{
	"id": "bfe42940-f51c-435c-b3c2-0d3e46c8029b",
	"created_at": "2026-04-06T00:08:20.73618Z",
	"updated_at": "2026-04-10T03:31:49.97474Z",
	"deleted_at": null,
	"sha1_hash": "cab46c4f91b8ce6bc452dc5b0e160df2f1995ca3",
	"title": "Hackers behind UK retail attacks now targeting US companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3193794,
	"plain_text": "Hackers behind UK retail attacks now targeting US companies\r\nBy Sergiu Gatlan\r\nPublished: 2025-05-14 · Archived: 2026-04-05 18:25:04 UTC\r\nGoogle warned today that hackers using Scattered Spider tactics against retail chains in the United Kingdom have also\r\nstarted targeting retailers in the United States.\r\n\"The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to\r\nUNC3944, also known as Scattered Spider,\" John Hultquist, Chief Analyst at Google Threat Intelligence Group, told\r\nBleepingComputer.\r\n\"The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a\r\nsingle sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take\r\nnote.\"\r\nhttps://www.bleepingcomputer.com/news/security/google-scattered-spider-switches-targets-to-us-retail-chains/\r\nPage 1 of 4\n\nAs first reported by BleepingComputer, British retail giant Marks \u0026 Spencer (M\u0026S) was first breached in a ransomware\r\nattack where threat actors encrypted virtual machines on VMware ESXi hosts with a DragonForce encryptor. 
This attack\r\nwas attributed to Octo Tempest, Microsoft's name for Scattered Spider.\r\nCo-op also experienced another cyber incident, confirming that attackers stole data from many current and former members.\r\nHarrods also disclosed on May 1st that it was forced to restrict internet access to sites after attackers tried to infiltrate its\r\nnetwork, suggesting an active response to a cyberattack even though a breach has yet to be confirmed.\r\nThe DragonForce ransomware operation has claimed all three attacks, and BleepingComputer has learned that the attackers\r\nwho orchestrated them have used the same social engineering tactics linked to Scattered Spider threat actors. DragonForce\r\nsurfaced in December 2023 and has recently begun advertising a new service designed to allow other cybercrime groups to\r\nwhite-label their services.\r\nSince Scattered Spider started targeting UK retailers in April, the UK National Cyber Security Centre (NCSC) has published\r\nguidance to help UK organizations strengthen their cybersecurity defenses and has also cautioned that these cyberattacks\r\nshould be seen as a \"wake-up call\", as any of them could become the next target.\r\nThe UK NCSC has yet to attribute these incidents to a specific hacking group or threat actor and said it's still working with\r\nvictims to determine that.\r\n\"Whilst we have insights, we are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a\r\nsingle actor, or whether there is no link between them at all,\" stated the NCSC. 
\"We are working with the victims and law\r\nenforcement colleagues to ascertain that.\"\r\nThe Scattered Spider threat actors\r\nScattered Spider (also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra) is a term used to\r\ndescribe a fluid collective of threat actors known for breaching many high-profile organizations worldwide in sophisticated\r\nsocial engineering attacks that also involve phishing, SIM swapping, and multi-factor authentication (MFA) bombing (also\r\nknown as targeted MFA fatigue).\r\nTheir attacks escalated in September 2023 when they breached MGM Resorts, using the BlackCat ransomware to encrypt\r\nover 100 VMware ESXi hypervisors after breaching the network by impersonating an employee when calling the IT help\r\ndesk.\r\nSince then, they've also acted as affiliates for various other ransomware operations, including RansomHub, Qilin, and, now,\r\nDragonForce. Other attacks linked to Scattered Spider include those on Twilio, Coinbase, DoorDash, Caesars, MailChimp,\r\nRiot Games, and Reddit.\r\nSome Scattered Spider threat actors are also believed to be part of the \"Com,\" a loosely connected community involved in\r\ncyberattacks and violent acts that have often attracted media attention.\r\nThese cybercriminals are as young as 16, and most are English speakers who frequent the same Telegram channels, Discord\r\nservers, and hacker forums where they plan and conduct their attacks in real time.\r\nAlthough news outlets and security researchers frequently use \"Scattered Spider\" to describe this collective as a cohesive\r\ngang, it refers to a loosely-knit group of threat actors who use specific tactics during their attacks, making it challenging to\r\ntrack their activities.\r\n\"These actors are aggressive, creative, and particularly effective at circumventing mature security programs. 
They have had\r\na lot of success with social engineering and leveraging third parties to gain entry to their targets,\" Hultquist told\r\nBleepingComputer today.\r\nTo learn more about Scattered Spider tactics and how to harden your defenses, you can review our previous reporting and a\r\nnew CTM360 report.\r\nSource: https://www.bleepingcomputer.com/news/security/google-scattered-spider-switches-targets-to-us-retail-chains/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/google-scattered-spider-switches-targets-to-us-retail-chains/"
	],
	"report_names": [
		"google-scattered-spider-switches-targets-to-us-retail-chains"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434100,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cab46c4f91b8ce6bc452dc5b0e160df2f1995ca3.pdf",
		"text": "https://archive.orkl.eu/cab46c4f91b8ce6bc452dc5b0e160df2f1995ca3.txt",
		"img": "https://archive.orkl.eu/cab46c4f91b8ce6bc452dc5b0e160df2f1995ca3.jpg"
	}
}