{
	"id": "ac4ac011-4386-42bd-8116-7035fff4e559",
	"created_at": "2026-04-06T03:37:38.139904Z",
	"updated_at": "2026-04-10T03:31:50.023214Z",
	"deleted_at": null,
	"sha1_hash": "cb17cfd4d3c6aa3d991a3d61cbaf8ceb9586447a",
	"title": "Scattered Spider Targets Tech Companies for Help-Desk Exploitation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 203744,
	"plain_text": "Scattered Spider Targets Tech Companies for Help-Desk\r\nExploitation\r\nBy ReliaQuest Threat Research Team 5 June 2025\r\nPublished: 2025-06-05 · Archived: 2026-04-06 03:25:08 UTC\r\nKey Points\r\n81% of “Scattered Spider’s” domains impersonate technology vendors, targeting high-value credentials like those\r\nof system administrators and executives.\r\nThe group primarily leverages phishing frameworks like Evilginx and social engineering methods like vishing to\r\ngain initial access into organizations.\r\n70% of Scattered Spider’s targets belong to technology, finance, and retail trade sectors, making them especially\r\nvulnerable to credential theft and ransomware attacks.\r\nScattered Spider and “DragonForce” are increasingly targeting managed service providers (MSPs) and IT\r\ncontractors, exploiting their \"one-to-many\" access to breach multiple client networks through a single point of\r\ncompromise.\r\nIn May 2025, a wave of cyber attacks hit UK retailers, including Marks \u0026 Spencer, Co-op, and Harrods, with\r\nmany attributing the breaches to the notorious hacking collective “Scattered Spider” (aka UNC3944, Octo\r\nTempest). That same month, similar breaches hit major US retailers. While nothing definitive has tied these\r\nincidents to Scattered Spider, their coordinated nature hints at a broader, orchestrated campaign.\r\nScattered Spider is rewriting the rules of the digital battlefield. 
What started as a run-of-the-mill SIM-swapping\r\ncrew has morphed into a global threat, armed with advanced social engineering skills and relentless ambition.\r\nThis wave of retail attacks prompted us to dig deeper into Scattered Spider’s evolving playbook—exploring how\r\nthe group constructs its infrastructure and exploits human trust to secure initial access, and investigating whether\r\nthese incidents represent a coordinated attack against this industry vertical.\r\nIn this report, we identified:\r\nScattered Spider's Tactics: The group relies heavily on social engineering to exploit human trust,\r\ncombined with phishing campaigns using typosquatted domains and tools like Evilginx to bypass\r\nmultifactor authentication (MFA).\r\nA Focus on Technology: By targeting managed service providers (MSPs) and IT vendors, Scattered Spider\r\nleverages \"one-to-many\" access to breach multiple organizations through a single compromise.\r\nhttps://reliaquest.com/blog/scattered-spider-cyber-attacks-using-phishing-social-engineering-2025/\r\nPage 1 of 9\n\nInfrastructure Trends: 81% of its registered domains impersonate technology vendors. The group has\r\nshifted from hyphenated domains to subdomain-based keywords to better evade detection.\r\nActionable Recommendations: Practical steps organizations can take to mitigate risks, strengthen\r\ndefenses, and respond effectively to this persistent threat.\r\nWhat is Scattered Spider?\r\nScattered Spider is a financially motivated cybercriminal gang associated with the hacking collective “The\r\nCommunity.” Originally known for SIM-swapping attacks, the group has evolved into running sophisticated social\r\nengineering campaigns. Through strategic alliances with major ransomware operators “ALPHV,” “RansomHub,”\r\nand “DragonForce,” Scattered Spider gains access to infrastructure, ransomware deployment tools, and platforms\r\nfor ransom negotiations. 
Often fluent in English, its members exploit help-desk systems and impersonate\r\nemployees to breach organizations, targeting high-value industries like retail trade, technology, and finance. It also\r\nfocuses on organizations with substantial capital for ransom payments or valuable data to leverage in negotiations.\r\nOur analysis of Scattered Spider’s incidents reveals a significant reliance on phishing and social engineering as its\r\nprimary methods for gaining initial access into organizations. By impersonating trusted platforms using\r\ntyposquatted domains and phishing kits, it manipulates victims into divulging credentials and session data. To\r\nbetter understand its tactics and how they link to the wave of retail attacks, we conducted a focused analysis of its\r\ndomain registration patterns (including specific keywords, hosting providers, and registrars), phishing\r\nframeworks, and operational infrastructure.\r\nScattered Spider’s Focus: 81% of Domains Target Tech\r\nResearch Methodology\r\nHistorical Domain Review\r\nWe reviewed a publicly sourced dataset comprising over 600 domains previously linked to Scattered Spider\r\nthrough community-shared indicators of compromise (IOCs) between Q1 2022 and Q1 2025. This analysis\r\nfocused on domain creation patterns such as specific keywords, registrars, and hosting providers. The goal was to\r\nidentify high-fidelity patterns that reveal how the group registers and configures domains to impersonate trusted\r\nentities and evade detection.\r\nDomain and Subdomain Impersonation Patterns\r\nTo assess whether ReliaQuest customers had been potentially targeted by Scattered Spider, we examined domain\r\nand subdomain impersonation alerts flagged by ReliaQuest’s GreyMatter Digital Risk Protection (DRP) service\r\nover the past six months. 
The analysis focused on identifying domain registrations matching Scattered Spider’s\r\npreviously known patterns, such as:\r\nDomains and subdomains containing specific keywords like “okta,” “vpn,” “helpdesk,” and “sso.”\r\nTyposquatting techniques that slightly alter legitimate domain names to deceive users (e.g., replacing\r\nletters with numbers, such as “c0mpany[.]com” instead of “company[.]com”).\r\nDomains hosted by providers and purchased from registrars historically linked to Scattered Spider’s\r\noperations.\r\nAnalysis of Phishing Kit Activity\r\nTo better understand Scattered Spider’s phishing tactics, we analyzed a cluster of phishing pages created using the\r\n“Evilginx” framework—a tool that mimics legitimate login pages to capture credentials and session cookies in\r\nreal time, bypassing MFA. While the dataset included phishing activity from various actors, we filtered the data to\r\nfocus on pages aligned with Scattered Spider’s tactics, such as specific domain keywords, registrars, and hosting\r\nproviders. This analysis aimed to determine whether Scattered Spider is using the Evilginx framework and to\r\nidentify the types of organizations and systems most frequently targeted through this approach.\r\nResearch Findings\r\nTech Targets\r\nIn the weeks after the UK retail attacks, investigators who were allegedly working closely with Marks \u0026 Spencer\r\nrevealed that Scattered Spider exploited compromised accounts from the global IT contractor Tata Consultancy\r\nServices (TCS) to gain initial access. 
The Co-op has also partnered with TCS for over a decade, but the link\r\nbetween TCS and these breaches remains unclear while the incidents are still under investigation.\r\nThese incidents illustrate Scattered Spider’s strategic focus on targeting IT providers and third-party contractors as\r\na means to infiltrate their clients’ networks, rather than attacking retail companies directly. By compromising\r\ntrusted vendors like TCS, Scattered Spider gains access to multiple organizations through a single point of entry,\r\namplifying its reach and enabling widespread attacks.\r\nOur findings further underscore this focus on IT providers and technology vendors:\r\n81% of Scattered Spider’s domains impersonate technology vendors, according to a historical dataset\r\nof 600-plus publicly shared IOCs. These domains target services like single sign-on (SSO), Identity\r\nProviders (IdP), VPNs, and IT support systems to harvest credentials from high-value users, including\r\nsystem administrators, CFOs, COOs, and CISOs.\r\n35% of domains identified in internal GreyMatter DRP alerts belonged to the technology sector,\r\nwhile 20% were tied to finance and 15% to retail trade. This demonstrates Scattered Spider’s reliance\r\non tech organizations as gateways, while also highlighting its interest in high-value industries that depend\r\non technology for critical operations and customer data.\r\n60% of Scattered Spider’s Evilginx phishing domains targeted technology organizations and\r\nvendors. These domains used advanced phishing kits to bypass MFA and gain access to critical systems\r\nacross industries.\r\nHighest-Fidelity Indicators\r\nTo help organizations detect and respond to Scattered Spider’s tactics, we detail below the highest-fidelity\r\nindicators uncovered during our analysis. 
These include domain creation patterns, such as specific keywords and\r\nhosting Autonomous System Numbers (ASNs), that align with the group’s known infrastructure and behaviors.\r\nIncorporating these indicators into proactive monitoring efforts allows organizations to identify malicious activity\r\nearly and disrupt Scattered Spider’s operations before it can exploit networks.\r\nRecent trends (Q1 2025 to present) show a shift in Scattered Spider’s tactics: the group has moved away from\r\nhyphenated domains (e.g., SSO-company[.]com)—once a reliable indicator—and now favors subdomain-based\r\nkeywords (e.g., SSO.company[.]com) to evade automated domain impersonation detections. Organizations must\r\nmonitor both patterns to effectively identify malicious activity.\r\nTop Keywords:\r\n“internal,” “connect,” “duo,” “vpn,” “helpdesk,” “servicenow,” “corp,” “schedule,” “okta,” “servicedesk,”\r\n“rsa,” “info,” “support,” “mfa,” “sso,” “help,” and “service.”\r\nPatterns to watch for:\r\nHyphenated domains, e.g. SSO-company[.]com\r\nSubdomain variations, e.g. SSO.c0mpany[.]com\r\nKeywords and typosquats without hyphenation, e.g. c0mpanysso[.]com\r\nTop Hosting ASNs:\r\nAS39287 (ABSTRACT, FI)\r\nAS13335 (Cloudflare, Inc)\r\nAS399486 (VIRTUO, CA)\r\nAS14061 (DIGITALOCEAN-ASN, US)\r\nAS20473 (AS-CHOOPA, US)\r\nTop Domain Registrars:\r\nNiceNIC\r\nHosting Concepts B.V.\r\nNameSilo, LLC\r\nGoDaddy\r\nWhile these indicators showed the most overlap in our analysis, Scattered Spider frequently changes its\r\ninfrastructure for domain hosting and domain registration—typically every one to two months. As such,\r\nexpanding hunts beyond the ASNs listed above is strongly recommended. 
To effectively hunt for these indicators,\r\nwe suggest the following:\r\nDomain Registration Analysis: Scattered Spider often creates tailored domains to target specific\r\norganizations. Look for newly registered domains containing the keywords listed above alongside your\r\norganization’s name to identify potential threats early.\r\nAutomation and Scheduling: Scattered Spider’s domains are typically active for less than seven days,\r\nmaking automated or scheduled hunting crucial for timely detection and response. Regular scans of DNS\r\ndata and network logs can significantly improve detection of these threats.\r\nNetwork Connection Monitoring: Hunt for network connections to domains that contain the listed\r\nkeywords and known Scattered Spider domains. These domains often mimic legitimate services to deceive\r\nusers and gather credentials, making vigilant monitoring critical to detecting suspicious activity.\r\nImplications for Defenders\r\nFor groups like Scattered Spider, IT providers are the master key—the ultimate shortcut to infiltrating multiple\r\norganizations at once. These providers manage critical systems and valuable data, making them irresistible targets\r\nfor hackers who want to maximize their impact with minimal effort. These tactics aren’t just limited to Scattered\r\nSpider. For instance, we observed an XSS forum user (see Figure 1) selling access to a remote monitoring and\r\nmanagement (RMM) tool dashboard that manages over 200 hosts across many small businesses.\r\nFigure 1: XSS user selling access to an MSP that manages at least 200 machines\r\nScattered Spider, in partnership with DragonForce, recently executed a sophisticated ransomware attack targeting\r\nMSPs by exploiting vulnerabilities in SimpleHelp RMM software. 
By compromising the MSP’s infrastructure,\r\nattackers deployed ransomware encryptors across client networks, leveraging the \"one-to-many\" structure to\r\nmaximize their reach. This approach not only enabled widespread encryption but also introduced double extortion\r\ntactics, where stolen data was used to pressure victims into paying ransoms.\r\nScattered Spider’s tactics pose a serious threat to businesses, particularly those dependent on IT providers and\r\nMSPs. By exploiting trusted platforms like RMM software, the group infiltrates supply chains, compromises\r\nsystems, and deploys ransomware at scale. It’s clear from the volume of suspicious domain registrations that\r\nScattered Spider’s strategies have inspired copycat groups. While these mimicry efforts often cast a wider net\r\ntargeting general platforms, Scattered Spider’s approach is deliberate and highly targeted, focusing on high-value\r\norganizations and individuals.\r\nThe Human Factor: Playbook for Initial Access\r\nWhen phishing doesn’t do the trick, Scattered Spider doesn’t give up—it gets creative. Using platforms like\r\nLinkedIn and ZoomInfo, the group digs into the lives of key employees within a target organization, piecing\r\ntogether everything from job titles to contact details. Once the perfect profile is built, it doesn’t target systems; it\r\ntargets people.\r\nUrgent Request or Perfect Deception?\r\nWe’ve seen it play out during our investigations: A help-desk employee receives a panicked call from their\r\n“CFO,” urgently requesting a password reset or the registration of a new MFA device. 
It’s a scenario of high-stakes deception, and Scattered Spider excels at exploiting trust, weaponizing human vulnerability to devastating\r\neffect.\r\nThis tactic reflects a growing trend in cybercrime, where Russia-aligned groups collaborate with English-speaking\r\nactors to target Western organizations. Previously, such partnerships were rare due to cultural differences and\r\nconcerns over operational security. But times are changing. Even the arrests of at least five alleged Scattered\r\nSpider members in 2024 have done little to slow these partnerships. Instead, Russian adversaries are doubling\r\ndown, enlisting native English speakers who can seamlessly navigate Western norms and deliver highly\r\nconvincing impersonation attacks.\r\nFigure 2: Forum user looking for English-speaking social engineers\r\nTo further refine their impersonation tactics, Russian actors actively recruit social engineers with highly specific\r\nqualifications. While monitoring cybercriminal forums, we observed discussions outlining the criteria these\r\ngroups prioritize (see Figure 2):\r\nMinimal Accent: To sound convincing and avoid raising suspicion when interacting with help-desk staff.\r\nIn some cases, we’ve even observed preferences for specific regional accents, such as a Southern accent, to\r\nmake impersonations more credible and relatable to targets.\r\nFluency at a C1 Level or Higher: Equivalent to a young adult native speaker, this level of fluency ensures\r\ncallers can navigate complex conversations and adapt their approach in real time without tipping off their\r\nvictims.\r\nEvening Shifts Starting at 5 p.m. 
Moscow Time: To align with Western business hours, maximizing the\r\nchances of successfully reaching targets.\r\nPayment per Lead Plus Commission: Social engineers can reportedly earn $10,000-$25,000 monthly by\r\ngenerating leads.\r\nCallers are also provided with detailed scripts and real-time guidance from a so-called curator to help them handle\r\nany situation during the call. Notably, the job posting specifies that targets are strictly Western organizations,\r\navoiding businesses in Russia and the Commonwealth of Independent States (CIS).\r\nThe collaboration between Russian-aligned groups and English-speaking social engineers significantly raises the\r\nstakes for businesses. This partnership combines technical expertise with cultural fluency, enabling attackers to\r\nconvincingly impersonate employees and leadership, bypass security protocols, and exploit trust-based systems\r\nlike help desks.\r\nTo combat this evolving threat, businesses must invest in robust social engineering defenses, including ongoing\r\nemployee training and penetration tests against help desks, stricter identity verification protocols, and enhanced\r\nmonitoring of help-desk interactions.\r\nStep Up Your Defenses Against Scattered Spider\r\nReliaQuest’s Approach\r\nReliaQuest offers its customers a suite of capabilities to help detect Scattered Spider-related threats early and\r\nrespond rapidly.\r\nGreyMatter DRP: By monitoring domain registrations, we alert organizations to impersonation attempts like\r\ntyposquatting or phishing campaigns targeting their brand. These early warnings allow defenders to block\r\npotential attack vectors before they escalate into full-scale breaches.\r\nAI Agent: The ReliaQuest GreyMatter platform integrates an agentic AI capability that enhances security operations\r\nby autonomously analyzing threat patterns, automating ransomware detection, and enriching investigations to\r\naccelerate response times. 
This capability significantly cuts the mean time to contain (MTTC) threats,\r\nempowering organizations to respond to attacks more effectively while strengthening their cybersecurity defenses.\r\nDetection Rules: ReliaQuest’s tailored detection rules, built on the latest threat intelligence and research, help\r\norganizations identify Scattered Spider activity within their environment.\r\nBy deploying these tailored detections alongside the following GreyMatter Automated Response Playbooks,\r\norganizations can significantly reduce their MTTC from hours to just minutes, minimizing the impact of Scattered\r\nSpider’s ransomware and credential theft campaigns:\r\nTerminate Active Sessions and Reset Passwords: Ransomware affiliates like Scattered Spider abuse\r\nstolen credentials to move laterally and gain access to high-value data. This Playbook cuts off attackers’\r\naccess by terminating hijacked sessions and resetting compromised credentials.\r\nDelete File: This Playbook can automatically remove malware payloads from a host's directory, stopping the\r\nmalware before it can execute on critical systems and minimizing attack impact.\r\nDisable User: It’s very common for ransomware affiliates like Scattered Spider to compromise user or\r\nservice accounts. This Playbook allows for immediate disabling of a compromised user to stop attackers in\r\ntheir tracks.\r\nYour Action Plan\r\nAdopt Risk-Based Authentication: Dynamically adjust access requirements based on user behavior,\r\ndevice, and location. Set policies to flag unusual activity, like logins from unknown locations, to prevent\r\nbreaches before they escalate.\r\nConduct Social Engineering Assessments: Regularly test help-desk policies and train employees to\r\nrecognize and respond to social engineering attacks. 
These assessments ensure your organization is\r\nprepared to detect and neutralize attempts to manipulate human vulnerabilities.\r\nUse Hardened Jumpboxes with Mandatory MFA: Require MSPs, contractors, and privileged users to\r\naccess high-value systems through secured jumpboxes. Mandate the use of MFA for all RDP connections\r\nto and from the jumpbox to slow down the use of stolen contractor credentials.\r\nRestrict SharePoint Permissions: Limit access to sensitive files, such as ESXi documentation and IT\r\nnetwork diagrams, to reduce the risk of exploitation during lateral movement. Only employees with a\r\nlegitimate need should have visibility into these resources.\r\nKey Takeaways and What’s Next\r\nScattered Spider continues to rely heavily on social engineering, using human trust as a weapon alongside\r\nphishing campaigns powered by typosquatted domains and advanced tools like Evilginx to bypass MFA. Its focus\r\non MSPs and IT vendors allows it to breach multiple organizations through a single compromise, maximizing its\r\nreach and impact. Strategic alliances with ransomware operators like ALPHV and DragonForce further enhance\r\nthe group’s capabilities, solidifying Scattered Spider’s reputation as a persistent and high-stakes adversary.\r\nLooking ahead, we predict with high confidence that Scattered Spider will maintain its focus on high-value sectors\r\nlike technology, finance, and retail trade across non-CIS countries. 
Although most media reporting has focused on\r\nthe group’s retail victims, it is highly likely that Scattered Spider has already compromised finance or retail trade\r\norganizations that have yet to publicly reveal an incident.\r\nIn addition, as the group refines its operations, we anticipate the adoption of deepfake AI voice technology to\r\nimpersonate employees and leadership roles, reducing the need to recruit human social engineers. This shift would\r\nstreamline the group’s ability to manipulate trust-based systems like help desks, while continuing to target\r\norganizations with substantial capital or valuable data.\r\nOrganizations must be ready to counter increasingly deceptive tactics by implementing defenses that can adapt\r\nwith these evolving threats. Staying ahead of attackers requires actionable intelligence, proactive monitoring, and\r\nresilient security measures—like those detailed in this report—to effectively combat adversaries such as Scattered\r\nSpider.\r\nSource: https://reliaquest.com/blog/scattered-spider-cyber-attacks-using-phishing-social-engineering-2025/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://reliaquest.com/blog/scattered-spider-cyber-attacks-using-phishing-social-engineering-2025/"
	],
	"report_names": [
		"scattered-spider-cyber-attacks-using-phishing-social-engineering-2025"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775446658,
	"ts_updated_at": 1775791910,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb17cfd4d3c6aa3d991a3d61cbaf8ceb9586447a.pdf",
		"text": "https://archive.orkl.eu/cb17cfd4d3c6aa3d991a3d61cbaf8ceb9586447a.txt",
		"img": "https://archive.orkl.eu/cb17cfd4d3c6aa3d991a3d61cbaf8ceb9586447a.jpg"
	}
}