Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [1] [2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [2]
Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. [3] [4] [5]
Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [6]

ID: G1015
Associated Groups: Roasted 0ktapus, Octo Tempest, Storm-0875, UNC3944
Version: 3.0
Created: 05 July 2023
Last Modified: 24 October 2025

Associated Group Descriptions

Name Description
Roasted 0ktapus [4]
Octo Tempest [7]
Storm-0875 [7]
UNC3944 [6][8]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery

Scattered Spider has identified vSphere administrator accounts.[8]

.002 Domain Account

Scattered Spider has enumerated legitimate domain accounts which are used in the targeted environment.[3][2][9][8]

.003 Email Account

During C0027, Scattered Spider accessed Azure AD to identify email addresses.[5]

.004 Cloud Account

During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and to identify privileged users, along with the email addresses and AD attributes.[5]

Enterprise T1098 Account Manipulation

Scattered Spider has added accounts to the ESX Admins group to grant them full admin rights in vSphere.[8]

.001 Additional Cloud Credentials

During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA.[5]

.003 Additional Cloud Roles

Scattered Spider has assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure.[2]

During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.[5]

.005 Device Registration

During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims' VPN.[5]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Scattered Spider has registered domains to spoof legitimate corporate login portals.[10]

Enterprise T1217 Browser Information Discovery

Scattered Spider retrieves browser histories via infostealer malware such as Raccoon Stealer.[3]

Enterprise T1580 Cloud Infrastructure Discovery

Scattered Spider enumerates cloud environments including Amazon Web Services (AWS) S3 buckets to identify server and backup management infrastructure, resource access, databases and storage containers.[2][6][9]

Enterprise T1538 Cloud Service Dashboard

Scattered Spider abused AWS Systems Manager Inventory to identify targets on the compromised network prior to lateral movement.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Scattered Spider has used the PowerShell cmdlet Get-ADUser.[9]

.004 Command and Scripting Interpreter: Unix Shell

Scattered Spider has used the command shell to upload and install the Teleport remote access tool to a compromised vCenter Server Appliance.[8]

Enterprise T1136 Create Account

Scattered Spider creates new user identities within the compromised organization.[3]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Scattered Spider has run SYSTEMD_UNIT_PATH="/lib/systemd/system/teleport.service" to establish persistence for the Teleport remote access tool.[8]

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

Scattered Spider has searched for credentials in password vaults and Privileged Access Management (PAM) solutions including HashiCorp Vault.[6][8]

Enterprise T1486 Data Encrypted for Impact

Scattered Spider has used BlackCat and DragonForce ransomware to encrypt files, including on VMware ESXi servers.[3][2][9][8][10]

Enterprise T1530 Data from Cloud Storage

Scattered Spider enumerates data stored in cloud resources for collection and exfiltration purposes.[3]

During C0027, Scattered Spider accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[5]

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[5]

.003 Data from Information Repositories: Code Repositories

Scattered Spider enumerates data stored within victim code repositories, such as internal GitHub repositories.[3][2]

.005 Data from Information Repositories: Messaging Applications

Scattered Spider threat actors search the victim’s Slack and Microsoft Teams for conversations about the intrusion and incident response.[3]

Enterprise T1074 Data Staged

Scattered Spider stages data in a centralized database prior to exfiltration.[3]

Enterprise T1006 Direct Volume Access

Scattered Spider has created volume shadow copies of virtual domain controller disks to extract the NTDS.dit file.[2]

Enterprise T1484 .002 Domain or Tenant Policy Modification: Trust Modification

Scattered Spider adds a federated identity provider to the victim’s SSO tenant and activates automatic account linking.[3]

Enterprise T1114 Email Collection

Scattered Spider searched the victim’s Microsoft Exchange for emails about the intrusion and incident response.[3]

.003 Email Forwarding Rule

Scattered Spider has redirected emails notifying users of suspicious account activity.[9]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Scattered Spider has created matching fake social media profiles to support new accounts created in victim environments.[3]

Enterprise T1041 Exfiltration Over C2 Channel

Scattered Spider has exfiltrated data from compromised VMware vCenter servers through an established C2 channel using the Teleport remote access tool.[8]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Scattered Spider has exfiltrated victim data to the MEGA file sharing site, SnowFlake, and AWS S3 buckets.[3][2][9]

Enterprise T1190 Exploit Public-Facing Application

During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.[5]

Enterprise T1068 Exploitation for Privilege Escalation

Scattered Spider has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).[4]

Enterprise T1133 External Remote Services

Scattered Spider has leveraged legitimate remote management tools to maintain persistent access.[4]

During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments.[5]

Enterprise T1083 File and Directory Discovery

Scattered Spider enumerates a target organization for files and directories of interest, including source code, user provisioning, MFA device registration, network diagrams, and shared credentials in documents or spreadsheets.[3][2][6][9][8]

Enterprise T1657 Financial Theft

Scattered Spider has deployed ransomware on compromised hosts and threatened to leak stolen data for financial gain.[3][11][9]

Enterprise T1589 Gather Victim Identity Information

Scattered Spider has used information from previous data breaches to identify employee names to be used in social engineering.[8]

.001 Credentials

During C0027, Scattered Spider sent phishing messages via SMS to steal credentials.[5]

Enterprise T1564 .008 Hide Artifacts: Email Hiding Rules

Scattered Spider creates inbound rules on the compromised email accounts of security personnel to automatically delete emails from vendor security products.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Scattered Spider has uninstalled and disabled security tools.[6]

Enterprise T1656 Impersonation

Scattered Spider utilized social engineering to compel IT help desk personnel to reset passwords and MFA tokens.[3][2] Scattered Spider has also used Microsoft Teams to pose as internal IT support or help desk personnel.[6]

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages, either to direct victims to a credential-harvesting site or to get them to run commercial remote monitoring and management (RMM) tools.[5]

Enterprise T1070 .008 Indicator Removal: Clear Mailbox Data

Scattered Spider has manually deleted emails notifying users of suspicious account activity.[9]

Enterprise T1105 Ingress Tool Transfer

Scattered Spider has downloaded the Teleport remote access tool to compromised VMware vCenter Servers.[8]

During C0027, Scattered Spider downloaded tools using victim organization systems.[5]

Enterprise T1490 Inhibit System Recovery

Scattered Spider has stopped the Volume Shadow Copy service on compromised hosts.[6]

Enterprise T1556 .006 Modify Authentication Process: Multi-Factor Authentication

After compromising user accounts, Scattered Spider registers their own MFA tokens.[3]

.009 Modify Authentication Process: Conditional Access Policies

Scattered Spider has added additional trusted locations to Azure AD conditional access policies.[2]

Enterprise T1578 .002 Modify Cloud Compute Infrastructure: Create Cloud Instance

Scattered Spider has created Amazon EC2 instances within the victim's environment.[3]

During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.[5]

Enterprise T1621 Multi-Factor Authentication Request Generation

Scattered Spider has used multifactor authentication (MFA) fatigue by sending repeated MFA authentication requests to targets.[4][10]

During C0027, Scattered Spider attempted to gain access by continuously sending MFA messages to the victim until they accepted the MFA push challenge.[5]

Enterprise T1046 Network Service Discovery

During C0027, Scattered Spider used RustScan to scan for open ports on targeted ESXi appliances.[5]

Enterprise T1588 .001 Obtain Capabilities: Malware

Scattered Spider has obtained malware to use at multiple stages of operations including information stealers, remote access tools, and ransomware.[6][10]

.002 Obtain Capabilities: Tool

Scattered Spider has obtained tools for use throughout the attack lifecycle to include remote access software, protocol tunneling and proxy tools, exploitation frameworks, and reconnaissance tools.[6][9][10][3]

During C0027, Scattered Spider obtained and used multiple tools including the LinPEAS privilege escalation utility, aws_consoler, the rsocx reverse proxy, the Level RMM tool, and the RustScan port scanner.[5]

Enterprise T1003 .003 OS Credential Dumping: NTDS

Scattered Spider has extracted the NTDS.dit file by creating volume shadow copies of virtual domain controller disks.[2][9][8]

.006 OS Credential Dumping: DCSync

During C0027, Scattered Spider performed domain replication.[5]

Enterprise T1069 Permission Groups Discovery

Scattered Spider has enumerated the vSphere Admins and ESX Admins groups in targeted environments.[8]

.002 Domain Groups

Scattered Spider has enumerated Active Directory security groups including through the use of ADExplorer, ADRecon.ps1, and Get-ADUser.[9][8]

.003 Cloud Groups

During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and their Active Directory attributes.[5]

Enterprise T1566 .004 Phishing: Spearphishing Voice

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.[5]

Enterprise T1598 Phishing for Information

Scattered Spider has used a combination of credential phishing and social engineering to capture one-time-password (OTP) codes.[4]

.001 Spearphishing Service

During C0027, Scattered Spider sent Telegram messages impersonating IT personnel to harvest credentials.[5]

.003 Spearphishing Link

Scattered Spider has used domains mirroring corporate login portals to socially engineer victims into providing credentials.[10]

.004 Spearphishing Voice

Scattered Spider has used help desk voice-based phishing and also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits.[2][9][8]

During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.[5]

Enterprise T1572 Protocol Tunneling

Scattered Spider has installed protocol-tunneling tools on VMware vCenter and adversary-controlled VMs, including Teleport.sh, Chisel (configured to communicate with trycloudflare[.]com subdomains), MobaXterm, ngrok, Pinggy, and Teleport.[9][3]

During C0027, Scattered Spider used SSH tunneling in targeted environments.[5]

Enterprise T1090 Proxy

Scattered Spider has used proxy networks to hamper detection and has installed legitimate proxy tools on VMware vCenter and adversary-controlled VMs.[9][3]

During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.[5]

Enterprise T1219 .002 Remote Access Tools: Remote Desktop Software

In addition to directing victims to run remote software, Scattered Spider members themselves also deploy RMM software including TeamViewer, AnyDesk, LogMeIn, ngrok, and ConnectWise to establish persistence on the compromised network.[3][11][6][9][10]

During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools.[5]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Scattered Spider has used RDP to enable lateral movement.[6]

.004 Remote Services: SSH

Scattered Spider has used SSH to move laterally in victim environments and to access the vSphere vCenter Server GUI.[6][8]

.007 Remote Services: Cloud Services

Scattered Spider has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes.[3]

During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.[5]

Enterprise T1018 Remote System Discovery

Scattered Spider can enumerate remote systems, such as VMware vCenter infrastructure.[3]

Enterprise T1539 Steal Web Session Cookie

Scattered Spider retrieves browser cookies via Raccoon Stealer.[3]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Scattered Spider has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC.[4]

Enterprise T1082 System Information Discovery

Scattered Spider has executed scripts to identify the underlying operating system to ensure it uses the correct installation package for malicious payloads.[8]

Enterprise T1016 System Network Configuration Discovery

Scattered Spider has used network reconnaissance commands for discovery including ping and nltest.[6]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Scattered Spider searches for credential storage documentation on a compromised host.[3][6][9]

.004 Unsecured Credentials: Private Keys

Scattered Spider enumerates and exfiltrates code-signing certificates from a compromised host.[3]

Enterprise T1204 User Execution

Scattered Spider has impersonated organization IT and help desk staff to instruct victims to execute commercial remote access tools to gain initial access.[3]

Enterprise T1078 Valid Accounts

Scattered Spider has used compromised credentials for initial access.[6][8]

.004 Cloud Accounts

Scattered Spider has used compromised Microsoft Entra ID accounts to pivot in victim environments.[9]

During C0027, Scattered Spider leveraged compromised credentials from victim users to authenticate to Azure tenants.[5]

Enterprise T1102 Web Service

During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.[5]

Enterprise T1047 Windows Management Instrumentation

During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.[5]

Mobile T1660 Phishing

Scattered Spider has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.[2][6]

Mobile T1451 SIM Card Swap

Scattered Spider has used SIM swapping to bypass MFA and to maintain persistence on mobile carrier networks and SIM cards.[12][6][9][10]

Software

ID Name References Techniques
S1068 BlackCat Scattered Spider has deployed BlackCat ransomware to victim environments for financial gain.[3][2][6][10] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation, Account Discovery: Domain Account, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, Defacement: Internal Defacement, Disk Wipe: Disk Content Wipe, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Indicator Removal: Clear Windows Event Logs, Inhibit System Recovery, Lateral Tool Transfer, Local Storage Discovery, Modify Registry, Network Share Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Service Stop, System Information Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0591 ConnectWise Scattered Spider has used ConnectWise to maintain persistence.[6][10] Command and Scripting Interpreter: PowerShell, Screen Capture, Video Capture
S0357 Impacket During C0027, Scattered Spider used Impacket for lateral movement.[5] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Lateral Tool Transfer, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Windows Management Instrumentation
S0349 LaZagne Scattered Spider can obtain credential information using LaZagne.[2] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0002 Mimikatz Scattered Spider has gathered credentials using Mimikatz.[3][2][6][10] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0508 ngrok Scattered Spider has used ngrok to create secure tunnels to remote web servers.[3][9][10] Dynamic Resolution: Domain Generation Algorithms, Exfiltration Over Web Service, Protocol Tunneling, Proxy, Web Service
S1148 Raccoon Stealer [10] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Credentials from Password Stores: Credentials from Web Browsers, Data from Information Repositories, Data from Local System, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Dynamic API Resolution, Query Registry, Screen Capture, Software Discovery, Steal Web Session Cookie, Supply Chain Compromise, System Information Discovery, System Location Discovery, System Owner/User Discovery, System Time Discovery
S1040 Rclone [6] Archive Collected Data: Archive via Utility, Data Transfer Size Limits, Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery
S0183 Tor Scattered Spider has used Tor to communicate with targeted organizations.[3] Encrypted Channel: Asymmetric Cryptography, Proxy: Multi-hop Proxy
S0670 WarzoneRAT Scattered Spider has utilized WarzoneRAT to remotely access a compromised system.[3][10] Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Component Object Model Hijacking, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts, Hide Artifacts: Hidden Window, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Proxy, Remote Services: Remote Desktop Protocol, Remote Services: VNC, Rootkit, System Information Discovery, Template Injection, User Execution: Malicious File, Video Capture

References