Scattered Spider
A loosely organized collective of predominantly English-speaking teenagers and young adults who weaponize phone calls, identity deception, and third-party trust relationships to bypass multi-factor authentication and deploy ransomware. Responsible for the MGM Resorts breach ($100M+), the Caesars Entertainment ransom ($15M), the 2025 UK retail campaign that cost M&S an estimated £300 million and Co-op an estimated £206 million, the Aflac breach affecting 22.65 million individuals, and a sustained sweep through U.S. insurance carriers and global airlines. Five members have been federally indicted in the U.S. and at least eleven arrested internationally as of mid-2025. Rather than fragmenting under law enforcement pressure, the group formalized a merger with ShinyHunters and LAPSUS$ in August 2025, operating as the Scattered LAPSUS$ Hunters (SLH) alliance — an extortion-as-a-service collective with a federated structure, centralized Telegram infrastructure, and documented reach across dozens of Fortune 500 targets.
* Damage estimate is a floor, not a precise figure. It aggregates confirmed losses: MGM ($100M+), Clorox ($380M in total impact), M&S (£300M / ~$400M), Co-op (£206M / ~$277M), plus Aflac, insurance sector, and airline victims where totals remain partial or undisclosed. Many breaches attributed to this ecosystem have not disclosed financial impact. The $1B+ threshold is conservative given what is publicly confirmed.
Overview
If you have searched for this group, you have already encountered contradictions. Different vendors call them by different names: Scattered Spider (CrowdStrike, FBI/CISA official advisories, press), UNC3944 (Google Mandiant), Octo Tempest (Microsoft), Muddled Libra (Palo Alto Unit 42), Storm-0875 (earlier Microsoft tracking), and 0ktapus (Group-IB, used specifically for the 2022 phishing campaign). These are not different groups — they are overlapping tracking designations applied by different intelligence vendors to the same or substantially overlapping cluster of activity. The FBI and CISA use "Scattered Spider" in all official advisories and that is the name used throughout this profile. Importantly, the group has no fixed membership roster. It is a loose collective drawing from "The Com" underground community, meaning any given campaign may involve different individuals operating the same learned playbook. This is why some vendors have concluded the group "ceased operations" after arrests while others report continued activity — both observations can be simultaneously true for different subsets of participants. This profile acknowledges attribution gaps explicitly where they exist.
Scattered Spider defies the conventional profile of a sophisticated threat actor. There are no state sponsors, no custom implants developed by a professional engineering team, no classified intelligence support. The group is, by every account, primarily composed of teenagers and young adults — many of whom were still in secondary school during their earliest operations. What they lack in technical sophistication, they compensate for with something significantly harder to defend against: an almost instinctive understanding of how organizations trust people over the phone.
A note on the "teenagers" characterization: this is accurate and sourced, but it gets contested online. Some commentators push back on it as sensationalism. The indicted members in the November 2024 U.S. federal case were aged 20–23 at the time of indictment, and the July 2025 UK arrests included three teenagers. The group recruits from gaming communities and Discord servers where members are often minors when they begin participating. "Teenagers and young adults" is the phrase used in the FBI's own characterization and in CISA advisories, and it is used here for the same reason: it is accurate, and understanding the recruitment pipeline matters for defenders trying to anticipate who is calling their help desk. The point is not to minimize the threat — the damage figures speak to that — but to illustrate that technical sophistication is not a prerequisite for nine-figure damages when social engineering is the primary vector.
The group emerged from "The Com" — a sprawling online criminal community that recruits from gaming platforms like Roblox and Discord, mentors members in social engineering techniques, and has produced some of the most financially damaging cybercriminals of the 2020s. Scattered Spider's members are native English speakers, which eliminates the accent-based suspicion that trips up many non-English-speaking attackers when calling corporate help desks. According to CISA and FBI, the group is considered "experts in social engineering" — a characterization they have repeatedly earned in practice.
Their defining technique is straightforward in concept and devastatingly effective in practice: call a company's IT help desk, impersonate an employee, and convince the help desk operator to reset MFA or grant access. In September 2023, a single phone call to MGM Resorts' IT help desk — made after researching a target employee on LinkedIn — gave Scattered Spider full network access, ultimately costing the company more than $100 million. That same month, Caesars Entertainment paid approximately $15 million — roughly half their originally demanded ransom of $30 million — to prevent disclosure of stolen loyalty program data. In July 2025, Clorox filed a $380 million lawsuit against IT provider Cognizant, alleging that a Scattered Spider affiliate obtained credentials by simply calling Cognizant's service desk and asking for a password reset. The complaint includes recorded call transcripts showing Cognizant agents providing passwords and resetting MFA without any identity verification. As the lawsuit states: "Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques. The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over." Clorox spent more than $49 million on direct remediation and sustained hundreds of millions more in lost revenue and distribution disruption.
The technique has since evolved: the group and closely affiliated actors now place those calls over Microsoft Teams, exploiting a default Teams configuration that allows external accounts to initiate calls with internal users — enabling impersonation of IT helpdesk staff without needing to compromise anything in advance. In parallel, in August 2025, Scattered Spider, ShinyHunters, and LAPSUS$ formalized a merger under the banner of the Scattered LAPSUS$ Hunters (SLH) alliance, creating what Trustwave SpiderLabs described as a "federated collective" with centralized infrastructure for ransomware deployment, data leak sites, and target reconnaissance. The alliance has cycled through at least 16 Telegram channels since August 2025, rebuilding within hours of each takedown. Mandiant's M-Trends 2026 report, published March 2026, confirmed that voice phishing rose to the second-most common initial infection vector in 2025, appearing in 11% of investigations where a vector could be identified — up from negligible levels just three years prior.
Scattered Spider's primary attack vector — voice-based social engineering of IT help desks — is not stopped by technical controls. Organizations that do not have explicit callback verification and out-of-band identity confirmation processes for MFA resets are vulnerable regardless of the strength of their technical security stack.
Microsoft Teams IT Helpdesk Impersonation
Scattered Spider built its reputation on phone-based vishing — but the underlying technique has evolved into a more technically layered attack chain that exploits Microsoft's own collaboration infrastructure. The group's confirmed TTPs include IT helpdesk impersonation via Microsoft Teams, documented by MITRE ATT&CK (G1015), MOXFIVE, and implicitly by the July 2025 FBI/CISA joint advisory referencing "more sophisticated social engineering techniques." Closely affiliated actors — particularly Storm-1811 (tracked by Microsoft), STAC5777 (tracked by Sophos), and Sangria Tempest — operate what is effectively the same playbook and have produced the most forensically documented examples of the full Teams-to-Quick Assist chain. The overlap is significant: MITRE links Storm-1811 directly to Black Basta, Sophos links STAC5777 to Storm-1811, and multiple vendors note Scattered Spider's social engineering template underpins all of these groups. Where specific techniques below are confirmed for the affiliated actors but reported-rather-than-confirmed for Scattered Spider directly, this is noted explicitly.
Why some sources say "Scattered Spider" and others say "Storm-1811" or "STAC5777" for the same techniques: This is one of the most common sources of confusion when researching this group. Storm-1811 and STAC5777 are separate tracking designations used by Microsoft and Sophos respectively for actors that use near-identical email bombing and Teams-based vishing techniques. Whether those actors are the same individuals as Scattered Spider, former Scattered Spider members, or independent groups that learned from Scattered Spider's playbook is not definitively established. What is established is that the mechanics are essentially identical. This profile attributes confirmed techniques to the specific actors they are confirmed for, and notes the Scattered Spider connection where it is reported but not independently verified by a government advisory. The defensive response is the same regardless of which label is applied.
The Email Bombing Precursor
The Teams-based variant typically begins not with a call, but with an inbox attack. The target employee's Outlook mailbox is flooded with subscription spam — in documented Storm-1811 and STAC5777 incidents investigated by Sophos, this reached over 3,000 messages in under 45 minutes. The flood is deliberate: it creates genuine distress, gives the employee a real reason to contact IT, and — critically — gives the attacker a pretext when they call first. The employee is already expecting someone to help them. When the Teams call arrives offering to fix the spam problem, the social engineering has already done most of its work before a word is spoken. MOXFIVE reports Scattered Spider using a functionally identical precursor in its Teams-based campaigns.
The Teams Call and Why It Works
The attacker operates a purpose-registered external Microsoft 365 tenant — a fully legitimate account, not a compromised one — and uses it to place a Teams voice or video call directly to the target employee. This exploits a Microsoft Teams default configuration that permits users on any external domain to initiate calls and chats with internal users. The call appears in Teams exactly as a legitimate internal support call would. The attacker's display name is set to something plausible — "Help Desk Manager," "IT Support," or a variant of the organization's actual IT team name.
Organizations using managed service providers for IT support face compounded exposure: their employees are already conditioned to receive support calls from accounts outside their primary domain. When a call arrives from an external account claiming to be the MSP's helpdesk, the scenario matches exactly what employees have been trained to expect as normal. Sophos documented this precisely in a November 2024 STAC5777 incident: the targeted employee accepted the call without suspicion because the organization's IT was managed externally, making external Teams accounts an expected contact channel. Microsoft's DART team confirmed the same social context in a November 2025 intrusion case — two employees recognized the call as suspicious and refused; a third did not.
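The configuration the call relies on can be audited and tightened from PowerShell. This is an added example, not text from the profile or from Microsoft; it assumes the MicrosoftTeams module, Teams Administrator rights, and uses `msp.example.com` as a placeholder for your actual IT provider's tenant domain.

```powershell
# Added example (not from the profile, not Microsoft's own guidance text):
# audit the Teams external-access settings the Teams-based vishing variant
# depends on, then replace the open default with an explicit allowlist.
# Assumptions: the MicrosoftTeams PowerShell module is installed and you hold
# Teams Administrator rights; "msp.example.com" is a placeholder for the
# tenant domain of your real IT provider. Parameter names follow the module
# documentation at the time of writing; check them against your version.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# --- 1. Audit: what can an arbitrary external tenant do today? ---
$fed = Get-CsTenantFederationConfiguration
[pscustomobject]@{
    AllowFederatedUsers            = $fed.AllowFederatedUsers             # any M365 tenant may chat/call
    AllowTeamsConsumer             = $fed.AllowTeamsConsumer              # personal Teams accounts may chat/call
    AllowTeamsConsumerInbound      = $fed.AllowTeamsConsumerInbound       # ...and may initiate the contact
    ExternalAccessWithTrialTenants = $fed.ExternalAccessWithTrialTenants  # freshly created trial tenants
    AllowedDomains                 = $fed.AllowedDomains                  # "AllowAllKnownDomains" means open
} | Format-List

# --- 2. Harden: only the tenants you actually take support calls from ---
# Personal (consumer) Teams accounts have no business calling staff.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Purpose-registered tenants are often trial tenants; block those outright.
Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants Blocked

# Keep federation on (the MSP must still reach you) but pin it to a list.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @('msp.example.com')

# --- 3. Verify the resulting allowlist ---
(Get-CsTenantFederationConfiguration).AllowedDomains
```

An allowlist does nothing when the allowed provider is itself the compromised party, as with TCS and Cognizant in the cases above; the help desk callback procedure is still required on top of this.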
Quick Assist Takeover — Attribution and Mechanics
Once the call is established, the attacker guides the employee through opening Windows Quick Assist, a remote assistance utility built into Windows that requires no installation and carries no inherent security warnings to most users. This technique is firmly and multiply confirmed for Storm-1811 (Microsoft, May 2024) and STAC5777 (Sophos, January 2025). MOXFIVE explicitly states the technique "was first observed in late 2024 during incidents involving Black Basta and has since been adopted by Scattered Spider." That adoption claim is from a single private vendor and is not yet corroborated by independent advisories naming Scattered Spider and Quick Assist together — but given the degree of TTP overlap between Scattered Spider and these affiliated actors, and the group's established pattern of rapidly incorporating effective techniques from its network, it is assessed as plausible and operationally significant for defenders to treat as current.
With remote control established, the documented post-access chain in Storm-1811 and STAC5777 intrusions proceeds as follows: the attacker uses the Quick Assist session to open a browser, downloading malicious payloads staged on Microsoft Azure Blob Storage subdomains (subdomains of blob.core.windows.net) and attacker-controlled SharePoint links — both of which are Microsoft infrastructure, deliberately chosen because traffic to these domains generates few or no alerts in standard network monitoring. Payloads observed include trojanized executables that sideload malicious DLLs using trusted Windows mechanisms, encrypted loaders, and the BackConnect malware for persistent C2. DarkGate has been observed as a follow-on payload in separate but related campaigns. The attacker also uses the Quick Assist session to access RDP configuration files and network topology diagrams to plan lateral movement — Sophos documented one incident where a Visio network diagram was accessed for exactly this purpose.
Command-and-control traffic is routed through proxy infrastructure specifically to blend with normal enterprise outbound connections and avoid triggering network anomaly detection. In intrusions investigated by Microsoft's DART team, this approach successfully obscured attacker activity until DART was called in — and even then, forensic reconstruction required correlating Quick Assist session artifacts, browser history, and DLL sideloading indicators across multiple systems.
Energy, utilities, and other critical infrastructure organizations are specifically named in the July 2025 FBI/CISA joint advisory as active Scattered Spider targets. These organizations face compounded exposure to the Teams/Quick Assist variant because many rely on outsourced IT and OT support contracts — meaning employees are already conditioned to receive help desk calls from external accounts, which is the exact social context the attack exploits. In the affiliated Storm-1811/STAC5777 intrusions, attackers specifically targeted VPN configuration files and domain credentials after gaining access — material that, in energy sector environments, can represent a pathway from the IT network toward operational technology systems. While direct confirmed Scattered Spider intrusions into energy sector OT environments have not been publicly documented, the July 2025 advisory's explicit naming of critical infrastructure as an active target sector, combined with the group's pattern of rapidly escalating within and across sectors, makes this a credible near-term risk rather than a theoretical one.
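Two defender-side measures against the Quick Assist stage of this chain, written as an added example rather than taken from the profile or any vendor report: removing the built-in capability where a managed RMM tool replaces it, and a correlation rule that flags a Quick Assist launch followed shortly by a lookup of an Azure Blob Storage or SharePoint host. The sample telemetry is constructed to mimic Sysmon process-creation and DNS-query records; host names, timestamps and the `stg-example` blob label are made up, and the capability name prefix is assumed.

```powershell
# Added example (not from the profile or any vendor report). Part A removes
# the built-in Quick Assist capability; Part B correlates a Quick Assist
# launch with a later lookup of a Microsoft-hosted staging domain.
# Assumptions: the Windows capability name starts with "App.Support.QuickAssist";
# the sample events below are constructed, including every host name and label.

# ---- Part A: remove Quick Assist (call from an elevated session) ----
function Remove-QuickAssistCapability {
    $qa = Get-WindowsCapability -Online | Where-Object { $_.Name -like 'App.Support.QuickAssist*' }
    if ($qa -and $qa.State -eq 'Installed') {
        Remove-WindowsCapability -Online -Name $qa.Name | Out-Null
        Write-Host "Removed $($qa.Name)"
    }
}

# ---- Part B: correlation rule over endpoint telemetry ----
function Find-QuickAssistStaging {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Time, Host, Type, Value
        [int] $WindowMinutes = 30
    )
    # Both staging locations are Microsoft-owned, so a plain domain block is
    # not an option; the Quick Assist session immediately before is the signal.
    $staging = '\.blob\.core\.windows\.net$|\.sharepoint\.com$'

    foreach ($group in ($Events | Group-Object -Property Host)) {
        $timeline = $group.Group | Sort-Object { [datetimeoffset]::Parse($_.Time) }
        $launches = $timeline | Where-Object {
            $_.Type -eq 'ProcessCreate' -and
            [System.IO.Path]::GetFileName($_.Value) -ieq 'QuickAssist.exe'
        }
        foreach ($launch in $launches) {
            $t0 = [datetimeoffset]::Parse($launch.Time)
            foreach ($dns in ($timeline | Where-Object { $_.Type -eq 'DnsQuery' })) {
                $delta = ([datetimeoffset]::Parse($dns.Time) - $t0).TotalMinutes
                if ($delta -ge 0 -and $delta -le $WindowMinutes -and $dns.Value -imatch $staging) {
                    [pscustomobject]@{
                        Host         = $group.Name
                        QuickAssist  = $launch.Time
                        StagingHost  = $dns.Value
                        LookedUpAt   = $dns.Time
                        MinutesAfter = [math]::Round($delta, 1)
                    }
                }
            }
        }
    }
}

# Constructed sample telemetry: three workstations, one attack pattern.
# Quick Assist executable paths are shortened placeholders.
$sample = @(
    # WS-0142: Quick Assist session, browser launch, then a blob-staged download
    [pscustomobject]@{ Time='2025-11-04T09:12:00Z'; Host='WS-0142'; Type='ProcessCreate'; Value='C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe' },
    [pscustomobject]@{ Time='2025-11-04T09:15:10Z'; Host='WS-0142'; Type='ProcessCreate'; Value='C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' },
    [pscustomobject]@{ Time='2025-11-04T09:19:30Z'; Host='WS-0142'; Type='DnsQuery';      Value='stg-example.blob.core.windows.net' },
    # WS-0142 hours later: a blob lookup with no Quick Assist session nearby
    [pscustomobject]@{ Time='2025-11-04T15:02:00Z'; Host='WS-0142'; Type='DnsQuery';      Value='stg-example.blob.core.windows.net' },
    # WS-0077: ordinary SharePoint traffic, no Quick Assist at all
    [pscustomobject]@{ Time='2025-11-04T09:20:00Z'; Host='WS-0077'; Type='DnsQuery';      Value='contoso-my.sharepoint.com' },
    # WS-0201: Quick Assist used legitimately, nothing staged afterwards
    [pscustomobject]@{ Time='2025-11-04T10:00:00Z'; Host='WS-0201'; Type='ProcessCreate'; Value='C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe' },
    [pscustomobject]@{ Time='2025-11-04T10:05:00Z'; Host='WS-0201'; Type='DnsQuery';      Value='login.microsoftonline.com' }
)

Find-QuickAssistStaging -Events $sample | Format-Table -AutoSize
```

Only the WS-0142 morning sequence matches the rule; the same blob host looked up hours later, and SharePoint traffic on a host that never ran Quick Assist, are left alone.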
Signature Attack Chain
The Scattered Spider playbook is consistent across campaigns. Understanding the chain is the first step to breaking it.
Target Profile
Scattered Spider follows a documented pattern of targeting one industry at a time — attacking multiple organizations in rapid succession before shifting to the next sector. Google Mandiant has noted this behavior explicitly, observing that "the group has a habit of focusing on a single sector at a time, while keeping their core TTPs consistent." The pattern is not coincidental: sector concentration amplifies media pressure on victims, normalizes the attacker's presence in that industry's news cycle, and allows the group to reuse reconnaissance and social engineering scripts across multiple targets with minimal retooling. As of the joint FBI/CISA advisory (July 29, 2025), the group's confirmed active targeting scope includes critical infrastructure sectors.
Some researchers dispute the "one sector at a time" framing, noting that the 2025 campaigns against retail, insurance, and airlines overlapped in timing rather than occurring in strict sequence. Halcyon's analysis describes Scattered Spider as demonstrating "a calculated and opportunistic targeting strategy, rotating across industries and geographies based on visibility, payout potential, and operational heat" — which is slightly different from a rigid sequential model. Both characterizations describe real observed behavior; the distinction is whether the pattern is deliberate sector-by-sector sequencing or opportunistic clustering. The practical implication for defenders is the same either way: if this group has recently hit your industry, your organization needs to be on heightened alert regardless of whether a "rotation" to another sector is underway.
- Critical infrastructure and energy: Confirmed as an active targeting category in the July 29, 2025 multi-agency advisory, co-signed by the FBI, CISA, RCMP, ASD's Australian Cyber Security Centre, Australian Federal Police, Canadian Centre for Cyber Security, and UK NCSC. Energy and utilities organizations are particularly exposed due to outsourced IT and OT support contracts, where employees are conditioned to receive help desk calls from external accounts — exactly the scenario the Teams-based vishing technique exploits. Successful credential compromise in these environments creates potential pathways from IT networks into operational technology systems.
- Hospitality and casinos: MGM Resorts (September 2023, $100M+ in losses) and Caesars Entertainment (September 2023, $15M ransom paid). Large organizations with complex vendor relationships, high employee turnover, and many contractors — all of which increase social engineering attack surface. Caesars was breached via a third-party IT vendor. MGM declined to pay but sustained over a week of operational disruption across multiple properties.
- Retail: Marks & Spencer, Co-op, and Harrods in the April–July 2025 UK campaign. The UK Cyber Monitoring Centre classified the M&S and Co-op incidents as a single combined cyber event with a financial impact of £270–440 million ($363–592 million). M&S's chairman Archie Norman confirmed Scattered Spider and DragonForce ransomware involvement directly before a UK Parliament committee in July 2025. M&S estimated its loss at £300 million; Co-op assessed revenue losses at £206 million. The M&S breach began as early as February 2025, when attackers compromised a Tata Consultancy Services (TCS) contractor — M&S's IT helpdesk provider — and extracted the NTDS.dit Active Directory file, enabling offline password hash cracking and lateral movement across the network. DragonForce ransomware was deployed against M&S's VMware ESXi infrastructure on April 19, 2025. Co-op detected the intrusion before encryption could proceed and shut down its own systems; attackers had already exfiltrated data on approximately 20 million members. Harrods isolated its network quickly, limiting operational impact. Additional 2025 retail victims bearing hallmarks of Scattered Spider activity include Victoria's Secret, The North Face, Cartier, Adidas, Coca-Cola, and United Natural Foods (UNFI), the primary supplier for Amazon's Whole Foods.
- Insurance: In a five-day period beginning June 7, 2025, Scattered Spider pivoted to the U.S. insurance sector with a coordinated campaign. Erie Insurance (June 7), Philadelphia Insurance Companies (June 9), Aflac (June 12), and Tokio Marine North America (June 13) all disclosed incidents. Allianz Life Insurance of North America disclosed a breach in July 2025 affecting 1.4 million customers, compromised through a third-party cloud-based CRM system via social engineering. The Aflac breach — confirmed in December 2025 — exposed the personal information of 22.65 million individuals, including Social Security numbers, health information, and insurance claims data. Google Threat Intelligence Group confirmed awareness of multiple U.S. insurance intrusions bearing Scattered Spider hallmarks. Keith Wojcieszek of Kroll noted that insurers are uniquely valuable targets because they hold not only customer PII but detailed cybersecurity assessments of insured organizations — data that could inform future attacks against other companies.
- Airlines and transportation: Following the insurance campaign, the group pivoted to the aviation sector in late June 2025. Hawaiian Airlines (June 26, 2025), Canada's WestJet (incident beginning June 13, 2025), and Qantas (June 30, 2025, breach of a third-party contact center platform affecting customer names, email addresses, phone numbers, birthdates, and Frequent Flyer numbers) were all confirmed as targets. The FBI issued a formal warning on June 28, 2025 that Scattered Spider had expanded into the airline sector. Mandiant confirmed awareness of multiple airline and transportation incidents "which resemble the operations of UNC3944 or Scattered Spider." In its warning, the FBI stated that attackers "rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access."
- Technology companies: Twilio, Okta, Mailchimp, Cloudflare, LastPass, DoorDash, and over 130 other technology companies targeted in the 0ktapus SMS phishing campaign (2022). Access to identity providers creates downstream risk for hundreds of organizations simultaneously. Tyler Buchanan, an indicted member, was tied to the 2022 campaign through phishing domains registered from a Scottish IP address traced to his Virgin Media account by the FBI. In 2025, Google's corporate Salesforce instance was compromised as part of the broader SLH Salesforce campaign, with attackers exfiltrating CRM data through OAuth-connected app abuse.
- Business process outsourcing (BPO) and telecommunications — original targets (2022): Before the casino attacks brought widespread attention, Scattered Spider's first documented campaigns in 2022 focused on CRM providers, BPO firms, and telecommunications companies. CrowdStrike documented this in December 2022 as "Not a SIMulation." Remington Ogletree — the sixth federally charged member — told the FBI that the group deliberately targets BPO companies because "outsourcing companies they have less security" than the organizations they serve. The group confirmed having compromised at least five major BPO companies. This BPO-first targeting logic explains why third-party IT providers like Cognizant (Clorox) and TCS (M&S) remain such reliable entry points: they are a deliberate, strategic choice, not an opportunistic one.
- Healthcare: HHS's Health Sector Cybersecurity Coordination Center (HC3) issued a dedicated Scattered Spider threat actor profile for healthcare organizations in October 2024, explicitly warning that the group has targeted healthcare. The NCA's September 2025 arrest statement for Owen Flowers noted that his September 2024 arrest had led to the discovery of evidence connecting him to cyberattacks on American healthcare companies. Healthcare organizations present the same social engineering attack surface as other large enterprises with outsourced IT — help desks, vendor relationships, and cloud identity platforms — combined with exceptionally valuable data (PHI, insurance records, research IP).
- Cloud storage — Snowflake (2024): Two Scattered Spider members were connected to the 2024 Snowflake customer breach wave, in which roughly 165 organizations were targeted through account takeover attacks using stolen credentials harvested from historical infostealer infections. Confirmed public victims included AT&T, Ticketmaster, Santander, Advance Auto Parts, LendingTree, and Neiman Marcus — collectively impacting hundreds of millions of individuals. The Snowflake campaign was primarily attributed to ShinyHunters, but the Scattered Spider connection reinforces the overlap between these groups that later formalized into the SLH alliance.
- Transport for London (2024): TfL was breached in September 2024 using social engineering consistent with The Com group techniques, requiring approximately 5,000 employees to attend in person to verify identities as part of remediation. Attribution to Scattered Spider specifically is ecosystem-assessed rather than officially confirmed — see the dedicated campaign entry for sourcing and arrest detail.
Tactics, Techniques & Procedures
MITRE ATT&CK IDs reference the Enterprise framework v14. Where a technique is confirmed for closely affiliated actors but attributed-rather-than-confirmed for Scattered Spider directly, this is noted in the description. "T1566.004 (variant)" in the original advisory refers to the Teams-based delivery mechanism, which MITRE maps to the same spearphishing voice technique ID — the "(variant)" label is used here for clarity, not as an official MITRE sub-technique.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.004 | Spear-phishing via Voice (Vishing) | Primary initial access vector. Native English-speaking callers impersonate employees to IT help desks, requesting MFA resets or credential changes. Highly convincing due to pre-researched personal details sourced from LinkedIn, company directories, and social media. |
| T1566.004 (variant) | IT Helpdesk Impersonation via Microsoft Teams | Attacker registers an external Microsoft 365 tenant and places Teams voice or video calls to target employees posing as IT helpdesk or "Help Desk Manager." Exploits the default Teams configuration permitting external domain users to initiate calls with internal users — no prior compromise required. Typically preceded by email bombing to manufacture urgency. Confirmed for Scattered Spider by MITRE ATT&CK (G1015) and MOXFIVE. Firmly confirmed for closely affiliated actors Storm-1811 (Microsoft, May 2024) and STAC5777 (Sophos, January 2025). Note: This technique maps to the same MITRE ID as phone vishing — both are T1566.004 — because MITRE does not sub-distinguish the delivery channel. |
| T1621 | MFA Request Generation (Push Bombing) | Confirmed by CISA and FBI in all three advisories (2023 and 2025). The attacker floods the target with repeated MFA push approval requests until the user accepts one out of fatigue or confusion. Sometimes combined with a vishing call offering to "help" resolve the MFA flood — turning the victim's attempt to fix the problem into the compromise vector itself. Distinct from SIM swapping: push bombing requires no carrier interaction and works against any push-based MFA implementation. |
| T1219 | Remote Access via Quick Assist | In the Teams-based variant, the victim is guided through launching Windows Quick Assist and granting full remote control. Subsequent hands-on-keyboard activity includes steering the user to a spoofed credential-harvesting page, DLL sideloading via trusted Windows mechanisms, encrypted loader deployment, and C2 via proxy infrastructure. Payload staging uses Microsoft Azure Blob Storage subdomains and SharePoint links to evade network monitoring. Firmly confirmed for Storm-1811 (Microsoft) and STAC5777 (Sophos). MOXFIVE reports adoption by Scattered Spider; not yet independently corroborated by a major government advisory naming Scattered Spider and Quick Assist together, but assessed as a credible active risk given documented TTP overlap between these actor clusters. |
| T1586.002 | Compromise Accounts (Phone) — SIM Swapping | Convincing mobile carriers to transfer a target's phone number to an attacker-controlled SIM, enabling interception of SMS MFA codes and password reset links without any direct interaction with the target company. Confirmed in the original 2023 FBI/CISA advisory and in the 0ktapus campaign. Effective specifically against SMS-based and voice-call-based MFA; entirely ineffective against FIDO2 hardware keys or passkeys. |
| T1556 | Modify Authentication Process | Once inside identity providers (Okta, Azure AD/Entra ID), registers new MFA devices under the compromised account to maintain persistent access that survives password resets. Creates a persistent foothold that can outlast the initial breach discovery if identity provider audit logs are not actively monitored. |
| T1199 | Trusted Relationship Exploitation | Exploitation of managed service provider and vendor access relationships where verification procedures are less rigorous than direct employee processes. Confirmed in MGM (via unnamed vendor), Caesars (via third-party IT vendor), M&S (via TCS), and Clorox (via Cognizant). The most operationally reliable pattern in all documented campaigns. |
| T1078.004 | Cloud Accounts | Targets cloud identity and SSO systems (Okta, Entra ID) for broad access across all integrated applications rather than targeting individual systems. A single compromised identity provider account can yield access to dozens of downstream SaaS applications simultaneously. |
| T1114 | Email Collection / Incident Monitoring | Confirmed by CISA and FBI: after gaining access, Scattered Spider searches victim Slack, Microsoft Teams, and Microsoft Exchange for emails and conversations about the intrusion to determine whether their activity has been discovered. The group also joins active incident response and remediation calls to monitor defender activity in real time, creating new identities within the environment backed by fake social media profiles to maintain access to these calls. |
| T1486 | Data Encrypted for Impact | Final stage deployment of DragonForce (2025) or BlackCat/ALPHV (2023) ransomware after data exfiltration. Encryption is the culmination of a patient multi-stage campaign — in the M&S breach, attacker dwell time spanned roughly February to April 2025 before ransomware was deployed. The encryption event is the moment of detection, not the moment of breach. |
| T1219 | Remote Access Software (RMM Tools) | Installs multiple legitimate RMM tools (AnyDesk, ConnectWise ScreenConnect, TeamViewer, Zoho Assist, Splashtop) simultaneously — sometimes six or more — to ensure persistence if any one is discovered and removed. Use of legitimate, allowlisted software bypasses most endpoint detection solutions. |
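The T1556 row above describes the persistence that survives a password reset: a new MFA factor enrolled right after a help-desk-initiated reset. The following is an added example, not from the profile or from Okta, of a detection for exactly that sequence, run over constructed Okta System Log records in JSON-lines form. Field names (`eventType`, `published`, `actor`, `client.ipAddress`, `target`) follow the Okta System Log schema; the users, IP addresses (documentation ranges) and timestamps are made up.

```powershell
# Added example (not from the profile or from Okta): flag an admin-initiated
# "reset all factors" on a user that is followed, within a short window, by a
# factor activation from an IP address the user has never signed in from.
# Assumptions: Okta System Log field names as documented; all sample data
# below is constructed (example.com users, documentation-range IPs).

function Find-SuspiciousFactorEnrollment {
    param(
        [Parameter(Mandatory)] [string[]] $JsonLines,
        [int] $WindowMinutes = 60
    )
    $events = $JsonLines | Where-Object { $_.Trim() } | ForEach-Object { $_ | ConvertFrom-Json }

    # Baseline: IP addresses each user has previously started sessions from.
    $seenIps = @{}
    foreach ($e in $events) {
        if ($e.eventType -ne 'user.session.start') { continue }
        $u = $e.actor.alternateId
        if (-not $seenIps.ContainsKey($u)) { $seenIps[$u] = @() }
        $seenIps[$u] += $e.client.ipAddress
    }

    foreach ($reset in $events) {
        if ($reset.eventType -ne 'user.mfa.factor.reset_all') { continue }
        $user = ($reset.target | Where-Object { $_.type -eq 'User' } | Select-Object -First 1).alternateId
        $t0   = [datetimeoffset]::Parse($reset.published)

        foreach ($act in $events) {
            if ($act.eventType -ne 'user.mfa.factor.activate') { continue }
            $sameUser = $act.target | Where-Object { $_.type -eq 'User' -and $_.alternateId -eq $user }
            if (-not $sameUser) { continue }
            $delta = ([datetimeoffset]::Parse($act.published) - $t0).TotalMinutes
            if ($delta -lt 0 -or $delta -gt $WindowMinutes) { continue }

            # A factor activated from an address the user never used, minutes
            # after a help desk reset, is the persistence pattern in the table.
            $known = $seenIps[$user]
            if (-not $known -or $known -notcontains $act.client.ipAddress) {
                [pscustomobject]@{
                    User         = $user
                    ResetBy      = $reset.actor.alternateId
                    ResetAt      = $reset.published
                    EnrolledAt   = $act.published
                    EnrolledFrom = $act.client.ipAddress
                    Country      = $act.client.geographicalContext.country
                    KnownIps     = ($known -join ', ')
                }
            }
        }
    }
}

# Constructed System Log excerpt: two users, two help desk resets, one of which
# is followed by enrollment from a previously unseen address.
$sample = @'
{"eventType":"user.session.start","published":"2025-06-10T08:02:11Z","actor":{"alternateId":"j.doe@example.com"},"client":{"ipAddress":"203.0.113.5","geographicalContext":{"country":"United States"}},"target":[]}
{"eventType":"user.session.start","published":"2025-06-10T08:10:40Z","actor":{"alternateId":"a.smith@example.com"},"client":{"ipAddress":"203.0.113.9","geographicalContext":{"country":"United States"}},"target":[]}
{"eventType":"user.mfa.factor.reset_all","published":"2025-06-10T11:00:05Z","actor":{"alternateId":"helpdesk.agent@example.com"},"client":{"ipAddress":"198.51.100.20","geographicalContext":{"country":"United States"}},"target":[{"type":"User","alternateId":"a.smith@example.com"}]}
{"eventType":"user.mfa.factor.activate","published":"2025-06-10T11:04:22Z","actor":{"alternateId":"a.smith@example.com"},"client":{"ipAddress":"203.0.113.9","geographicalContext":{"country":"United States"}},"target":[{"type":"User","alternateId":"a.smith@example.com"}]}
{"eventType":"user.mfa.factor.reset_all","published":"2025-06-10T14:31:02Z","actor":{"alternateId":"helpdesk.agent@example.com"},"client":{"ipAddress":"198.51.100.20","geographicalContext":{"country":"United States"}},"target":[{"type":"User","alternateId":"j.doe@example.com"}]}
{"eventType":"user.mfa.factor.activate","published":"2025-06-10T14:36:40Z","actor":{"alternateId":"j.doe@example.com"},"client":{"ipAddress":"192.0.2.77","geographicalContext":{"country":"Germany"}},"target":[{"type":"User","alternateId":"j.doe@example.com"}]}
'@

Find-SuspiciousFactorEnrollment -JsonLines ($sample -split '\r?\n') | Format-List
```

Only the j.doe sequence is reported; a.smith re-enrolled from a known address and is left alone. Pairing each hit with the help desk ticket that justified the reset closes the loop: an enrollment with no matching ticket is the one to escalate.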
Known Campaigns
On August 8, 2025, a Telegram channel emerged claiming to unite Scattered Spider, ShinyHunters, and LAPSUS$ under the banner "Scattered LAPSUS$ Hunters" (SLH). Trustwave SpiderLabs and Resecurity subsequently confirmed this as a coordinated alliance — not merely rebranding — with fewer than five core operators managing roughly 30 personas. ShinyHunters (tracked as UNC6040/UNC6240 by Google Mandiant) contributed Salesforce vishing and data exfiltration automation; LAPSUS$ brought media manipulation and extortion expertise; Scattered Spider provided initial access through help desk social engineering. The alliance has operated at least 16 Telegram channels since formation, rebuilding within hours of each takedown. On September 12, 2025, the FBI issued a FLASH alert connecting a string of Salesforce breaches to UNC6040 and UNC6395 (the latter tied to Scattered Spider). Trustwave confirmed the alliance is positioning itself as an extortion-as-a-service platform. In late 2025, the group announced an operational pause and then, in a subsequent Telegram message, denied retirement — consistent with prior temporary withdrawals by The Com groups following arrest waves. Mandiant's M-Trends 2026 report confirmed UNC3944 continued targeting help desk staff through the first half of 2025, with the broader hand-off model appearing in 9% of investigations, up from 4% in 2022.
Debate note: There is genuine disagreement in the threat intelligence community about how real this "merger" is. Mandiant maintains strict group-based attribution — tracking UNC3944, UNC6040, and LAPSUS$ as distinct clusters — and has been cautious about calling the SLH formation a true operational merger rather than a theatrical joint branding exercise. Obsidian Security researchers concluded a partnership or merger had occurred, noting overlapping IOCs and coordination on specific campaigns. Cian Heasley of Acumen Cyber stated plainly that the Telegram posts "seem far-fetched" and that "Scattered Lapsus$ Hunters is running scared." The practical position taken in this profile — consistent with the FBI's September 2025 FLASH alert — is that whether the alliance is operationally genuine or partly performative, the TTPs being executed under the SLH banner are real, the victims are real, and defenders cannot afford to wait for definitive attribution before acting on the shared playbook.
Following the insurance pivot, Scattered Spider moved to the airline sector in June 2025. Hawaiian Airlines disclosed a cybersecurity incident on June 26, 2025, affecting some IT systems while maintaining full flight operations. WestJet (Canada) reported an incident beginning June 13, 2025, disrupting its mobile app and website. Qantas disclosed on June 30, 2025 that attackers had breached a third-party contact center platform, accessing customer names, email addresses, phone numbers, birthdates, and Frequent Flyer numbers for 5.7 million passengers. The FBI issued an official sector alert on June 28, warning that Scattered Spider had "recently observed" targeting of the airline sector using social engineering and impersonation of employees or contractors to deceive IT help desks. Darktrace's global head of threat analysis assessed the Qantas breach as consistent with Scattered Spider activity, likely achieved through compromise of a third-party SaaS platform such as Salesforce or Zendesk. Mandiant confirmed awareness of multiple airline incidents resembling UNC3944 operations. Neither Hawaiian nor WestJet has officially attributed their incidents to Scattered Spider.
Attribution note: Neither Hawaiian Airlines nor WestJet has officially named Scattered Spider as the responsible party. Qantas has not either. The FBI's sector warning named the group generically without naming specific victims. The attribution here rests on Mandiant's confirmation of multiple airline incidents resembling UNC3944 operations, Darktrace's technical assessment of the Qantas breach mechanism, and the timing pattern consistent with Scattered Spider's documented sector-targeting behavior. This is assessed attribution, not victim-confirmed attribution — a distinction that matters and is acknowledged here. The defensive recommendations remain unchanged regardless of which actor is ultimately confirmed.
The insurance campaign opened with a five-day cluster of breaches starting June 7, 2025: Erie Insurance (unusual network activity, June 7), Philadelphia Insurance Companies (network outage, June 9), Aflac (unauthorized access, June 12), and Tokio Marine North America (suspicious activity, June 13). Allianz Life Insurance of North America followed in July 2025, when attackers accessed a cloud-based CRM system via social engineering, compromising 1.4 million customers. The Aflac breach, confirmed in full in December 2025, exposed the personal information of 22.65 million individuals — including Social Security numbers, health information, and claims data for customers, employees, and agents. Aflac identified the intrusion within hours and confirmed the system was not affected by ransomware. Google GTIG publicly confirmed awareness of multiple insurance intrusions bearing Scattered Spider hallmarks. Law firm Maynard Nexsen stated in June 2025: "The threat actor, Scattered Spider, is now focusing on the insurance industry." Multiple class action lawsuits have been filed against the affected insurers. Keith Wojcieszek of Kroll noted that insurers hold not only customer PII but also detailed cybersecurity assessments of insured organizations — data that could inform future attacks against those clients.
Attribution precision: The insurance campaign attribution to Scattered Spider is assessed, not formally confirmed by all affected companies. Aflac stated the threat actor "may be affiliated with a known cyber-criminal organization" without naming the group in its breach notice, and noted that "federal law enforcement and third-party cybersecurity experts have indicated that this group may have been targeting the insurance industry at large." Erie Insurance and Philadelphia Insurance did not attribute their incidents by name. The attribution rests on Google GTIG's confirmed awareness of multiple insurance intrusions bearing Scattered Spider hallmarks, the timing pattern matching the group's documented sector-rotation behavior, and Maynard Nexsen's June 2025 explicit naming. It is included as attributed rather than confirmed for this reason, and this profile uses the same cautious language Aflac itself used.
A joint advisory published July 29, 2025 by the FBI, CISA, RCMP, ASD's Australian Cyber Security Centre, AFP, Canadian Centre for Cyber Security, and UK NCSC — the third government advisory on Scattered Spider since November 2023 — confirmed the group was actively targeting commercial facilities and critical infrastructure sectors through at least June 2025. The advisory documented new tactics including more sophisticated social engineering techniques and additional ransomware variants. VMware ESXi hypervisors and vSphere environments were specifically identified as compromise targets. DragonForce ransomware was confirmed as the primary current payload. CISA's acting executive assistant director for cybersecurity Chris Butera stated that Scattered Spider "represents a serious and ongoing threat to U.S. organizations, using sophisticated social engineering and intrusion tactics to disrupt operations and extort victims." Mandiant CTO Charles Carmakal noted that following UK arrests in July 2025, Mandiant had not observed new intrusions directly attributable to UNC3944 — but emphasized that UNC6040 and other groups were continuing to employ identical tactics.
Scattered Spider compromised M&S systems as early as February 2025, exfiltrating the NTDS.dit Active Directory file from M&S's IT infrastructure managed by Tata Consultancy Services (TCS). With offline password hash cracking complete, DragonForce ransomware was deployed against M&S's VMware ESXi infrastructure on April 19, 2025 — Easter weekend — taking online ordering, contactless payments, and gift card terminals offline. Online sales were suspended April 25, 2025. M&S CEO Stuart Machin received a ransom demand directly from DragonForce, sent from a compromised TCS employee account. CrowdStrike, Microsoft, and Fenix24 conducted the forensic investigation. M&S's chairman Archie Norman confirmed Scattered Spider involvement before a UK Parliament committee in July 2025. M&S estimated its loss at £300 million; Co-op — which was compromised through IT helpdesk impersonation and shut down its own systems before encryption could be deployed — assessed revenue losses at £206 million and confirmed all 20 million member records were exfiltrated. Harrods detected the attack early and isolated its network, limiting impact. The UK Cyber Monitoring Centre classified M&S and Co-op as a single combined event with a total financial impact of £270–440 million ($363–592 million). Four individuals, three of whom were teenagers, were arrested by UK law enforcement in July 2025 in connection with these attacks. Brian Krebs reported that the 19-year-olds arrested included Owen David Flowers (aliases: bo764, Holy) and Thalha Jubair (aliases: Earth2Star, Operator). Mandiant's Carmakal called the arrests "a significant win" and "a critical window for organizations to fortify their defenses."
Debate note — "Scattered Spider" or "DragonForce"? You will find some sources attributing the M&S and Co-op attacks to "DragonForce" and others to "Scattered Spider." Both are correct and refer to different parts of the same attack. Scattered Spider is the threat actor — the group that performed the social engineering, compromised the TCS contractor, extracted NTDS.dit, and moved laterally through the network. DragonForce is the ransomware-as-a-service platform whose encryptor they deployed as the final payload. This is the RaaS affiliate model: the threat actor and the ransomware are separate entities. M&S chairman Archie Norman confirmed both in his parliamentary testimony in July 2025. SentinelOne specifically declined to officially attribute the attacks to Scattered Spider in a May 2025 report, noting only that the attackers "exhibit behavioral and operational characteristics consistent with those previously associated with The Com" — a more cautious position that some media outlets interpreted as contradiction when it is actually a different attribution threshold. The forensic investigation by CrowdStrike, Microsoft, and Fenix24 concluded Scattered Spider involvement. That finding, combined with Archie Norman's parliamentary confirmation, is why this profile attributes the attack to Scattered Spider.
In August 2023, Scattered Spider breached Clorox by calling Cognizant's service desk — which managed Clorox's IT help desk — and impersonating employees. Cognizant agents provided passwords and reset MFA credentials without any identity verification. The attack disrupted manufacturing and distribution capabilities for months, causing product shortages and costing Clorox approximately $380 million in total damages, including more than $49 million in direct remediation. In July 2025, Clorox filed a lawsuit against Cognizant in California Superior Court. The complaint includes recorded call transcripts. In one recording, an attacker says "I don't have a password, so I can't connect" — and the Cognizant agent responds "Oh, ok. So let me provide the password to you, ok?" and provides a new password. The lawsuit states: "Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques." Cognizant responded that "Clorox had such an inept internal cybersecurity system to mitigate this attack." The case is ongoing.
A phone call to MGM's IT help desk — made after researching a target employee on LinkedIn — gave Scattered Spider full network access. Attackers specifically targeted accounts with Super Administrator privileges within MGM's Okta tenant, then used inbound federation to register an attacker-controlled identity provider, yielding broad access across MGM's cloud and internal infrastructure. Slot machines, ATMs, electronic room keys, and reservations systems went offline. The breach disrupted hotel operations for over a week and cost more than $100 million in Q3 2023 losses alone. MGM CEO William Hornbuckle stated the company was "completely in the dark" about its properties. MGM declined to pay the ransom. BlackCat/ALPHV ransomware was deployed across more than 100 ESXi hypervisors. A 17-year-old UK suspect was arrested in July 2024 in connection with the hack. A separate federal indictment of five alleged members was unsealed in November 2024. In January 2025, MGM agreed to a $45 million class-action settlement covering approximately 37 million customers affected by the 2019 and 2023 breaches combined. MGM separately committed $50 million to cybersecurity upgrades following the attack.
Sourcing note: The widely-cited detail that the breach began with a "ten-minute phone call" originates from vx-underground, a cybercrime-focused research account, and was reported by numerous outlets. It is plausible and consistent with Scattered Spider's documented methods, but it has not been corroborated in official FBI documents, the November 2024 federal indictment, or MGM's official disclosures. Analyst1's threat profile states "full tenant compromise was achieved in a single call lasting less than ten minutes" — however this is secondary reporting, not primary sourcing. The broader facts of a LinkedIn-researched social engineering call to the IT help desk and Okta Super Administrator compromise are confirmed by CISA and multiple incident responders. The "ten-minute" duration is widely reported but not formally sourced, and is not used as a stated fact in this profile.
Caesars Entertainment was breached via a third-party IT vendor using the same social engineering playbook as MGM. Caesars paid approximately $15 million — roughly half the originally demanded ransom of $30 million — to prevent disclosure of stolen loyalty program data including driver's license numbers and potentially Social Security numbers for a "significant number" of customers. The breach was disclosed only after payment, raising governance questions about ransomware disclosure obligations.
The 2022 0ktapus campaign was a mass SMS phishing campaign targeting Twilio, Okta, Mailchimp, LastPass, DoorDash, Cloudflare, and over 130 other technology companies. It harvested over 9,900 credentials from Okta customers by phishing identity provider login pages — a figure sourced from Group-IB's August 2022 research report, which coined the "0ktapus" name for this campaign. The campaign established the group's signature playbook of targeting identity infrastructure for downstream access to hundreds of organizations simultaneously. Tyler Buchanan (aka "tylerb"), later charged federally, was tied to this campaign through phishing domains registered from a Scottish IP address traced to his Virgin Media account. FBI investigators determined Buchanan and co-conspirators targeted at least 45 companies across the U.S., Canada, India, and the UK.
TfL was breached in September 2024, disrupting internal systems and requiring approximately 5,000 staff to attend in person to verify their identities as part of the remediation process — an unusual step that illustrates the depth of credential compromise. Oyster card refund information for approximately 5,000 customers was compromised. Owen Flowers (18, Walsall) was first arrested in September 2024 in connection with the TfL hack; the NCA stated that arrest led to the discovery of evidence that Flowers had also participated in cyberattacks on American healthcare companies. In September 2025, both Flowers and Thalha Jubair (19, East London) were re-arrested and formally charged with conspiring to commit unauthorised acts against TfL under the UK Computer Misuse Act. NCA head of National Cyber Crime Unit Paul Foster called the arrests "a key step in what has been a lengthy and complex investigation." These September 2025 TfL-specific arrests are distinct from the July 2025 arrests tied to the M&S, Co-op, and Harrods retail attacks.
Attribution note: TfL and UK law enforcement have not officially attributed this attack to Scattered Spider as an organisation. The connection is based on attack methodology consistent with The Com group techniques, the involvement of named individuals also linked to other Scattered Spider-associated activity, and reporting by cybersecurity outlets. It is included here as ecosystem-attributed rather than formally confirmed. The NCA's arrest of Flowers and Jubair ties named individuals to both the TfL hack and to broader Scattered Spider-linked activity, including confirmed connections to U.S. healthcare sector attacks.
Tools & Malware
- DragonForce ransomware: The primary ransomware payload in 2025 campaigns, confirmed by the July 2025 FBI/CISA joint advisory. DragonForce originated as a pro-Palestine hacktivist group (DragonForce Malaysia, active since August 2021) before pivoting to ransomware-as-a-service. The ransomware binary has been observed to be based on a leaked LockBit Black (LockBit 3.0) builder. Cross-platform: capable of encrypting Windows systems and Linux/VMware ESXi environments simultaneously. In the M&S breach, DragonForce was deployed specifically against ESXi hosts to encrypt virtual machines. Note on the RansomHub claim: In March 2025, DragonForce publicly claimed to have taken over RansomHub's RaaS infrastructure after RansomHub ceased operations. This claim came from DragonForce itself and has not been independently verified by a government advisory or major forensic firm. It is widely reported in cybersecurity media but should be treated as self-reported until corroborated.
- BlackCat/ALPHV: Ransomware used in the 2023 MGM campaign. Rust-based, cross-platform, triple extortion model (encrypt, exfiltrate, publish). Now defunct following law enforcement disruption, but the ransomware affiliate relationships it enabled persist through DragonForce and RansomHub successors.
- Sh1nySp1d3r (SLH ransomware): A custom ransomware platform developed as part of the Scattered LAPSUS$ Hunters alliance, written in Go and believed to have been deployed in late 2025. Hooks Event Tracing for Windows (ETW) to prevent encryption activity from being logged to the Windows Event Viewer. Also deletes shadow volume copies and overwrites free space with random data to prevent forensic recovery. Organizations relying solely on Windows event logs for ransomware detection will have no visibility into its activity. Verification note: Sh1nySp1d3r's technical capabilities are documented by Trustwave SpiderLabs and Kraven Security in late 2025 research. It has not yet been confirmed in a government advisory with the same specificity as DragonForce. It is included here because the ETW-hooking capability is operationally significant and the SLH alliance context is confirmed by multiple vendors. Treat its deployment as a credible risk, not a government-confirmed certainty.
- NTDS.dit extraction: In the M&S breach, Scattered Spider exfiltrated the NTDS.dit file — the Active Directory database containing password hashes for every user on the corporate Windows domain, including usernames, group memberships, and system structure. With NTDS.dit in hand, attackers crack hashes offline, enabling credential access to all domain accounts without further interaction with target systems. This technique bypasses most endpoint detection controls because no malware is involved: the file is a legitimate Windows database copied using standard administrative tools.
- Raccoon Stealer: Listed in the original FBI/CISA advisory as a credential-harvesting tool used post-access to capture login credentials from browsers, applications, and stored passwords on compromised endpoints.
- Windows Quick Assist (affiliated actors confirmed; Scattered Spider reported): A remote assistance utility built into Windows that requires no installation and presents no security warnings to users. Firmly confirmed as the initial remote access mechanism in Teams-based intrusions attributed to Storm-1811 (Microsoft, May 2024) and STAC5777 (Sophos, January 2025). MOXFIVE reports adoption by Scattered Spider following documented effectiveness in Black Basta-linked campaigns in late 2024. This specific attribution to Scattered Spider is not yet corroborated by a major government advisory; however, given the demonstrated TTP overlap between Scattered Spider and these affiliated actors, defenders should treat Quick Assist as a high-risk tool in any environment where this actor cluster is a concern.
- DarkGate / BackConnect (confirmed for affiliated actors): Malware deployed post-access in Storm-1811 and STAC5777 intrusions. BackConnect — confirmed by Trend Micro and Sophos in Black Basta/Cactus campaigns — provides persistent remote command execution and credential theft. DarkGate observed as a follow-on payload after Teams-based initial access. Both tools are associated with the Black Basta-adjacent ecosystem Scattered Spider overlaps with through shared ransomware affiliate relationships.
- AnyDesk / ConnectWise ScreenConnect / TeamViewer / Zoho Assist / Splashtop: Legitimate remote management tools deployed for persistent access post-compromise. CISA and multiple incident responders have confirmed Scattered Spider installs multiple RMM tools simultaneously — sometimes six or more — to ensure persistence if any one is discovered. Use of legitimate software makes detection significantly harder than custom backdoors.
- Salesforce OAuth app abuse (SLH / UNC6040): In the 2025 SLH alliance campaigns, attackers used voice phishing to convince employees to authorize a malicious Salesforce-connected app disguised as "Data Loader" or similar legitimate integration. Once authorized, the app provides API-level access to bulk-export CRM data including customer records, contact details, and sales pipeline data. Google confirmed Salesforce itself was not exploited — all observed incidents relied purely on social engineering to obtain OAuth authorization. Custom Python automation tools were used to perform bulk data exports at scale.
- Mimikatz / DCSync: Credential harvesting and replication attacks for lateral movement after initial access. Used to extract additional credentials from Active Directory beyond the initial compromised account.
- Azure AD / Entra ID and Okta exploitation: Native cloud identity platform tools abused to register new MFA devices, create admin accounts, and maintain persistence across password resets. CISA noted the group specifically searches for SharePoint sites, credential storage documentation, VMware vCenter infrastructure, backups, and VPN setup instructions after gaining initial access.
- Telecom Enemies / Gorilla Call Bot (Com infrastructure): Silent Push researchers documented that The Com — the broader community Scattered Spider operates within — uses a "Developer-as-a-Service" group called "Telecom Enemies" (also known as "Telecom Clowns") that builds and maintains tooling used across The Com. Their products include the "Gorilla Call Bot," used for automating voice phishing campaigns and abusing Google Voice, and an "All-in-One" (AIO) phishing kit containing pre-built templates for Coinbase, Gemini, Kraken, Microsoft, Google, iCloud, LastPass, MetaMask, and dozens of other commonly targeted services. This infrastructure explains why Scattered Spider campaigns can be executed by members with limited technical development skills — the tooling is rented or purchased from a shared ecosystem. This "script kiddie" component of The Com's operational model is important context: high-impact breaches do not require sophisticated custom development when shared infrastructure handles phishing kit creation and call automation.
A documented and uniquely dangerous TTP confirmed by CISA and FBI: Scattered Spider actors join victim incident remediation and response calls and teleconferences — creating new identities within the environment, sometimes backstopped by fake social media profiles — specifically to monitor how security teams are hunting them and develop new intrusion avenues in response to defenses being erected. The group has also been observed searching victim Slack, Microsoft Teams, and Microsoft Exchange for emails or conversations about the intrusion to determine whether their activity has been discovered.
Mitigation & Defense
- Callback verification for MFA resets — the single most critical control: Implement mandatory out-of-band callback verification to a number already on file before completing any MFA reset, account recovery, or password change. This single procedural control directly breaks Scattered Spider's primary attack vector. The Clorox/$380M breach occurred because Cognizant agents reset credentials and MFA without any identity verification; the M&S breach entered through a TCS helpdesk compromise that bypassed verification. CISA states: "After identifying usernames, passwords, PII, and conducting SIM swaps, the threat actors then use social engineering techniques to convince IT help desk personnel to reset passwords and/or MFA tokens." Document verification requirements in contracts with all third-party IT providers and audit compliance regularly.
- Phishing-resistant MFA: Replace SMS and voice-call MFA with FIDO2/hardware keys or passkeys. SIM swapping is entirely ineffective against hardware-bound credentials. CISA's fact sheet on implementing phishing-resistant MFA provides implementation guidance for common identity platforms. Note on terminology confusion: "phishing-resistant MFA" is used inconsistently online. Some vendors market authenticator apps or email OTPs as "phishing-resistant" — they are not resistant to the social engineering techniques Scattered Spider uses, because an attacker can simply call the victim and ask them to read out or approve the code. True phishing-resistant MFA for this threat means hardware-bound credentials (FIDO2, physical security keys, device-bound passkeys) where the authentication is cryptographically tied to the legitimate domain and cannot be intercepted or socially engineered out of the user. App-based push MFA without hardware binding is vulnerable to push bombing. SMS MFA is vulnerable to SIM swapping. Neither qualifies as phishing-resistant against this threat actor.
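The point about hardware-bound credentials being "cryptographically tied to the legitimate domain" is easiest to see in the relying-party checks a WebAuthn server performs. The block below is an added example written for this profile (not code from the profile, a vendor, or any WebAuthn library): the RP ID `sso.example.com`, the expected origin, and the assertions produced by `build_assertion()` are all assumed or constructed. It implements the origin, challenge and `rpIdHash` bindings that a look-alike domain cannot satisfy; signature verification is left to a proper WebAuthn library because it needs the stored public key and a crypto backend.

```python
"""Relying-party checks behind WebAuthn's phishing resistance.
Added example: RP_ID / EXPECTED_ORIGIN are assumed values, and the assertions
returned by build_assertion() are constructed test data, not browser captures."""
import base64
import hashlib
import json
import os

RP_ID = "sso.example.com"                     # assumed relying-party ID
EXPECTED_ORIGIN = "https://sso.example.com"   # the only origin we accept


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> bytes:
    """Fresh per-login challenge; the server stores it against the session."""
    return os.urandom(32)


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Return (accepted, reason).  Signature verification over
    authenticatorData || SHA-256(clientDataJSON) is left to a WebAuthn
    library; the checks here are the bindings a look-alike site cannot pass."""
    client_data = json.loads(_b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if _b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or cross-session assertion)"
    # The browser writes the page origin itself; a user on a look-alike site
    # cannot be talked into producing an assertion that names the real origin.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %r" % client_data.get("origin")
    auth_data = _b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    # First 32 bytes: SHA-256 of the RP ID the authenticator actually signed for.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:              # UP flag: user presence was tested
        return False, "user presence not asserted"
    return True, "ok"


def build_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Constructed stand-in for what a browser hands back (signature omitted)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": _b64url_encode(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x05])                 # flags: UP | UV
                 + (1).to_bytes(4, "big"))       # signature counter
    return {"clientDataJSON": _b64url_encode(client_data),
            "authenticatorData": _b64url_encode(auth_data)}


if __name__ == "__main__":
    ch = new_challenge()
    print(verify_assertion(build_assertion(EXPECTED_ORIGIN, RP_ID, ch), ch))
    # A look-alike domain: the browser stamps its own origin into clientDataJSON.
    print(verify_assertion(build_assertion("https://sso-example.com",
                                           "sso-example.com", ch), ch))
```

Contrast this with an OTP: nothing in a six-digit code says which site asked for it, so a caller who talks the user into reading it out can replay it against the real site. Here the origin and RP ID are written by the browser and authenticator, not by the user, which is why no phone call can extract a usable assertion.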
- Active Directory hardening — protect NTDS.dit: The M&S breach pivoted on NTDS.dit extraction. Restrict access to domain controllers and audit who can perform ntdsutil, Volume Shadow Copy, or similar operations. Enable advanced audit policies to log and alert on NTDS.dit access attempts. Implement tiered administration to ensure that credentials for operational systems cannot be harvested through a single identity layer compromise.
- Help desk security training and vishing simulation: Train all help desk staff — including third-party contractors — specifically on social engineering red flags: urgency, pressure, requests that skip normal procedures, callers who offer excessive personal detail to establish legitimacy. Run regular vishing simulation exercises using scenarios that mirror documented Scattered Spider techniques. Mandiant's Carmakal has recommended: "the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts." Contractually require third-party IT providers to maintain equivalent training standards.
- Identity provider monitoring: Alert on new MFA device registrations, new admin account creation, bulk permission changes, and new SSO application authorizations in Okta, Entra ID, and similar platforms. These are reliable indicators of Scattered Spider post-compromise activity. CISA confirmed the group searches SharePoint sites, credential storage documentation, VMware vCenter infrastructure, backups, and VPN setup instructions after gaining access — detection of these search patterns within an identity-adjacent environment warrants immediate investigation.
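As an added example of the monitoring described above (written for this profile, not taken from Okta's or any vendor's code), the block below runs a small rule set over events shaped like Okta System Log entries. The event type names are Okta's; the sample events, user names, IP addresses and the one-hour reset-to-enrol window are constructed or assumed. The stateful rule is the one that matters most against this actor: a help-desk factor reset followed shortly by a new factor enrolment, which is exactly what a socially engineered MFA reset looks like in the log. The stand-alone rules cover the MGM pattern (a new identity provider, i.e. inbound federation) and new admin privileges.

```python
"""Identity-provider detection over Okta System Log style events.
Added example: SAMPLE_EVENTS are constructed, not a capture, and the
reset-to-enrol window is an assumed tuning value."""
from datetime import datetime, timedelta

RESET_TO_ENROLL_WINDOW = timedelta(hours=1)   # assumed tuning value

# Event types that warrant an alert on their own (Okta System Log names).
STANDALONE_ALERTS = {
    "system.idp.lifecycle.create": ("critical", "new identity provider added (inbound federation)"),
    "user.account.privilege.grant": ("high", "administrator privilege granted"),
    "application.lifecycle.create": ("medium", "new SSO application created"),
    "user.lifecycle.create": ("low", "new user account created"),
}


def _when(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def _target_user(event):
    """The user acted upon, falling back to the actor for non-user targets."""
    for target in event.get("target", []):
        if target.get("type") == "User":
            return target["alternateId"]
    return event["actor"]["alternateId"]


def detect(events):
    """Return alerts in time order.  Stateful rule: a factor reset followed by
    a new factor enrolment within the window, the sequence behind a
    socially engineered MFA reset."""
    alerts = []
    last_reset = {}     # user -> (time, performed by, source IP)
    for ev in sorted(events, key=_when):
        kind = ev["eventType"]
        user = _target_user(ev)
        ip = ev.get("client", {}).get("ipAddress", "?")
        now = _when(ev)
        if kind == "user.mfa.factor.reset_all":
            last_reset[user] = (now, ev["actor"]["alternateId"], ip)
        elif kind == "user.mfa.factor.activate" and user in last_reset:
            reset_at, by, reset_ip = last_reset[user]
            if now - reset_at <= RESET_TO_ENROLL_WINDOW:
                minutes = int((now - reset_at).total_seconds() // 60)
                alerts.append({"rule": "mfa_reset_then_enroll", "severity": "high",
                               "user": user,
                               "detail": f"factors reset by {by} from {reset_ip}; "
                                         f"new factor enrolled {minutes} min later from {ip}"})
        if kind in STANDALONE_ALERTS:
            severity, desc = STANDALONE_ALERTS[kind]
            alerts.append({"rule": kind, "severity": severity, "user": user,
                           "detail": f"{desc} by {ev['actor']['alternateId']} from {ip}"})
    return alerts


SAMPLE_EVENTS = [   # constructed; shape follows the Okta System Log
    {"published": "2025-06-12T09:02:11.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "j.doe@example.com"}, "client": {"ipAddress": "203.0.113.10"},
     "target": []},
    {"published": "2025-06-12T10:00:05.000Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk.agent@example.com"}, "client": {"ipAddress": "203.0.113.44"},
     "target": [{"type": "User", "alternateId": "j.doe@example.com"}]},
    {"published": "2025-06-12T10:07:40.000Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "j.doe@example.com"}, "client": {"ipAddress": "198.51.100.7"},
     "target": [{"type": "User", "alternateId": "j.doe@example.com"}]},
    {"published": "2025-06-12T10:21:03.000Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "j.doe@example.com"}, "client": {"ipAddress": "198.51.100.7"},
     "target": [{"type": "User", "alternateId": "j.doe@example.com"}]},
    {"published": "2025-06-12T10:46:19.000Z", "eventType": "system.idp.lifecycle.create",
     "actor": {"alternateId": "j.doe@example.com"}, "client": {"ipAddress": "198.51.100.7"},
     "target": [{"type": "IdentityProvider", "alternateId": "partner-sso"}]},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["rule"], alert["user"], "-", alert["detail"])
```

In production the same rules would read from the System Log API or a SIEM feed rather than a list; the useful part is the pairing of the reset with the enrolment and the source-IP change between them, which a per-event alert on `user.mfa.factor.activate` alone would not surface.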
- Restrict Microsoft Teams external access: In Microsoft 365 admin settings, restrict inbound Teams calls and messages to trusted external domains only, or disable external communication entirely if not operationally required. The default configuration allowing any external M365 tenant to initiate calls with internal users is the direct enabler of the Teams-based vishing variant. Organizations with outsourced IT should define and enforce an explicit allowlist of external domains from which Teams calls will be accepted.
- Salesforce and CRM OAuth app governance: Audit all authorized Salesforce-connected applications. Establish an approval workflow for any new OAuth app authorization and require security review before employees can authorize third-party integrations. Alert on bulk API data exports and anomalous Data Loader activity. The SLH/UNC6040 Salesforce campaign did not exploit any platform vulnerabilities — all breaches relied on employees being socially engineered into authorizing malicious apps.
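An added example of the audit described above, written for this profile and not derived from Salesforce's own tooling: the first function reviews connected-app authorizations against an allowlist, flagging names that merely resemble an approved app (the "Data Loader" disguise) and young apps that are already busy; the second watches bulk-export volume per user over a sliding 24-hour window. The rows are constructed and shaped like a SOQL export of the `OauthToken` object (`AppName`, `UserId`, `CreatedDate`, `LastUsedDate`, `UseCount`); the activity feed, the allowlist and all thresholds are assumptions to tune for your org.

```python
"""Connected-app and bulk-export review for Salesforce.
Added example: SAMPLE_TOKENS / SAMPLE_ACTIVITY are constructed, and the
allowlist and thresholds are assumed values."""
import re
from datetime import datetime, timedelta

APPROVED_APPS = {"Data Loader", "Salesforce for Outlook"}   # assumed org allowlist
NEW_APP_WINDOW = timedelta(days=7)     # an app is "new" within a week of authorization
NEW_APP_USE_LIMIT = 20                 # API uses in that window before alerting (assumed)
BULK_ROWS_PER_DAY = 100_000            # rows per user per 24h before alerting (assumed)


def _norm(name):
    """Collapse case, spaces and punctuation so 'Data-Loader' == 'data loader'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def review_tokens(tokens):
    """Flag unapproved apps, look-alikes of approved names, and young apps
    that are already busy (the malicious 'Data Loader' pattern)."""
    findings = []
    approved_norm = {_norm(a): a for a in APPROVED_APPS}
    for tok in tokens:
        name, user = tok["AppName"], tok["UserId"]
        if name in APPROVED_APPS:
            continue
        if _norm(name) in approved_norm:
            findings.append({"rule": "lookalike_app_name", "severity": "high", "user": user,
                             "app": name,
                             "detail": f"resembles approved app {approved_norm[_norm(name)]!r}"})
        else:
            findings.append({"rule": "unapproved_app", "severity": "medium", "user": user,
                             "app": name, "detail": "not on the connected-app allowlist"})
        age = _ts(tok["LastUsedDate"]) - _ts(tok["CreatedDate"])
        if age <= NEW_APP_WINDOW and tok["UseCount"] >= NEW_APP_USE_LIMIT:
            findings.append({"rule": "new_app_high_use", "severity": "high", "user": user,
                             "app": name,
                             "detail": f"{tok['UseCount']} uses within {age} of authorization"})
    return findings


def review_bulk_exports(activity):
    """Sliding 24-hour row count per user; one finding per user."""
    findings, history = [], {}
    for rec in sorted(activity, key=lambda r: _ts(r["when"])):
        if rec["api"] != "bulk":
            continue
        when, user = _ts(rec["when"]), rec["user"]
        window = [(t, n) for t, n in history.get(user, []) if when - t <= timedelta(hours=24)]
        window.append((when, rec["rows"]))
        history[user] = window
        total = sum(n for _, n in window)
        if total >= BULK_ROWS_PER_DAY and not any(f["user"] == user for f in findings):
            findings.append({"rule": "bulk_export_volume", "severity": "high", "user": user,
                             "detail": f"{total} rows exported within 24h"})
    return findings


SAMPLE_TOKENS = [   # constructed rows shaped like an OauthToken export
    {"AppName": "Data Loader", "UserId": "alice", "CreatedDate": "2025-01-10T08:00:00.000Z",
     "LastUsedDate": "2025-06-10T16:30:00.000Z", "UseCount": 120},
    {"AppName": "Ticket Sync (hypothetical)", "UserId": "bob",
     "CreatedDate": "2025-06-11T09:00:00.000Z", "LastUsedDate": "2025-06-11T09:05:00.000Z",
     "UseCount": 3},
    {"AppName": "Data-Loader", "UserId": "carol", "CreatedDate": "2025-06-12T13:55:00.000Z",
     "LastUsedDate": "2025-06-12T14:20:00.000Z", "UseCount": 48},
]
SAMPLE_ACTIVITY = [   # constructed, simplified bulk-API result records
    {"when": "2025-06-12T14:02:00.000Z", "user": "carol", "api": "bulk", "rows": 650_000},
    {"when": "2025-06-12T14:15:00.000Z", "user": "carol", "api": "bulk", "rows": 550_000},
    {"when": "2025-06-12T11:00:00.000Z", "user": "alice", "api": "bulk", "rows": 4_000},
]

if __name__ == "__main__":
    for f in review_tokens(SAMPLE_TOKENS) + review_bulk_exports(SAMPLE_ACTIVITY):
        print(f["severity"].upper(), f["rule"], f["user"], "-", f["detail"])
```

The look-alike check is deliberately lenient: an attacker-controlled app only needs a name close enough to pass a glance on the consent screen, so anything that normalizes to an approved name but is not the approved record should go to a human reviewer rather than be auto-allowed.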
- Disable or restrict Quick Assist: If Quick Assist is not used by your IT support team, disable it via Microsoft Intune or Group Policy. Where remote support tools are required, replace Quick Assist with a managed solution that enforces authenticated sessions. Alert on Quick Assist execution where it remains permitted. The same control applies to all unapproved RMM software: maintain an allowlist and alert on installation of any non-approved remote management tool.
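The two detection needs raised in this section, the NTDS.dit audit under "Active Directory hardening" and the RMM/Quick Assist allowlist just above, both come down to watching process creation, so one added example covers both (written for this profile; not Microsoft's, CISA's or any vendor's code). It scans records shaped like Windows Security event 4688 for the standard-tool extraction chain the M&S paragraph describes (shadow copy, `ntdsutil ... ifm`, copying `ntds.dit` out of a shadow) and for remote-access executables not on the approved list. The sample events, host and user names, the RMM name substrings and the allowlist are all constructed or assumed; replace the last two from your own software inventory.

```python
"""Process-creation (Security event 4688 style) detection for NTDS.dit
extraction and unapproved remote-access tools.
Added example: SAMPLE_EVENTS are constructed, and RMM_MARKERS / APPROVED_RMM
are assumed starting values, not an authoritative list."""
import re
from pathlib import PureWindowsPath

# Command-line patterns for the standard-tool NTDS.dit extraction chain,
# matched against the lowercased command line.
NTDS_RULES = [
    ("ntdsutil_ifm",      "high",   r"ntdsutil\.exe.*(\bifm\b|create full)"),
    ("vss_shadow_create", "medium", r"vssadmin\.exe\s+create\s+shadow|diskshadow\.exe"),
    ("ntds_dit_access",   "high",   r"\\ntds\\ntds\.dit|\\windows\\ntds\\"),
    ("esentutl_ntds",     "high",   r"esentutl\.exe.*ntds\.dit"),
]
# Substrings of remote-access executables worth tracking (assumed starting list).
RMM_MARKERS = ("quickassist", "anydesk", "teamviewer", "screenconnect", "splashtop")
APPROVED_RMM = {"screenconnect"}   # assumed: the one managed tool the org sanctions


def _alert(ev, rule, severity, detail):
    return {"rule": rule, "severity": severity, "host": ev["Computer"],
            "user": ev["SubjectUserName"], "time": ev["TimeCreated"], "detail": detail}


def scan(events):
    """Return one alert per matching rule per event, in input order."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "").lower()
        exe = PureWindowsPath(ev["NewProcessName"]).name.lower()
        for rule, severity, pattern in NTDS_RULES:
            if re.search(pattern, cmd):
                alerts.append(_alert(ev, rule, severity, cmd))
        # Any known remote-access binary that is not the sanctioned one.
        marker = next((m for m in RMM_MARKERS if m in exe), None)
        if marker and marker not in APPROVED_RMM:
            alerts.append(_alert(ev, "rmm_unapproved", "high", exe))
    return alerts


SAMPLE_EVENTS = [   # constructed 4688-style records; paths are illustrative
    {"TimeCreated": "2025-04-18T22:14:03Z", "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe create shadow /for=C:"},
    {"TimeCreated": "2025-04-18T22:15:40Z", "Computer": "DC01", "SubjectUserName": "t.contractor",
     "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Temp\ntds" q q'},
    {"TimeCreated": "2025-04-18T22:16:12Z", "Computer": "DC01", "SubjectUserName": "t.contractor",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                    r"\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"},
    {"TimeCreated": "2025-04-18T20:03:55Z", "Computer": "WS-042", "SubjectUserName": "j.doe",
     "NewProcessName": r"C:\Users\j.doe\AppData\Local\AnyDesk\AnyDesk.exe",
     "CommandLine": r"AnyDesk.exe"},
    {"TimeCreated": "2025-04-18T19:58:10Z", "Computer": "WS-042", "SubjectUserName": "j.doe",
     "NewProcessName": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
     "CommandLine": r"QuickAssist.exe"},
    {"TimeCreated": "2025-04-18T09:30:00Z", "Computer": "WS-019", "SubjectUserName": "helpdesk.svc",
     "NewProcessName": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "CommandLine": r"ScreenConnect.ClientService.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["rule"], a["host"], a["user"], "-", a["detail"])
```

The shadow-copy rule fires on the backup service account as well, which is intended: a legitimate backup job is the usual cover for this step, so the rule should be paired with an allowlist of backup accounts and hosts rather than dropped. Command-line logging must be enabled for 4688 (or an equivalent EDR telemetry source used) or the NTDS rules have nothing to match.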
- Vendor and MSP access hardening: Apply the same verification standards to vendor and MSP access requests as to internal employees. The M&S breach entered through TCS; the Clorox breach entered through Cognizant; the Caesars breach entered through a third-party IT vendor. Scattered Spider systematically exploits the lower scrutiny applied to third-party callers. Include mandatory identity verification procedures in IT outsourcing contracts, with explicit provisions for audit and liability in the event of non-compliance.
- Incident response call security: CISA confirmed that Scattered Spider actors join victim incident remediation and response teleconferences — creating new identities within the environment to monitor how security teams are hunting them. Restrict incident response calls to verified internal participants only. Use out-of-band communication channels not accessible from potentially compromised corporate accounts. Treat any account created within hours or days of the initial compromise as suspect until verified through multiple independent channels.
- Offline backups — CISA recommendation: Maintain offline, encrypted backups of critical data stored separately from source systems. The July 2025 FBI/CISA joint advisory specifically calls out offline backups as one of three immediate actions organizations can take. DragonForce and Sh1nySp1d3r both target shadow volume copies and backup infrastructure as part of ransomware deployment — offline backups are the primary recovery mechanism that survives these operations.
- Network segmentation — IT/OT separation: For critical infrastructure, energy, and OT-adjacent organizations: network segmentation between IT and OT environments is the primary architectural control limiting downstream impact from an IT-layer compromise. The July 2025 advisory explicitly names critical infrastructure as an active targeting category. VPN configuration files and domain credentials harvested from IT endpoints can provide pathways toward OT-adjacent systems if segmentation is insufficient.
Law enforcement pressure has not stopped Scattered Spider — it has restructured it. The known arrest and charge timeline as of early 2026: Noah Urban (January 2024, Florida — SIM swapping charges); a 17-year-old UK suspect (July 2024, arrested in connection with the MGM hack, released on bail); Tyler Buchanan (June 2024, Spain, extradited to U.S. April 2025); four individuals federally indicted in November 2024 — Ahmed Elbadawy, Joel Evans, Evans Osiebo, and Buchanan as indicted co-conspirator; Remington Ogletree (December 2024, Fort Worth TX — the sixth federal charge, tied to telecom and financial institution phishing; he told the FBI he knows "key Scattered Spider members" and that the group targets BPO companies specifically "because outsourcing companies they have less security"); four individuals arrested by UK NCA in July 2025 in connection with the M&S, Co-op, and Harrods retail attacks (two 19-year-olds, one 17-year-old, one 20-year-old woman); Owen Flowers and Thalha Jubair charged in September 2025 for the TfL hack; and a juvenile suspect who surrendered to Clark County Juvenile Detention Center in Las Vegas on September 17, 2025. Each arrest wave produced a temporary operational pause, then a resurgence.
Following the July 2025 UK arrests, Mandiant CTO Charles Carmakal stated: "Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the UK, Mandiant Consulting hasn't observed any new intrusions directly attributable to this specific threat actor. This presents a critical window of opportunity that organizations must capitalize on." That window has historically been short.
On the September 2025 "retirement" announcement: In September 2025, a Telegram channel associated with the SLH alliance published what was widely reported as a farewell message — apologizing to families of arrested members, announcing an operational pause, and signing off. Some media outlets reported this as the group shutting down. It was not. Within days, the same operators published follow-up messages denying retirement and claiming the pause was strategic misdirection. Cian Heasley of Acumen Cyber assessed the farewell post as the group "running scared," not genuinely retiring. The pattern is consistent with prior Com group behavior: a public withdrawal announcement followed by reemergence under a modified structure. The FBI and CISA did not issue any advisory indicating the threat had passed. Mandiant continued tracking UNC3944 and related clusters through the period. The "retirement" framing should be treated as threat actor theater, not operational fact.
The August 2025 formalization of the Scattered LAPSUS$ Hunters alliance with ShinyHunters and LAPSUS$ is the clearest evidence that arrest pressure accelerates restructuring rather than dissolution. Defenders should treat this as a single adaptive threat ecosystem rather than a collection of discrete groups with stable memberships and firm operational boundaries. The attribution label matters less than the playbook — and the playbook is now being executed by an expanding number of affiliated actors, some of whom may have no direct connection to the original Scattered Spider membership at all.
Sources & Further Reading
- NoHacky — Scattered Spider: Anatomy of the 2025 Attack Chain (2026)
- MITRE ATT&CK — Scattered Spider Group Profile (G1015)
- CISA/FBI/RCMP/ASD/NCSC/AFP/CCCS — Scattered Spider Joint Cybersecurity Advisory (updated July 29, 2025)
- CISA — Updated Advisory Release Announcement (July 29, 2025)
- FBI — Scattered Spider Advisory PDF (July 2025)
- CrowdStrike — Scattered Spider Adversary Profile
- Microsoft Security Blog — Threat Actors Misusing Quick Assist in Social Engineering Attacks (May 2024)
- Sophos — MDR Tracks STAC5143 and STAC5777 Teams Vishing Campaigns (January 2025)
- Microsoft DART — Help on the Line: Teams Support Call Led to Compromise (March 2026)
- Google GTIG — Defending Against UNC3944: Hardening Guidance from the Frontlines (2025)
- KrebsOnSecurity — Feds Charge Five Men in Scattered Spider Roundup (November 2024)
- KrebsOnSecurity — Alleged Scattered Spider Member Tyler Buchanan Extradited to U.S. (April 2025)
- The Record — Five Scattered Spider Members Charged for Breaches, Theft of $11 Million (November 2024)
- The Hacker News — Four Arrested in £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods (July 2025)
- Infosecurity Magazine — How the UK Retail Sector Responded to the Scattered Spider Hack Wave (December 2025)
- Infosecurity Magazine — Inside DragonForce, the Group Tied to M&S, Co-op and Harrods Hacks (June 2025)
- Cybersecurity Dive — Clorox Files $380 Million Suit Blaming Cognizant for 2023 Cyberattack (July 2025)
- Cybersecurity Dive — FBI, CISA Warn About Scattered Spider's Evolving Tactics (July 2025)
- CSO Online — Scattered Spider Shifts Focus to Airlines as Strikes Hit Hawaiian, WestJet, and Qantas (July 2025)
- TechRadar — Aflac Reveals Personal Data of 22.65 Million People Stolen in Cyberattack (December 2025)
- Obsidian Security — ShinyHunters and Scattered Spider: A Merger of Chaos in the 2025 Salesforce Attacks (November 2025)
- Infosecurity Magazine — Scattered Spider, ShinyHunters and LAPSUS$ Form Unified Collective (November 2025)
- Help Net Security — Mandiant M-Trends 2026: Voice Phishing Second-Most Common Initial Vector (March 2026)
- The Record — CISA, FBI Warn of Scattered Spider Social Engineering and SIM Swapping (November 2023)
- Maynard Nexsen — Urgent Cybersecurity Briefing: Scattered Spider Attacks on Insurance Sector (June 2025)
- The Record — Another Teenage Hacker (Remington Ogletree) Charged as Feds Continue Scattered Spider Crackdown (April 2025)
- Cybersecurity Dive — UK Arrests Two More Alleged Scattered Spider Hackers Over London Transit Breach (September 2025)
- Dark Reading — Scattered Spider Member Surrenders Amid Shutdown Claims (September 2025)
- HHS HC3 — Scattered Spider Threat Actor Profile for Healthcare (October 2024)
- Push Security — How Scattered Spider TTPs Are Evolving in 2025 (November 2025)
- SecurityWeek — Scattered Spider Activity Drops Following Arrests, but Others Adopting Group's Tactics (July 2025)