered Spider Picked It Up\r\nTimeline of 2024 Arrests\r\nUnderstanding The Comm \u0026 Telecom Enemies Malicious Developers-As-A-Service \r\nNew Scattered Spider TTPs for 2025\r\n2025 Phishing Targeting Klaviyo\r\nEvilginx Cluster\r\nSpectre RAT String Emulator on GitHub\r\nScattered Spider Sample Indicators of Future Attack TM (IOFA) List\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 1 of 30\n\nExecutive Summary\r\nScattered Spider is a hacker collective that has been active since at least 2022. It is well-known for launching\r\nsophisticated social engineering attacks to obtain usernames, login credentials, and multi-factor authentication\r\n(MFA) tokens.\r\nSilent Push analysts have successfully identified Scattered Spider infrastructure, tactics, techniques, and\r\nprocedures (TTPs), and developed several methods for routinely and proactively identifying Indicators of Future\r\nAttackTM (IOFA™) that our customers can use against this threat. 
Changes to deployments and phishing kits in\r\nearly 2025, however, suggest Scattered Spider is turning the page on some past decisions.\r\nIn our tracking of Scattered Spider, our team recently observed two significant developments: The discovery of a\r\nnew version of Spectre RAT used by threat actors to gain persistent access to compromised systems and a\r\nboomerang in domain ownership between the threat actor and Twitter/X.\r\nOur team is continuing to track this evolving threat actor.\r\nAttend “The Evolving Web of Scattered Spider” Webinar: April 15, 2025\r\nJoin Silent Push for a special Scattered Spider webinar on April 15, 2025. We will host in three time zones to\r\nsupport global interest in the evolving threat actor group.\r\nLearn more and register now.\r\nScattered Spider Legacy TTPs \u0026 Behaviors\r\nSilent Push analysts review all opportunities to track a threat, from on-page content, server details, and\r\ndeployment processes to preferred technology solutions. Here are some of the legacy behaviors our team has\r\nobserved for Scattered Spider:\r\nMultiple variations of their phishing kits, each of which:\r\nAre visually identical\r\nUse very distinct source code\r\nReuse of dedicated servers\r\nBulk registration of domains within the same day or a few days, usually targeting a specific company or\r\nseveral companies in the same business sector.\r\nCreation of multiple domains targeting a specific company over distinct attack waves.\r\nLast Seen Preferred Registrar: NiceNIC\r\nLast Seen Preferred Hosts: Njalla, Virtuo, and Cloudflare\r\nHistorically Preferred Hosts \u0026 Registrars: Porkbun, Namecheap, Hostinger, Tucows, and Hosting\r\nConcepts\r\nPreferred ASNs: Cloudflare (AS13335), Choopa (AS20473), DigitalOcean (AS14061), Hostinger\r\n(AS47583), Akamai-Linode (AS63949), and Namecheap (AS22612)\r\nTargeting Sectors: Financial, Retail, Entertainment, Telecommunications, 
Cloud Storage Platforms, and\r\nSoftware Providers\r\nUse of Domain Keywords: “connect,” “corp,” “duo,” “help,” “he1p,” “helpdesk,” “helpnow,” “info,”\r\n“internal,” “mfa,” “my,” “okta,” “onelogin,” “schedule,” “service,” “servicedesk,” “servicenow,” “rci,”\r\n“rsa,” “sso,” “ssp,” “support,” “usa,” “vpn,” “work,” “dev,” “workspace,” “it,” and “ops.” For top-level\r\ndomains (TLDs): “com,” “co,” “us,” “net,” “org,” and “help.”\r\nRegister now for our free Community Edition to take advantage of all the tools and queries highlighted in this\r\nblog.\r\nBackground\r\nScattered Spider, also known as UNC3944, Star Fraud, Octo Tempest, Scatter Swine, or Muddled Libra, is a threat\r\nactor group associated with the larger hacking group known as “The Community,” “The Comm,” or “The\r\nCom.”\r\nOperating since the spring of 2022, Scattered Spider has been behind several significant ransomware and extortion\r\nefforts, targeting numerous major brands, mostly based in the U.S. Threat actors like Scattered Spider are known\r\nfor launching sophisticated social engineering attacks. After acquiring data and encrypting resources, they\r\nblackmail victim organizations into paying exorbitant ransoms.\r\nOver the past three years, Scattered Spider has been responsible for numerous security incidents, with the two\r\nmost notable being the Twilio breach in August 2022 and the MGM breach in September 2023.\r\nThe domain klv1.it[.]com was tied to Klaviyo based on its HTML title, but the subdomain name “klv1” isn’t\r\nterribly close to “Klaviyo” – making it harder to find with classic brand regex searches, especially those without\r\nforeknowledge of a given brand’s marketing campaigns. Scattered Spider is also using a Dynamic DNS vendor\r\n(it[.]com), so there are no domain registration fingerprints. 
Scattered Spider’s use of this domain\r\nfurther confirms the threat group does extensive research on targets.\r\nIn 2024, there were allegations that the threat actors who compromised Snowflake had connections to Scattered\r\nSpider. This was explained by Chris Morgan, a senior cyber-threat intelligence analyst at security firm ReliaQuest,\r\nto Wired, “…the threat actor’s profile picture is taken from an article referencing the threat group Scattered\r\nSpider, although it is unclear whether this is to make an intentional association with the threat group.” In 2025,\r\nSilent Push has also seen Scattered Spider targeting “Pure Storage,” a competitor to Snowflake, so it appears\r\ncloud storage solutions remain one of the group’s priority targets.\r\nAt least seven Scattered Spider members, including an alleged leader, were arrested in 2024. After five were\r\ncharged by U.S. prosecutors in November 2024, operations started to slow down. Details from the arrests, among\r\nother reports, confirm most members are young and based in the U.S., U.K., and Europe.\r\nChanges observed in 2025 point to new developers and/or new technical obfuscation decisions being made.\r\nOne of the most recent Scattered Spider domains, seen in February 2025, was klv1[.]it[.]com, a domain\r\nimpersonating a “Custom Link Shortener” used by Klaviyo (klv1[.]io), which was part of their SMS marketing\r\nfeatures.\r\nScattered Spider continues to use BitLaunch (bitlaunch[.]io), which provides instant launch servers from\r\nBitLaunch, DigitalOcean, Vultr, and Linode. Service includes hourly rental of servers paid for with crypto.\r\nSilent Push published our first public blog on Scattered Spider in December 2023. This was followed by a detailed\r\nreport for our enterprise customers in March 2024 and another significant recap report in March 2025. 
We’re\r\nmaking some of those details public now to support external tracking efforts.\r\nScattered Spider Brand Impersonation\r\nScattered Spider creates domains that impersonate a wide range of brands, both directly targeting major\r\norganizations and appearing to also target specific software vendors used by the targeted organizations.\r\nWhen analyzing the list of Scattered Spider domains and brands we detected, our research team found it\r\ninteresting that some brands, those we know have been directly targeted, didn’t have domains registered that\r\nexplicitly mentioned their brand names. Essentially, this means that just because a brand’s name wasn’t included\r\nin the corporate brand list, it doesn’t mean the brand is safe from being on Scattered Spider’s radar.\r\nHere is a comprehensive list of the corporate brand names we’ve seen Scattered Spider referencing in their\r\ndomains since 2023:\r\nAflac, Allstate, Ally Bank, Amica, Apple, AT\u0026T, Athene, Audemars Piguet, Ballet Crypto, BCB Group, Bell,\r\nBitcoin Suisse, Blockdaemon, Blockstream, Charter Communications, Chik-fil-A, Cincinnati Financial, Comcast\r\nCorporation, Core Scientific, Costco, Credit Karma, DoorDash, Fireblocks, Forbes, Gemini, Grayscale, H\u0026R\r\nBlock, Hanover Insurance, Harrow Health, Iliad, Instacart, Jackson Hewitt, Kemper, Louis Vuitton, Luno, Marsh,\r\nMercury, Morningstar, Mutual of Omaha, Nansen, NGRAVE, New York Digital Investment Group, New York\r\nLife Insurance, News Corporation, Nike, Orange, P.F. 
Chang’s, Paxos, PNC Bank, Revolut, RiteAid, 7-Eleven,\r\nSingtel, Stargate Industries, Synchrony Bank, Synovus, T-Mobile, Telstra, TIAA, Transamerica, Twitter/X,\r\nUScellular, Verizon, Vodafone, WINDTRE, and Xapo Bank.\r\nSome of the software brands we’ve seen referenced in Scattered Spider domains since 2023 may have also been\r\ndirectly targeted:\r\nAccenture, ActiveCampaign, Ada CX, Alchemy, Asurion, Bandwith, Bird CRM, Campaign Monitor, Concentrix,\r\nConstant Contact, Corporate Tools, CTS, eClerx, Expedia Group, FalconX, FICO, Five9, Foundever, Freshworks,\r\nGenesis Trading, Givebutter, GoDaddy, HubSpot, Incode, Intercom, iQor, Iterable, Jumio, Klaviyo, LinkedIn,\r\nMixpanel, Nuance Communications, Onfido, OnSolve, Podium, Pure Storage, Ripple, Roblox, Salesforce,\r\nShipbob, Sinch, Socure, SPOC, Squarespace, TaskUs, TriVista, Twilio, Ulta Beauty, Upland Software, Wix,\r\nWorkday, Ziff Davis, and 247[.]ai.\r\nTwitter Abandoned a Domain, Scattered Spider Picked It Up\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 4 of 30\n\nOne of the queries we used to track Scattered Spider detected a domain on October 6, 2024, that looked similar to\r\npast campaigns: twitter-okta[.]com\r\nWhen investigating the domain, we noticed the WHOIS records had changed three times in three years. 
It’s\r\npossible that Scattered Spider owned the domain, Twitter/X legal took it over and stopped re-registering it, and\r\nthen Scattered Spider picked it back up.\r\nThe domain was registered on Porkbun in June 2022, around the time Scattered Spider first started its activity.\r\nScattered Spider has used Porkbun in the past in other confirmed infrastructure.\r\nBy August 2022, Twitter had taken control of the domain, and WHOIS details noted they were working with the\r\nbrand protection vendor CSC (Corporation Service Company) (corporatedomains[.]com).\r\nThe domain was then registered on NiceNIC, Scattered Spider’s current registrar of choice, on October 6, 2024.\r\nThe same day, we picked it up with a fingerprint we used to track one of Scattered Spider’s phishing kits (detailed\r\nlater). This October 2024 fingerprint confirmed that Scattered Spider currently controls this domain and\r\npotentially owned it in 2022.\r\nTimeline of 2024 Arrests\r\nJanuary 2024: Member Noah Michael Urban, aka “Sosa,” “King Bob,” and “Elijah,” arrested in Florida\r\nfor stealing approximately $800,000 in cryptocurrency (Krebs on Security).\r\nJune 2024: Alleged leader Tyler Buchanan, aka “TylerB,” arrested in Spain with $27 million in Bitcoin\r\n(Krebs on Security).\r\nJuly 2024: U.K. law enforcement in West Midlands arrested a 17-year-old connected to Scattered Spider\r\n(West Midlands Police).\r\nNovember 2024: Five Scattered Spider members charged by U.S. 
prosecutors – (including “King Bob”\r\nand “TylerB”); defendants were Tyler Buchanan, 22, of Scotland; Ahmed Elbadawy, 23, of College Station,\r\nTX; Joel Evans, 25, of Jacksonville, NC; Evans Osiebo, 20, of Dallas, TX; and Noah Urban, 20, of Palm\r\nCoast, FL, (Reuters).\r\nDecember 2024: Member Remington Goy Ogletree, a 19-year-old from Fort Worth, TX, was arrested after\r\nthe FBI convinced him to engage in a fake cryptocurrency laundering operation called “Cash Service”\r\n(Dark Reading).\r\nScattered Spider and CryptoChameleon are both part of “The Comm,” and each has been involved in multiple,\r\nhigh-profile attacks. \r\nThroughout 2024, Silent Push Threat Analysts received private briefings and sensitive details from our research\r\nsharing partners about The Comm, and industry reports were able to make public that they use a “Developer-as-a-Service” (DaaS) group called “Telecom Enemies” aka “Telecom Clowns” that are building tools used by The\r\nComm. \r\nTelecom Enemies develop tools, including the “Gorilla Call Bot,” which is used for voice phishing campaigns and\r\nabuse of Google Voice. They also develop “Suite’s (All in One) AIO,” a tool for creating phishing pages. The AIO\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 5 of 30\n\nproduct includes phishing templates for Coinbase, Gemini, Kraken, Binance, Robinhood, OKX, Trezor, Ledger,\r\nExodus, MetaMask, Trust Wallet, Bitwarden, LastPass, Yahoo!, AOL, Microsoft/MSN, Gmail, and iCloud. \r\nThese services have been targeted by both Scattered Spider and CryptoChameleon. \r\nOur team believes the AIO product is one of the strongest connections between Scattered Spider and\r\nCryptoChameleon. This further highlights that many members of The Comm are “script kiddies” who use\r\ncomplex attack methods but often do not code projects directly themselves. \r\nScattered Spider updated its phishing kits at least four times through 2024. 
The latest version, Phishing Kit #5,\r\nwas seen in 2025 and had additional content changes. It was hosted on Cloudflare.\r\nOver the last year, we have seen relatively significant changes in their deployment decisions and phishing kits.\r\nThere has been a shift in preferred hosting providers, the underlying code of the phishing kits has changed, and\r\nseveral other changes have enabled our team to develop strong fingerprints against them, which, for operational\r\nsecurity reasons, have been omitted from this blog.\r\nOne point we can include, however, is that we saw our first dynamic DNS/rented subdomain used by Scattered\r\nSpider this year, which further speaks to their evolving TTPs.\r\nSilent Push enterprise customers have access to a bulk data feed that tracks dynamic DNS providers along with\r\nother third-party services that facilitate subdomain leasing.\r\n2025 Phishing Targeting Klaviyo\r\nOn February 6, 2025, one of our Scattered Spider fingerprints picked up a new host: klv1.it[.]com\r\nOur Scattered Spider fingerprint picked up a new host: klv1.it[.]com\r\nThis Scattered Spider host is registered on a subdomain of it[.]com – a domain and service that allows public\r\nsubdomain registrations.\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 6 of 30\n\nThe Scattered Spider host was registered on a subdomain of it[.]com\r\nThe new usage of a publicly rentable subdomain may create tracking challenges for some organizations.\r\nIt can be seen with the klv1[.]it[.]com host, which had only five detections in VirusTotal as of this writing:\r\nVirusTotal results for klv1[.]it[.]com\r\nOne domain (corp-asurion[.]com), from December 2024, followed more of their normal patterns with 11\r\ndetections, including Google’s safe browsing:\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 7 of 30\n\nVirusTotal results for corp-asurion[.]com\r\nIf Scattered Spider keeps using dynamic DNS vendors (organizations that provide publicly 
rentable subdomains),\r\nit will be important for all targeted organizations to alert or block requests for the associated domains and all\r\nrelated DNS vendor subdomains.\r\nNew 2025 Scattered Spider Phishing Kit: #5\r\nOur team regularly monitors our own data but also external conversations and data sources to ensure we\r\ninvestigate potential leads, especially for threats like Scattered Spider. Using this hybrid approach, our analysts\r\nwere able to create fingerprints to track the four unique phishing kits used from 2023 to 2025.\r\nOn January 23, 2025, threat intel researcher Lontz published details about new potential Scattered Spider\r\ninfrastructure, which led to the establishment of a fingerprint for Phishing Kit #5.\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 8 of 30\n\nObservation from @lontze7 Scattered Spider research @\r\nhttps://x[.]com/lontze7/status/1882367142823367121\r\nThe shared template had different brands integrated into the same website, which almost appeared to be a\r\ndevelopment mistake. 
The example shared, okta-louisvuitton[.]com, can be seen with content targeting T-Mobile,\r\nTinder, and Nike.\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 9 of 30\n\nAnother observation from @lontze7 Scattered Spider research @\r\nhttps://x[.]com/lontze7/status/1882367142823367121\r\n@lontze7 Scattered Spider research @ x[.]com/lontze7/status/1882367142823367121\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 10 of 30\n\n@lontze7 Scattered Spider research @ x[.]com/lontze7/status/1882367142823367121\r\nLontz wrote that the phishing pages trigger with the following path:\r\n“https://[domain].[TLD]/index?id=[base64 string=]”\r\nOur team replicated the research to confirm that the same phishing kit could be triggered on domains like\r\nMorningstar-okta[.]com, as shown below.\r\nMorningstar-okta[.]com\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 11 of 30\n\nPivoting from fingerprints developed during our research, which we shared in our private enterprise client report,\r\nwe found additional sites being targeted. A sample list of them includes the following:\r\ncorp-hubspot[.]com – HubSpot\r\nmorningstar-okta[.]com – Morningstar\r\npure-okta[.]com – Pure Storage\r\nsignin-nydig[.]com – New York Digital Investment Group\r\nsso-instacart[.]com – Instacart\r\nsts-vodafone[.]com – Vodafone\r\nLegacy Phishing Kits and Analysis of Evolving TTPs\r\nThe details below this point cover four other legacy Scattered Spider phishing kits that we tracked previously. 
We\r\nwill highlight the group’s consistent decisions and unique infrastructure, which don’t particularly align with past\r\nattacks.\r\nKit #1 – Okta Impersonation Modified to Match Target Information\r\nIn September 2023, we picked up a new Scattered Spider phishing kit that impersonated Okta login pages for\r\ntargeted organizations.\r\nThe phishing pages had the HTML title “Sign In” and were always hosted on short-lived domains that included\r\nspecific keywords such as “okta,” “sso,” “help,” “hr,” “corp,” “my,” “internal,” “sso,” or “vpn,” among others.\r\nAfter registering these domains, usually a couple per day, with multiple typo-squats of a particular organization or\r\norganizations that operate in the same business sector, the Scattered Spider operators immediately acquired an\r\nSSL certificate for them and rapidly hosted the phishing content.\r\nThe phishing pages were up for 5 to 30 minutes after a domain was registered, but never for more than a couple of\r\nhours. The domains were usually abandoned after that, being parked or taken down by the registrars.\r\nWe’ve seen some legacy infrastructure maintain MX records or other DNS records, but content typically was only\r\nhosted briefly and then removed, never to return.\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 12 of 30\n\nPhishing page example from asurion-idp[.]com\r\nThe web pages crafted from this phishing kit mimicked the targeted organization’s Okta portal by displaying its\r\nlogo and organization name and having a “Powered by Okta” footer.\r\nAfter a visitor successfully submitted their credentials, a PHP script named “f⬛ckyou[.]php” was executed to\r\nprocess the exfiltrated data further. 
The use of obscene language like this aligns with other Scattered Spider\r\nefforts.*\r\n*Note: For community users following along with the query below, please note that we have replaced the “u”\r\nwith a “⬛” in the above script name.\r\nPhishing Kit #1 Activity\r\nFirst seen: September 2023\r\nLast seen: Feb 2025\r\nDespite some hiatus in activity in 2024, this phishing kit was consistently in use until February 2025.\r\nWhen we compare any of the domains we are tracking with details available on VirusTotal, it becomes clear there\r\nare some inconsistencies in what is being used to track their infrastructure, as seen below:\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 13 of 30\n\nScattered Spider Phishing Kit #1\r\nDomain\r\nNumber of VirusTotal Detections (March\r\n2025)\r\nsytemstern[.]net 0\r\nxn--gryscale-ox0d[.]com 5\r\niyft[.]net 10\r\nbbtplus[.]com 10\r\nsquarespacehr[.]com 10\r\nmytsl[.]net 11\r\ngemini-sso[.]com 12\r\nprntsrc[.]net 14\r\nKit #2 – Kit #1 Variation, Simple Layout\r\nThe web pages hosted with Phishing Kit #2 appeared less polished than the ones crafted from Phishing Kit #1.\r\nThese displayed a simple form and did not mention Okta anywhere on the page.\r\nFoundever phishing page (corp-foundever[.]net)\r\nNearly all of the domains hosting Phishing Kit #2 used dashes (“-”) in their domains, along with brand names and\r\nsome generic keywords.\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 14 of 30\n\nPhishing Kit #2 domain names typically matched patterns similar to those seen here:\r\nfreshworks-hr[.]com\r\nklaviyo-hr[.]com\r\nlogin.freshworks-hr[.]com\r\nlogin.hr-intercom[.]com\r\nPhishing Kit #2 Activity\r\nFirst seen: February 2024\r\nLast seen: October 2024\r\nThis phishing kit was consistently used between February 2024 and June 2024, after which it went back to a\r\nlengthy period of inactivity, despite a sporadic hit in August and October 2024.\r\nWHOIS and PADNS information of the domains 
showed that, contrary to the domains seen in Phishing Kit #1,\r\nmany had multiple subdomains, with account, corporate, and login being the most popular.\r\nThe majority of the domains were registered on Hosting Concepts and used its default name servers, whereas a\r\ncouple were registered on NiceNIC and used “*.1984.is” name servers. All domains were served from IP\r\naddresses owned by Vultr, BitLaunch, or DigitalOcean.\r\nSome of the subdomains were seen redirecting to “Rick Roll” videos on YouTube. The Rick Roll video redirect is\r\na feature of Evilginx (https://github[.]com/kgretzky/evilginx2), a “man-in-the-middle attack framework used for\r\nphishing login credentials.”\r\nKits #1 and #2 – ASN Breakdown\r\nOver the last year, 79 unique domains that matched Phishing Kits #1 or #2 were hosted on 49 dedicated IP\r\naddresses across 3 different ASNs.\r\nASN AS Name Percentage\r\n14061 DIGITALOCEAN-ASN, US 37\r\n20473 AS-CHOOPA, US 43\r\n399629 BLNWX, US 20\r\nThe community has extensively covered news of Scattered Spider acquiring some of these servers through\r\nBitLaunch (bitlaunch[.]io), a company that provides hourly hosting plans, paid in crypto, with servers on\r\nDigitalOcean, Vultr, and Linode.\r\nPhishing Kits #1 and #2 – IP Pivoting\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 15 of 30\n\nPivoting on the dedicated IP addresses found hosting any of the Scattered Spider domains picked up with our\r\nprevious pivots returned a couple of dozen new indicators hosted within the same timeframe.\r\nThese domains mostly followed legacy domain patterns to include a dash (“-”) in the URL, along with a brand and\r\ngeneric keyword:\r\nactivecampiagn[.]net\r\nacwa-apple[.]com\r\nbirdsso[.]com\r\nokta-ziffdavis[.]com\r\npfchangs-support[.]com\r\nx-sso[.]com\r\nKit #3 – “Powered by Okta” Phishing Pages\r\nThe web pages crafted from the third phishing kit mimicked the targeted organization’s Okta dashboard by\r\ndisplaying its logo and 
organization name, as well as a “Powered by Okta” header and footer.\r\nThe kit was first seen in early 2024, but it has also been seen recently—one such domain was launched on\r\nFebruary 3, 2025 (paxos-my-salesforce[.]com), targeting the Paxos blockchain.\r\nPhishing Kit #3 looks like this:\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 16 of 30\n\nPhishing Kit #3 example (okta-onsolve[.]com)\r\nPhishing Kit #3 domains featured a dash (“-”) in the URL, and almost all contain the word “okta” along with a\r\nbrand name. Examples include:\r\nokta-onsolve[.]com\r\nokta-ripple[.]com\r\ndashboard-iterable[.]com\r\npaxos-my-salesforce[.]com\r\nOne fingerprint tracking this phishing kit has had notably consistent hits from February 2024 to May 2024, then\r\nonly a single hit in September 2024, and once again in February 2025.\r\nContrary to the domains from the clusters that matched Kits #1 and #2, which hosted phishing pages almost\r\nimmediately after creation, we found the domains from this group might take hours, days, or even weeks to host\r\nthe actual phishing page.\r\nPhishing Kit #3 started matching hits again in June 2024 and continued until August 2024. 
After another pause, it\r\nwas seen again in early October 2024 and has not been seen since.\r\nKit #3 – Legacy IP Address\r\nAnalyzing historical DNS records from one of the IP addresses (149.28.110[.]16) that hosted Phishing Kit #3\r\n(onsolve-okta[.]com) revealed that it also hosted a domain used in the initial 2022 attacks: tmobile-okta[.]com.\r\nResults of reverse A lookup on 149.28.110[.]16\r\nEvilginx Cluster\r\nAcross the first three phishing kits, we regularly saw redirects to the YouTube video for Rick Astley, aka the “Rick\r\nRoll meme.” Our analysts are also aware that Evilginx (https://github[.]com/kgretzky/evilginx2), the previously\r\nmentioned “Standalone man-in-the-middle attack framework,“ features this type of redirect as an option for hiding\r\nmalicious payloads.\r\nSome Scattered Spider domains seen hosting this software include:\r\ncorp-azure[.]com\r\ncorporatetools-okta[.]com\r\nhr-myccmortgage[.]com\r\nhr-synovus[.]com\r\nLooking over the full list, our team noticed the domains found matched previously seen patterns:\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 17 of 30\n\nDomains were registered on Hosting Concepts, GoDaddy, and NiceNIC.\r\nThey were hosted on Virtuo, DigitalOcean, and Choopa.\r\nWe then pivoted into dedicated IP ranges that hosted these and found several new domains matching similar\r\npatterns during the same timeframe.\r\nDomains found from dedicated IP pivots:\r\n7-eleven-hr[.]com\r\nbell-hr[.]com\r\ncts-comcast[.]com\r\ndoordash-support[.]com\r\nNote: The domains were registered on NameSilo, NiceNIC, and Hosting Concepts.\r\nKit #4 – Minor Change from Kit #3\r\nWhen reviewing some of the phishing pages captured via previous phishing kits, we noticed some domains\r\nserving a kit that looked visually identical to Phishing Kit #3, mimicking the targeted organization’s Okta\r\ndashboard by displaying the logo, organization name, and having a “Powered by Okta” header and footer.\r\nThe only subtle 
difference we observed was within some of the code—minor tweaks, but largely the same as Kit\r\n#3.\r\ndocusign-okta[.]com\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 18 of 30\n\nThis slight variation on Kit #3, which we classified as Kit #4, was one of the more recent kits seen in the wild.\r\nFirst seen: September 2024\r\nLast seen: February 2025\r\nSample of new domains found:\r\ncommonspiritcorp-okta[.]com\r\ncitrix-okta[.]com\r\nconsensys-okta[.]com\r\ntwitter-okta[.]com\r\nitbit-okta[.]com\r\nWe saw that the new domains were served from Njalla VPS servers, AS39287 (ABSTRACT, FI), a new AS for\r\nthis threat group.\r\nHowever, by analyzing historical DNS records of the domains, we saw that itbit-okta[.]com had been hosted on a\r\nVultr IP address, AS20473 (AS-CHOOPA), which aligns with historical Scattered Spider activities.\r\n66.42.117[.]61\r\n2024-2025 Hosting Providers Timeline\r\nAnalyzing the ASNs of IP addresses collected in 2024, we saw that Scattered Spider consistently used IPs from\r\nDigitalOcean, Vultr, and BitLaunch. Recalling that BitLaunch (bitlaunch[.]io) provided anonymous VPS on\r\nBitLaunch servers, DigitalOcean, and Vultr, it’s likely that Scattered Spider operators are renting significant\r\nnumbers of servers on this service. Our analysts believe, based on our research, that this has been the group’s\r\nservice of choice for a long time, as previous articles from organizations like Okta have confirmed separately as\r\nwell.\r\nHowever, since the second quarter of 2024, Scattered Spider started renting dedicated servers on other BPH hosts,\r\nincluding “privacy-focused” hosting providers such as Virtuo and Njalla. 
In January 2025, our researchers picked\r\nup a campaign using Cloudflare, which is new for Scattered Spider.\r\nASN Hosting Provider First Seen\r\nAS47583 (AS-HOSTINGER,\r\nCY)\r\nHostinger\r\nSeptember\r\n2023\r\nAS20473 (AS-CHOOPA, US) Vultr (Constant)\r\nSeptember\r\n2023\r\nAS399629 (BLNWX, US) BitLaunch (BL Networks) March 2024\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 19 of 30\n\nAS14061 (DIGITALOCEAN-ASN, US)\r\nDigitalOcean April 2024\r\nAS214943 (RAILNET, US)\r\nUnknown (theodexer@gmail[.]com,\r\nrailnet@gmail[.]com)\r\nApril 2024\r\nAS57043 (HOSTKEY-AS, NL) HostKey June 2024\r\nAS42624 (SIMPLECARRIER,\r\nUS)\r\nGlobalData Cloud (globaldata-cloud[.]com)\r\nJuly 2024\r\nAS399486(VIRTUO, CA) Virtuo Host (BPH) August 2024\r\nAS39287 (ABSTRACT, FI) Njalla October 2024\r\nAS13335 (Cloudflare, Inc) Cloudflare January 2025\r\nAS39287 (ABSTRACT, FI) Njalla\r\nFebruary\r\n2025\r\nCurrent Scattered Spider Infrastructure Preferences\r\nRegistrar: NiceNIC\r\nUsed since the second quarter of 2024\r\nMany of the domains registered after 2024 were created through this service\r\nHosting Provider: Njalla, Virtuo, Cloudflare\r\nVirtuo was last used in October 2024\r\nNjalla was last used in November 2024\r\nMalware Delivery Cluster\r\nScattered Spider registered domains featuring the same keywords in waves – essentially using specific generic\r\nkeywords to target multiple brands.\r\nWe saw that a subset of the high-confidence potential domains was registered consecutively in May 2024 and\r\ntargeted some niche brands that Scattered Spider had impersonated in previous attacks.\r\nAll of the domains followed the same name pattern: \u003ctargeted_company\u003e-cdn.com\r\nFirst seen: May 2024\r\nLast seen: May 2024\r\nSome of the domains seen include:\r\nbestbuy-cdn[.]com\r\nduelbits-cdn[.]com\r\nhttps://www.silentpush.com/blog/scattered-spider-2025/\r\nPage 20 of 30\n\ngucci-cdn[.]com\r\nsimpletexting-cdn[.]com\r\nThese domains were all registered on 
NiceNIC, which further points to a single registrant behind them.\r\nSilent Push Web Scanner records revealed that some of these domains exposed an open directory for a while. We accessed it, retrieved the malicious file and analyzed it; that analysis follows in the next section.\r\nOpen Directory on telnyx-cdn[.]com\r\nMalware Analysis Introduction\r\nAnalysis of the file referenced above showed that Scattered Spider is using an updated version of Spectre RAT.\r\nSpectre RAT is a remote access Trojan (RAT) that gives threat actors persistent access to compromised systems. Like many such tools, it provides data exfiltration, command execution and system reconnaissance. It is designed to be stealthy and flexible, which makes it attractive to sophisticated attackers.\r\nThe updated version used by this group combines several techniques, from string obfuscation to a sophisticated crypter. The malware was compiled in both 32-bit and 64-bit versions for x86 processors. It also adds a wide range of newly implemented C2 commands. Some commands and features are still being implemented or are only partially present, which suggests the malware is in a heavy development phase; we expect it to keep evolving through additional features and protections.\r\nThe malware starts by running a large table of initialization functions, the table walked by the MSVC runtime’s “_initterm” function.\r\nExample of the malware’s initialization functions\r\nSome of the functions in this table are empty stubs, further indicating that the malware is still under heavy development. Strings in the malware are also encoded with an XOR-based algorithm. 
The following\r\nIDA script helps in recovering the strings:\r\nSpectre RAT String Decoder Code on GitHub\r\nhttps://raw.githubusercontent.com/Silent-Push/Shared/refs/heads/main/specter_rat_string_decoder.py\r\nTo ensure only one instance runs, the malware creates a named mutex and exits if it already exists. Because this check runs before any other initialization, the same mutex could serve as a malware vaccine for Spectre RAT: creating it in advance keeps the sample from running, as seen here:\r\nA mutex was set up to prevent multiple instances of malware from running\r\nIf the mutex is not found, the malware initializes itself with the following actions:\r\nDecoding the hardcoded command and control servers in memory.\r\nSetting up the C2 URI.\r\nRetrieving user folder paths, the install path, the package name and the configuration file name.\r\nGathering system information (e.g., drives and processes).\r\nStaging third-party utilities used as living-off-the-land binaries (nircmdc.exe and 7-Zip) along with a downloader payload (aizk.exe).\r\nReading the 89CC88 configuration, the dynamic C2 configuration file.\r\nReading the 733949 configuration, which holds system information.\r\nThe hardcoded C2 server acts only as a bootstrap: it is contacted once to retrieve the list of dynamic C2 servers, which are saved in the 89CC88 configuration, and is never used again. The hardcoded address is embedded in the binary, encoded with Base64 combined with bitwise AND and XOR operations, seen below:\r\n00407DA6 |. 24 0A     |AND AL,0A\r\n00407DA8 |. 320429    |XOR AL,BYTE PTR DS:[ECX+EBP]\r\nInside the binary, the string data type is represented in a specific format, and many helper functions are provided to manage it.\r\nstruct CXXStringStruct\r\n{\r\n    char *ptr;                 // 0x00 pointer to the buffer (or inline bytes, see below)\r\n    int *UN1;\r\n    int UN2;\r\n    const int sizeHdr;         // 0x0a/0x0c size of the header\r\n    unsigned int length;       // 0x10 length of the buffer\r\n    unsigned int max_length;\r\n};\r\nA string may be stored inline instead of through a pointer, and a character array may also be supplied. The maximum inline size is 0x10 bytes, so a string shorter than 0x10 (16) characters is stored directly within the structure, as seen here:\r\nIf the string is shorter than 0x10 characters, it is stored within the structure\r\n“733949” file config\r\nDuring the malware’s initialization phase, a file named “733949” is created. This file stores system-related information, which is also sent to the command and control server upon request. It consists of a combination of Boolean and string values separated by ‘*’. 
Some of these values are hardcoded and remain unexplained in the\r\nbinary, yet another indication that the malware is still in development.\r\n0: trxu\r\n1: USER\r\n2: COMP_NAME\r\n3: OS Name\r\n4: true\r\n5: true\r\n6: false\r\n7: 0\r\n8: 0\r\n9: void\r\n10: void\r\n11: false (wait for the C2 to signal work; the main thread does not start unless the C2 gives a green signal)\r\nCommunication Protocol\r\nThe communication protocol is HTTP-based. Every request carries a wber URI parameter that selects the message type, sometimes with one additional parameter, and the C2 acknowledges as follows:\r\nwber | Parameters | Purpose | ACK response\r\n6 | – | Beacon packet | “txru”, or a failure\r\n5 | – | Ping back with no data | –\r\n35 | kiqa=\u003cfilename_base64\u003e | Download a resource from the C2 | “void” (supply a filename) or a Base64-encoded packet of data containing the file contents\r\n36 | lhpg= | Download a resource from the C2 (route 1, plugin) | –\r\n31 | – | GetXqls: BotnetID | None\r\n34 | lhpg=\u003cdebuglog\u003e | Send the debug log (encoded with the XOR algorithm plus Base64) | –\r\n3 | dpna=\u003csubcmd\u003e | Ping back to the C2 with a sub-command; dpna=5 means “uninstall complete” | –\r\n10 | jkux=\u003cavailable drives\u003e (POST data) | Send system information | –\r\n1 | – | Request a command from the C2 (DecodeRevData == 1) | –\r\nCommand List\r\nThe most interesting wber value to analyze is wber=1, the operational command from the C2 that instructs the bot to perform a task. We were able to reverse-engineer a variety of commands. Parameters are tokenized with the “|” character; sub-parameters within one field are separated with “*”.\r\nCMD 1 (parameter: Filename): download a file from the infected machine\r\nCMD 2 (parameter: Type*http payload): upload a file to the infected machine\r\nCMD 3 (parameter: FolderPath*filename): execute an executable on the infected machine; the folder path type ranges from 3 to 9 and selects a file path, e.g., type 3 is the Roaming folder\r\nCMD 5 (parameter: additional file to remove): uninstall the bot\r\nCMD 6 (parameter: wber3_trigger): toggle the wber3_trigger switch, which triggers a ping-back to the C2\r\nCMD 7 (no parameter): get infection info\r\nCMD 9 (parameter: process name): terminate a process\r\nCMD 10 (no parameter): send the list of all running processes\r\nCMD 12 (no parameter): send debug logs\r\nCMD 13 (parameter: C2Server): add an additional C2 server (written to the 89CC88 file by SaveAndWrite89CC88)\r\nCMD 14 (parameter: num*command): execute cmd.exe /c command\r\nCMD 15 (no parameter): retrieve monitor info plus recon info from psinfo.exe (installed applications, etc.)\r\nLeveraging all this information, we implemented a test C2 server for Spectre RAT to facilitate captive bot testing. This setup serves multiple purposes; the code is linked below:\r\nSimulation and Analysis: researchers can simulate real-world scenarios and observe how the malware responds to each operational command, deepening understanding of its functionality.\r\nOperational Takeover Utility: in the event of a successful takeover of Spectre RAT C2 infrastructure, the same mechanism can send commands to infected systems. For example, law enforcement agencies could use such a command channel to instruct the malware to uninstall itself from compromised devices.\r\nMitigation Strategy: this capability is a proactive mitigation, offering a controlled method to neutralize the threat while minimizing collateral damage.\r\nSpectre RAT C2 Emulator on GitHub\r\nhttps://raw.githubusercontent.com/Silent-Push/Shared/refs/heads/main/specter_rat_c2_emulator.py\r\nDebug Logging System\r\nThe malware incorporates a logging system that records all error and debug messages generated during its\r\nruntime. 
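The beacon and command exchange tabulated in the two sections above, modelled end to end as an added example that is neither Silent Push's emulator nor code from the malware: it parses the 733949 configuration, builds and tokenizes wber=1 command lines, answers each documented wber value the way the table describes, and runs a defender-side check over constructed proxy log lines. The C2 hostname c2.example, the file names, the log lines and the field names chosen for the unexplained config slots are assumptions made for the example; the XOR key for the debug log is not documented above, so the lhpg value is recorded as received rather than decoded.

```python
# Added example (not Silent Push code, not from the malware): a minimal model
# of the Spectre RAT HTTP protocol built only from the wber table, the wber=1
# command table and the 733949 layout above. Parameter names (wber, kiqa,
# lhpg, dpna, jkux), the '*' and '|' separators and the beacon ACK 'txru'
# come from the write-up; c2.example, file names and log lines are constructed.
import base64
from urllib.parse import parse_qs, urlsplit

BEACON_ACK = 'txru'
KNOWN_WBER = {'1', '3', '5', '6', '10', '31', '34', '35', '36'}
SUB_PARAMS = ('kiqa', 'lhpg', 'dpna', 'jkux')
# 733949 config: twelve '*'-separated fields in the order listed above.
# Names for the unexplained slots (flag4.., num7.., void9..) are assumptions.
CONFIG_FIELDS = ['magic', 'user', 'computer', 'os', 'flag4', 'flag5', 'flag6',
                 'num7', 'num8', 'void9', 'void10', 'wait_for_c2']
BOOL_FIELDS = ('flag4', 'flag5', 'flag6', 'wait_for_c2')


def parse_733949(blob):
    # Decode the boolean slots; keep the unexplained numeric slots as strings.
    parts = blob.split('*')
    if len(parts) != len(CONFIG_FIELDS):
        raise ValueError(f'expected {len(CONFIG_FIELDS)} fields, got {len(parts)}')
    cfg = dict(zip(CONFIG_FIELDS, parts))
    for key in BOOL_FIELDS:
        cfg[key] = cfg[key] == 'true'
    return cfg


def encode_command(cmd, *params):
    # C2 -> bot reply to wber=1: CMD number and parameters tokenized by '|'.
    return '|'.join([str(cmd), *params])


def parse_command(line):
    # Bot-side view: first token is the CMD number; fields such as num*command
    # (CMD 14) or FolderPath*filename (CMD 3) are split further on '*'.
    cmd, *params = line.split('|')
    return int(cmd), [p.split('*') for p in params]


class C2Emulator:
    # Answers bot requests as the wber table describes; everything seen is
    # appended to self.events so a captive bot session can be inspected.
    def __init__(self, files=None):
        self.files = files or {}   # filename -> bytes served for wber=35
        self.queue = []            # pending wber=1 command lines
        self.events = []           # (wber, detail) in arrival order

    def handle(self, url, body=''):
        query = parse_qs(urlsplit(url).query)

        def first(name):
            return query.get(name, [''])[0]

        wber = first('wber')
        if wber == '6':
            self.events.append((6, 'beacon'))
            return BEACON_ACK
        if wber == '5':
            self.events.append((5, 'ping'))
            return ''
        if wber == '1':
            self.events.append((1, 'command request'))
            return self.queue.pop(0) if self.queue else ''
        if wber == '35':
            # kiqa is the wanted filename in Base64 (parse_qs already undid
            # any percent-encoding the client applied to padding characters).
            name = base64.b64decode(first('kiqa')).decode('utf-8', 'replace')
            data = self.files.get(name)
            self.events.append((35, f'download {name}'))
            return base64.b64encode(data).decode() if data is not None else 'void'
        if wber == '34':
            # XOR + Base64 per the write-up; key undocumented, kept as received.
            self.events.append((34, 'debuglog ' + first('lhpg')))
            return ''
        if wber == '3':
            sub = first('dpna')
            self.events.append((3, 'uninstall complete' if sub == '5' else f'dpna={sub}'))
            return ''
        if wber == '10':
            drives = parse_qs(body).get('jkux', [''])[0]
            self.events.append((10, f'sysinfo drives={drives}'))
            return ''
        if wber in ('31', '36'):
            self.events.append((int(wber), 'botnet id' if wber == '31' else 'plugin route'))
            return ''
        self.events.append((wber, 'unhandled'))
        return ''


# Constructed proxy log lines: timestamp, client, method, URL.
SAMPLE_LOG = [
    '2025-02-01T10:00:01Z 10.0.0.5 GET http://c2.example/gate.php?wber=6',
    '2025-02-01T10:00:02Z 10.0.0.5 GET http://cdn.example/app.js?v=6',
    '2025-02-01T10:00:03Z 10.0.0.5 GET http://c2.example/gate.php?wber=34&lhpg=QUJD',
    '2025-02-01T10:00:04Z 10.0.0.6 GET http://shop.example/?dpna=1',
]


def spectre_request_hits(lines):
    # Defender-side check: flag URLs whose query carries wber with a documented
    # value, or wber together with any of the protocol sub-parameters.
    hits = []
    for line in lines:
        url = line.split()[-1]
        query = parse_qs(urlsplit(url).query)
        if 'wber' not in query:
            continue
        if query['wber'][0] in KNOWN_WBER or any(p in query for p in SUB_PARAMS):
            hits.append(url)
    return hits
```

The emulator answers only what the tables document and records anything else as unhandled rather than guessing a reply, which keeps a captive bot session honest about protocol gaps; the log check deliberately requires the wber parameter so that an unrelated dpna= or v=6 query string does not fire.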
The logging system serves multiple purposes:\r\nDiagnostic Data: it collects information on failures or unexpected behavior, which the malware can use to adapt its operations dynamically.\r\nOperational Stealth: by logging errors internally rather than displaying them, the malware minimizes external clues that might alert security tools or users.\r\nFeedback Loop: the logs give the malware a feedback mechanism for modifying its behavior or troubleshooting issues without external input.\r\nPost-Infection Analysis: this sample transmits the logs to the command and control server on request (CMD 12, sent via wber=34), giving the operators insight into its performance and into the infected system.\r\nSome of the error logs, with their error codes, include:\r\nError Code A | Error Code B | Description\r\n100 | 10010 | beacon command 6 invalid response\r\n100 | 10002 | install path after installation does not exist\r\nContinuing to Track Scattered Spider\r\nAs Scattered Spider continues to demonstrate its resilience in the global cyber threat landscape, Silent Push remains committed to equipping defenders with the intelligence they need to pre-emptively detect and counter this evolving threat.\r\nWe will continue to report on our work tracking Scattered Spider and share any new findings as our research progresses throughout 2025. 
If you or your organization have any leads related to this effort, particularly infrastructure being used by these threat actors, we would love to hear from you.\r\nMitigation\r\nSilent Push believes all Scattered Spider-related domains present some level of risk.\r\nOur analysts constructed Silent Push IOFA™ Feeds, which provide Indicators of Future Attack™ domains and IPs used by Scattered Spider.\r\nAlso, because Scattered Spider now uses “publicly rentable domains”, essentially Dynamic DNS providers that let anyone register a subdomain under a shared parent domain, tracking its future infrastructure has become slightly more complex.\r\nSilent Push Threat Analysts created a Bulk Data Feed of all the domains we track that rent out subdomains or provide Dynamic DNS services. We suggest alerting on connections to any subdomain of these domains and, for some organizations, blocking connections to them outright.\r\nSilent Push Indicators of Future Attack™ (IOFA™) Feeds and Bulk Data Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA™ Feed data into their security stack to inform their detection rules, or use it to pivot across attacker infrastructure in the Silent Push Console and Feed Analytics screen.\r\nRegister for Community Edition\r\nSilent Push Community Edition is a free threat-hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including Silent Push Web Scanner and Live Scan.\r\nClick here to sign up for a free account.\r\nScattered Spider Sample Indicators of Future Attack™ (IOFA™) List\r\nBelow is a sample IOFA™ list associated with Scattered Spider. 
Our full list is available for enterprise users.\r\nSilent Push Enterprise clients have access to domain and IP feeds containing all Scattered Spider infrastructure.\r\nScattered Spider Indicators of Future Attack™:\r\n7-eleven-hr[.]com\r\nactivecampiagn[.]net\r\nacwa-apple[.]com\r\nbbtplus[.]com\r\nbell-hr[.]com\r\nbestbuy-cdn[.]com\r\nbirdsso[.]com\r\ncitrix-okta[.]com\r\ncommonspiritcorp-okta[.]com\r\nconsensys-okta[.]com\r\ncorp-hubspot[.]com\r\ncts-comcast[.]com\r\ndoordash-support[.]com\r\nduelbits-cdn[.]com\r\nfreshworks-hr[.]com\r\ngemini-sso[.]com\r\ngucci-cdn[.]com\r\nitbit-okta[.]com\r\niyft[.]net\r\nklaviyo-hr[.]com\r\nlogin.freshworks-hr[.]com\r\nlogin.hr-intercom[.]com\r\nmorningstar-okta[.]com\r\nmytsl[.]net\r\nokta-ziffdavis[.]com\r\npfchangs-support[.]com\r\nprntsrc[.]net\r\npure-okta[.]com\r\nsignin-nydig[.]com\r\nsimpletexting-cdn[.]com\r\nsquarespacehr[.]com\r\nsytemstern[.]net\r\nsso-instacart[.]com\r\nsts-vodafone[.]com\r\ntwitter-okta[.]com\r\nxn--gryscale-ox0d[.]com\r\nx-sso[.]com\r\nSource: https://www.silentpush.com/blog/scattered-spider-2025/\r\nAnother observation from @lontze7 Scattered Spider research: https://x[.]com/lontze7/status/1882367142823367121",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.silentpush.com/blog/scattered-spider-2025/"
	],
	"report_names": [
		"scattered-spider-2025"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f87ef0bf-0574-492f-aebc-63e5953938e2",
			"created_at": "2024-11-23T02:00:04.116692Z",
			"updated_at": "2026-04-10T02:00:03.779803Z",
			"deleted_at": null,
			"main_name": "Gorilla",
			"aliases": [],
			"source_name": "MISPGALAXY:Gorilla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6355663f-1a27-4a08-879a-89bc3cf2cd63",
			"created_at": "2026-02-04T02:00:03.712015Z",
			"updated_at": "2026-04-10T02:00:03.953324Z",
			"deleted_at": null,
			"main_name": "CryptoChameleon",
			"aliases": [
				"UNC5356"
			],
			"source_name": "MISPGALAXY:CryptoChameleon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434541,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3d3e3f53e2025dabce6e63eee7d26f9d2932f14.pdf",
		"text": "https://archive.orkl.eu/c3d3e3f53e2025dabce6e63eee7d26f9d2932f14.txt",
		"img": "https://archive.orkl.eu/c3d3e3f53e2025dabce6e63eee7d26f9d2932f14.jpg"
	}
}