Scattered Spider – Cybercriminals with a lot of nerve (and a lot of skill)
- By Paweł
Recent weeks in the world of cybersecurity have shown one thing: the Scattered Spider group has no intention of letting up. On the contrary, they’re accelerating. The FBI and CISA are sounding the alarm, and we’re seeing an increase in reports from companies that have fallen victim to their clever (and unfortunately effective) tactics.
According to TechRadar, their attack campaigns are expected to intensify in the coming months. If you haven’t heard of Scattered Spider yet, it’s time to catch up.
Who is Scattered Spider?
Scattered Spider is an international cybercriminal group that experts classify as belonging to a broad family of threat actors, including those associated with Lapsus$ and ShinyHunters. While they also operate under other names in the industry (e.g., UNC3944, Octo Tempest), their modus operandi remains fairly consistent – maximizing the use of social engineering.
We’re not talking about cracking advanced encryption algorithms or kernel-level 0-days. They prefer to call, send a message, or fake their identity, so that it is us who hand them the keys to the castle.

What does their attack pattern look like?
They typically begin by obtaining a minimal set of data about the company and its employees – public LinkedIn profiles, social media posts, or leaks from other incidents. Then they go on the offensive:
- Helpdesk or IT impersonation – they contact by phone or chat, pretending to be a colleague from the company who “urgently needs a password reset.”
- SIM swapping – they hijack the victim’s phone number to obtain SMS login codes.
- Phishing and smishing – they send spoofed emails and SMS messages, often with a pixel-perfect copy of the company’s visual identity.
- Access to virtual environments – they specifically target VMware ESXi servers, which they encrypt with the DragonForce ransomware.
What do they do once they “get in”?
This is where the real fun begins (for them, not the victim). A recent FBI warning shows they’re using a set of tools:

- RattyRAT – malware that allows remote control of the victim’s device.
- DragonForce ransomware – encrypts entire virtual environments and servers.
- Keyloggers and data theft tools – they obtain passwords, customer data, and confidential documents.
Interestingly, since August 2025, Scattered Spider has been running a Telegram channel – a sort of “trophy case.” They publish a list of their victims, fragments of stolen data, and even invitations to negotiate and purchase information.
This is quite unusual behavior – most ransomware groups try to operate relatively quietly, whereas this group actively seeks publicity.
Why are they so popular lately?
The reason is simple – they’ve increased the pace and scale of their operations.
The FBI confirms that the aviation sector has recently become a target. This shows that they’re not limited to a single industry – they’re attacking wherever there’s:
- high time pressure (e.g., companies that can’t afford downtime),
- valuable data (e.g., customer data, payment cards, personal information),
- weak links in user verification processes.
Until recently, we spoke of them primarily in the context of attacks on large technology and financial companies. Now it is the aviation sector, before that hospitality and telecommunications – the list keeps growing.
How to defend against Scattered Spider?
While their actions may seem like “hacker magic,” in reality, many attacks are based on human error. Therefore:
- Employee training – especially in IT, helpdesk, and reception, as they are the first line of contact.
- Strong authentication – MFA based on hardware keys (e.g., YubiKey) instead of SMS codes.
- Verification procedures – every password reset or system access request should be confirmed through a separate channel.
- Monitoring logs and alerts – responding to unusual logins and access attempts from new locations.
- Regular social engineering testing – it’s better to undergo a simulated attack than a real incident.
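One way to put the monitoring and verification points into practice, as an added example that is not part of the original post: a small Python script that reads authentication log lines, flags a login from a country the user has never logged in from before, and raises the severity when a helpdesk-initiated password reset preceded that login within a configurable window. The log format, the user names, the IP addresses and the timestamps below are constructed for the example and are assumptions, not data from the article or from any real incident.

```python
"""Detection sketch (added example): new-location logins, correlated with helpdesk resets."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumption, not real data). One event per line:
#   <ISO-8601 UTC timestamp> <event> key=value ...
# "anna" logs in from PL twice, then a helpdesk reset is followed 12 minutes
# later by a login from a country never seen for her account.
SAMPLE_LOG = """\
2025-09-01T08:02:11Z login user=anna country=PL src=10.0.0.5
2025-09-01T08:15:40Z login user=marek country=PL src=10.0.0.9
2025-09-02T09:00:02Z login user=anna country=PL src=10.0.0.5
2025-09-03T14:21:09Z password_reset user=anna actor=helpdesk
2025-09-03T14:33:50Z login user=anna country=US src=203.0.113.7
2025-09-03T15:05:12Z login user=marek country=PL src=10.0.0.9
"""


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware 'ts', an 'event', and key=value fields."""
    parts = line.split()
    rec = {
        "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event": parts[1],
    }
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect(log_text, reset_window_minutes=60):
    """Return alerts for logins from a country not previously seen for that user.

    Severity is 'high' when a helpdesk password reset for the same user happened
    within reset_window_minutes before the login, otherwise 'medium'.
    """
    window = timedelta(minutes=reset_window_minutes)
    seen_countries = defaultdict(set)  # user -> countries confirmed on earlier logins
    last_reset = {}                    # user -> timestamp of the latest helpdesk reset
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec["user"]

        if rec["event"] == "password_reset" and rec.get("actor") == "helpdesk":
            last_reset[user] = rec["ts"]
            continue
        if rec["event"] != "login":
            continue

        country = rec["country"]
        known = seen_countries[user]
        # A user's very first login has no baseline, so it only seeds the baseline.
        if known and country not in known:
            reset_ts = last_reset.get(user)
            recent_reset = reset_ts is not None and rec["ts"] - reset_ts <= window
            alerts.append({
                "ts": rec["ts"].isoformat(),
                "user": user,
                "country": country,
                "src": rec["src"],
                "severity": "high" if recent_reset else "medium",
                "reason": ("login from new country shortly after helpdesk password reset"
                           if recent_reset else "login from new country"),
            })
            # Do not add the new country to the baseline: an analyst should confirm
            # the login first, otherwise an attacker's location becomes "known".
            continue
        known.add(country)

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The baseline is built in a single pass, so the order of events matters: a reset followed by a new-location login scores higher than the same login on its own, which is exactly the sequence a helpdesk impersonation produces. Feeding the script a real export would only require adapting `parse_line` to the actual log format.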
Summary
Scattered Spider is an example of how a hacker’s best tool is still the human who makes a mistake. Their attacks are becoming increasingly bold, and their strategies more refined. This isn’t a group that will “disappear” in a month; they will keep trying as long as they succeed.
That’s why it’s important to take the warnings from the FBI and CISA seriously and ensure your company has real defenses in place—both technological and procedural.
And if you want to test whether your organization is prepared for Scattered Spider, we can test it in a safe, controlled environment. It’s better to draw conclusions now than when a real adversary is on the other side.
