Scattered Spider and DragonForce are often discussed as though they are a single entity or a formal partnership. Neither framing is quite right. The relationship is better described as an affiliate overlap within a criminal service economy — one where an established initial access specialist acts as an affiliate for a ransomware-as-a-service cartel, bringing human-centric intrusion capabilities to bear on high-value targets in exchange for a share of the proceeds. That structural arrangement is what made the 2025 UK retail attacks possible, and understanding it is essential for defenders thinking about what comes next.
Scattered Spider: The Initial Access Specialist
Scattered Spider — tracked by Google Threat Intelligence Group as UNC3944, by Microsoft as Octo Tempest, and by MITRE as Storm-0875 — is a loosely organized collective of primarily English-speaking young adults and teenagers, many believed to be based in the United States and United Kingdom. The group is part of a broader network known as The Com, a loose-knit community of financially motivated cybercriminals who communicate via platforms like Discord and Telegram.
The group's defining characteristic is not technical sophistication but social engineering at scale. Scattered Spider conducts reconnaissance on target organizations using open-source intelligence: LinkedIn profiles, company directories, social media, and internal staff lists where accessible. From this information, operators construct convincing personas and pretexts, then contact IT help desks by phone, impersonating employees or contractors to obtain credential resets, enroll attacker-controlled devices in MFA, or gain direct remote access to systems. The pretexts are designed to sound urgent and legitimate — a contractor locked out before a critical meeting, an IT technician needing to push an emergency update, an executive who can't access email.
ReliaQuest analysis of over 600 Scattered Spider-linked domains found that 81% impersonate technology vendors. Keywords including okta, vpn, helpdesk, and sso appear recurrently in domain registrations. The group's phishing infrastructure primarily targets the authentication layer — SSO portals, MFA enrollment pages, and VPN login pages — rather than generic credential harvesting. 70% of confirmed targets fall in technology, finance, and retail trade sectors.
Where social engineering fails to deliver credentials directly, the group employs MFA fatigue — repeatedly pushing authentication approval requests to a target's device until the user approves one out of confusion or frustration — and SIM swapping, convincing mobile carriers to transfer a target's phone number to an attacker-controlled SIM, intercepting SMS-based authentication codes. Once initial access is secured, Scattered Spider signs in as the compromised user and registers an attacker-controlled device to the organization's identity platform, establishing persistent access that survives password resets targeting only the original account.
Scattered Spider's early operations focused heavily on telecommunications companies, primarily to support SIM swap operations. After shifting to ransomware and data theft extortion in 2023, the group demonstrated a characteristic targeting pattern: waves of focused attacks against prominent organizations within a single sector — casino operators in mid-2023, financial services in late 2023, food services in mid-2024, and UK retail in spring 2025. Google Threat Intelligence Group has noted that Scattered Spider specifically gravitates toward high-profile brands, likely seeking the media attention that amplifies pressure on victims to pay ransoms and burnishes the group's reputation within criminal communities.
DragonForce: The Ransomware Cartel
DragonForce entered the ransomware landscape in late 2023, initially associated — though without strong concrete evidence — with a hacktivist group called DragonForce Malaysia that had been active since 2022 conducting politically motivated attacks. Whatever its origins, the ransomware operation quickly shed the hacktivist framing and evolved into a financially motivated RaaS platform.
The group's technical lineage is traceable. Early DragonForce encryptors were built on the leaked LockBit 3.0 (LockBit Black) builder. The operation later transitioned to a customized version of the leaked Conti v3 source code — placing it in the same lineage as LockBit Green and several other post-Conti RaaS operations. Acronis Threat Research Unit analysis found that DragonForce and LockBit Green share common routines and artifacts due to this shared Conti v3 ancestry.
In terms of evasion and payload delivery, DragonForce uses Bring Your Own Vulnerable Driver (BYOVD) techniques, employing known-vulnerable drivers including truesight.sys and rentdrv2.sys to terminate security processes and disable endpoint protection before deploying the encryptor. The encryptor targets Windows, Linux, and VMware ESXi environments. ESXi targeting is particularly impactful because encrypting virtual machine infrastructure can simultaneously take down dozens of servers — a capability Scattered Spider exploited in the M&S attack.
In early 2025, DragonForce claimed to have assumed control of RansomHub's tooling after RansomHub ceased operations in March 2025. RansomHub had been a primary ransomware partner for Scattered Spider (then tracked as UNC3944) following the collapse of ALPHV/BlackCat in 2024. DragonForce's acquisition of RansomHub infrastructure represents a consolidation of multiple affiliate pipelines under one operational umbrella.
What most distinguishes DragonForce from traditional RaaS operations is its explicit cartel model. In early 2025 the group rebranded as a ransomware cartel, offering affiliates an 80% revenue share and a white-labeling service called RansomBay through which affiliates can deploy the encryptor under their own brand name while using DragonForce's infrastructure, leak site hosting, and technical support. This structure allows DragonForce to expand its operational reach while insulating the core operation from direct attribution. Affiliates that get burned or arrested are not DragonForce operators — they're customers. Forensic evidence against them may not implicate the cartel itself.
As of early 2026, DragonForce's data leak site has exposed over 200 victims since late 2023, spanning retail, airlines, insurance, managed service providers, and other enterprise sectors.
The Nature of the Overlap
The relationship between Scattered Spider and DragonForce is not a formal partnership, a merger, or an exclusive arrangement. Trustwave SpiderLabs analyst Serhii Melnyk characterized it to The Hacker News as an "affiliate-level overlap" — recurrent and effective, but opportunistic and transactional. Scattered Spider actors function as affiliates of the DragonForce RaaS, using DragonForce's encryptor and infrastructure in exchange for a revenue share, without being members of the DragonForce organization itself.
This arrangement suits both parties. Scattered Spider contributes what DragonForce lacks: fluent English, proven social engineering tradecraft against enterprise targets, and the ability to navigate corporate IT environments without triggering technical detection. DragonForce contributes what Scattered Spider would otherwise need to build or license independently: a mature ransomware payload, ESXi-capable encryption, BYOVD evasion, leak site infrastructure, and ransom negotiation support.
The model is not new. Scattered Spider previously operated as an affiliate for ALPHV/BlackCat before that operation collapsed, then as a RansomHub affiliate before RansomHub ceased operations. The group's history suggests a pattern of aligning with whatever RaaS platform offers the best capability and revenue terms at a given time, rather than building exclusive long-term relationships. DragonForce's consolidation of RansomHub's tooling in 2025 may have made the transition to DragonForce functionally seamless for Scattered Spider affiliates who had been RansomHub customers.
The 2025 UK Retail Campaign: What the Attacks Revealed
The spring 2025 attacks on UK retailers provided the clearest documented example of how the Scattered Spider and DragonForce overlap functions in practice. Three major retailers — Marks & Spencer, Co-op, and Harrods — were hit within a two-week span. The attacks were confirmed by M&S chairman Archie Norman in parliamentary testimony in July 2025 to involve the Scattered Spider collective operating with DragonForce ransomware. In July 2025, UK law enforcement arrested four individuals — three of them teenagers — on suspicion of offenses related to all three attacks.
Marks & Spencer
The M&S breach is the best-documented of the three. Initial access is believed to have been obtained in February 2025 — approximately two months before the ransomware detonated — through social engineering of M&S's IT helpdesk, which is operated by outsourcing provider Tata Consultancy Services (TCS). The attackers impersonated internal staff or contractors to obtain credentials or trigger password resets, then used that access to steal the NTDS.dit file: the Active Directory database containing password hashes for every domain account. With NTDS.dit, the attackers could crack hashes offline and access any account in the domain.
Over the subsequent weeks, the attackers conducted extensive reconnaissance — searching Slack, Microsoft Teams, and Exchange Online for references to their intrusion and for security team discussions, a documented Scattered Spider technique used to monitor for detection and adapt their approach in real time. On April 24, 2025, DragonForce ransomware was deployed across M&S's VMware ESXi infrastructure, encrypting virtual machines and taking down core systems. Online shopping was suspended within days. Food halls ran low on stock. Automated inventory and ordering systems were offline for weeks. M&S estimated the attack would cost approximately £300 million in lost profit, and the company's market value fell by over £700 million in the immediate aftermath. A ransom demand was communicated to M&S CEO Stuart Machin via an email sent from a compromised TCS employee account.
Co-op and Harrods
Co-op followed days after M&S with an intrusion that used similar social engineering techniques. Unlike at M&S, Co-op's security team detected the attackers' presence before the ransomware payload could be deployed and initiated an emergency shutdown of affected systems to contain the compromise. Significant customer data was nonetheless exfiltrated — Co-op's CEO acknowledged in communications to members that the breach was more extensive than initial disclosures indicated, with DragonForce representatives telling the BBC the same. Co-op estimated revenue losses from the incident at £206 million.
Harrods detected unauthorized access attempts on May 1, 2025 and responded by restricting internet access across its sites. Physical stores and e-commerce remained operational. The full scope of the Harrods breach has not been publicly confirmed, and DragonForce's involvement there is less definitively established than in the M&S and Co-op cases.
The Cyber Monitoring Centre classified the combined M&S and Co-op attacks as a single cyber event with a total financial impact between £270 million and £440 million. The M&S attack alone wiped over £700 million from the company's market value. These figures place the campaign among the costliest single-sector attack waves in UK cybercrime history — accomplished without any novel technical exploit, relying almost entirely on social engineering of a third-party IT provider.
The Broader Coalition: Scattered LAPSUS$ Hunters
The Scattered Spider–DragonForce relationship sits within a wider pattern of convergence among previously separate criminal groups. By late 2025, researchers at Trustwave SpiderLabs had identified a nascent collective combining Scattered Spider, LAPSUS$, and ShinyHunters into a formation they designated Scattered LAPSUS$ Hunters (SLH). The group emerged publicly in August 2025 and, according to early reports, had created and recreated its Telegram channels at least 16 times, cycling through names as each iteration was removed from the platform.
SLH's primary business model has been extortion-as-a-service — offering other affiliates the ability to join campaigns and leverage the reputational weight of the combined brands to pressure victims into paying. The group has also hinted at a custom ransomware family named Sh1nySp1d3r, positioning itself as a potential rival to both LockBit and DragonForce rather than a permanent affiliate of either. Trustwave characterized SLH as positioned between financially motivated cybercrime and attention-driven hacktivism, using theatrical branding and platform disruption cycles as tools for building credibility within the criminal ecosystem.
This broader coalition trend is significant for defenders because it complicates attribution and defensive prioritization. When multiple groups with overlapping membership operate under different brand names, collaborate on specific operations, and shift affiliations between RaaS platforms, the question of who is attacking a given organization becomes less useful than understanding the shared TTP set that all of these actors draw from.
The Combined TTP Profile
Across documented Scattered Spider operations with DragonForce payloads, a consistent attack pattern emerges. Understanding this sequence is the most actionable element of the overlap analysis for defenders.
Phase 1 — Reconnaissance. Open-source intelligence collection on target staff using LinkedIn, social media, and public directories. Identification of IT helpdesk personnel, contractors, and third-party IT providers. Target selection within a sector is not random — Scattered Spider has consistently focused on organizations whose brand visibility amplifies pressure and media attention following an incident.
Phase 2 — Initial Access via Social Engineering. Phone-based helpdesk impersonation to obtain credential resets, MFA enrollment, or remote access tool installation. Phishing via domains impersonating SSO portals, VPN gateways, and identity providers. MFA fatigue attacks where phone-based social engineering is insufficient. SIM swapping where SMS-based MFA is in use. In the M&S case, the initial access vector was a third-party IT provider rather than M&S directly — a reminder that the attack surface extends to every organization with privileged access to the target's systems.
Phase 3 — Persistence and Lateral Movement. Device enrollment in the target's identity platform. Installation of multiple remote access tools — ScreenConnect, AnyDesk, TeamViewer, and Splashtop have all been documented — to maximize redundant persistence paths. Credential harvesting from Active Directory (NTDS.dit theft), cloud identity platforms, and local credential stores using tools including Mimikatz and LaZagne. AWS Systems Manager Inventory enumeration for cloud environment lateral movement. ETL tool use to compile gathered data into a central database for exfiltration to MEGA or Amazon S3.
Phase 4 — Surveillance and Counter-Detection. Documented Scattered Spider behavior includes actively monitoring incident response activity: searching Exchange, Teams, and Slack for evidence of discovery, and joining incident response calls to track defender actions in real time. This counter-detection capability directly extends dwell time and increases the damage window.
Phase 5 — Data Exfiltration and Ransomware Deployment. Bulk data exfiltration precedes encryption to support double extortion. DragonForce ransomware is deployed — typically targeting VMware ESXi infrastructure for maximum simultaneous impact — after data is confirmed exfiltrated. BYOVD techniques using truesight.sys or rentdrv2.sys disable security software immediately before detonation.
Defensive Priorities
- Harden IT helpdesk identity verification. The M&S breach originated through social engineering of a third-party IT provider. Helpdesk staff must verify caller identity through out-of-band channels before any credential reset, MFA device enrollment, or remote access grant. This means calling back on a number from the corporate directory — not a number provided by the caller — and confirming identity with a manager or supervisor for high-risk actions. Video verification requirements are increasingly recommended for actions that grant significant access.
- Extend security requirements to third-party IT providers. Scattered Spider exploited the weakest link in the identity chain: an outsourced helpdesk. Organizations must apply the same credential and MFA standards to IT service providers with privileged access as they apply internally, and should audit what access those providers have and how that access is authenticated.
- Deploy phishing-resistant MFA for privileged and remote access. SMS-based codes, TOTP apps, and push notifications are all bypassable through the social engineering, SIM swapping, and AiTM proxy techniques Scattered Spider uses. FIDO2/WebAuthn hardware keys and passkeys provide structural resistance. At minimum, conditional access policies should require managed and compliant devices for privileged operations.
- Protect VMware ESXi infrastructure. DragonForce's encryptor specifically targets ESXi. Segment ESXi management interfaces from general corporate networks, require MFA for vSphere/ESXi management access, and maintain offline or immutable backups of virtual machine configurations and snapshots. Ensure backup infrastructure is not accessible from the same credential set as production systems.
- Monitor for BYOVD indicators. The vulnerable drivers truesight.sys and rentdrv2.sys are associated with DragonForce pre-detonation activity. Detection rules for known vulnerable driver hashes and for the loading of unsigned or unusual drivers should be active in EDR tooling. Driver blocklisting, where the endpoint platform supports it, reduces the BYOVD attack surface.
- Monitor internal communications for breach-awareness indicators. Scattered Spider searches internal Slack, Teams, and Exchange for discussions of their intrusion. While this behavior is difficult to prevent, it is detectable: unusual search activity within corporate collaboration platforms, especially queries containing keywords like "incident," "attack," "breach," "security team," and threat actor names, should generate alerts. Logging and alerting on mass internal message searches is an underdeployed detection technique.
- Audit remote access tooling across the environment. Scattered Spider installs multiple remote access tools for redundancy. Inventory all remote access software in the environment, remove unauthorized installations, and alert on new remote access tool deployments. CISA guidance specifically recommends application allowlisting to prevent execution of unauthorized remote access software.
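As an added example (not code from this article or from any vendor or agency it cites), the following Python triage routine applies the three log-based checks in the list above to constructed sample telemetry: loads of the named vulnerable drivers or of unsigned drivers, execution of the documented remote access tools, and breach-keyword searches in collaboration platforms, with a per-user count to surface mass searching. The "source key=value" log format, hostnames, usernames, and the search threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Indicators named in the article; the rule logic around them is an added example.
VULNERABLE_DRIVERS = {"truesight.sys", "rentdrv2.sys"}
REMOTE_ACCESS_TOOLS = {"screenconnect", "anydesk", "teamviewer", "splashtop"}
BREACH_KEYWORDS = ("incident", "attack", "breach", "security team",
                   "scattered spider", "dragonforce")
SEARCH_ALERT_THRESHOLD = 2  # constructed threshold; tune against your own baseline

# Constructed sample telemetry (not real logs) in an assumed "<source> key=value ..." form.
SAMPLE_LOGS = [
    'edr host=esx-mgmt01 event=driver_load path="C:\\Windows\\Temp\\truesight.sys" signed=false',
    'edr host=ws-204 event=driver_load path="C:\\Windows\\System32\\drivers\\ndis.sys" signed=true',
    'edr host=ws-118 event=process_create image="C:\\Users\\j.doe\\AppData\\Local\\AnyDesk\\AnyDesk.exe"',
    'edr host=ws-118 event=process_create image="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"',
    'teams user=j.doe event=search query="incident response scattered spider"',
    'teams user=a.smith event=search query="lunch menu"',
    'slack user=j.doe event=search query="who is on the security team"',
]

# Matches key=value pairs; quoted values may contain spaces (e.g. Windows paths).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split one log line into its source and a dict of its key=value fields."""
    source, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["source"] = source
    return fields


def triage(lines):
    """Return (rule, subject, detail) alerts for the indicators the article lists."""
    alerts = []
    keyword_searches = defaultdict(int)  # breach-keyword searches per user
    for fields in map(parse, lines):
        event = fields.get("event")
        if event == "driver_load":
            name = fields["path"].rsplit("\\", 1)[-1].lower()
            if name in VULNERABLE_DRIVERS:
                alerts.append(("byovd_driver", fields["host"], name))
            elif fields.get("signed") == "false":
                alerts.append(("unsigned_driver", fields["host"], name))
        elif event == "process_create":
            name = fields["image"].rsplit("\\", 1)[-1].lower()
            if any(tool in name for tool in REMOTE_ACCESS_TOOLS):
                alerts.append(("remote_access_tool", fields["host"], name))
        elif event == "search":
            query = fields["query"].lower()
            hits = [kw for kw in BREACH_KEYWORDS if kw in query]
            if hits:
                keyword_searches[fields["user"]] += 1
                alerts.append(("breach_keyword_search", fields["user"], ",".join(hits)))
    # A user repeatedly searching for breach-related terms is the "mass search" signal.
    for user, count in keyword_searches.items():
        if count >= SEARCH_ALERT_THRESHOLD:
            alerts.append(("mass_breach_search", user, str(count)))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(*alert)
```

In production the same three rules would be expressed in the EDR and collaboration-platform query languages; the point here is that each indicator the article names maps to a concrete, testable detection rather than a manual review.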
Key Takeaways
- The relationship is transactional, not structural. Scattered Spider operates as a DragonForce affiliate — a customer of the RaaS cartel — rather than a member of the DragonForce organization. The overlap is recurrent and effective, but Scattered Spider has demonstrated a history of switching RaaS partners as operational circumstances change. The shared TTP set matters more for defenders than the specific brand affiliation.
- Social engineering of third-party IT providers is now an established initial access vector. The M&S attack gained entry through a Tata Consultancy Services helpdesk, not M&S's own staff. The security perimeter of any organization extends to every entity with privileged access to its systems, and the weakest identity verification controls in that chain define the effective attack surface.
- DragonForce's cartel model lowers the barrier to sophisticated attacks. By providing encryptor-as-infrastructure, leak site hosting, and white-labeling to affiliates who retain 80% of proceeds, DragonForce enables actors with strong social engineering tradecraft but no ransomware development capability to run enterprise-grade extortion operations. This means the Scattered Spider–DragonForce combination is not unique — other socially-capable actors can plug into the same infrastructure.
- Counter-detection is a documented and active tactic. Scattered Spider monitors incident response communications in real time during intrusions. Organizations responding to a potential Scattered Spider intrusion should treat their incident response communications themselves as a potential intelligence source for the attacker, and conduct sensitive discussions through out-of-band channels not accessible from the compromised environment.
- The broader coalition trend — Scattered LAPSUS$ Hunters and similar formations — signals ongoing consolidation. Criminal groups that previously competed are increasingly collaborating, sharing infrastructure, and building extortion-as-a-service models that further commoditize sophisticated attack capabilities. Attribution to a single named group matters less than understanding the shared tooling, social engineering methodology, and target selection logic that runs across all of them.
The 2025 UK retail campaign demonstrated what happens when world-class social engineering tradecraft meets a mature, well-resourced ransomware cartel with ESXi-capable payloads and an affiliate model designed for exactly this kind of collaboration. Neither Scattered Spider nor DragonForce is remarkable in isolation — it is the combination, and the structural model that makes such combinations easy to form, that represents the lasting threat.