Scattered Spider: A Threat Profile

In this post, we break down Scattered Spider’s history, their recent campaigns, and their evolving tactics, tools, and procedures.

August 15, 2025

The cyber threat landscape is in constant flux, yet few groups have adapted and evolved as rapidly as “Scattered Spider.” Comprised primarily of teenagers and young adults in the United States and the United Kingdom, the collective has become a prolific and formidable threat to organizations in 2025. Using social engineering as an initial access vector, Scattered Spider has infiltrated numerous high-profile global organizations, extorting millions in the process.

What is Scattered Spider?

Scattered Spider is a cybersecurity industry designation that refers to activity involving social engineering, credential theft, SIM swapping, initial access, ransomware deployment, and data theft and extortion. The term, used primarily for tracking and reporting, encompasses activity from Telegram channels and groups such as “The Com,” “Star Fraud,” and “LAPSUS$.”

The TTPs used by this group also overlap with data leak and extortion collectives like “ShinyHunters.” Last summer, several extortion demands were observed from users going by “SpidermanData,” “Sp1d3r” and “Sp1d3r Hunters.” Most recently, they have been observed through the Telegram channel “scattered lapsus$ hunters.”

Additional industry designations for this group include:  

  • Octo Tempest
  • Oktapus
  • Muddled Libra
  • UNC3944 
  • UNC6040

Group members have also been associated with Ransomware-as-a-Service (RaaS) groups, such as:

  • ALPHV/BlackCat 
  • Qilin 
  • DragonForce 
  • RansomHub
  • Hellcat

The group recently claimed to develop a RaaS group called “ShinySpider” or “ShinySp1d3r.”

Who Does Scattered Spider Target?

Scattered Spider adopts a wave approach: it chooses a particular industry and then attacks as many organizations operating within that sector as it can over a short period. Industries are likely chosen based on perceived profitability or ease of social engineering. While this campaign style is not unique among threat actors, it is a distinct feature of this group’s operations.

These sector-based wave attacks included a focused campaign against financial services in late 2023, food service companies in May 2024, and a high-profile retail sector campaign against UK and US retailers into 2025. The group has also been known to target cryptocurrency services and gaming. They favor large enterprises for greater impact and ransom leverage.

Scattered Spider’s Recent Campaign Activity

2025 has been particularly active for Scattered Spider. The timeline below highlights the group’s wave approach, its pivots to new sectors, and its use of supply-chain attacks.

2025 timeline

  • Jan: Scattered Spider compromises a variety of UK retailers and insurance firms using social engineering.
  • Feb: The group infiltrates an unnamed UK retailer via credential theft.
  • Apr: Deploying DragonForce ransomware, Scattered Spider disrupts payment systems and online orders for prominent UK retailers.
  • May: Scattered Spider carries out numerous extortion and ransomware campaigns, expanding its targeting to US retailers.
  • May: The group breaches a major technology/cloud firm, leveraging social engineering for internal record access.
  • Jun: Unnamed UK and US airlines, as well as logistics firms, are targeted by Scattered Spider via credential theft and remote access tool abuse, sparking warnings from the FBI.
  • Jul: Over 91 global organizations report Scattered Spider attacks after the group breaches a widely-used CRM.
  • Aug: Scattered Spider’s breach of a widely-used CRM carries over into the next month as more organizations publicly report infiltration and extortion attempts.

Scattered Spider’s Known Tactics, Tools, and Procedures (TTPs)

ATT&CK Tactic | Technique Name | ATT&CK ID
--- | --- | ---
Initial Access | Phishing | T1566
Initial Access | Smishing | T1566.002
Initial Access | Vishing | T1566.004
Initial Access | Trusted Relationships Abuse | T1199
Credential Access | Steal Credentials (infostealers and keylogging) | N/A
Credential Access | OS Credential Dumping | T1003
Persistence | Create Account | T1136
Persistence | Add MFA Device | T1556.006
Persistence | External IdP Trust | T1484.002
Privilege Escalation | Valid Accounts | T1078
Privilege Escalation | Abuse Federated Identity for SSO Privilege | T1484.002
Defense Evasion | Disable Security Tools (via BYOVD) | N/A
Defense Evasion | Abusing Allowed Admin Tools | T1219
Discovery and Lateral Movement | Account Discovery | N/A
Discovery and Lateral Movement | Cloud Infrastructure Discovery | T1538
Discovery and Lateral Movement | Remote Services | T1021
Discovery and Lateral Movement | Cloud Instance Creation | T1578.002
Exfiltration | Automated Exfil to Cloud Storage | T1567
Exfiltration | Data Staging | T1074
Impact | Data Encryption for Impact | T1486

Social Engineering and Phishing

A common Scattered Spider tactic involves Short Message Service (SMS) phishing that lures targets to spoofed custom SSO portals. Typical fraudulent domain names use a brand or company name spelled to closely resemble the legitimate one. Through these messages, the group directs employees to enter their credentials into the attacker’s site, which serves as the initial access point.

In many cases, the group also employs MFA fatigue attacks, bombarding the target with repeated push notifications or one-time password prompts until they acquiesce and approve one.
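As an added illustration that is not part of the original post, the following Python detection logic flags the MFA fatigue pattern described above by counting push prompts per user inside a short window over constructed IdP log lines; the log format, the threshold and the window are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP push-notification events (not real logs).
# Assumed line format: timestamp user event source_ip
SAMPLE_EVENTS = """\
2025-06-02T08:01:10Z alice push_sent 203.0.113.7
2025-06-02T08:01:41Z alice push_denied 203.0.113.7
2025-06-02T08:02:05Z alice push_sent 203.0.113.7
2025-06-02T08:02:30Z alice push_denied 203.0.113.7
2025-06-02T08:03:02Z alice push_sent 203.0.113.7
2025-06-02T08:03:20Z alice push_denied 203.0.113.7
2025-06-02T08:03:55Z alice push_sent 203.0.113.7
2025-06-02T08:04:12Z alice push_approved 203.0.113.7
2025-06-02T09:15:00Z bob push_sent 198.51.100.4
2025-06-02T09:15:20Z bob push_approved 198.51.100.4
"""

THRESHOLD = 3                  # pushes inside WINDOW treated as bombing (assumed tuning)
WINDOW = timedelta(minutes=5)  # assumed detection window


def parse_events(text):
    """Parse the assumed log format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_fatigue(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: (largest_push_burst, approved_after_burst)} for each user who
    received at least `threshold` push prompts inside `window`. An approval after
    a burst is the worst case: the victim acquiesced, so the session needs revoking."""
    per_user = defaultdict(list)
    for ts, user, event, _ip in sorted(events):
        per_user[user].append((ts, event))
    findings = {}
    for user, evs in per_user.items():
        sent = [ts for ts, ev in evs if ev == "push_sent"]
        for i, start in enumerate(sent):
            burst = [ts for ts in sent[i:] if ts - start <= window]  # pushes in window
            if len(burst) < threshold:
                continue
            approved = any(ev == "push_approved" and ts >= burst[-1] for ts, ev in evs)
            if user not in findings or len(burst) > findings[user][0]:
                findings[user] = (len(burst), approved)
    return findings
```

Running `detect_push_fatigue(parse_events(SAMPLE_EVENTS))` on the constructed data reports only alice, with four pushes in five minutes followed by an approval.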

Scattered Spider Shifts to Vishing

Flashpoint has also observed Scattered Spider shifting to using voice-based phishing (vishing) as its primary social engineering technique to gain initial access. The attackers manipulate IT and help desk personnel into resetting passwords and MFA settings by posing as employees, sometimes using generative AI to create convincing impersonations. 

Additionally, Scattered Spider sometimes targets employees directly, posing as the organization’s own help desk. In these cases, the attackers attempt to trick victims into downloading and executing malicious software such as remote access trojans (RATs) to take control of their desktop.

Lateral Movement

After gaining access to the victim via compromised credentials, Scattered Spider heavily abuses built-in admin tools and other legitimate software to avoid detection. During their social engineering schemes, the group will often convince victims to install remote management and monitoring (RMM) tools under the guise of IT support. Common RMM tools leveraged by Scattered Spider include:

  • TeamViewer
  • AnyDesk
  • ScreenConnect
  • Splashtop
  • FleetDeck
  • Level.io
  • Pulseway

To facilitate lateral movement, the attackers also utilize cloud-based virtual private network (VPN) and proxy servers to tunnel into networks. Because these are allowed applications in many enterprises, the threat actors can operate with less suspicion. In some cases, Scattered Spider has been observed to hijack a victim’s own Endpoint Detection and Response (EDR) tool by using its remote shell or script execution features, effectively turning the defender’s tool into a backdoor.
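As an added example that is not part of the original post, this Python snippet runs over constructed process-creation events and flags executions of the RMM tools listed above that fall outside an organization's sanctioned set, marking those whose parent process suggests a user ran a download by hand, as in the help-desk pretext; the file and parent names, the match patterns and the approved set are assumptions.

```python
import re
from collections import namedtuple

# Process-creation events as (host, user, parent image, image). Constructed sample
# data for this example; file and parent names are assumptions, not page content.
ProcEvent = namedtuple("ProcEvent", "host user parent image")
SAMPLE_PROCS = [
    ProcEvent("ws-0142", "jdoe", r"C:\Program Files\Google\Chrome\chrome.exe",
              r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    ProcEvent("ws-0142", "jdoe", r"C:\Users\jdoe\Downloads\AnyDesk.exe",
              r"C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe"),
    ProcEvent("srv-it-01", "SYSTEM", r"C:\Windows\System32\services.exe",
              r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"),
    ProcEvent("ws-0377", "msmith", r"C:\Windows\explorer.exe",
              r"C:\Users\msmith\Downloads\TeamViewer_Setup.exe"),
    ProcEvent("ws-0377", "msmith", r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe"),
]

# Image-name patterns for the RMM tools named in the post (pattern details assumed).
RMM_PATTERNS = {
    "TeamViewer": r"teamviewer", "AnyDesk": r"anydesk", "ScreenConnect": r"screenconnect",
    "Splashtop": r"splashtop", "FleetDeck": r"fleetdeck", "Level.io": r"^level[-_.]",
    "Pulseway": r"pulseway",
}
APPROVED_RMM = {"ScreenConnect"}  # the one product the hypothetical org has sanctioned
# Parents indicating a user launched a download by hand rather than a managed install.
USER_LAUNCH_PARENTS = ("chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe", "outlook.exe")


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def identify_rmm(image):
    """Return the RMM tool whose pattern matches the image basename, else None."""
    name = basename(image)
    for tool, pattern in RMM_PATTERNS.items():
        if re.search(pattern, name):
            return tool
    return None


def find_unapproved_rmm(events, approved=APPROVED_RMM):
    """One alert per (host, tool) for RMM executions outside the approved set; an
    alert is marked user_launched if any execution came from a browser/shell parent."""
    alerts = {}
    for ev in events:
        tool = identify_rmm(ev.image)
        if tool is None or tool in approved:
            continue
        key = (ev.host, tool)
        launched = basename(ev.parent) in USER_LAUNCH_PARENTS
        prior = alerts.get(key, {"user": ev.user, "user_launched": False})
        alerts[key] = {"user": prior["user"], "user_launched": prior["user_launched"] or launched}
    return alerts
```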

Malware Toolsets

Scattered Spider has been known to deploy the following malware for specific purposes:

  • Information-stealing malware: The group has used information stealers like Raccoon and Vidar to harvest credentials, browser cookies, and session tokens. They have also distributed RedLine malware.
  • Remote access trojans (RATs): Scattered Spider has leveraged RATs such as Ave Maria and its custom malware, Spectre RAT, with an updated variant seen in 2024 and 2025 campaigns.

Extortion

Financial gain has consistently been the primary motivator for the group. Since late 2023, Scattered Spider has adopted a double extortion model that leverages both data theft and file encryption. The group has deployed ransomware payloads from RaaS groups it is believed to be affiliated with, such as ALPHV/BlackCat, RansomHub, and DragonForce.

US Charges Alleged Scattered Spider Member

On September 18, 2025, the United States charged Thalha Jubair, a 19-year-old UK national, with participating in 120 network intrusions, including against 47 US entities, as part of Scattered Spider. The charges name specific targets, including US critical infrastructure companies and the federal court system.

Jubair was also the Doxbin owner who attempted to fake their own kidnapping in May 2024. In April 2025, a channel was dedicated to doxxing Jubair and other alleged Doxbin administrators. Flashpoint has observed Jubair using the following aliases:

  • EarthtoStar
  • Earth2Star
  • Brad
  • Austin
  • @autistic
  • miku
  • Everlynn
  • StarAce
  • Operator

Jubair allegedly used social engineering to gain unauthorized access to computer networks, steal and encrypt data, and demand ransom payments totaling $115 million USD. On the same day, UK authorities filed their own charges against Jubair and Owen Flowers, another suspected Scattered Spider member, alleging that they were involved in a cyberattack on Transport for London in August 2024.

Protect Against Threat Actors Using Flashpoint

The tactics employed by Scattered Spider demonstrate their ability to exploit weaknesses in security programs by targeting people rather than strictly systems or technical vulnerabilities.

Their use of social engineering, via vishing, smishing, and MFA fatigue attacks, shows that even advanced technical defenses can be circumvented through human deception.

To defend against threat actor groups like Scattered Spider, organizations must implement a holistic threat intelligence program. This not only involves staying current on the latest developments, but also ensuring that security teams are equipped with actionable intelligence that empowers quick identification and response. To learn more about Scattered Spider, in addition to other prolific threat actor groups, request a demo today.

Scattered Spider Frequently Asked Questions (FAQs)

What is Scattered Spider and how does Flashpoint Ignite track them?

Scattered Spider is a highly skilled threat group within Flashpoint Ignite’s monitoring scope that specializes in social engineering and identity-based attacks. Flashpoint Ignite tracks this group by monitoring the illicit Telegram channels and dark web forums where its members coordinate. This allows Flashpoint users to see the latest phishing domains and TTPs used by the group to bypass traditional corporate defenses.

Flashpoint Tracking Feature | Security Benefit
--- | ---
Actor Profiles | Decodes the history and recruitment patterns of Scattered Spider members.
Domain Monitoring | Identifies new phishing URLs targeting corporate SSO pages in real time.
Ransomware Intelligence | Tracks the group’s activity as an affiliate for major RaaS families.

How does Flashpoint help prevent the SIM swapping tactics used by Scattered Spider?

Flashpoint helps prevent SIM swapping by providing early warning of compromised employee data that threat actors use to trick mobile carriers. Flashpoint’s Fraud Intelligence monitors for leaked personally identifiable information (PII) and mobile device logs belonging to your staff. By identifying this exposure early, organizations can place extra security locks on high-value accounts before Scattered Spider can intercept MFA codes.

  • Identity Protection: Finds leaked employee phone numbers and PII on the dark web.
  • TTP Alerts: Notifies teams when new SIM swapping scripts are shared in illicit circles.
  • Executive Protection: Monitors for specific threats against leaders who are high-priority targets.

Why is Flashpoint’s visibility into “illicit chat apps” vital for defending against this group?

Flashpoint’s visibility into illicit chat apps is vital because Scattered Spider primarily operates on encrypted platforms like Telegram. Unlike traditional ransomware groups that use leak sites, this group often coordinates attacks and negotiates ransoms in private or semi-private chats. Flashpoint provides a safe, searchable window into these conversations, giving your team the context needed to stop an active intrusion.

Information Source | Flashpoint Strategic Advantage
--- | ---
Encrypted Messaging | Captures real-time chatter between Scattered Spider members and affiliates.
Credential Markets | Identifies the specific “stealer logs” the group buys for initial access.
Technical Indicators | Surfaces the unique remote access tools the group favors for persistence.

Request a demo today.