{
	"id": "c03fb5ae-1884-4920-bf11-7df64a8bb3e2",
	"created_at": "2026-04-06T00:15:44.282026Z",
	"updated_at": "2026-04-10T13:12:20.458899Z",
	"deleted_at": null,
	"sha1_hash": "df798a27d7b6a19d0066b2d85cda91f0b43ca40d",
	"title": "SCATTERED SPIDER Attempts to Avoid Detection with Bring-Your-Own-Driver Tactic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1603415,
	"plain_text": "SCATTERED SPIDER Attempts to Avoid Detection with Bring-Your-Own-Driver Tactic\r\nBy CrowdStrike Intelligence Team\r\nArchived: 2026-04-05 18:49:06 UTC\r\nIn December 2022, CrowdStrike reported on a campaign by SCATTERED SPIDER, targeting\r\norganizations within the telecom and business process outsourcing (BPO) sectors with an end objective of\r\ngaining access to mobile carrier networks.\r\nIn the weeks since that post, the CrowdStrike Falcon® platform prevented a novel attempt by\r\nSCATTERED SPIDER to deploy a malicious kernel driver through a vulnerability (CVE-2015-2291) in\r\nthe Intel Ethernet diagnostics driver.\r\nThe activity exploits a well known and pervasive deficiency in Windows security that enables adversaries\r\nto bypass Windows kernel protections with the Bring-Your-Own-Vulnerable-Driver tactic.\r\nCrowdStrike Services has observed the actor attempting to bypass other endpoint tools including Microsoft\r\nDefender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne using more traditional defense\r\nevasion techniques targeting Windows registry hives.\r\nIntroduction\r\nIn December, CrowdStrike reported that beginning in June 2022, the CrowdStrike Services, CrowdStrike® Falcon\r\nOverWatch™ and CrowdStrike Intelligence teams observed an increase in the targeting of telco and BPO\r\nindustries. CrowdStrike Intelligence attributed this campaign with low confidence to the SCATTERED SPIDER\r\neCrime adversary.\r\nSCATTERED SPIDER (aka Roasted 0ktapus, UNC3944) leverages a combination of credential phishing and\r\nsocial engineering to capture one-time-password (OTP) codes or overwhelms targets using multifactor\r\nauthentication (MFA) notification fatigue tactics. 
Having obtained access, the adversary avoids using unique\r\nmalware, instead favoring a wide range of legitimate remote management tools to maintain persistent access.\r\nIn the weeks since that blog post, the Falcon platform detected a novel attempt by this adversary to deploy a\r\nmalicious kernel driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver for\r\nWindows ( iqvw64.sys ).\r\nMicrosoft Windows Security Deficiencies Leave Devices Vulnerable\r\nThis vulnerability has been used by adversaries for several years to deploy malicious drivers into the Windows\r\nkernel. This technique is known as “Bring Your Own Vulnerable Driver” (BYOVD) and is a tactic that has\r\npersisted due to a gap in Windows security.\r\nhttps://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/\r\nPage 1 of 6\n\nIn an attempt to limit the amount of capabilities that malware can gain access to on a Windows system, starting\r\nwith 64-bit Windows Vista, Windows does not allow unsigned kernel-mode drivers to run by default. BYOVD\r\n“makes it easy for an attacker with administrative control to bypass Windows kernel protections,” allowing an\r\nadversary to install a legitimately signed but malicious driver to execute an attack. 
Publicly available tools, such\r\nas KDMapper, allow adversaries to easily take advantage of BYOVD to map non-signed drivers into memory.\r\nIn 2021, Microsoft stated that “Increasingly, adversaries are leveraging legitimate drivers in the ecosystem and\r\ntheir security vulnerabilities to run malware,” and that “drivers with confirmed security vulnerabilities will be\r\nblocked on Windows 10 devices in the ecosystem using Microsoft Defender for Endpoint attack surface reduction\r\n(ASR) and Microsoft Windows Defender Application Control (WDAC) technologies to protect devices against\r\nexploits involving vulnerable drivers to gain access to the kernel.”\r\nHowever, as noted by multiple security researchers (e.g., here, here and here) over the past two years, the issue\r\ncontinues to persist as Microsoft fails to block vulnerable drivers by default.\r\nIn this instance, the adversary attempted to load a malicious driver that was prevented from running and\r\nquarantined by CrowdStrike Falcon® Prevent machine learning (ML) and identified by Falcon OverWatch. This\r\ndriver is designed to use the privileged driver space provided by the vulnerable Intel driver to overwrite specific\r\nroutines in the CrowdStrike Falcon sensor driver with adversary-created trampoline code. 
While this was\r\nprevented by the Falcon sensor and immediately escalated to the customer with human analysis, a series of\r\nrecommendations to protect Microsoft kernel memory can be found in the \"Recommendations\" section below.\r\nIn the past months, CrowdStrike Services has observed the actor attempting to bypass other endpoint tools\r\nincluding Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne.\r\nTechnical Analysis\r\nCrowdStrike has identified various versions of a malicious driver that are signed by different certificates and\r\nauthorities — including stolen certificates originally issued to NVIDIA and Global Software LLC, as well as a\r\nself-signed test certificate. The intent of the adversary is to disable the endpoint security products' visibility and\r\nprevention capabilities so the actor can further their actions on objectives.\r\nVersions of the sample are small, 64-bit Windows kernel drivers with fewer than 35 relatively simple functions.\r\nAn example driver with SHA256 hash\r\nb6e82a4e6d8b715588bf4252f896e40b766ef981d941d0968f29a3a444f68fef has its build time set to 1970-01-01\r\n00:01:35 UTC . It contains various status messages and calls to DbgPrintEx() , as a means to provide status\r\nmessages to the threat actor. The file is signed using a certificate with the following parameters:\r\nserial: 31 11 00 fb 8d ee 5e 09 37 6b 69 a8 f6 23 e0 ee\r\nissued to: Global Software, LLC\r\nvalid from: 2018-05-14 valid to: 2021-06-18\r\nThe same certificate has been observed signing other malicious files dating back to at least 2018, suggesting that\r\nother threat actors have copies of it.\r\nThe driver walks the list of loaded kernel modules, searching for csagent.sys (the CrowdStrike Falcon kernel\r\ncomponent), and scans the identified module for a hard-coded pattern of 64 bytes. 
In addition to the search\r\npattern, the scanning function retrieves the mask string \" xxxxxxxxxxxxxxxxxxx??\r\nxxxxxxxxxxxxxxxxxxxxxxxxxxxx??xx \" as an argument that masks out bytes corresponding to absolute memory\r\naddresses. These change when the driver code is mapped to a different base address, and should therefore be\r\nexcluded. The mask string is only 61 bytes long, 3 bytes shorter than the code pattern, possibly due to incomplete\r\nadjustments.\r\nA second sample with SHA256 hash e23283e75ed2bdabf6c703236f5518b4ca37d32f78d3d65b073496c12c643cfe\r\nhas a PE build timestamp of 2022-12-23 15:11:27 UTC that matches the signing date. This file is digitally signed\r\nwith what appears to be a test certificate with the following parameters:\r\nserial: 23 43 9d 9d d3 2a a7 b2 4b bb 6e 31 64 fb 47 53\r\nissued to: WDKTestCert guid0,133162475712847553\r\nvalid from: 2022-12-23\r\nvalid to: 2032-12-23\r\nThis sample is intended to be loaded using BYOVD techniques and hence does not require a verifiable digital\r\nsignature. No other files signed with this test certificate were available at the time of analysis.\r\nUpon startup, the driver decrypts a hard-coded string of targeted security products using a basic XOR loop:\r\nfor i in len(name): name ^= i % 56 + 49\r\nThe malicious driver then finds the target driver using the same method and patches it, in memory, at hard-coded\r\noffsets. The patching routine operates on a list where each element represents a hook structure that contains a\r\npointer to the target function, a pointer to the malware routine and trampoline code to invoke that routine. The\r\ninstalled malware routines signal success to the Falcon sensor in every case even though the routines perform no\r\noperation.\r\nWhile the outlined activity appears to target specific industries, organizations of all types should apply the lessons\r\nlearned to harden defenses against such threats. 
CrowdStrike recommends that organizations employ a rigorous,\r\ndefense-in-depth approach that monitors endpoints, cloud workloads, identities and networks to defend against\r\nadvanced, persistent adversaries. The holistic deployment of security tooling paired with a high operational tempo\r\nin responding to alerts and incidents is critical to success.\r\nRecommendations\r\nThe described activity will be prevented and quarantined by the Falcon platform if configured as outlined in our\r\nprevention policy best practices recommendations.\r\nPrevention Policy Settings\r\nWith regard to the malicious activity detailed here, in particular confirm the Windows prevention policy settings\r\nlisted are set as follows:\r\nSensor Tampering Protection enabled\r\nCloud Anti-malware Prevention slider at Moderate or higher\r\nSensor Anti-malware Prevention slider at Moderate or higher\r\nSuspicious Processes enabled\r\nSuspicious Kernel Drivers enabled\r\nThe complete list of our best practices recommendations for prevention policies may be found in the support\r\nportal here: Prevention Policy Best Practice Guidelines\r\nMitigate CVE-2015-2291\r\nCrowdStrike customers should ensure they have the ability to locate and patch the vulnerable Intel Ethernet Driver\r\nspecified in CVE-2015-2291. Prioritizing the patching of vulnerable drivers can help mitigate this and similar\r\nattack vectors involving signed driver abuse.\r\nCrowdStrike Falcon® Spotlight customers can search for the presence of this driver by navigating to: Spotlight \u003e\r\nVulnerabilities. US-1 | US-2 | EU | Gov\r\nEvaluate Enabling Microsoft Memory Integrity Capabilities\r\nDue to the inherent flaws in Microsoft protection of kernel memory permitting these types of BYOVD attacks,\r\nadditional functionality has been incorporated into modern Windows Operating Systems. 
Hypervisor-Protected\r\nCode Integrity (HVCI), a component of Virtualization-Based Security (VBS), is designed to prevent users with\r\nelevated privilege from being able to read and write to kernel memory. The protections were implemented in order\r\nto address the security flaw of not enforcing kernel memory protections.\r\nWhile CrowdStrike has not identified any issues with the Falcon platform running in environments with these\r\nfeatures enabled, there have been intermittent reports of performance issues in various other environments tied to\r\nspecific applications and some processors. CrowdStrike Falcon® Insight XDR customers can view the status of\r\nHVCI by navigating to: Host setup and management \u003e Zero Trust Assessment.\r\nEnable Traffic Inspection for CrowdStrike Falcon Identity Threat Protection\r\nAs the adversary is largely leveraging valid accounts as the initial access vector, additional scrutiny of legitimate\r\nlogin activity and two-factor authentication approvals from unexpected assets, accounts or locations is highly\r\nrecommended.\r\nAdditional Resources\r\nRequest a free trial of the industry-leading CrowdStrike Falcon platform.\r\nRead about adversaries tracked by CrowdStrike in 2022 in the 2023 CrowdStrike Global Threat Report\r\nand in the 2023 Threat Hunting Report.\r\nRequest a free CrowdStrike Intelligence threat briefing and learn how to stop adversaries targeting your\r\norganization.\r\nLearn how CrowdStrike Services can help your organization prepare to defend against sophisticated\r\nthreats, respond and recover from incidents with speed and precision, and fortify your 
cybersecurity\r\npractices.\r\nWatch an introductory video on the CrowdStrike Falcon console and register for an on-demand demo of\r\nthe market-leading CrowdStrike Falcon platform in action.\r\nSource: https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/"
	],
	"report_names": [
		"scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic"
	],
	"threat_actors": [
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434544,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df798a27d7b6a19d0066b2d85cda91f0b43ca40d.pdf",
		"text": "https://archive.orkl.eu/df798a27d7b6a19d0066b2d85cda91f0b43ca40d.txt",
		"img": "https://archive.orkl.eu/df798a27d7b6a19d0066b2d85cda91f0b43ca40d.jpg"
	}
}