Threat Actor Profile: Scattered Spider

Cyble investigates the notorious Scattered Spider threat group, a financially motivated crew that has recently been in the limelight for compromising major entertainment and hospitality firms in the United States and other key targets worldwide.

Scattered Spider is no longer a story about casino hacks and teenagers. In 2025, the group has become a blueprint for how identity-based attacks render traditional security investments nearly useless — and its recent campaign across UK retail and US insurance has delivered the most expensive proof yet.

Scattered Spider first gained notoriety in 2022 by phishing Okta credentials and multifactor authentication (MFA) codes from employees of Okta customers (the campaign Group-IB tracked as 0ktapus) and using that access to pivot into those organisations and, in some cases, their downstream customers. Its capabilities have since expanded to bring-your-own-vulnerable-driver (BYOVD) attacks and other techniques for evading endpoint detection and response (EDR) products. The group keeps a high operational tempo and has concentrated on customer relationship management and business process outsourcing (BPO) providers, telecommunications, and the technology sector, but it has increasingly been observed targeting global financial institutions.

How They Get In

Scattered Spider’s entry point is not a zero-day. It is a person. The one vulnerability the group is known to exploit (see Exploited Vulnerabilities below) is used after access has been obtained, to kill EDR, not to get in.

The group begins with reconnaissance — mapping the target organisation’s employee directory via LinkedIn, company websites, and open-source intelligence tools. They identify help desk staff, IT administrators, and executives with elevated access. They note naming conventions, internal jargon, and third-party vendor relationships. This phase happens entirely outside your network perimeter, generating no alerts in your SIEM.

Armed with this profile data, the group makes the call. A threat actor impersonates a senior employee — often citing a travel scenario or urgent system lockout — and contacts the IT help desk. They provide convincing PII gathered from public sources or previously compromised credentials purchased from dark web markets. Their goal: a password reset or MFA bypass.

Where social engineering alone isn’t sufficient, Scattered Spider layers in SIM swapping to intercept SMS-based one-time passwords, and MFA fatigue attacks — flooding a target’s authenticator app with repeated push notifications until the user approves one simply to stop the noise.
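The help-desk reset and the MFA-fatigue pattern described in the two paragraphs above both leave a trace in the identity provider's log, which is where they are most cheaply caught. The following detector is an added example, not Cyble's code; it runs over a constructed, simplified Okta-style event list whose field names (ts, user, event, outcome, actor) and event-type strings are assumptions rather than any vendor's schema. It flags (a) a push approval that follows a burst of rejected or timed-out pushes and (b) a help-desk-performed password or factor reset that is followed within an hour by enrolment of a new MFA factor.

```python
"""Identity-layer detections for help-desk resets and MFA push fatigue.

Added example (not Cyble's code). Events are constructed to resemble a
simplified Okta-style system log; field names and event types are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real data. `actor` is who performed the action.
SAMPLE_EVENTS = [
    # alice: five rejected/timed-out pushes in three minutes, then an approval
    {"ts": "2025-06-01T09:00:05", "user": "alice", "event": "user.mfa.push", "outcome": "DENY", "actor": "alice"},
    {"ts": "2025-06-01T09:00:40", "user": "alice", "event": "user.mfa.push", "outcome": "TIMEOUT", "actor": "alice"},
    {"ts": "2025-06-01T09:01:10", "user": "alice", "event": "user.mfa.push", "outcome": "DENY", "actor": "alice"},
    {"ts": "2025-06-01T09:01:50", "user": "alice", "event": "user.mfa.push", "outcome": "DENY", "actor": "alice"},
    {"ts": "2025-06-01T09:02:30", "user": "alice", "event": "user.mfa.push", "outcome": "DENY", "actor": "alice"},
    {"ts": "2025-06-01T09:03:05", "user": "alice", "event": "user.mfa.push", "outcome": "ALLOW", "actor": "alice"},
    # carol: one mis-tap then approval, normal behaviour
    {"ts": "2025-06-01T08:30:00", "user": "carol", "event": "user.mfa.push", "outcome": "DENY", "actor": "carol"},
    {"ts": "2025-06-01T08:30:45", "user": "carol", "event": "user.mfa.push", "outcome": "ALLOW", "actor": "carol"},
    # bob: help desk resets password and all factors, a new factor is enrolled minutes later
    {"ts": "2025-06-01T10:15:00", "user": "bob", "event": "user.account.reset_password", "outcome": "SUCCESS", "actor": "helpdesk1"},
    {"ts": "2025-06-01T10:16:30", "user": "bob", "event": "user.mfa.factor.reset_all", "outcome": "SUCCESS", "actor": "helpdesk1"},
    {"ts": "2025-06-01T10:20:00", "user": "bob", "event": "user.mfa.factor.activate", "outcome": "SUCCESS", "actor": "bob"},
    # dave: self-service reset followed by enrolment, not a help-desk path
    {"ts": "2025-06-01T11:00:00", "user": "dave", "event": "user.account.reset_password", "outcome": "SUCCESS", "actor": "dave"},
    {"ts": "2025-06-01T11:02:00", "user": "dave", "event": "user.mfa.factor.activate", "outcome": "SUCCESS", "actor": "dave"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejected=4):
    """Users who approved a push after >= min_rejected rejected/timed-out pushes within `window`."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "user.mfa.push":
            pushes[e["user"]].append(e)
    hits = []
    for user, evs in pushes.items():
        evs.sort(key=_ts)
        for i, e in enumerate(evs):
            if e["outcome"] != "ALLOW":
                continue
            rejected = sum(1 for p in evs[:i]
                           if p["outcome"] in ("DENY", "TIMEOUT") and _ts(e) - _ts(p) <= window)
            if rejected >= min_rejected:
                hits.append({"user": user, "approved_at": e["ts"], "rejected_before": rejected})
    return hits

RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}

def detect_helpdesk_reset_then_enroll(events, window=timedelta(hours=1)):
    """Third-party (help desk) reset followed by a new factor activation within `window`.

    Resets the user performed on their own account are ignored; the signal is
    someone else clearing credentials right before a new device is enrolled.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        resets = [e for e in evs if e["event"] in RESET_EVENTS and e["actor"] != user]
        enrolls = [e for e in evs if e["event"] == "user.mfa.factor.activate"]
        for r in resets:
            follow = [en for en in enrolls if timedelta(0) <= _ts(en) - _ts(r) <= window]
            if follow:
                hits.append({"user": user, "reset_by": r["actor"], "reset": r["event"],
                             "enrolled_at": follow[0]["ts"]})
                break  # one finding per user is enough to open a ticket
    return hits

if __name__ == "__main__":
    for h in detect_push_fatigue(SAMPLE_EVENTS) + detect_helpdesk_reset_then_enroll(SAMPLE_EVENTS):
        print(h)
```

Tune `min_rejected` against your own baseline of accidental denials; the reset-then-enroll rule is deliberately actor-based so that self-service resets do not page anyone, while a help-desk reset followed by a new authenticator always does.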

Once inside, they move fast. A primary target is the NTDS.dit file, Active Directory’s database, which holds the password hash of every domain account. Reaching it already requires domain-administrator-level rights or backup rights on a domain controller, so its extraction means privilege escalation has succeeded. With the file and the SYSTEM hive that protects it, the group can crack hashes offline or use them directly in pass-the-hash and Kerberos attacks, impersonating any user, service or admin account with traffic that looks like ordinary authentication to conventional endpoint tooling.
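Extracting NTDS.dit is noisy on the domain controller itself: a volume shadow copy has to be created, the database copied out of it, and the SYSTEM hive exported, or the hashes replicated directly with DCSync. The rules below are an added example, not Cyble's code; they run over constructed process-creation records (fields host, user, image, cmdline are our assumption, modelled on Sysmon Event ID 1 / Security 4688) and raise an alert when a host shows two or more stages of the chain, or a single stage that is complete on its own (ntdsutil ifm, DCSync).

```python
"""Process-creation rules for the NTDS.dit extraction chain on a domain controller.

Added example (not Cyble's code). Records are constructed; field names are an
assumption modelled on Sysmon EID 1 / Security 4688.
"""
import re
from collections import defaultdict

RULES = [
    ("ntdsutil_ifm", re.compile(r"ntdsutil.*\b(ifm|ac i ntds|activate instance ntds)\b", re.I)),
    ("vss_snapshot", re.compile(r"(vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create|diskshadow(\.exe)?\s+/s\b)", re.I)),
    ("ntds_copy_from_shadow", re.compile(r"(copy|xcopy|robocopy|esentutl).*harddiskvolumeshadowcopy.*ntds\.dit", re.I)),
    ("system_hive_export", re.compile(r"reg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
    ("dcsync_mimikatz", re.compile(r"lsadump::dcsync", re.I)),
]
# Stages that are a complete extraction on their own and warrant an alert by themselves.
HIGH_ALONE = {"ntdsutil_ifm", "dcsync_mimikatz"}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\helpdesk-svc", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\helpdesk-svc", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Temp\\n.dit"},
    {"host": "DC01", "user": "CORP\\helpdesk-svc", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save hklm\\system C:\\Temp\\sys.hive"},
    {"host": "DC02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "DC02", "user": "CORP\\backup-svc", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg query hklm\\system\\CurrentControlSet\\Services\\NTDS"},
    {"host": "DC03", "user": "CORP\\helpdesk-svc", "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\ifm" q q'},
    {"host": "WS05", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\m.exe",
     "cmdline": 'm.exe "lsadump::dcsync /domain:corp.local /user:krbtgt" exit'},
]

def match_rules(event):
    """Names of every rule whose pattern matches the event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]

def scan(events):
    """Per-host findings: which stages fired and whether that warrants an alert
    (two or more distinct stages, or one stage that is complete on its own)."""
    fired = defaultdict(set)
    for e in events:
        for name in match_rules(e):
            fired[e["host"]].add(name)
    return {host: {"rules": sorted(names),
                   "alert": len(names) >= 2 or bool(names & HIGH_ALONE)}
            for host, names in fired.items()}

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS).items():
        print(host, finding)
```

On a real estate, pair these command-line rules with Sysmon Event ID 10 (process access to lsass.exe) and directory-replication audit events, since DCSync leaves no command line on the domain controller at all; the rule here only catches the operator's own tooling on the host they ran it from.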

Why EDR and Perimeter Tools Don’t Stop This

Here is the fundamental problem: by the time Scattered Spider’s payload arrives, the attacker is already authenticated.

Endpoint Detection and Response (EDR) tools are designed to catch malicious binaries, suspicious process behaviour, and known malware signatures. They are not designed to distinguish a legitimate employee using AnyDesk from a threat actor whom a socially engineered help desk agent has just handed a fresh password and MFA reset. Perimeter firewalls cannot block a VPN session opened by someone holding valid credentials.

Scattered Spider’s operators understand this deeply. They use commercial RMM tools — AnyDesk, Splashtop, TeamViewer, and others — precisely because these appear as legitimate business software. They use Mullvad and NordVPN to mask their geolocation. They disable EDR products from within the EDR’s own administrative console, using the same access that legitimate IT staff would use.

The attack surface Scattered Spider exploits is not technical. It is the gap between what your identity stack trusts and what your security team can see.

Targeted Sectors: 2026 Update

Scattered Spider’s known victim sectors now include:

  • Retail
  • Insurance
  • Telecommunications
  • Business Process Outsourcing
  • Technology and Cloud Services
  • Financial Services
  • Hospitality
  • Airlines and Logistics

Ransomware Partner Update: DragonForce Replaces BlackCat

The original profile noted Scattered Spider’s affiliation with ALPHV/BlackCat. That relationship has evolved. Following law enforcement disruption of BlackCat in late 2023 and the subsequent collapse of RansomHub’s infrastructure, Scattered Spider has forged a working alliance with the DragonForce ransomware cartel — a Conti-derived ransomware-as-a-service operation with over 200 victims on its leak site. DragonForce’s encryptor was used in the M&S attack. The relationship represents a maturing affiliate model rather than a single fixed partnership.

CISA’s July 2025 advisory confirmed this shift, noting DragonForce as Scattered Spider’s most recently deployed ransomware variant alongside updated TTPs including more sophisticated social engineering techniques.

Scattered Spider Lifecycle

Scattered Spider’s attacks typically begin with SMS phishing, phone calls to victim help desks, and SIM swapping. Once the threat actors (TAs) compromise credentials through social engineering, they use legitimate software such as AnyDesk and ScreenConnect to maintain persistence. They then employ tools like Mimikatz and Impacket’s secretsdump to harvest credentials and escalate privileges. Following this, they move laterally through the network using RDP, SSH, and other services. In the final stages, they disable security and recovery services, exfiltrate data, and conduct ransomware operations.

Initial Infection

Scattered Spider has been known to gain initial access to its intended victims primarily via social engineering. SMS phishing campaigns, in particular, are frequently used alongside calls to victim help desks to assist the TAs in obtaining password reset links or MFA bypass codes.

SIM Swapping

Scattered Spider’s tactics often involve SIM-swapping attacks, which are followed by establishing persistence through compromised accounts. Once they have secured persistence, Scattered Spider is known to modify and steal data from within the victim organization’s environment.

SIM swapping, also known as SIM hijacking, occurs when a fraudster convinces (or bribes) a mobile carrier into moving a customer’s phone number to a SIM the fraudster controls, so that calls and text messages for that number, including one-time passcodes (OTPs) from banks, crypto exchanges, and any other service that still verifies identity over SMS, are delivered to the attacker instead of the customer.

Typically, SIM hijacking follows the acquisition of a customer’s personal information through phishing attacks or by purchasing compromised account credentials from dark web marketplaces. Victims often have their email accounts compromised beforehand, enabling threat actors to intercept communications from telecom providers such as Verizon. Phishing involves sending fraudulent requests for personal information, usually posing as a company or government agency.

SMS Phishing

In most of the cases where the initial access vector was identified, Scattered Spider obtained access to the victim’s environment in the wake of a successful smishing attack. Smishing is a type of social engineering attack in which cybercriminals use fraudulent mobile text messages to deceive individuals into installing malware, disclosing sensitive information, or transferring money. The term “smishing” is derived from “SMS,” which stands for “short message service,” the technology powering text messages, and “phishing.” The figure below shows the smishing message received by Cloudflare employees.

Figure 1 – Smishing Message (Source: Cloudflare)

After obtaining credentials, the TAs have impersonated employees in calls to victim organizations’ service desks, attempting to secure multifactor authentication (MFA) codes or password resets. During these calls, they provided the verification information requested by help desk employees, including usernames, employee IDs, and other types of personally identifiable information (PII) associated with the employees.

Phishing Kits

Scattered Spider has utilized phishing kits in their previous campaigns. Between late 2021 and mid-2022, they deployed a phishing kit known as EIGHTBAIT. Starting in Q3 2022, Scattered Spider began launching credential phishing campaigns with a new kit that seems to have been created by copying a webpage from a targeted organization. By mid-2023, they were using a third phishing kit alongside the second one.

Figure 2 – Phishing Page (Source: Google Mandiant)

Exploited Vulnerabilities

In previous attacks, Scattered Spider exploited CVE-2015-2291, a vulnerability in Intel’s Ethernet diagnostics driver for Windows (iqvw64.sys), in a bring-your-own-vulnerable-driver (BYOVD) attack: the signed but vulnerable driver is dropped onto an already-compromised host, loaded, and used to obtain kernel-level code execution and terminate EDR processes. Because the driver is not normally present on victim systems and the CVE is a decade old, patching does not address this; blocking the driver through Microsoft’s vulnerable driver blocklist (enforced by HVCI or WDAC) and alerting on driver loads by non-IT users does.

Persistence

Scattered Spider is particularly focused on maintaining access to targeted environments. While TAs commonly use free or demo versions of Remote Monitoring and Management (RMM) tools, Scattered Spider often installs half a dozen or more to ensure a backdoor remains even if one is discovered. The use of commercial RMM tools is problematic since these legitimate, business-critical applications are frequently used for daily administration in enterprise networks. Observed tools include Zoho Assist, AnyDesk, Splashtop, TeamViewer, ITarian, FleetDeck, ASG Remote Desktop, RustDesk, and ManageEngine RMM.
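Because every tool in that list is legitimate software, the useful control is an inventory check rather than a signature: which remote-access products are present on each host, whether they are the one IT has approved, and whether a host carries several at once. The audit below is an added example, not Cyble's code. The inventory records are constructed, the executable-to-product mapping is a partial illustrative list, and the approved set is an assumption for a hypothetical organisation standardised on a single RMM product.

```python
"""Flag unapproved and stacked remote-access tools across an endpoint inventory.

Added example (not Cyble's code). Inventory is constructed; the signature
map is partial and the approved set is an assumption.
"""
from collections import defaultdict

# Lower-cased substrings of executable names -> product. Partial list, assumption.
REMOTE_ACCESS_SIGNATURES = {
    "anydesk": "AnyDesk",
    "teamviewer": "TeamViewer",
    "srserver": "Splashtop",
    "splashtop": "Splashtop",
    "rustdesk": "RustDesk",
    "screenconnect": "ScreenConnect",
    "zohoassist": "Zoho Assist",
    "fleetdeck": "FleetDeck",
    "tacticalrmm": "TacticalRMM",
    "pulseway": "Pulseway",
    "tvnserver": "TightVNC",
    "ngrok": "ngrok",
    "tailscale": "Tailscale",
}
APPROVED = {"ScreenConnect"}  # the one tool IT actually uses (assumption)

# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    {"host": "LT-FIN-014", "exe": "ScreenConnect.ClientService.exe"},
    {"host": "LT-FIN-014", "exe": "Teams.exe"},
    {"host": "LT-OPS-022", "exe": "AnyDesk.exe"},
    {"host": "LT-OPS-022", "exe": "SRServer.exe"},
    {"host": "LT-OPS-022", "exe": "rustdesk.exe"},
    {"host": "LT-OPS-022", "exe": "ngrok.exe"},
    {"host": "SRV-DB-03", "exe": "TeamViewer.exe"},
    {"host": "SRV-DB-03", "exe": "sqlservr.exe"},
]

def identify(exe):
    """Map an executable name to a remote-access product, or None."""
    name = exe.lower()
    for needle, product in REMOTE_ACCESS_SIGNATURES.items():
        if needle in name:
            return product
    return None

def audit(inventory, approved=APPROVED, stack_threshold=2):
    """Per host: detected products, the unapproved ones, and whether the host
    carries a 'stack' (>= stack_threshold distinct products), the pattern used
    so that losing one tool does not cost the intruder access."""
    products = defaultdict(set)
    for rec in inventory:
        p = identify(rec["exe"])
        if p:
            products[rec["host"]].add(p)
    report = {}
    for host, prods in products.items():
        unapproved = sorted(prods - approved)
        stacked = len(prods) >= stack_threshold
        action = "isolate" if stacked else ("review" if unapproved else "ok")
        report[host] = {"products": sorted(prods), "unapproved": unapproved,
                        "stacked": stacked, "action": action}
    return report

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY).items():
        print(host, finding)
```

Feed it from whatever already enumerates binaries (EDR inventory, installed-software queries, or service lists), and treat "isolate" as a containment decision rather than a ticket: a second remote-access product on a host that already has the sanctioned one is the signature of this group, not of an over-helpful technician.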

Defense Evasion

Demonstrating proficiency with numerous security controls, Scattered Spider effectively evaded common defenses. Their tactics include disabling antivirus and host-based firewalls, attempting to delete firewall profiles, creating Microsoft Defender exclusions, deactivating or uninstalling EDR and other monitoring products, and setting up unmanaged cloud virtual machines. They also elevated access in virtual desktop environments and re-enabled existing, dormant Active Directory accounts so that activity would come from a known account rather than a newly created one that SIEM rules watch for. Additionally, Scattered Spider operated within EDR administrative consoles to clear alerts. Prioritizing operational security, they consistently used commercial VPN services to obscure their geographic location, preferring Mullvad VPN but also utilizing ExpressVPN, NordVPN, Ultrasurf, Easy VPN, and ZenMate.
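Each of the host-side evasion steps above writes an event before it takes effect: Microsoft Defender logs a 5007 configuration-change event whose message carries the new exclusion registry value, a 5001 event when real-time protection is switched off, PowerShell script-block logging (4104) captures an Add-MpPreference call, and the Security log records a 4722 when an account is enabled. The rules below are an added example, not Cyble's code; the records are constructed to resemble those event texts (channel, event_id, message and target are our field names), and the dormant-account list stands in for an AD query that would normally supply it.

```python
"""Event-log rules for Defender tampering and dormant-account re-enablement.

Added example (not Cyble's code). Records are constructed; message wording is
modelled on the real Defender 5007/5001 and Security 4722 texts.
"""
import re

DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
SECURITY = "Security"
POWERSHELL = "Microsoft-Windows-PowerShell/Operational"

EXCLUSION_REG = re.compile(r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+?) = ", re.I)
EXCLUSION_PS = re.compile(r"(Add|Set)-MpPreference\s+.*?-Exclusion(Path|Process|Extension)\s+['\"]?([^'\" ]+)", re.I)
DISABLE_PS = re.compile(r"Set-MpPreference\s+.*?-DisableRealtimeMonitoring\s+\$?true", re.I)

# Accounts disabled more than 30 days ago (would come from AD; constructed here).
DORMANT_ACCOUNTS = {"svc_backup_old", "contractor_2022"}

SAMPLE_EVENTS = [
    {"channel": DEFENDER, "event_id": 5007, "target": None,
     "message": "Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\AnyDesk = 0x0"},
    {"channel": DEFENDER, "event_id": 5001, "target": None,
     "message": "Microsoft Defender Antivirus Real-time Protection scanning for malware and other "
                "potentially unwanted software was disabled."},
    {"channel": POWERSHELL, "event_id": 4104, "target": None,
     "message": "Add-MpPreference -ExclusionPath 'C:\\Tools' -ExclusionProcess 'm.exe'"},
    {"channel": SECURITY, "event_id": 4722, "target": "svc_backup_old", "message": "A user account was enabled."},
    {"channel": SECURITY, "event_id": 4722, "target": "jsmith.new", "message": "A user account was enabled."},
    {"channel": DEFENDER, "event_id": 1116, "target": None, "message": "Microsoft Defender Antivirus has detected malware."},
]

def evaluate(event, dormant=DORMANT_ACCOUNTS):
    """Return (finding, detail) for one event, or None if it is not interesting."""
    ch, eid, msg = event["channel"], event["event_id"], event["message"]
    if ch == DEFENDER and eid == 5007:
        m = EXCLUSION_REG.search(msg)
        if m:
            return ("defender_exclusion_added", f"{m.group(1)}: {m.group(2)}")
    if ch == DEFENDER and eid == 5001:
        return ("defender_rtp_disabled", msg)
    if ch == POWERSHELL and eid == 4104:
        m = EXCLUSION_PS.search(msg)
        if m:
            return ("defender_exclusion_added", f"{m.group(2)}: {m.group(3)}")
        if DISABLE_PS.search(msg):
            return ("defender_rtp_disabled", msg)
    if ch == SECURITY and eid == 4722 and event["target"] in dormant:
        return ("dormant_account_reenabled", event["target"])
    return None

def run(events, dormant=DORMANT_ACCOUNTS):
    """All findings over a batch of events, in log order."""
    return [f for f in (evaluate(e, dormant) for e in events) if f]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

The exclusion detail is worth surfacing in the alert itself: an exclusion covering an RMM tool's data directory, as in the constructed 5007 event here, is a much stronger signal than a generic "Defender settings changed". Defender tamper protection should stop most of these changes outright; the rules catch the cases where it is off, or where the operator has console access that tamper protection trusts.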

Tools used by Scattered Spider

Scattered Spider employs a diverse range of tools at various stages of their campaigns. These tools include ADRecon, AnyDesk, DCSync, FiveTran, FleetDeck, gosecretsdump, Govmomi, Hekatomb, Impacket, LaZagne, LummaC2, Mimikatz, Ngrok, PingCastle, ProcDump, PsExec, Pulseway, Pure Storage FlashArray, RedLine, Rsocx, RustDesk, ScreenConnect, SharpHound, Socat, Spidey Bot, Splashtop, Stealc, TacticalRMM, Tailscale, TightVNC, VIDAR, WinRAR, WsTunnel, and various Living off the Land techniques.

Figure 3 – Scattered Spider Tools (Source: Cyble Vision)

ADRecon: ADRecon is a tool that extracts and compiles various artifacts from an Active Directory (AD) environment. It generates a specially formatted Microsoft Excel report, which includes summary views with metrics to facilitate analysis. This provides a comprehensive overview of the target AD environment’s current state. TAs use this tool to enumerate victim networks.

DCSync: DCSync is a late-stage technique in which an account holding domain replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) asks a domain controller to replicate password data over the directory replication protocol, exactly as a peer domain controller would. Once TAs control such an account, they can pull any user’s hash, including krbtgt, without ever touching NTDS.dit on disk, and use that material for lateral movement and long-term persistence through forged Kerberos tickets.

FleetDeck: FleetDeck is a remote desktop and virtual terminal product built for technicians managing large fleets of computers. TAs install it after initial access to maintain persistence.

gosecretsdump: This tool is a Go port of Impacket’s secretsdump module, built for speed; an NTDS.dit dump that takes hours with the Python original can finish in minutes. It processes an exported NTDS.dit together with its SYSTEM hive, as well as SAM/SYSTEM hive backups, and can read the live local SAM/SYSTEM hives when run as SYSTEM.

Hekatomb: Hekatomb is a Python script that connects to an LDAP directory to retrieve information about all computers and users. It then downloads all DPAPI blobs for all users from all computers. Finally, it extracts the domain controller’s private key via RPC and uses it to decrypt all credentials.

Impacket: Impacket is an open-source collection of Python modules designed for programmatically constructing and manipulating network protocols. It includes various tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay cyber attacks.

LaZagne: LaZagne is a post-exploitation, open-source tool designed to recover stored passwords on a system. It features modules for Windows, Linux, and OSX, with a primary focus on Windows systems. LaZagne is publicly available on GitHub and used by TAs.

LummaC2: Lumma Stealer, also known as LummaC2, is a subscription-based information stealer that first emerged in 2022. Written in C, it offers a broad range of capabilities. Primarily used to steal cryptocurrency wallets and sensitive information like usernames and passwords, Lumma Stealer also has the functionality to deliver additional payloads.

Mimikatz: Mimikatz is a suite of tools for collecting and using Windows credentials on a compromised system. It can retrieve cleartext passwords, LAN Manager and NTLM hashes, certificates, and Kerberos tickets from memory, and it supports pass-the-hash, pass-the-ticket, and DCSync. It works on all Windows versions from XP onward, though cleartext password recovery is limited on Windows 8.1/Server 2012 R2 and later, where WDigest caching is off by default and Credential Guard can isolate LSASS secrets.

Ngrok: Ngrok creates secure tunnels to expose local servers behind NATs and firewalls to the public internet, which helps TAs evade network-based detections.

ProcDump: ProcDump is a Microsoft Sysinternals command-line utility for monitoring applications for CPU spikes and generating crash dumps. TAs abuse it to dump the memory of the LSASS process (for example, procdump -ma lsass.exe) and then extract credentials from the dump offline with Mimikatz, relying on the tool’s Microsoft signature to slip past EDR detections that key on unsigned credential dumpers.

Pulseway: Pulseway is a remote monitoring and management (RMM) software designed to help managed service providers (MSPs) and IT teams minimize downtime and set new efficiency standards through automation. TAs use this tool to achieve persistence in the victim system.

RedLine: RedLine Stealer, first identified in 2020, is one of the most notorious stealers available. It utilizes a Simple Object Access Protocol (SOAP) for communication with its command-and-control center and supports various plugins. RedLine Stealer collects data from browsers, email applications, and cryptocurrency wallets and is often linked to sophisticated phishing campaigns that can deliver additional payloads such as ransomware or advanced malware.

Rsocx: A high-performance SOCKS5 proxy server featuring support for both bind and reverse proxying. TAs use this tool as a proxy server for C&C communication.

RustDesk: RustDesk is a fully-featured, open-source remote control solution designed for self-hosting and security with minimal configuration required. TAs use this tool to achieve persistence in the victim system.

SharpHound: A C# rewrite of the BloodHound Ingestor. Bloodhound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment. TAs use this tool to enumerate the AD network.

Spidey Bot: Spidey Bot is a relatively uncommon information stealer that first appeared in 2019. It is designed to extract stored passwords and other data from various sources within infected environments. The information targeted can include VPN credentials, internet browsers, email clients, gaming software, and cryptocurrency data.

Stealc: Stealc is a relatively new malware family, first observed in early 2023. It is known as a copycat information stealer, featuring a suite of functionalities reminiscent of VIDAR, Raccoon, Mars, and RedLine stealers. By default, Stealc targets data from web browsers, browser extensions, cryptocurrency applications, and email messaging software.

TacticalRMM: Tactical RMM is a remote monitoring and management tool developed using Django and Vue.

VIDAR: Vidar is a derivative of Arkei malware, notable for being among the first to target information from 2FA software and the Tor Browser. The TAs use this tool as a payload after the initial infection.

WsTunnel: Wstunnel tunnels arbitrary traffic inside the WebSocket protocol, which rides on HTTP, to pass through firewalls and proxies that only permit web traffic. It lets TAs carry command-and-control and exfiltration traffic, and reach internal resources, while blending in with ordinary web sessions.

What Brand and Executive Monitoring Catches

The recon phase is the most detectable point in Scattered Spider’s kill chain — but only if you are watching the right signals.

Before any call is made to your help desk, the group has already assembled a dossier on your organisation. They are scraping your brand assets, employee names, org-chart structures, and vendor relationships. They may register lookalike domains to host credential phishing pages. They may impersonate your brand on social platforms to harvest employee credentials. Executive names and titles harvested from LinkedIn become the ammunition for help desk impersonation calls.

Cyble Vision monitors precisely these pre-attack signals. When a lookalike domain mimicking your brand is registered, Cyble Vision surfaces it. When executive PII appears in dark web credential dumps or criminal forums, Cyble Vision flags it. When phishing infrastructure targeting your employees is stood up, Cyble Vision identifies it — before anyone makes the call that triggers the breach.

This is the intelligence layer that endpoint tools structurally cannot provide. EDR lives inside your network. Brand and identity monitoring lives in the same external spaces where Scattered Spider conducts its reconnaissance.

In the M&S case, the attacker’s dwell time was approximately two months before detonation. Two months of signals — domain lookups, credential harvesting, social engineering prep — that brand-aware threat intelligence could have surfaced.

Network Activities

In several instances, Muddled Libra (Palo Alto Unit 42’s name for Scattered Spider) sought to establish reverse proxy shells or SSH tunnels for command and control and data exfiltration. They used tunnelling software such as Rsocx and common file transfer sites including put[.]io, transfer[.]sh, wasabi[.]com, and gofile[.]io, both to exfiltrate data and to retrieve attack tools. They were also observed using Cyberduck as a file transfer client.
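The destinations above are ordinary, publicly reachable services, so the detection is an egress rule rather than a malware signature: flag traffic to the named file-transfer sites (uploads and downloads separately, since a GET is tool retrieval and a PUT is exfiltration), flag connections to tunnel-service domains, and sum upload volume per source. The code below is an added example, not Cyble's code, run over constructed web-proxy records whose fields (ts, src, dst_host, method, bytes_out) are an assumption about a generic proxy export; the list adds ngrok's tunnel domains and Wasabi's S3 endpoint domain (wasabisys.com) to the sites named on this page, as an assumption about where uploads to those services actually land.

```python
"""Egress rules for file-sharing exfiltration and tunnelling over proxy logs.

Added example (not Cyble's code). Records are constructed; field names and the
upload threshold are assumptions.
"""
from collections import defaultdict

FILE_SHARE_DOMAINS = {"put.io", "transfer.sh", "gofile.io", "wasabi.com", "wasabisys.com"}
TUNNEL_DOMAINS = {"ngrok.io", "ngrok-free.app", "ngrok.app"}
UPLOAD_THRESHOLD = 50 * 1024 * 1024  # bytes per source in the log window (assumption)

# Constructed sample proxy records, not real traffic.
SAMPLE_LOGS = [
    {"ts": "2025-06-01T02:10:00", "src": "10.0.4.15", "dst_host": "transfer.sh", "method": "PUT", "bytes_out": 40_000_000},
    {"ts": "2025-06-01T02:14:00", "src": "10.0.4.15", "dst_host": "transfer.sh", "method": "PUT", "bytes_out": 45_000_000},
    {"ts": "2025-06-01T02:20:00", "src": "10.0.4.15", "dst_host": "s3.us-east-1.wasabisys.com", "method": "PUT", "bytes_out": 9_000_000},
    {"ts": "2025-06-01T09:00:00", "src": "10.0.7.22", "dst_host": "a1b2c3d4.ngrok-free.app", "method": "GET", "bytes_out": 2_000},
    {"ts": "2025-06-01T09:05:00", "src": "10.0.9.8", "dst_host": "www.microsoft.com", "method": "GET", "bytes_out": 1_200},
    {"ts": "2025-06-01T09:06:00", "src": "10.0.9.8", "dst_host": "gofile.io", "method": "GET", "bytes_out": 800},
]

def domain_match(host, domains):
    """The listed domain that `host` equals or is a subdomain of, or None."""
    host = host.lower().rstrip(".")
    return next((d for d in domains if host == d or host.endswith("." + d)), None)

def analyse(logs, upload_threshold=UPLOAD_THRESHOLD):
    """Findings as (kind, src, detail) tuples, per record plus a per-source volume check."""
    findings = []
    upload_by_src = defaultdict(int)
    for rec in logs:
        share = domain_match(rec["dst_host"], FILE_SHARE_DOMAINS)
        tunnel = domain_match(rec["dst_host"], TUNNEL_DOMAINS)
        if share:
            # A GET from a sharing site is tool retrieval; a PUT/POST is a likely upload.
            kind = "file_share_upload" if rec["method"] in ("PUT", "POST") else "file_share_download"
            findings.append((kind, rec["src"], rec["dst_host"]))
            if kind == "file_share_upload":
                upload_by_src[rec["src"]] += rec["bytes_out"]
        if tunnel:
            findings.append(("tunnel_service", rec["src"], rec["dst_host"]))
    for src, total in upload_by_src.items():
        if total >= upload_threshold:
            findings.append(("bulk_upload", src, f"{total} bytes to file-sharing sites"))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOGS):
        print(finding)
```

Suffix matching is deliberate: wasabi[.]com itself is the vendor's marketing site, while the buckets live under wasabisys.com subdomains, and ngrok endpoints are random subdomains of the tunnel domains. Traffic through the commercial VPNs named earlier is the inbound leg of these intrusions and will not appear in the proxy log; it belongs in the VPN concentrator's authentication logs instead.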

Conclusion

Scattered Spider’s power comes from knowing your organisation better than your help desk does — before they ever make a call.

Cyble Vision detects the recon and impersonation signals that precede these attacks: lookalike domains, dark web credential exposure, phishing infrastructure, and brand abuse targeting your employees and vendors.


Recommendations:

To counter the Scattered Spider campaign effectively, consider implementing the following recommendations:

Enhance Phishing Defenses: Deploy anti-phishing controls and train employees to recognize and report phishing and smishing. Require MFA everywhere, but prefer phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys) over SMS and push, which SIM swapping and MFA fatigue defeat; where push remains, enable number matching. Give the help desk a strict verification procedure for password and MFA resets (call back on a number already on file, require manager approval or an in-person check for privileged accounts) and never reset a factor on the strength of PII alone, since the PII is exactly what the attacker has collected.

Monitor and Manage Remote Tools: Regularly audit and manage remote monitoring and management (RMM) tools. Restrict the installation of unauthorized software and monitor for unusual activity.

Strengthen SIM Security: Educate users about the risks of SIM swapping and implement measures to secure mobile accounts, such as contacting mobile carriers to set up additional security features.

Improve Incident Response: Develop and regularly update an incident response plan to swiftly address and contain breaches. Conduct regular security drills to ensure readiness.

Regularly Update Systems: To mitigate vulnerabilities, ensure that all systems and software are up-to-date with the latest security patches.

Monitor Network Traffic: Implement advanced network monitoring tools to detect and respond to suspicious activities, including the use of VPNs and tunneling protocols.

Review Access Controls: Enforce least privilege so that only authorized individuals can reach critical systems and data, and review that access regularly, including help desk rights to reset credentials for administrators.

Utilize Threat Intelligence: Leverage threat intelligence feeds to stay informed about emerging threats and tactics used by groups like Scattered Spider.

Implementing these recommendations can help organizations enhance their defenses against Scattered Spider’s sophisticated tactics and improve their overall cybersecurity posture.

MITRE Attack Techniques Associated with Scattered Spider

Figure 4 – MITRE ATT&CK (Source: Cyble Vision)

Phishing (T1566): Scattered Spider obtains credentials by SMS phishing and phone calls to victim help desks.

Valid Accounts (T1078): They gain access through compromised credentials and social engineering.

Command and Scripting Interpreter (T1059): They use PowerShell (T1059.001) and the Windows command shell to run commands and scripts, including launching tooling such as Mimikatz.

Create Account (T1136): They may create or use existing accounts to maintain access.

Impair Defenses: Disable or Modify Tools (T1562.001): To avoid detection, they disable antivirus, firewalls, and EDR systems.

OS Credential Dumping (T1003): They use tools like Mimikatz, ProcDump, and secretsdump to extract credentials from LSASS memory and NTDS.dit.

Remote Services: Remote Desktop Protocol (T1021.001) and SSH (T1021.004): They move laterally using RDP and SSH. (T1076, the older standalone RDP technique ID, has been retired into T1021.001.)
