Blog
Scattered Spider: A Threat Profile
In this post, we break down Scattered Spider’s history, their recent campaigns, and their evolving tactics, tools, and procedures.
Table Of Contents
The cyber threat landscape is in constant flux, yet few groups have adapted and evolved as rapidly as “Scattered Spider.” Comprised primarily of teenagers and young adults in the United States and the United Kingdom, the collective has become a prolific and formidable threat to organizations in 2025. Using social engineering as an initial access vector, Scattered Spider has infiltrated numerous high-profile global organizations, extorting millions in the process.
What is Scattered Spider?
Scattered Spider is a cybersecurity industry designation to refer to activity involving social engineering, credential theft, and SIM swapping, initial access, ransomware deployment, and data theft and extortion. The term, primarily used for tracking and reporting, encompasses activity from Telegram channels and groups such as “The Com,” “Star Fraud,” and “LAPSUS$.”
The TTPs used by this group also overlap with data leak and extortion collectives like “Shiny Hunters.” Last summer, several extortion demands were observed from users going by “SpidermanData,” “Sp1d3r” and “Sp1d3r Hunters.” Most recently, they have been observed through the Telegram channel, “scattered lapsus$ hunters.”
Additional industry designations for this group include:
- Octo Tempest
- Oktapus
- Muddled Libra
- UNC3944
- UNC6040
Group members have also been associated with Ransomware-as-Service (RaaS) groups, such as:
- ALPHV/BlackCat
- Qilin
- DragonForce
- RansomHub
- Hellcat
The group recently claimed to develop a RaaS group called “ShinySpider” or “ShinySp1d3r.”
Who Does Scattered Spider Target?
Scattered Spider adopts a wave approach, where they choose a particular industry, and then attack as many organizations operating within that sector over a short period. Industries are likely chosen based on perceived profitability or ease of social engineering. While this campaign style is not unique to threat actors, it is a distinct feature of this group’s operations.
These sector-based wave attacks included a focused campaign against financial services in late 2023, food service companies in May 2024, and a high-profile retail sector campaign against UK and US retailers into 2025. The group has also been known to target cryptocurrency services and gaming. They favor large enterprises for greater impact and ransom leverage.
Scattered Spider’s Recent Campaign Activity
2025 has been particularly active for Scattered Spider. The below timeline highlights the group’s wave approach, pivots to new sectors, and its use of supply-chain attacks.
Scattered Spider’s Known Tactics, Tools, and Procedures (TTPs)
| ATT&CK Tactic | Technique Name | ATT&CK ID |
| Initial Access | Phishing | T1566 |
| Smishing | T1566.002 | |
| Vishing | T1566.004 | |
| Trusted Relationships Abuse | T1199 | |
| Credential Access | Steal Credentials (infostealers and keylogging) | N/A |
| OS Credential Dumping | T1003 | |
| Persistence | Create Account | T1136 |
| Add MFA Device | T1556.006 | |
| External IdP Trust | T1484.002 | |
| Privilege Escalation | Valid Accounts | T1078 |
| Abuse Federated Identity for SSO Privilege | T1484.002 | |
| Defense Evasion | Disable Security Tools (via BYOVD) | N/A |
| Abusing Allowed Admin Tools | T1219 | |
| Discovery and Lateral | Account Discovery | N/A |
| Movement | Cloud Infrastructure Discovery | T1538 |
| Remote Services | T1021 | |
| Cloud Instance Creation | T1578.002 | |
| Exfiltration | Automated Exfil to Cloud Storage | T1567 |
| Data Staging | T1074 | |
| Impact | Data Encryption for Impact | T1486 |
Social Engineering and Phishing
A common Scattered Spider tactic involves employing Short Message Service (SMS) phishing to lure targets to spoofed custom SSO portals. Typical fraudulent domain names include a brand or company name spelled closely to the legitimate source. Through these messages, the group directs employees to enter their credentials into the attacker’s site, serving as the initial access point.
In many cases, the group also employs MFA fatigue attacks, where they bombard the target with repeated push notifications or onetime password prompts until they acquiesce and approve one.
Scattered Spider Shifts to Vishing
Flashpoint has also observed Scattered Spider shifting to using voice-based phishing (vishing) as its primary social engineering technique to gain initial access. The attackers manipulate IT and help desk personnel into resetting passwords and MFA settings by posing as employees, sometimes using generative AI to create convincing impersonations.
Additionally, Scattered Spider sometimes targets employees directly, posing as the organization’s own help desk. In these cases, the attackers attempt to trick victims into downloading and executing malicious software such as remote access trojans (RATs) to take control of their desktop.
Lateral Movement
After gaining access to the victim via compromised credentials, Scattered Spider heavily abuses built-in admin tools and other legitimate software to avoid detection. During their social engineering schemes, the group will often convince victims to install remote management and monitoring (RMM) tools under the guise of IT support. Common RMM tools leveraged by Scattered Spider include:
- TeamViewer
- AnyDesk
- ScreenConnect
- Splashtop
- FleetDeck
- Level.io
- Pulseway
To facilitate lateral movement, the attackers also utilize cloud-based virtual private network (VPN) and proxy servers to tunnel into networks. Because these are allowed applications in many enterprises, the threat actors can operate with less suspicion. In some cases, Scattered Spider has been observed to hijack a victim’s own Endpoint Detection and Response (EDR) tool by using its remote shell or script execution features, effectively turning the defender’s tool into a backdoor.
Malware Toolsets
Scattered Spider has been known to deploy the following malware for specific purposes:
- Information-stealing malware: The group has used information stealers like Racoon and Vidar to harvest credentials, browser cookies, and session tokens. They have also distributed RedLine malware.
- Remote access trojans (RATs): Scattered Spider has leveraged RATs such as Ave Maria and its custom malware, Spectre RAT, with an updated variant seen in 2024 and 2025 campaigns.
Extortion
Financial gain has consistently been the primary motivator for the threat actor group. Since late 2023, Scattered Spider has adopted a double extortion model, which leverages both data theft and file encryption. The group has deployed ransomware payloads from believed affiliate groups such as ALPHV/Blackcat, RansomHub, and DragonForce.
Protect Against Threat Actors Using Flashpoint
The tactics employed by Scattered Spider demonstrate their ability to exploit weaknesses in security programs by targeting people rather than strictly systems or technical vulnerabilities.
Their use of social engineering, via vishing, smishing, and MFA fatigue attacks, proves that even the most advanced technical defenses can be circumvented through human deception.
To defend against threat actor groups like Scattered Spider, organizations must implement a holistic threat intelligence program. This not only involves staying current on the latest developments, but also ensuring that security teams are equipped with actionable intelligence that empowers quick identification and response. To learn more about Scattered Spider, in addition to other prolific threat actor groups, request a demo today.