The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Royal Canadian Mounted Police (RCMP), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have issued a joint Cybersecurity Advisory in response to recent activity by Scattered Spider threat actors against commercial facilities sectors, subsectors, and other sectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as June 2025.
Update July 29, 2025:
Scattered Spider threat actors are observed to typically engage in data theft for extortion and also use several ransomware variants, most recently deploying DragonForce ransomware alongside their usual TTPs. While some TTPs remain consistent, Scattered Spider threat actors frequently change TTPs to remain undetected.
Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.
Actions for Organizations to Take Today to Mitigate Malicious Cyber Activity
1. Maintain offline backups of data that are stored separately from the source systems and tested regularly.
2. Enable and enforce phishing-resistant multifactor authentication (MFA).
3. Implement application controls to manage and control software execution.
We are a company specialized in Information Technology and Cybersecurity.
We offer on-site services in France and provide remote support to businesses across Europe.
Our team delivers customized IT and cybersecurity solutions, including outsourcing, and deploys skilled professionals for on-site support when required.
For availability in your region, please contact us at sales@vertrasec.com.

Who is Scattered Spider?
Scattered Spider, also known as UNC3944, is a hacking group primarily composed of teenagers and young adults, with most believed to reside in the United States and the United Kingdom. The group is known for its affiliation with the cybercriminal network “The Com,” notorious for its crimes against minors.
The group gained notoriety for its involvement in the hacking and extortion of Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the United States. Scattered Spider has also targeted Visa, Marks & Spencer, PNC Financial Services Group Inc., Transamerica, New York Life Insurance Co., Synchrony Financial, Truist Bank, and Twilio. Members of Scattered Spider have been linked to attacks against Snowflake cloud storage customers in the U.S. More recently, members of Scattered Spider have been linked to attacks against Qantas, Australia’s flag carrier airline.
Alternative Names
The group’s most common name, used in press releases and by journalists, is Scattered Spider, although many other names have been attributed to the group. Star Fraud, Octo Tempest, Scatter Swine, and Muddled Libra have all been used previously to refer to the group.
Scattered Spider is a component of a larger global hacking community, known as “the Community” or “the Com,” which has members who have hacked major American technology companies.
Early History
Scattered Spider is believed to have been founded in May 2022, initially focusing its efforts on attacks against telecommunications companies. The group utilized SIM swap scams, multi-factor authentication (MFA) fatigue attacks, and phishing campaigns via SMS and Telegram. The group typically exploited the security flaw CVE-2015-2291, a cybersecurity issue in Windows’ anti-DoS software, to terminate security software, allowing the group to evade detection. The group is believed to have a deep understanding of Microsoft Azure, the ability to conduct reconnaissance in cloud computing platforms powered by Google Workspace and AWS, and utilizes legitimately developed remote access tools.
The group later became known for targeting critical infrastructure before moving on to its 2023 casino hacks.
Casino Hacks (2023)
Scattered Spider gained access to both Caesars’ and MGM’s internal systems through the use of social engineering. The group managed to bypass multi-factor authentication technologies by obtaining login credentials and one-time passwords. The group claims it targeted MGM because they caught the group attempting to rig slot machines in their favor.
Caesars Hack
Caesars Entertainment paid a ransom of $15 million to Scattered Spider, half of their original demand of $30 million. Scattered Spider, using tactics similar to their attack on MGM, was able to access driver’s license numbers and possibly Social Security numbers for a “significant number” of Caesars customers. Statements made by Caesars noted that while the company cannot guarantee the deletion of the information obtained by Scattered Spider, the casino operator will take all necessary actions to achieve such a result.
Sources differ on whether Scattered Spider was the group that targeted Caesars, with some believing it was the British-American group, while others say the perpetrators were not the group or were unknown.
MGM Resorts Hack
Scattered Spider collaborated with ALPHV, a software development team that provides ransomware as a service. Scattered Spider called MGM’s help desk, posing as an employee they found on LinkedIn to gain internal access. The group gained access on September 11, 2023.
MGM Resorts first disclosed the cyberattack on September 12, 2023, and filed a Form 8-K report with the SEC the following day. The company stated that although it had “dealt” with the cyberattack, many of the computer systems at its resorts remained offline, including, but not limited to, the systems handling food and beverage credits and free credits. The attack further disabled on-site ATMs, as well as remote room keys, and prevented MGM from charging customers for parking.
In July 2024, a 17-year-old hacker from the United Kingdom was arrested in connection with the attack and attempted ransom. He was released on bail pending trial. The arrest was coordinated by local and international law enforcement.
Aftermath of Casino Hacks
MGM and the U.S. FTC and FBI are currently investigating the cyberattack, and the casino operator temporarily took down its website. Moody’s Corporation stated that due to MGM’s heavy reliance on computers for much of its operations, its credit rating could drop as a result of the cyberattack. Following the announcement of both companies’ attacks, the stock prices for both Caesars and MGM fell. MGM’s CEO, William Hornbuckle, noted at an industry conference that the hack caused the company to be “completely in the dark” about its properties.
Both MGM and Caesars were sued in class-action lawsuits following the hacks, with all claiming that the failure of both casino operators to adequately secure their data constituted a breach of contract. The law firms’ clients also all demanded jury trials. In January 2025, MGM agreed to pay a $45 million settlement to the victims of the breach.
Snowflake Attacks
Two members of the group have been linked to attacks against Snowflake cloud computing customers. The hackers accessed and stole customer data, demanding millions of dollars in extortion not to publicly release the data. Nearly one hundred victims were targeted, including: AT&T, Ticketmaster, Advance Auto Parts, Lending Tree, and Neiman Marcus.
Arrests
In January 2024, Noah Michael Urban, a member of the group and known as “Sosa,” “King Bob,” “Elijah,” and other aliases, was arrested in Florida for the cumulative theft of approximately $800,000 in cryptocurrency. Sosa used SIM-swapping techniques to compromise victims’ email and financial account details.
In June 2024, the alleged leader of the group, Tyler Buchanan (aka TylerB), was arrested in Spain while attempting to board a flight to Italy. At the time of his arrest, Spanish police allege that Buchanan possessed Bitcoins worth $27 million.
In July 2024, the West Midlands Police, with the help of the FBI, arrested a 17-year-old in connection with the MGM cyberattacks. The suspect, who lives in Walsall and whose name was not published, was released on bail while law enforcement examined his devices.
Remington Ogletree, aged 19, was arrested in November 2024 on charges related to his alleged involvement with the group.
Tactics, Techniques, and Procedures (TTPs) of Scattered Spider
Scattered Spider (also known as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra) engages in data extortion and various other criminal activities. Scattered Spider threat actors use multiple social engineering techniques – including ‘push bombing’ – and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).
According to public reports, Scattered Spider threat actors:
• Posed as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network.
• Posed as company IT and/or helpdesk staff to direct employees to execute commercial remote access tools, allowing initial access.
• Posed as IT staff to convince employees to share their one-time password (OTP), an MFA authentication code.
• Update July 29, 2025: Posed as employees to convince IT and/or helpdesk staff to provide sensitive information, reset the employee’s password, and transfer the employee’s MFA to a device under the threat actors’ control.
• Sent repeated MFA notification prompts, leading employees to press the “Accept” button (also known as MFA fatigue).
• Convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card in their possession, gaining control over the phone and access to MFA prompts.
• Monetized access to targeted organizations’ networks in numerous ways, including extortion enabled by ransomware and data theft.
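Two of the TTPs in the list above (repeated MFA push prompts, and a help-desk password reset followed by moving MFA to a new device) leave a recognisable trace in identity-provider audit logs. The following detection logic is an added example written for this article, not code from the advisory or from any IdP vendor; the JSON log format, field names and event names are assumed, and the log lines are constructed.

```python
"""Detect MFA push bombing and help-desk-driven MFA takeover in IdP audit logs.

Added example for this article; the log schema below is an assumption, and
the sample lines are constructed to exercise both detections.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (JSON lines). Fields and event names are assumed:
#   push_sent / push_denied / push_timeout / push_approved  -> MFA push lifecycle
#   password_reset (with "actor" when done by someone other than the user)
#   mfa_factor_enrolled (with "factor")
SAMPLE_LOG = """\
{"ts":"2025-06-10T02:01:00Z","user":"alice","event":"push_sent","src_ip":"203.0.113.7"}
{"ts":"2025-06-10T02:01:30Z","user":"alice","event":"push_denied","src_ip":"203.0.113.7"}
{"ts":"2025-06-10T02:02:00Z","user":"alice","event":"push_sent","src_ip":"203.0.113.7"}
{"ts":"2025-06-10T02:02:40Z","user":"alice","event":"push_timeout","src_ip":"203.0.113.7"}
{"ts":"2025-06-10T02:03:00Z","user":"alice","event":"push_sent","src_ip":"203.0.113.7"}
{"ts":"2025-06-10T02:03:20Z","user":"alice","event":"push_denied","src_ip":"203.0.113.7"}
{"ts":"2025-06-10T02:04:00Z","user":"alice","event":"push_sent","src_ip":"203.0.113.7"}
{"ts":"2025-06-10T02:04:15Z","user":"alice","event":"push_approved","src_ip":"203.0.113.7"}
{"ts":"2025-06-10T09:15:00Z","user":"bob","event":"push_sent","src_ip":"198.51.100.2"}
{"ts":"2025-06-10T09:15:05Z","user":"bob","event":"push_approved","src_ip":"198.51.100.2"}
{"ts":"2025-06-10T10:00:00Z","user":"carol","event":"password_reset","actor":"helpdesk-01"}
{"ts":"2025-06-10T10:06:00Z","user":"carol","event":"mfa_factor_enrolled","factor":"sms"}
"""

PUSH_WINDOW = timedelta(minutes=10)      # look-back window for counting prompts
PUSH_THRESHOLD = 3                       # prompts in window considered abusive
RESET_TO_ENROLL = timedelta(minutes=30)  # reset -> new factor gap worth flagging


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_push_bombing(events):
    """Flag an approval that follows PUSH_THRESHOLD+ prompts within PUSH_WINDOW.

    A single prompt followed by an approval (bob) is normal; a burst of
    denied or expired prompts ending in an approval (alice) is the
    MFA-fatigue pattern described in the advisory.
    """
    alerts = []
    sent = defaultdict(list)  # user -> timestamps of push_sent
    for e in events:
        user = e["user"]
        if e["event"] == "push_sent":
            sent[user].append(e["ts"])
        elif e["event"] == "push_approved":
            recent = [t for t in sent[user] if e["ts"] - t <= PUSH_WINDOW]
            if len(recent) >= PUSH_THRESHOLD:
                alerts.append({"rule": "push_bombing_approved", "user": user,
                               "prompts": len(recent), "ts": e["ts"]})
            sent[user].clear()  # an approval closes the burst either way
    return alerts


def detect_helpdesk_mfa_takeover(events):
    """Flag a new MFA factor enrolled shortly after a third-party password reset.

    This is the help-desk impersonation TTP: the actor has the desk reset the
    password and then enrols their own device (or phone number) as a factor.
    """
    alerts = []
    last_reset = {}  # user -> most recent reset performed by someone else
    for e in events:
        user = e["user"]
        if e["event"] == "password_reset" and e.get("actor", user) != user:
            last_reset[user] = e
        elif e["event"] == "mfa_factor_enrolled":
            r = last_reset.get(user)
            if r and e["ts"] - r["ts"] <= RESET_TO_ENROLL:
                alerts.append({"rule": "helpdesk_reset_then_mfa_enroll", "user": user,
                               "factor": e.get("factor"), "reset_by": r["actor"],
                               "gap_minutes": (e["ts"] - r["ts"]).total_seconds() / 60})
    return alerts


def run_all(log_text):
    events = parse_log(log_text)
    return detect_push_bombing(events) + detect_helpdesk_mfa_takeover(events)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOG):
        print(alert)
```

Both rules are deliberately conservative (they fire on the approval or the enrolment, not on the prompts alone) so that a burst of prompts a user correctly denies is logged but does not page anyone; tune PUSH_THRESHOLD and RESET_TO_ENROLL to your own IdP's baseline.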
The FBI observed that Scattered Spider threat actors, after gaining access to networks, use legitimate and publicly available remote access tunneling tools. Table 1 details a list of legitimate tools that Scattered Spider repurposed and used for their criminal activity.
Note: The use of these legitimate tools alone is not indicative of malicious activity. Users should review the Scattered Spider IOCs and TTPs discussed in this advisory to determine if they have been compromised.
In addition to using legitimate tools, Scattered Spider also uses malware as part of its TTPs. See Table 2 for some of the malware used by Scattered Spider.
| Malware | Use |
|---|---|
| AveMaria (also known as WarZone) | Enables remote access to a targeted organization’s systems. |
| Raccoon Stealer | Steals information, including login credentials, browser history, cookies, and other data. |
| VIDAR Stealer | Steals information, including login credentials, browser history, cookies, and other data. |
| RattyRAT (Update July 29, 2025) | Java-based remote access trojan, used for persistent, stealth access and internal reconnaissance. |
| DragonForce Ransomware (Update July 29, 2025) | Infiltrates networks, encrypts data, and demands ransom. |
Scattered Spider threat actors historically evade detection on target networks by using ‘living off the land’ (LOTL) techniques and allowed applications to navigate a targeted organization’s network, in addition to frequently modifying their TTPs. For additional information on LOTL techniques, see the joint advisory, Identifying and Mitigating Living Off the Land Techniques.
Scattered Spider threat actors have been observed exfiltrating data after gaining access and threatening to release it, without deploying ransomware.
Update July 29, 2025: Recently, this includes exfiltration to various sites, including MEGA.NZ and U.S.-based data centers such as Amazon S3.
Recent Scattered Spider TTPs
File Encryption
Update July 29, 2025: The FBI has identified that Scattered Spider threat actors may exfiltrate data from targeted organizations’ systems for extortion and then encrypt data on the system for ransom. After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with targeted organizations via TOR, Tox, email, or encrypted applications.
Reconnaissance, Resource Development, and Initial Access
Scattered Spider intrusions historically began with broad phishing and smishing attempts against a target using organization-specific crafted information. The group uses a variety of tools and techniques to conduct reconnaissance, including the use of open-source intelligence (OSINT) to identify potential targets and gather information about their infrastructure and employees. They may also use network scans and other tools to identify vulnerabilities and entry points.
The Relentless Rise of Scattered Spider: A Constantly Evolving Threat in the Global Cyber Landscape
In the ever-shifting landscape of cybersecurity, few threat groups have emerged with the same notoriety and disruptive capability as Scattered Spider. This cybercriminal collective, predominantly composed of talented and sometimes reckless young individuals, has redefined attack tactics, demonstrating an agility and adaptability that challenge traditional defenses. Their meteoric rise, marked by high-profile attacks against corporate giants, not only underscores the sophistication of their operations but also serves as a grim reminder of the inherent vulnerability of even the most robust organizations. Scattered Spider’s ability to rapidly transition from initial access to data encryption in a matter of hours, as warned by experts, highlights the urgency of understanding their methodologies and strengthening defenses against their incursions. This article will deepen the understanding of Scattered Spider, exploring its origins, evolution, distinctive tactics, techniques, and procedures (TTPs), and the implications of its actions for global cybersecurity. Furthermore, we will offer a perspective on how companies like Vertrasec.com are addressing this persistent threat, providing valuable insights for proactive protection against this constantly evolving adversary.
The Genesis and Evolution of an Unprecedented Cyber Threat
The history of Scattered Spider, though relatively recent, is a testament to the rapid evolution of the cyber threat landscape. The group is believed to have emerged in May 2022, initially focusing its efforts on attacks against telecommunications companies. This initial phase was characterized by the use of tactics that, while effective, were less complex than those they would later employ. SIM swap scams, multi-factor authentication (MFA) fatigue attacks, and phishing campaigns via SMS and Telegram were the preferred tools in their arsenal. Their ability to exploit vulnerabilities such as CVE-2015-2291, a cybersecurity flaw in Windows’ anti-DoS software, allowed them to disable security software and operate under the radar, a tactic that would become a hallmark of their methodology. [1]
What distinguishes Scattered Spider from the outset is their deep understanding of cloud computing environments. They have demonstrated proficiency in platforms like Microsoft Azure, Google Workspace, and AWS, leveraging this knowledge to conduct reconnaissance and, subsequently, attacks. The use of legitimate remote access tools, a concept known as ‘living off the land’ (LOTL), allowed them to blend into normal network traffic, making detection by traditional security systems difficult. This approach, which minimizes the use of custom malware, is one of the pillars of their resilience and continued success. [2]
Over time, Scattered Spider’s focus expanded. From attacks on critical infrastructure, they transitioned to high-value targets, culminating in the notorious casino attacks in 2023. This shift in strategy not only demonstrated their ambition but also their ability to scale operations and adapt their tactics to maximize impact and profit. The transition to more lucrative targets, such as large gaming and entertainment corporations, signaled a new phase in the group’s evolution, where data extortion and ransomware became central components of their operations. [3]
The Vertrasec.com Perspective: Unraveling the Web of Scattered Spider
At Vertrasec.com, we closely monitor the evolution of threat groups like Scattered Spider, and our analysis leads us to a clear conclusion: cyber resilience today demands a multifaceted and proactive approach. Scattered Spider is not just another hacking group; they represent a new generation of adversaries who combine technical sophistication with astute social engineering, making them particularly dangerous. We believe that the key to combating this threat lies in a deep understanding of their tactics and the implementation of adaptive defenses.
Our experience shows that human vulnerability remains the weakest link in the security chain. Scattered Spider’s reliance on tactics such as phishing, smishing, and MFA fatigue underscores the critical need for continuous employee training and awareness. It’s not enough to merely have the best tools; it is imperative that every individual in the organization is an active line of defense, capable of identifying and reporting social engineering attempts. Vertrasec.com emphasizes the importance of regular phishing simulations and education programs that empower users to become more resistant to these manipulations.
Furthermore, Scattered Spider’s ability to operate using ‘living off the land’ (LOTL) techniques and legitimate tools demands a paradigm shift in detection strategies. We can no longer rely solely on detecting known malware. It is crucial for organizations to implement security solutions that can monitor anomalous behaviors and suspicious activities within their environments, even when performed with benign tools. This includes in-depth visibility into endpoints, networks, and cloud environments, allowing for early identification of lateral movements and data exfiltration.
Scattered Spider’s rapid transition to data encryption after initial access is another point of concern. This means that response time is critical. Vertrasec.com advocates for the implementation of well-defined and tested incident response plans that enable security teams to act quickly and effectively. Incident response automation, where applicable, can significantly reduce the time between detection and containment, minimizing the impact of an attack. Network segmentation, the principle of least privilege, and robust multi-factor authentication are essential defenses that should be prioritized to hinder the progression of an attack.
Finally, the global and collaborative nature of Scattered Spider, which affiliates with other cybercriminal networks like ALPHV (BlackCat), highlights the importance of threat intelligence. Sharing information about TTPs, indicators of compromise (IOCs), and new malware variants is vital to building a stronger collective defense. At Vertrasec.com, we believe that collaboration among security companies, governments, and the cybersecurity community is fundamental to staying ahead of such adaptable adversaries. By adopting a proactive, continuous, and intelligence-driven security posture, organizations can strengthen their defenses and protect their most valuable assets against the persistent threat of Scattered Spider.
Mitigation and Defense Strategies Against Scattered Spider
Given the multifaceted threat that Scattered Spider represents, implementing robust mitigation and defense strategies is imperative for any organization. The complexity of their tactics, which blend social engineering with exploitation of technical vulnerabilities and the use of legitimate tools, demands a layered and adaptive security approach. Below, we detail the main strategies that organizations should consider to protect themselves against this threat group.
Strengthening Basic Cyber Hygiene
Although Scattered Spider is sophisticated, many of their intrusions still rely on basic cyber hygiene failures. CISA and other security agencies emphasize the importance of:
• Offline and Segregated Backups: Maintaining critical data backups in locations physically or logically separate from production systems, and testing them regularly, is fundamental. This ensures that even in the event of a successful ransomware attack, the organization can restore its data without yielding to the attackers’ demands.
• Phishing-Resistant Multi-Factor Authentication (MFA): MFA fatigue and SIM swap attacks are common tactics of Scattered Spider. Implementing phishing-resistant MFA, such as hardware security keys (FIDO2/WebAuthn), can significantly mitigate these attack vectors. It is crucial that MFA is applied to all systems and services, especially those externally accessible.
• Application Controls and Whitelisting: Restricting software execution to only approved and necessary applications can prevent Scattered Spider from executing malicious tools, or legitimate tools for nefarious purposes. This reduces the attack surface and limits attackers’ ability to move laterally within the network.
Social Engineering Awareness and Training
Social engineering is the cornerstone of Scattered Spider’s operations. Investing in continuous awareness and training programs for all employees is vital. This includes:
• Phishing and Smishing Simulations: Conducting regular exercises to test employees’ ability to identify and report phishing and smishing attempts. Constructive feedback and targeted training can significantly improve human resilience.
• Education on Impersonation Tactics: Educating employees on how Scattered Spider impersonates IT teams, help desks, or even other employees to obtain sensitive information or access. Emphasize the importance of verifying the identity of anyone requesting unusual information or actions.
• Secure Communication Protocols: Establishing and reinforcing clear protocols for verifying requests for password changes, MFA transfers, or system access, especially when requests come via phone or unverified messages.
Advanced Detection and Response
Scattered Spider’s ability to use LOTL techniques and legitimate tools makes traditional signature-based detection less effective. Organizations need more advanced detection and response capabilities:
• Behavioral Monitoring and Anomaly Analysis: Implementing Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions that can monitor user and entity behavior (UEBA) and identify anomalous activities, even if they use legitimate tools. This includes detecting unusual lateral movements, access to unauthorized resources, or data exfiltration to suspicious destinations.
• Proactive Threat Intelligence (TI): Utilizing updated threat intelligence feeds on TTPs, IOCs, and malware variants associated with Scattered Spider. This allows security teams to adjust their defenses and proactively hunt for signs of compromise.
• Network Segmentation and Least Privilege Principle: Segmenting the network into smaller, isolated zones can limit Scattered Spider’s lateral movement if they gain an initial foothold. The principle of least privilege, ensuring that users and systems have only the minimum access necessary to perform their functions, reduces the impact of a compromised credential.
• Tested Incident Response Plans: Developing and regularly testing incident response plans that address Scattered Spider attack scenarios, including initial access, lateral movement, data exfiltration, and ransomware deployment. Practicing tabletop exercises and attack simulations can improve coordination and response effectiveness.
By combining solid cyber hygiene with awareness training, advanced detection, and effective response plans, organizations can build a more resilient security posture against Scattered Spider and other evolving cyber threats.
Global Impact and Future Perspectives: The Web of Scattered Spider Expands
The impact of Scattered Spider transcends geographical and sectoral boundaries, becoming a global concern for governments, businesses, and individuals. The transnational nature of their operations, coupled with their ability to adapt and collaborate with other cybercriminal groups, such as ALPHV (BlackCat), amplifies the complexity of the challenge they pose. Data extortion, which has become one of their primary monetization sources, not only causes significant financial losses but also lasting reputational damage and severe operational disruptions.
Attacks on major corporations, such as Caesars Entertainment and MGM Resorts International, serve as an alarming case study on the vulnerability of sectors heavily reliant on digital infrastructures. The disruption of essential services, such as payment and reservation systems, demonstrates how a cyberattack can paralyze operations and directly affect customer experience. Furthermore, the exfiltration of sensitive data, including personally identifiable information (PII) and Social Security numbers, raises serious privacy and data security concerns for customers, resulting in lawsuits and substantial regulatory fines.
Scattered Spider’s collaboration with groups that provide ransomware as a service, such as ALPHV, indicates a worrying trend of professionalization and specialization in the cybercriminal underworld. This synergy allows Scattered Spider to focus on their initial access and social engineering skills, while outsourcing the encryption and extortion part, making their operations more efficient and harder to track. The rapid adoption of new ransomware variants, such as DragonForce, and the constant modification of their TTPs, demonstrate their agility and determination to stay ahead of defenses.
Looking ahead, it is likely that Scattered Spider will continue to evolve and refine its tactics. The increasing reliance on cloud environments and the proliferation of connected devices offer new attack surfaces that the group will undoubtedly explore. Social engineering, in its various forms, will remain a primary attack vector, as it is a low-cost, high-return method. MFA fatigue and SIM swapping will continue to be challenges, requiring organizations to invest in more robust authentication solutions and continuous user education.
Moreover, the response from law enforcement and security agencies globally will be crucial. The arrests of Scattered Spider members, such as Noah Michael Urban and Tyler Buchanan, demonstrate that while the group is resilient, it is not invincible. International cooperation and intelligence sharing are essential to dismantle these criminal networks and bring those responsible to justice. However, the decentralized nature and recruitment capabilities of the group mean that complete eradication is an ongoing challenge.
Ultimately, the threat of Scattered Spider serves as a catalyst for innovation in cybersecurity. Organizations must adopt an adaptive security mindset, investing in advanced detection technologies, strengthening human resilience through awareness and training, and establishing effective incident response plans. Only through a comprehensive and collaborative approach can we build a more secure and resilient digital ecosystem against the persistent threats of groups like Scattered Spider.