{
	"id": "b65cff37-7423-4635-89e0-2b183d3c484b",
	"created_at": "2026-04-06T00:16:48.335838Z",
	"updated_at": "2026-04-10T03:31:49.90233Z",
	"deleted_at": null,
	"sha1_hash": "cc4cd86ab9312376c23ce7dad79b913db1ef5784",
	"title": "Scattered Spider | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 202237,
	"plain_text": "Scattered Spider | CISA\r\nPublished: 2025-07-29 · Archived: 2026-04-05 13:33:57 UTC\r\n1. Maintain offline backups of data that are stored separately from the source systems and tested\r\nregularly.\r\n2. Enable and enforce phishing-resistant multifactor authentication (MFA).\r\n3. Implement application controls to manage and control software execution.\r\nSummary\r\nThe Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Royal\r\nCanadian Mounted Police (RCMP), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre\r\n(ACSC), Australian Federal Police (AFP), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s\r\nNational Cyber Security Centre (NCSC-UK)—hereafter referred to as the authoring organizations—are releasing\r\nthis joint Cybersecurity Advisory in response to recent activity by Scattered Spider threat actors against the\r\ncommercial facilities sectors, subsectors, and other sectors. This advisory provides tactics, techniques, and\r\nprocedures (TTPs) obtained through FBI investigations as recently as June 2025.\r\nNote: Originally published Nov. 16, 2023, this advisory has been updated through several iterations:\r\nNov. 16, 2023: Initial version.\r\nNov. 21, 2023: Updated password recommendation language on page 12.\r\nJuly 29, 2025: U.S. and international federal organizations identified new TTPs associated with the\r\nScattered Spider cybercriminal group. 
In addition to new TTPs that include more sophisticated social\r\nengineering techniques, the advisory describes additional malware and ransomware variants used to\r\nexfiltrate data and encrypt targeted organizations’ systems.\r\nScattered Spider is a cybercriminal group that targets large companies and their contracted information technology\r\n(IT) help desks.\r\nUpdate July 29, 2025:\r\nPer trusted third parties, Scattered Spider threat actors typically engage in data theft for extortion and also use\r\nseveral ransomware variants, most recently deploying DragonForce ransomware alongside their usual TTPs.\r\nWhile some TTPs remain consistent, Scattered Spider threat actors often change TTPs to remain undetected.\r\nUpdate End\r\nThe authoring organizations encourage critical infrastructure organizations and commercial facilities to implement\r\nthe recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Scattered\r\nSpider malicious activity.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a\r\nPage 1 of 16\n\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® Matrix for Enterprise framework, version 17. 
See the MITRE\r\nATT\u0026CK Tactics and Techniques section of this advisory for tables of the threat actors’ activity mapped to\r\nMITRE ATT\u0026CK tactics and techniques.\r\nOverview\r\nScattered Spider (also known as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled\r\nLibra) engages in data extortion and several other criminal activities.[1] Scattered Spider threat actors use multiple\r\nsocial engineering techniques—including push bombing—and subscriber identity module (SIM) swap attacks to\r\nobtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). According to\r\npublic reporting, Scattered Spider threat actors have:[2]\r\nPosed as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from\r\nemployees and gain access to the network [T1598 ] [T1656 ].\r\nPosed as company IT and/or helpdesk staff to direct employees to run commercial remote access tools\r\nenabling initial access [T1204 ] [T1219 ] [T1566 ].\r\nPosed as IT staff to convince employees to share their one-time password (OTP), an MFA authentication\r\ncode.\r\nUpdate July 29, 2025:\r\nPosed as employees to convince IT and/or helpdesk staff to provide sensitive information, reset the\r\nemployee’s password, and transfer the employee’s MFA enrollment to a separate device the threat actors control. 
\r\nUpdate End\r\nSent repeated MFA notification prompts leading to employees pressing the “Accept” button (also known as\r\nMFA fatigue) [T1621 ].[3]\r\nConvinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card in their\r\npossession, gaining control over the phone and access to MFA prompts.\r\nMonetized access to targeted organization’s networks in numerous ways including extortion enabled by\r\nransomware and data theft [T1657 ].\r\nThe FBI observed Scattered Spider threat actors, after gaining access to networks, using publicly available,\r\nlegitimate remote access tunneling tools. Table 1 details a list of legitimate tools Scattered Spider repurposed and\r\nused for their criminal activity.\r\nNote: The use of these legitimate tools alone is not indicative of malicious activity. Users should review the\r\nScattered Spider IOCs and TTPs discussed in this advisory to determine whether they have been compromised.\r\nTable 1: Legitimate Tools Used by Scattered Spider\r\nTool: Intended Use\r\nFleetdeck.io: Enables remote monitoring and management of systems.\r\nLevel.io: Enables remote monitoring and management of systems.\r\nMimikatz [S0002 ]: Extracts credentials from a system.\r\nNgrok [S0508 ]: Enables remote access to a local web server by tunneling over the internet.\r\nPulseway: Enables remote monitoring and management of systems.\r\nScreenconnect: Enables remote connections to network devices for management.\r\nSplashtop: Enables remote connections to network devices for management.\r\nTactical.RMM: Enables remote monitoring and management of systems.\r\nTailscale: Provides virtual private networks (VPNs) to secure network communications.\r\nTeamViewer: Enables remote connections to network devices for management.\r\nUpdate July 29, 2025:\r\nTeleport.sh: Enables remote access to a local system by tunneling over the internet.\r\nAnyDesk: Enables remote access to network devices for management, bypassing security alerts due to AnyDesk being a legitimate application.\r\nUpdate End\r\nIn addition to using legitimate tools, Scattered Spider also uses malware as part of its TTPs. See Table 2 for some\r\nof the malware used by Scattered Spider.\r\nTable 2: Malware Used by Scattered Spider\r\nMalware: Use\r\nAveMaria (also known as WarZone [S0670 ]): Enables remote access to a targeted organization’s systems.\r\nRaccoon Stealer [S1148 ]: Steals information including login credentials [TA0006 ], browser history [T1217 ], cookies [T1539 ], and other data.\r\nVIDAR Stealer: Steals information including login credentials, browser history, cookies, and other data.\r\nUpdate July 29, 2025:\r\nRattyRAT: Java-based remote access trojan, used for persistent, stealth access and internal reconnaissance.[4]\r\nDragonForce Ransomware: Infiltrates networks, encrypts data, and demands ransom.\r\nUpdate End\r\nScattered Spider threat actors historically evade detection on target networks by using living off the land (LOTL)\r\ntechniques and allowlisted applications to navigate a targeted organization’s network, as well as frequently\r\nmodifying their TTPs. 
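The LOTL and remote-access-tool abuse described above is hard to catch with signatures because every tool in Table 1 is legitimate software. The following is an added example, not code from the advisory or from any of the named vendors: it triages constructed process-creation events for the tool families in Table 1 (T1219), flagging any family that is not on the organization's allowlist and any allowlisted family started from outside its approved install directory, which is what a portable copy dropped by a help-desk impersonator looks like. The event fields, the filename indicators, the allowlist and the sample paths are all constructed for the example; in practice use an indicator set such as LOLRMM and your own software inventory.

```python
'''Process-creation triage for the remote access and tunneling tools in Table 1
(T1219) and the portable, allowlist-evading execution described in the LOTL
paragraph above. Added example, not code from the advisory. Event fields,
indicator fragments, the allowlist and sample paths are constructed.'''

# Filename fragments that identify a tool family. Constructed and indicative
# only; deliberately omits generic words (e.g. level) that would match
# unrelated binaries. Use an indicator set such as LOLRMM in production.
TOOL_INDICATORS = {
    'anydesk': 'anydesk', 'teamviewer': 'teamviewer', 'screenconnect': 'screenconnect',
    'splashtop': 'splashtop', 'pulseway': 'pulseway', 'tacticalrmm': 'tacticalrmm',
    'fleetdeck': 'fleetdeck', 'tailscale': 'tailscale', 'ngrok': 'ngrok', 'teleport': 'teleport',
}
TUNNELERS = {'ngrok', 'teleport', 'tailscale'}

# Path fragments a standard user can write to; an RMM binary started from here
# is a portable copy that never went through software installation controls.
USER_WRITABLE = ('/users/', '/programdata/', '/windows/temp/')
BROWSERS = {'chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe'}

# Authorized tool families and the install prefix each must run from
# (constructed policy; populate from your own software inventory).
POLICY = {'screenconnect': ['c:/program files (x86)/screenconnect client']}

# Constructed sample events, not real telemetry. Paths are written with forward
# slashes here; normalize() also accepts the backslashes real Windows logs carry.
SAMPLE_EVENTS = [
    {'host': 'WS-0412', 'user': 'jdoe', 'parent': 'msedge.exe',
     'image': 'C:/Users/jdoe/Downloads/AnyDesk.exe', 'cmdline': 'AnyDesk.exe'},
    {'host': 'WS-0412', 'user': 'jdoe', 'parent': 'explorer.exe',
     'image': 'C:/Users/jdoe/AppData/Local/Temp/ScreenConnect.ClientSetup.exe',
     'cmdline': 'ScreenConnect.ClientSetup.exe'},
    {'host': 'SRV-FILE01', 'user': 'SYSTEM', 'parent': 'services.exe',
     'image': 'C:/Program Files (x86)/ScreenConnect Client (7f3a)/ScreenConnect.ClientService.exe',
     'cmdline': ''},
    {'host': 'WS-0097', 'user': 'asmith', 'parent': 'cmd.exe',
     'image': 'C:/Users/asmith/Desktop/ngrok.exe', 'cmdline': 'ngrok tcp 3389'},
    {'host': 'WS-0097', 'user': 'asmith', 'parent': 'services.exe',
     'image': 'C:/Windows/System32/svchost.exe', 'cmdline': 'svchost.exe -k netsvcs'},
]


def normalize(path):
    '''Lowercase and convert backslashes to forward slashes so Windows and
    POSIX paths compare alike.'''
    return path.replace(chr(92), '/').lower()


def classify(image):
    '''Return the tool family for an image path, or None if no indicator matches.'''
    name = normalize(image).rsplit('/', 1)[-1]
    for tool, fragment in TOOL_INDICATORS.items():
        if fragment in name:
            return tool
    return None


def scan(events, policy=POLICY):
    '''Return one finding per event that runs a known remote access or
    tunneling tool outside the allowlist or outside its approved install path.'''
    findings = []
    for e in events:
        image = normalize(e['image'])
        tool = classify(image)
        if tool is None:
            continue
        allowed = policy.get(tool)
        if allowed is None:
            rule = 'unauthorized_rmm'          # family not approved at all
        elif not any(image.startswith(p) for p in allowed):
            rule = 'portable_rmm'              # approved family, unapproved location
        else:
            continue                           # approved family in its install path
        cmdline = e.get('cmdline', '')
        findings.append({
            'rule': rule, 'host': e['host'], 'user': e['user'], 'tool': tool, 'image': image,
            'user_writable_path': any(frag in image for frag in USER_WRITABLE),
            'browser_launched': e.get('parent', '').lower() in BROWSERS,
            # a tunneler pointed at 3389 exposes RDP to the internet
            'rdp_tunnel': tool in TUNNELERS and '3389' in cmdline,
        })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        print(f['rule'], f['host'], f['user'], f['tool'], f['image'], sep='  ')
```

On the constructed sample the authorized ScreenConnect service in its install directory produces nothing, while the AnyDesk download launched from a browser, the ScreenConnect installer in a Temp directory and ngrok tunneling port 3389 each produce a finding. Matching on filename fragments is deliberately loose; the policy lookup, not the indicator, is what decides whether an event is a finding.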
For additional information on LOTL techniques, see the joint advisory, Identifying and\r\nMitigating Living Off the Land Techniques.\r\nScattered Spider threat actors have observably exfiltrated data [TA0010 ] after gaining access and threatened to\r\nrelease it without deploying ransomware.\r\nUpdate July 29, 2025:\r\nRecently, this includes exfiltration to multiple sites including MEGA[.]NZ and U.S.-based data centers such as\r\nAmazon S3 [T1567.002 ].\r\nUpdate End\r\nRecent Scattered Spider TTPs\r\nFile Encryption\r\nUpdate July 29, 2025:\r\nThe FBI has identified that Scattered Spider threat actors may exfiltrate data from targeted organizations’ systems\r\nfor extortion and then encrypt data on the systems for ransom [T1486 ]. After exfiltrating and/or encrypting data,\r\nScattered Spider threat actors communicate with targeted organizations via TOR, Tox, email, or encrypted\r\napplications.\r\nUpdate End\r\nReconnaissance, Resource Development, and Initial Access\r\nScattered Spider intrusions historically began with broad phishing [T1566 ] and smishing [T1660 ] attempts\r\nagainst a target using organization-specific crafted domains, such as the domains listed in Table 3 [T1583.001 ].\r\nTable 3: Domains Used by Scattered Spider Threat Actors\r\nDomains\r\ntargetsname-sso[.]com\r\ntargetsname-servicedesk[.]com\r\ntargetsname-okta[.]com\r\nUpdate July 29, 2025:\r\ntargetsname-cms[.]com\r\ntargetsname-helpdesk[.]com\r\noktalogin-targetcompany[.]com\r\nThe targeted organization’s name is often appended with either a -helpdesk or a type of single sign-on (SSO)\r\nsolution to add credibility. 
While Scattered Spider threat actors have not been observed using these techniques\r\nrecently, the group continuously evolves its TTPs and these methods could be reused.\r\nScattered Spider threat actors currently use a variety of methods to gain initial access to a targeted organization’s\r\nnetwork. In some instances, the threat actors purchase employee or contractor credentials on illicit marketplaces\r\nsuch as Russia Market [T1597.002 ]. In other cases, the threat actors compromise third-party services with\r\naccess to several potential targeted organizations’ networks [T1199 ]. It is common for the threat actors to gather\r\nthe personally identifiable information (PII) of users with elevated access to their network using online open-source information.\r\nWhile Scattered Spider initially began their activity relying upon broad phishing campaigns, the threat actors are\r\nnow employing more targeted and multilayered spearphishing and vishing operations. Scattered Spider searches\r\nbusiness-to-business websites to gather information and ultimately determine the individual’s role in a target\r\norganization [T1594 ].\r\nAfter identifying usernames, passwords, PII [T1589 ], and conducting SIM swaps, the threat actors then use\r\nlayered social engineering techniques [T1656 ] which frequently occur over several calls [T1598.004 ]. The\r\nsocial engineering attempts are designed to first learn what steps are needed to conduct password resets from\r\nhelpdesks. Once that information is identified, the threat actors continue to conduct phone calls to employees and\r\nhelp desks to gather password reset specific information of a targeted employee.\r\nFinally, the threat actors conduct spearphishing calls to convince IT help desk personnel to reset passwords and/or\r\ntransfer MFA tokens [T1078.002 ] [T1199 ] [T1566.004 ]. 
The threat actors then perform account\r\ntakeovers against the users in SSO environments. These social engineering attempts are enriched by access to\r\npersonal information derived from social media [T1593.001 ], open-source information, commercial intelligence\r\ntools, and database leaks. Scattered Spider threat actor tactics and techniques also make it more difficult for\r\nnetwork defenders to warn targeted organizations or to use threat hunting tools to proactively identify intrusions.\r\nUpdate End\r\nExecution, Persistence, and Privilege Escalation\r\nScattered Spider threat actors then register their own MFA tokens [T1556.006 ] [T1606 ] and deploy remote\r\nmonitoring and management (RMM) tools [T1219 ] after compromising a user’s account to establish persistence\r\n[TA0003 ]. Historically, the threat actors added a federated identity provider to the targeted organization’s SSO\r\ntenant and activated automatic account linking [T1484.002 ]. While the threat actors may still be using this\r\ntactic, it has not been identified as a current TTP.\r\nThe threat actors were then able to sign into any account by using a matching SSO account attribute. At this stage,\r\nScattered Spider threat actors already controlled the identity provider and then could choose an arbitrary value for\r\nthis account attribute. This activity allowed the threat actors to perform privilege escalation [TA0004 ] and\r\ncontinue logging in even when passwords were changed [T1078 ]. 
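The chain just described (push bombing or a help-desk reset, then actor-registered MFA, then a federated identity provider under the actor's control) leaves a recognizable sequence in the SSO provider's audit log. The following is an added example, not code from the advisory or from any identity vendor. It runs three checks over constructed, provider-neutral audit events: MFA push bombing (T1621, from the Overview above), a password reset performed by someone other than the user followed within an hour by a new MFA factor from an IP the user has never authenticated from (T1556.006), and any creation of a federated identity provider or change to account linking (T1484.002). The event names, field names and sample data are constructed; map them to your provider's event types. The third sample user shows the benign case the second rule must not flag: a help-desk reset followed by re-enrollment from the user's usual address.

```python
'''Audit-log triage for the SSO account-takeover chain described above.
Added example, not code from the advisory. Event names, fields and sample
data are a constructed, provider-neutral schema.'''
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); ts is UTC ISO 8601.
# user = account acted on, actor = who did it, result = deny/accept/success.
SAMPLE_EVENTS = [
    # jdoe: three denied pushes then an accept in two minutes, one unknown IP
    {'ts': '2025-06-02T13:00:00Z', 'event': 'mfa.push', 'user': 'jdoe', 'actor': 'jdoe', 'ip': '203.0.113.7', 'result': 'deny'},
    {'ts': '2025-06-02T13:00:40Z', 'event': 'mfa.push', 'user': 'jdoe', 'actor': 'jdoe', 'ip': '203.0.113.7', 'result': 'deny'},
    {'ts': '2025-06-02T13:01:20Z', 'event': 'mfa.push', 'user': 'jdoe', 'actor': 'jdoe', 'ip': '203.0.113.7', 'result': 'deny'},
    {'ts': '2025-06-02T13:02:05Z', 'event': 'mfa.push', 'user': 'jdoe', 'actor': 'jdoe', 'ip': '203.0.113.7', 'result': 'accept'},
    # asmith: normal login, then a help-desk reset, a new factor from a new IP, and a new IdP
    {'ts': '2025-06-01T09:15:00Z', 'event': 'login', 'user': 'asmith', 'actor': 'asmith', 'ip': '192.0.2.44', 'result': 'success'},
    {'ts': '2025-06-02T14:10:00Z', 'event': 'password.reset', 'user': 'asmith', 'actor': 'helpdesk01', 'ip': '10.0.5.20', 'result': 'success'},
    {'ts': '2025-06-02T14:22:00Z', 'event': 'mfa.factor.enroll', 'user': 'asmith', 'actor': 'asmith', 'ip': '198.51.100.23', 'result': 'success'},
    {'ts': '2025-06-02T15:00:00Z', 'event': 'idp.create', 'user': '', 'actor': 'asmith', 'ip': '198.51.100.23', 'result': 'success'},
    # bwong: legitimate help-desk reset and re-enrollment from the usual IP
    {'ts': '2025-06-02T09:00:00Z', 'event': 'mfa.push', 'user': 'bwong', 'actor': 'bwong', 'ip': '192.0.2.10', 'result': 'accept'},
    {'ts': '2025-06-03T08:00:00Z', 'event': 'password.reset', 'user': 'bwong', 'actor': 'helpdesk01', 'ip': '10.0.5.20', 'result': 'success'},
    {'ts': '2025-06-03T08:20:00Z', 'event': 'mfa.factor.enroll', 'user': 'bwong', 'actor': 'bwong', 'ip': '192.0.2.10', 'result': 'success'},
]


def parse_ts(s):
    return datetime.strptime(s, '%Y-%m-%dT%H:%M:%SZ')


def known_ips(events, user, before):
    '''IPs from which the user authenticated successfully before a point in time.'''
    return {e['ip'] for e in events
            if e['user'] == user and e['result'] in ('accept', 'success')
            and parse_ts(e['ts']) < before}


def detect_push_bombing(events, min_prompts=3, window=timedelta(minutes=10)):
    '''T1621: at least min_prompts pushes inside window, including a deny,
    ending in an accept. One finding per user.'''
    pushes = defaultdict(list)
    for e in events:
        if e['event'] == 'mfa.push':
            pushes[e['user']].append(e)
    findings = []
    for user, seq in pushes.items():
        seq.sort(key=lambda e: e['ts'])
        for i, e in enumerate(seq):
            if e['result'] != 'accept':
                continue
            t = parse_ts(e['ts'])
            burst = [p for p in seq[:i + 1] if t - parse_ts(p['ts']) <= window]
            if len(burst) >= min_prompts and any(p['result'] == 'deny' for p in burst):
                findings.append(('push_bombing', user, e['ts'], len(burst)))
                break
    return findings


def detect_reset_then_enroll(events, window=timedelta(minutes=60)):
    '''T1556.006: a reset performed by someone other than the user, followed
    within window by a new MFA factor from an IP the user never used before.'''
    findings = []
    resets = [e for e in events if e['event'] == 'password.reset' and e['actor'] != e['user']]
    enrolls = [e for e in events if e['event'] == 'mfa.factor.enroll']
    for r in resets:
        t_reset = parse_ts(r['ts'])
        for en in enrolls:
            if en['user'] != r['user']:
                continue
            gap = parse_ts(en['ts']) - t_reset
            if timedelta(0) <= gap <= window and en['ip'] not in known_ips(events, r['user'], t_reset):
                findings.append(('reset_then_enroll', r['user'], r['actor'], en['ip']))
    return findings


def detect_idp_change(events):
    '''T1484.002: adding an IdP or changing account linking is rare enough
    in most tenants to review every occurrence.'''
    return [('idp_change', e['actor'], e['event'], e['ts']) for e in events
            if e['event'] in ('idp.create', 'idp.account_linking.update')]


def triage(events):
    return detect_push_bombing(events) + detect_reset_then_enroll(events) + detect_idp_change(events)


if __name__ == '__main__':
    for f in triage(SAMPLE_EVENTS):
        print(*f, sep='  ')
```

The reset-then-enroll rule keys on the actor being someone other than the user and on the enrolling IP being new for that user, which is why bwong's re-enrollment from 192.0.2.10 is not flagged while asmith's from 198.51.100.23 is. In a real tenant the IdP-change rule should fire on every occurrence regardless of actor, because the actor here may already be a compromised administrator.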
Threat actors also achieve elevated privileges by using internal communication tools to contact and socially\r\nengineer employees.\r\nDiscovery, Lateral Movement, and Exfiltration\r\nOnce persistence is established on a target network, Scattered Spider threat actors often perform discovery,\r\nspecifically searching for SharePoint sites [T1213.002 ], credential storage documentation [T1552.001 ],\r\nVMware vCenter infrastructure [T1018 ], backups, and instructions for setting up/logging into Virtual Private\r\nNetworks (VPNs) [TA0007 ]. The threat actors enumerate the targeted organization’s Active Directory (AD) and\r\nthen perform discovery and exfiltration of the targeted organization’s code repositories [T1213.003 ], code-signing certificates [T1552.004 ], and source code [T1083 ] [TA0010 ]. Threat actors activate Amazon Web\r\nServices (AWS) Systems Manager Inventory [T1538 ] to discover targets for lateral movement [TA0007 ]\r\n[TA0008 ], then move to both preexisting [T1021.007 ] and actor-created [T1578.002 ] Amazon Elastic\r\nCompute Cloud (EC2) instances. 
In instances where the ultimate goal is data exfiltration, Scattered Spider threat\r\nactors use actor-installed extract, transform, and load (ETL) tools [T1648 ] to bring data from multiple data\r\nsources into a centralized database [T1074 ] [T1530 ].\r\nUpdate July 29, 2025:\r\nIn many instances, Scattered Spider threat actors search for a targeted organization’s Snowflake access to\r\nexfiltrate large volumes of data in a short time, often running thousands of queries immediately [T1567 ].\r\nAccording to trusted third parties, where more recent incidents are concerned, Scattered Spider threat actors may\r\nhave deployed DragonForce ransomware onto targeted organizations’ networks—thereby encrypting VMware\r\nElastic Sky X integrated (ESXi) servers [T1486 ].\r\nUpdate End\r\nTo determine if their activities have been detected and to maintain persistence within the compromised system,\r\nScattered Spider threat actors often search a targeted organization’s Slack, Microsoft Teams, and Microsoft\r\nExchange Online for emails [T1114 ] or conversations regarding the threat actors’ intrusion and any security\r\nresponse. The threat actors frequently join incident remediation and response calls and teleconferences, likely to\r\nidentify how security teams are hunting them and proactively develop new avenues of intrusion in response to a\r\ntargeted organization’s defenses.\r\nUpdate July 29, 2025:\r\nThis is sometimes achieved by creating new identities in the environment [T1136 ] and is often upheld with fake\r\nsocial media profiles [T1585.001 ] to backstop newly created identities. Scattered Spider threat actors\r\nconsistently use proxy networks [T1090 ] and rotate machine names to further hamper detection and response.\r\nUpdate End\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nSee Table 4 to Table 17 for all referenced threat actor tactics and techniques in this advisory. 
For assistance with\r\nmapping malicious cyber activity to the MITRE ATT\u0026CK framework, see CISA and MITRE ATT\u0026CK’s Best\r\nPractices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nTable 4: Reconnaissance\r\nTechnique Title (ID): Use\r\nGather Victim Identity Information (T1589): Scattered Spider threat actors gather usernames, passwords, and PII for targeted organizations.\r\nPhishing for Information (T1598): Scattered Spider threat actors use phishing to obtain login credentials, gaining access to a targeted organization’s network.\r\nSearch Closed Sources: Purchase Technical Data (T1597.002): Scattered Spider threat actors purchase credentials from illicit marketplaces.\r\nSearch Victim-Owned Websites (T1594): Scattered Spider threat actors search targeted organization-owned websites to gather information such as work roles and contact information.\r\nPhishing for Information: Spearphishing Voice (T1598.004): Scattered Spider threat actors call targeted organizations to elicit sensitive and actionable information.\r\nSearch Open Websites/Domains: Social Media (T1593.001): Scattered Spider threat actors scour targeted organizations’ social media to gather further information about roles and interests of staff.\r\nTable 5: Resource Development\r\nTechnique Title (ID): Use\r\nAcquire Infrastructure: Domains (T1583.001): Scattered Spider threat actors create domains for use in phishing and smishing attempts against targeted organizations.\r\nEstablish Accounts: Social Media Accounts (T1585.001): Scattered Spider threat actors create fake social media profiles to backstop newly created user accounts in a targeted organization.\r\nTable 6: Initial Access\r\nTechnique Title (ID): Use\r\nPhishing (T1566): Scattered Spider threat actors use broad phishing attempts against a target to obtain information used to gain initial access. Scattered Spider threat actors pose as helpdesk personnel to direct employees to install commercial remote access tools.\r\nPhishing (Mobile) (T1660): Scattered Spider threat actors send SMS messages, known as smishing, when targeting an organization.\r\nPhishing: Spearphishing Voice (T1566.004): Scattered Spider threat actors use voice communications to convince IT help desk personnel to reset passwords and/or MFA tokens.\r\nTrusted Relationship (T1199): Scattered Spider threat actors abuse trusted relationships of contracted IT help desks to gain access to targeted organizations.\r\nValid Accounts: Domain Accounts (T1078.002): Scattered Spider threat actors obtain access to valid domain accounts to gain initial access to a targeted organization.\r\nTable 7: Execution\r\nTechnique Title (ID): Use\r\nServerless Execution (T1648): Scattered Spider threat actors use ETL tools to collect data in cloud environments.\r\nUser Execution (T1204): Scattered Spider threat actors impersonating helpdesk personnel direct employees to run commercial remote access tools thereby enabling access to the targeted organization’s network.\r\nTable 8: Persistence\r\nTechnique Title (ID): Use\r\nPersistence (TA0003): Scattered Spider threat actors seek to maintain persistence on a targeted organization’s network.\r\nCreate Account (T1136): Scattered Spider threat actors create new user identities in the targeted organization.\r\nModify Authentication Process: Multi-Factor Authentication (T1556.006): Scattered Spider threat actors may modify MFA tokens to gain access to a targeted organization’s network.\r\nValid Accounts (T1078): Scattered Spider threat actors abuse and control valid accounts to maintain network access even when passwords are changed.\r\nTable 9: Privilege Escalation\r\nTechnique Title (ID): Use\r\nPrivilege Escalation (TA0004): Scattered Spider threat actors escalate account privileges when on a targeted organization’s network.\r\nDomain Policy Modification: Domain Trust Modification (T1484.002): Scattered Spider threat actors add a federated identity provider to the targeted organization’s SSO tenant and activate automatic account linking.\r\nTable 10: Defense Evasion\r\nTechnique Title (ID): Use\r\nModify Cloud Compute Infrastructure: Create Cloud Instance (T1578.002): Scattered Spider threat actors create cloud instances for use during lateral movement and data collection.\r\nImpersonation (T1656): Scattered Spider threat actors pose as company IT and/or helpdesk staff to gain access to targeted organization’s networks. Scattered Spider threat actors use social engineering to convince IT helpdesk personnel to reset passwords and/or MFA tokens.\r\nTable 11: Credential Access\r\nTechnique Title (ID): Use\r\nCredential Access (TA0006): Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain login credentials.\r\nForge Web Credentials (T1606): Scattered Spider threat actors may forge MFA tokens to gain access to a targeted organization’s network.\r\nMulti-Factor Authentication Request Generation (T1621): Scattered Spider sends repeated MFA notification prompts to lead employees to accept the prompt and gain access to the target network.\r\nUnsecured Credentials: Credentials in Files (T1552.001): Scattered Spider threat actors search for insecurely stored credentials on targeted organization’s systems.\r\nUnsecured Credentials: Private Keys (T1552.004): Scattered Spider threat actors search for insecurely stored private keys on targeted organization’s systems.\r\nSIM Swap (T1451): Scattered Spider threat actors steal OTPs, credentials, and security answers.\r\nTable 12: Discovery\r\nTechnique Title (ID): Use\r\nDiscovery (TA0007): Upon gaining access to a targeted network, Scattered Spider threat actors seek out SharePoint sites, credential storage documentation, VMware vCenter, infrastructure backups and enumerate AD to identify useful information to support further operations.\r\nBrowser Information Discovery (T1217): Scattered Spider threat actors use tools (e.g., Raccoon Stealer) to obtain browser histories.\r\nCloud Service Dashboard (T1538): Scattered Spider threat actors leverage AWS Systems Manager Inventory to discover targets for lateral movement.\r\nFile and Directory Discovery (T1083): Scattered Spider threat actors search a compromised network to discover files and directories for further information or exploitation.\r\nRemote System Discovery (T1018): Scattered Spider threat actors search for infrastructure, such as remote systems, to exploit.\r\nSteal Web Session Cookie (T1539): Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain browser cookies.\r\nTable 13: Lateral Movement\r\nTechnique Title (ID): Use\r\nLateral Movement (TA0008): Scattered Spider threat actors laterally move across a target network upon gaining access and establishing persistence.\r\nRemote Services: Cloud Services (T1021.007): Scattered Spider threat actors use pre-existing cloud instances for lateral movement and data collection.\r\nTable 14: Collection\r\nTechnique Title (ID): Use\r\nData from Information Repositories: Code Repositories (T1213.003): Scattered Spider threat actors search code repositories for data collection and exfiltration.\r\nData from Information Repositories: SharePoint (T1213.002): Scattered Spider threat actors search SharePoint repositories for information.\r\nData Staged (T1074): Scattered Spider threat actors stage data from multiple data sources into a centralized database before exfiltration.\r\nEmail Collection (T1114): Scattered Spider threat actors search targeted organization’s emails to determine if the organization has detected the intrusion and initiated any security response.\r\nData from Cloud Storage (T1530): Scattered Spider threat actors search data in cloud storage for collection and exfiltration.\r\nTable 15: Command and Control\r\nTechnique Title (ID): Use\r\nRemote Access Software (T1219): Impersonating helpdesk personnel, Scattered Spider threat actors direct employees to run commercial remote access tools thereby enabling access to, and command and control of, the targeted organization’s network. Scattered Spider threat actors leverage third-party software to facilitate lateral movement and maintain persistence on a target organization’s network.\r\nProxy (T1090): Scattered Spider threat actors use proxy networks to disguise the source of malicious traffic.\r\nTable 16: Exfiltration\r\nTechnique Title (ID): Use\r\nExfiltration (TA0010): Scattered Spider threat actors exfiltrate data from a target network for data extortion.\r\nExfiltration Over Web Service (T1567): Scattered Spider threat actors exfiltrate data using the Snowflake Data Cloud.\r\nTable 17: Impact\r\nTechnique Title (ID): Use\r\nData Encrypted for Impact (T1486): Scattered Spider threat actors recently began encrypting data on a target network and demanding a ransom for decryption. Scattered Spider threat actors have been observed encrypting VMware ESXi servers.\r\nExfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002): Scattered Spider threat actors exfiltrate data to multiple sites including U.S.-based data centers and MEGA[.]NZ.\r\nFinancial Theft (T1657): Scattered Spider threat actors monetized access to targeted organization’s networks in numerous ways including extortion-enabled ransomware and data theft.\r\nMitigations\r\nThe authoring agencies recommend organizations implement the mitigations below to improve your\r\norganization’s cybersecurity posture based on the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and\r\nTechnology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST\r\nrecommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks\r\nand guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit\r\nCISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline\r\nprotections.\r\nUpdate July 29, 2025:\r\nFollowing speculation in the press about Scattered Spider targeting entities in the UK in May 2025, the NCSC\r\nreleased a blog post with recommended actions for organizations to take.\r\nUpdate End\r\nImplement application controls to manage and control execution of software, including allowlisting\r\nremote access programs. Application controls should prevent installation and execution of portable\r\nversions of unauthorized remote access and other software. A properly configured application allowlisting\r\nsolution will block any unlisted application execution. 
Allowlisting is important because antivirus solutions\r\nmay fail to detect the execution of malicious portable executables when the files use any combination of\r\ncompression, encryption, or obfuscation.\r\nReduce the threat of malicious actors using remote access tools by:\r\nAuditing remote access tools on your network to identify currently used and/or authorized\r\nsoftware.\r\nReviewing logs for execution of remote access software to detect abnormal use of programs\r\nrunning as a portable executable [CPG 2.T].\r\nUsing security software to detect instances of remote access software being loaded only in\r\nmemory.\r\nRequiring authorized remote access solutions to be used only from within your network over\r\napproved remote access solutions, such as virtual private networks (VPNs) or virtual desktop\r\ninterfaces (VDIs).\r\nBlocking both inbound and outbound connections on common remote access software ports and\r\nprotocols at the network perimeter.\r\nApplying recommendations in the Guide to Securing Remote Access Software.\r\nUpdate July 29, 2025:\r\nNote: The threat actors’ exact remote access tool will vary. One open-source resource for identifying IOCs\r\nand Sigma rules associated with remote access tools is LOLRMM .\r\nUpdate End\r\nImplement FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA. These\r\nMFA implementations are resistant to phishing and not susceptible to push bombing or SIM swap attacks,\r\nwhich are techniques known to be used by Scattered Spider actors. See CISA’s fact sheet Implementing\r\nPhishing-Resistant MFA for more information.\r\nStrictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services. 
If RDP is\r\nnecessary, rigorously apply best practices, for example [CPG 2.W]:\r\nAudit the network for systems using RDP.\r\nClose unused RDP ports.\r\nEnforce account lockouts after a specified number of attempts.\r\nApply phishing-resistant MFA.\r\nLog and monitor for RDP login attempts.\r\nIn addition, the authoring agencies recommend network defenders apply the following mitigations to limit\r\npotential adversarial use of common system and network discovery techniques, and to reduce the impact and risk\r\nof compromise by ransomware or data extortion actors:\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and\r\nservers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).\r\nMaintain offline backups of data and regularly test restoration (no less than once a year). By instituting\r\nthis practice, an organization limits the severity of disruption to its business practices [CPG 2.R].\r\nRequire all accounts with password logins (e.g., service accounts, admin accounts, and domain admin\r\naccounts) to comply with NIST’s standards for developing and managing password policies.\r\nUse “strong” passwords that are unique and random, as well as contain at least fifteen or more\r\ncharacters [CPG 2.B].\r\nDo not reuse passwords [CPG 2.C].\r\nConsider implementing industry-recognized password managers that align with organizational\r\ntechnology procurement policies.\r\nImplement multiple failed login attempt account lockouts [CPG 2.G].\r\nDisable password “hints.”\r\nRefrain from requiring recurring password changes.\r\nNote: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent\r\npassword resets. 
Frequent password resets are more likely to result in users developing password\r\n“patterns” cyber criminals can easily decipher.\r\nRequire administrator credentials to install software.\r\nRequire phishing-resistant multifactor authentication (MFA) for all services to the extent possible,\r\nparticularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG\r\n2.H]. Organizations should continue to perform diligent employee training against vishing and\r\nspearphishing.\r\nKeep all operating systems, software, and firmware up to date. Timely patching is one of the most\r\nefficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.\r\nPrioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].\r\nSegment networks to prevent the spread of ransomware. Network segmentation can help prevent the\r\nspread of ransomware by controlling traffic flows between—and access to—various subnetworks and by\r\nrestricting adversary lateral movement [CPG 2.F].\r\nIdentify, detect, and investigate abnormal activity and potential traversal of the indicated\r\nransomware with a network monitoring tool. To aid in detecting the ransomware, leverage a tool that\r\nlogs and reports all network traffic and activity, including lateral movement, on a network. Endpoint\r\ndetection and response (EDR) tools are particularly useful for detecting lateral connections as they have\r\ninsight into common and uncommon network connections for each host [CPG 3.A].\r\nUpdate July 29, 2025:\r\nEnhance monitoring against unauthorized account misuse. 
Look for “risky logins” within environments where sign-in attempts have been flagged as potentially compromised due to suspicious activity or unusual behavior.\r\nUpdate End\r\nDisable unused ports and protocols [CPG 2.V].\r\nConsider adding an email banner to emails received from outside your organization [CPG 2.M].\r\nDisable hyperlinks in received emails.\r\nEnsure all backup data is encrypted, immutable, stored separately from the source files, tested regularly, and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].\r\nValidate Security Controls\r\nIn addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT\u0026CK techniques.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Table 4 to Table 17).\r\n2. Align security technologies against the technique.\r\n3. Test technologies against the technique.\r\n4. Analyze detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.\r\nThe authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nReporting\r\nYour organization has no obligation to respond or provide information back to FBI in response to this joint advisory.
If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.\r\nFBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Scattered Spider threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.\r\nAdditional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.\r\nThe authoring agencies do not encourage paying ransom, as payment does not guarantee that a targeted organization’s files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.\r\nRegardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at SOC@mail.cisa.dhs.gov or 1-844-Say-CISA (1-844-729-2472).\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document.
Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI and CISA.\r\nVersion History\r\nNovember 16, 2023: Initial version.\r\nNovember 21, 2023: Updated password recommendation language on page 12.\r\nJuly 29, 2025: Updated to reflect new co-sealers and TTPs.\r\nNotes\r\n[1] Phelix Oluoch and Trellix, “Scattered Spider: The Modus Operandi,” Trellix (blog), Trellix, last modified August 17, 2023, https://www.trellix.com/en-us/about/newsroom/stories/research/scattered-spider-the-modus-operandi.html.\r\n[2] Tim Parisi, “Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies,” CrowdStrike (blog), CrowdStrike, last modified December 1, 2022, https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/; CrowdStrike Intelligence Team, “SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security,” CrowdStrike (blog), CrowdStrike, last modified January 19, 2023, https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/; and Christopher Boyd, “Ransomware group steps up, issues statement over MGM Resorts compromise,” ThreatDown Intelligence (blog), Malwarebytes, last modified September 18, 2023, https://www.malwarebytes.com/blog/personal/2023/09/ransomware-group-steps-up-issues-statement-over-mgm-resorts-compromise.\r\n[3] Boyd, “Ransomware group steps up, issues statement over MGM Resorts compromise.”\r\n[4] Ayelen Torello, “Emulating the Unyielding Scattered Spider,” AttackIQ (blog), AttackIQ, last modified May 29, 2025, https://www.attackiq.com/2025/05/29/emulating-scattered-spider/.\r\nSource: 
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a"
	],
	"report_names": [
		"aa23-320a"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434608,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc4cd86ab9312376c23ce7dad79b913db1ef5784.pdf",
		"text": "https://archive.orkl.eu/cc4cd86ab9312376c23ce7dad79b913db1ef5784.txt",
		"img": "https://archive.orkl.eu/cc4cd86ab9312376c23ce7dad79b913db1ef5784.jpg"
	}
}