{
	"id": "13a80afb-2e08-402a-a720-dbb8d589d00f",
	"created_at": "2026-04-06T00:15:25.053022Z",
	"updated_at": "2026-04-10T03:31:49.990588Z",
	"deleted_at": null,
	"sha1_hash": "c7b2bd34707b0c5265524f0c290ae28bc0c7ec86",
	"title": "Scattered Spider Threat Actor Profile - Quorum Cyber",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 30983,
	"plain_text": "Scattered Spider Threat Actor Profile - Quorum Cyber\r\nArchived: 2026-04-05 13:29:07 UTC\r\nScattered Spider (also known as UNC3944 and Roasted 0ktapus) is a relatively new, financially motivated threat\r\ngroup that has been active since at least May 2022. The group is yet to receive a Microsoft designation but will\r\nfall into the Tempest (financially motivated) category once registered. The group commonly gains initial network\r\naccess via stolen credentials obtained from SMS phishing operations and has been detected utilising Azure Serial\r\nConsole to attain administrative console access to virtual machines (VMs) whilst executing a command prompt\r\nover the serial port.\r\nScattered Spider are reported to use a loader named ‘STONESTOP’ to install a malicious signed driver dubbed\r\n‘POORTRY’, which is designed to terminate processes associated with security software and to delete files as part\r\nof a Bring Your Own Vulnerable Driver (BYOVD) attack. The creation of the STONESTOP and POORTRY toolkit,\r\nused to terminate security software, has been attributed to the group.\r\nHistorically, Scattered Spider has mainly gained initial access to the victim environment via theft of administrative\r\ncredentials through email and SMS phishing attacks or the use of stealware. Once credentials have been obtained,\r\nScattered Spider use these to impersonate the admin and use sensitive data to gain access to the environment.\r\nFurthermore, they have also been observed continuing phishing attacks against other users, by leveraging the\r\nemployee database. This is likely intended to maintain persistence and to provide them with lateral movement within the\r\nnetwork.\r\nSource: https://www.quorumcyber.com/threat-actors/scattered-spider-threat-actor-profile/\r\nhttps://www.quorumcyber.com/threat-actors/scattered-spider-threat-actor-profile/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.quorumcyber.com/threat-actors/scattered-spider-threat-actor-profile/"
	],
	"report_names": [
		"scattered-spider-threat-actor-profile"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434525,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7b2bd34707b0c5265524f0c290ae28bc0c7ec86.pdf",
		"text": "https://archive.orkl.eu/c7b2bd34707b0c5265524f0c290ae28bc0c7ec86.txt",
		"img": "https://archive.orkl.eu/c7b2bd34707b0c5265524f0c290ae28bc0c7ec86.jpg"
	}
}