Scattered Spider Intensifies Cyber Onslaught with New Tactics and Ransomware Deployment

A July 2025 advisory warns of Scattered Spider's rise, using ransomware, social engineering, and identity theft to target critical infrastructure worldwide.

A newly released joint advisory from leading global cybersecurity and intelligence agencies, including Australia’s ASD and ACSC, the FBI, CISA, the UK’s NCSC, and others, reveals a sharp escalation in Scattered Spider’s cybercriminal activities. This update, published on July 29, outlines new tactics, techniques, and procedures (TTPs) gathered from recent FBI investigations, including enhanced use of ransomware, social engineering, and credential theft.

Originally issued on November 16, 2023, and updated multiple times since, the advisory now reflects the latest intelligence on Scattered Spider operations. Also known by aliases such as UNC3944, Oktapus, Storm-0875, and Muddled Libra, this threat actor has grown more dangerous, leveraging multilayered social engineering and exploiting identity and access management systems.

In a combined statement, the authoring organizations emphasize the urgency for commercial and critical infrastructure sectors to implement robust mitigations to counteract this highly adaptive group.

From Data Theft to Ransomware Encryption

According to the updated July 2025 advisory, Scattered Spider is now deploying DragonForce ransomware, marking a shift from pure extortion via data theft to full encryption of enterprise systems. This ransomware has been observed locking down VMware ESXi servers and demanding payment via TOR, Tox, email, or encrypted apps.

The threat actor often exfiltrates large datasets prior to encryption, using cloud services like Amazon S3 and MEGA[.]NZ. The goal: maximize leverage for ransom while maintaining stealth inside compromised environments.

Social Engineering and Identity Hijacking

Scattered Spider specializes in exploiting human trust. The group uses advanced social engineering strategies such as SIM swapping, push bombing (MFA fatigue attacks), and vishing, frequently posing as help desk or IT staff to gather credentials. Victims are manipulated into granting access or transferring multi-factor authentication (MFA) tokens.


In recent campaigns, Scattered Spider actors impersonated employees across several calls to IT service desks to reset passwords and redirect MFA prompts to attacker-controlled devices. These actions led to full account takeovers inside Single Sign-On (SSO) environments.

Their phishing domains mimic real services (e.g., targetsname-okta[.]com, targetsname-helpdesk[.]com), adding legitimacy to their impersonation tactics. Snowflake databases have also become a primary exfiltration target, with threat actors launching thousands of queries in quick succession.
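The lookalike pattern above (an organisation's name joined to a service word such as okta or helpdesk) is easy to check for mechanically. The following is an added example for defenders, not code from Cyble or from the advisory: it scans a batch of newly observed domains, such as a certificate-transparency or passive-DNS feed, for labels built from your organisation's name and a service keyword. The organisation name "Acme", the sample domain list and the allowlist are constructed for the example; the service-word list is an assumption to be extended with your own identity and help-desk brands.

```python
"""Flag newly observed domains that combine an organisation's name with a
service keyword (okta, helpdesk, ...). Added example, not Cyble's tooling."""

# Service words appended to a target's name in the lookalike domains described
# in the advisory; assumption, extend to your own identity/help-desk brands.
SERVICE_WORDS = ("okta", "helpdesk", "sso", "servicedesk", "vpn", "mfa")


def refang(domain: str) -> str:
    """Turn defanged 'example[.]com' back into 'example.com', lowercased."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_label(domain: str) -> str:
    """Second-level label: 'acme-okta' for 'login.acme-okta.com'.
    Assumes a single-label public suffix; use a PSL library for ccTLDs."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_hits(domain: str, org_names) -> list:
    """Return (org, service) pairs the domain's registrable label is built from."""
    label = registrable_label(domain)
    hits = []
    for org in (o.lower() for o in org_names):
        for svc in SERVICE_WORDS:
            candidates = {f"{org}-{svc}", f"{svc}-{org}", f"{org}{svc}", f"{org}_{svc}"}
            if label in candidates:
                hits.append((org, svc))
    return hits


def scan_new_domains(domains, org_names, allowlist=()) -> dict:
    """Return {domain: hits} for each matching domain not on the allowlist."""
    allow = {refang(d) for d in allowlist}
    flagged = {}
    for d in domains:
        clean = refang(d)
        if clean in allow:
            continue
        hits = lookalike_hits(clean, org_names)
        if hits:
            flagged[clean] = hits
    return flagged


# Constructed sample: a batch of newly registered / newly resolved domains.
SAMPLE_NEW_DOMAINS = [
    "acme-okta[.]com",
    "login.acme-helpdesk[.]com",
    "acme.okta.com",          # the real tenant: label is 'okta', not flagged
    "weather-report[.]net",
    "sso-acme[.]co",
]
ORG_NAMES = ["Acme"]              # constructed organisation name
ALLOWLIST = ["acme.okta.com"]     # constructed: the legitimate tenant hostname

if __name__ == "__main__":
    for dom, hits in scan_new_domains(SAMPLE_NEW_DOMAINS, ORG_NAMES, ALLOWLIST).items():
        print(f"{dom}: mimics " + ", ".join(f"{o}-{s}" for o, s in hits))
```

Matches are on the registrable label only, so the organisation's real `acme.okta.com` tenant is not flagged while `acme-okta.com` is; feed the flagged set into your takedown and brand-monitoring process and into a proxy or DNS block list.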

Persistence and Privilege Escalation

Once inside, Scattered Spider establishes persistence by registering new MFA tokens, deploying Remote Monitoring and Management (RMM) tools such as TeamViewer, Tactical RMM, AnyDesk, and Pulseway, and by manipulating SSO identity providers. These techniques allow the threat actor to retain access even after password resets.
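The help-desk reset-and-redirect sequence described in the previous section and the MFA re-registration used for persistence here share one observable chain: a password reset performed by a service-desk identity followed shortly by enrollment of a new MFA factor on the same account. The correlation below is an added example written for defenders, not code from Cyble or from the advisory. The events are a constructed identity-provider export, and the event names (`user.password.reset`, `user.mfa.factor.enroll`) and field names are assumptions, not any vendor's schema; map them to your IdP's audit log.

```python
"""Correlate help-desk password resets with MFA factor enrollments on the same
account within a short window. Added example, not Cyble's tooling."""
from datetime import datetime, timedelta

# Constructed sample log, one dict per event (a pretend IdP audit export).
# Event and field names are assumptions, not a real vendor schema.
SAMPLE_EVENTS = [
    {"ts": "2025-07-29T09:01:00Z", "event": "user.password.reset",
     "target": "j.doe", "actor": "helpdesk-svc"},
    {"ts": "2025-07-29T09:06:30Z", "event": "user.mfa.factor.enroll",
     "target": "j.doe", "actor": "j.doe", "factor": "push"},
    {"ts": "2025-07-29T09:07:10Z", "event": "user.session.start",
     "target": "j.doe", "actor": "j.doe"},
    {"ts": "2025-07-29T10:00:00Z", "event": "user.password.reset",
     "target": "a.smith", "actor": "helpdesk-svc"},
    {"ts": "2025-07-29T13:30:00Z", "event": "user.mfa.factor.enroll",
     "target": "a.smith", "actor": "a.smith", "factor": "totp"},
    {"ts": "2025-07-29T14:00:00Z", "event": "user.mfa.factor.enroll",
     "target": "b.lee", "actor": "b.lee", "factor": "push"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def reset_then_enroll(events, window=timedelta(minutes=60)) -> list:
    """One finding per (account, reset, enrollment) pair where a new MFA factor
    was enrolled within `window` after a password reset on that account."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["target"], []).append(e)

    findings = []
    for user, evs in by_user.items():
        resets = [e for e in evs if e["event"] == "user.password.reset"]
        enrolls = [e for e in evs if e["event"] == "user.mfa.factor.enroll"]
        for r in resets:
            r_ts = parse_ts(r["ts"])
            for en in enrolls:
                delta = parse_ts(en["ts"]) - r_ts
                if timedelta(0) <= delta <= window:
                    findings.append({
                        "user": user,
                        "reset_by": r["actor"],
                        "factor": en.get("factor"),
                        "minutes_after_reset": round(delta.total_seconds() / 60, 1),
                    })
    return findings


if __name__ == "__main__":
    for f in reset_then_enroll(SAMPLE_EVENTS):
        print(f"{f['user']}: new {f['factor']} factor {f['minutes_after_reset']} min "
              f"after reset by {f['reset_by']}")
```

In the sample only `j.doe` trips the rule (enrollment 5.5 minutes after a service-desk reset); `a.smith` enrolls hours later and `b.lee` had no reset. A reset followed by factor enrollment is also what a legitimate onboarding looks like, so route the finding to a call-back verification of the user through a known-good channel rather than an automatic lockout.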

Federated identity abuse has been a hallmark of their past campaigns. By configuring automatic account linking, the attackers gained sweeping access across internal systems. Though no longer consistently observed, this tactic underscores their capacity for privilege escalation.

Malware Arsenal and Legitimate Tool Misuse

To conceal their activity further, the group heavily relies on living off the land (LOTL) tactics and legitimate tools repurposed for malicious ends. According to the advisory, tools such as Ngrok, Tailscale, and ScreenConnect have been used to tunnel traffic and evade perimeter detection.

Their malware toolkit includes:

  • AveMaria/WarZone RAT – for remote system access
  • Raccoon Stealer and VIDAR – for harvesting browser credentials and cookies
  • RattyRAT – a stealthy, Java-based remote access trojan
  • DragonForce Ransomware – used to encrypt systems post-exfiltration

This hybrid use of legitimate and malicious software creates serious detection challenges for defenders.

Lateral Movement, Discovery, and Data Exfiltration

Once established, the threat actor quickly expands access. The advisory outlines a consistent pattern: enumeration of Active Directory (AD), mapping of VMware vCenter environments, identification of SharePoint and VPN configurations, and the search for code repositories, signing certificates, and source code.

Lateral movement frequently includes creating new Amazon EC2 instances, activating AWS Systems Manager, and deploying custom ETL tools to centralize exfiltrated data. Exfiltration destinations include public cloud services and attacker-controlled infrastructure.
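New EC2 instances and Systems Manager activity from an identity that has never done either, or in a region it has never touched, are the cloud-side signals of the lateral movement just described. The baseline check below is an added example for defenders, not code from Cyble or from the advisory. It uses the real CloudTrail field names (`eventSource`, `eventName`, `awsRegion`, `userIdentity.arn`) but the event records, principals and account id are constructed; the set of watched actions is an assumption you should tune.

```python
"""Flag CloudTrail-style events where a principal launches EC2 instances or
uses Systems Manager for the first time, or in a never-used region.
Added example, not Cyble's tooling; events are constructed."""
from collections import defaultdict

# EC2 / SSM actions worth baselining (assumption; tune to your estate).
WATCHED = {
    ("ec2.amazonaws.com", "RunInstances"),
    ("ssm.amazonaws.com", "StartSession"),
    ("ssm.amazonaws.com", "SendCommand"),
    ("ssm.amazonaws.com", "CreateActivation"),
}


def principal(event: dict) -> str:
    return event.get("userIdentity", {}).get("arn", "unknown")


def build_baseline(history) -> dict:
    """principal -> set of (service, action, region) seen in the baseline period."""
    base = defaultdict(set)
    for e in history:
        base[principal(e)].add((e["eventSource"], e["eventName"], e["awsRegion"]))
    return base


def flag_new_activity(baseline: dict, events) -> list:
    """Return findings for watched actions that are new for the principal,
    either entirely or in the region used."""
    findings = []
    for e in events:
        key = (e["eventSource"], e["eventName"])
        if key not in WATCHED:
            continue
        p = principal(e)
        seen = baseline.get(p, set())
        if key + (e["awsRegion"],) in seen:
            continue
        reason = ("first use of action by principal"
                  if not any(k[:2] == key for k in seen)
                  else "action in new region")
        findings.append({"principal": p, "action": e["eventName"],
                         "region": e["awsRegion"], "reason": reason,
                         "time": e["eventTime"]})
    return findings


def ev(arn, source, name, region, time):
    """Build a minimal constructed CloudTrail-shaped record."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "userIdentity": {"arn": arn}}


ACCT = "123456789012"  # constructed account id
OPS = f"arn:aws:iam::{ACCT}:role/ops-automation"
HELPDESK = f"arn:aws:iam::{ACCT}:user/helpdesk-analyst"

# Constructed 30-day baseline: ops role launches instances in us-east-1 only.
BASELINE_EVENTS = [
    ev(OPS, "ec2.amazonaws.com", "RunInstances", "us-east-1", "2025-07-01T02:00:00Z"),
    ev(OPS, "ec2.amazonaws.com", "RunInstances", "us-east-1", "2025-07-15T02:00:00Z"),
]

# Constructed events from the day under review.
TODAY_EVENTS = [
    ev(OPS, "ec2.amazonaws.com", "RunInstances", "us-east-1", "2025-07-29T02:00:00Z"),
    ev(OPS, "ec2.amazonaws.com", "RunInstances", "eu-west-1", "2025-07-29T03:10:00Z"),
    ev(HELPDESK, "ec2.amazonaws.com", "RunInstances", "us-east-1", "2025-07-29T03:40:00Z"),
    ev(HELPDESK, "ssm.amazonaws.com", "CreateActivation", "us-east-1", "2025-07-29T03:45:00Z"),
    ev(HELPDESK, "ec2.amazonaws.com", "DescribeInstances", "us-east-1", "2025-07-29T03:46:00Z"),
]

if __name__ == "__main__":
    for f in flag_new_activity(build_baseline(BASELINE_EVENTS), TODAY_EVENTS):
        print(f"{f['time']} {f['principal']} {f['action']} in {f['region']}: {f['reason']}")
```

Three of the five sample events are flagged: the ops role's first launch in eu-west-1, and the help-desk user's first ever RunInstances and CreateActivation. The routine us-east-1 launch and the DescribeInstances call are not. In practice the baseline would come from a CloudTrail query over the preceding weeks rather than an inline list.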

Evasion and Internal Surveillance

A uniquely troubling aspect of Scattered Spider’s campaigns is their ability to monitor internal communications. The advisory notes they infiltrate Microsoft Teams, Exchange Online, and Slack, sometimes joining incident response calls in real time to monitor and adapt to countermeasures.

The attackers create fake identities and back them with spoofed social media profiles, rotating infrastructure, and machine names to hinder investigation.

Conclusion

Cyble’s threat intelligence team has independently confirmed a troubling resurgence in Scattered Spider activity, highlighting the group’s evolution from basic credential phishing to full-scale ransomware operations. Perimeter defenses alone are no longer sufficient; instead, enterprises need to adopt proactive measures such as frequent red teaming, advanced threat detection, rigorous identity verification, and strict control over remote access tools.

With ransomware now a core component of Scattered Spider’s strategy and their TTPs constantly adapting, continuous threat hunting and behavioral analytics are essential. The joint advisory, now updated with insights as of July 2025, provides critical mitigation guidance, and organizations are strongly urged to review the full report (AA23-320A) to strengthen their cybersecurity posture.
