
Scattered Spider: The Evolving Threat Behind Enterprise Identity Exploits
Background
Scattered Spider, also tracked as UNC3944, Scatter Swine, or Muddled Libra, is an advanced threat actor known for its relentless and creative abuse of identity infrastructure. The group surfaced in 2022 but has surged in notoriety through 2023 and into 2025 due to a series of high-impact attacks on sectors like telecommunications, technology, healthcare, and aviation.
Unusually for a financially motivated group, Scattered Spider mimics state-backed Advanced Persistent Threats (APTs) in sophistication. Its members are often native English speakers, skilled in both social engineering and technical compromise. They are experts in exploiting identity systems, bypassing multifactor authentication (MFA), and abusing legitimate IT tools for persistence and lateral movement.
Past Activity
Scattered Spider began as a SIM-swapping and phishing group targeting telecoms and financial platforms in 2022. Their early operations hijacked mobile numbers to intercept MFA and reset passwords, focusing on cryptocurrency theft and personal data exfiltration.
By 2023, their focus expanded to enterprise networks. High-profile campaigns targeted cloud identity providers like Okta and exploited weak help-desk authentication workflows. This allowed them to escalate privileges quickly, often gaining domain-wide access within a day.
Evolution of TTPs
In 2025, Scattered Spider refined its operational playbook. Moving beyond broad SIM-swap and phishing gambits, the group adopted Adversary-in-the-Middle (AiTM) phishing kits that proxy the genuine login page and relay the victim's one-time code or push approval in real time. That defeats any MFA method that is not phishing-resistant (SMS, voice, TOTP and push prompts) and leaves the attacker holding a valid session cookie; it does not defeat FIDO2 or certificate-based authentication, which bind the credential to the real origin. Its phishing domains became more targeted, typically mimicking corporate SSO or help-desk portals with naming patterns such as targetsname-sso[.]com or targetsname-servicedesk[.]com, and were hosted on dynamic DNS providers to evade heuristic detection.
According to the joint advisory from CISA, FBI, and partners, the group has also been targeting Okta, Azure AD (now Microsoft Entra ID), and AWS IAM, exploiting misconfigurations and identity federation weaknesses. In many cases, they have abused Remote Monitoring and Management (RMM) tools such as AnyDesk and ScreenConnect to maintain access and evade detection, since these tools are signed, commonly allow-listed, and blend in with legitimate IT activity.
Social engineering also intensified through voice phishing (vishing) and smishing, frequently impersonating IT staff or third-party vendor personnel, and successfully answering verification questions to obtain credential resets or MFA enrollment links. Post-compromise, Scattered Spider blended living-off-the-land tactics using legitimate tools (e.g., Fleetdeck, TeamViewer, Ngrok) with the introduction of the Spectre RAT and new stealer malware such as Lumma, AveMaria, Raccoon, and VIDAR to maintain persistence and harvest credentials.
Crucially, the group expanded its impact by targeting VMware vCenter/ESXi environments: enabling SSH on hosts, resetting root credentials, exfiltrating Active Directory data (for example, by snapshotting a domain controller VM and pulling NTDS.dit from the disk image, which never touches the guest's EDR), and deploying fast-acting ransomware variants such as DragonForce or BlackCat to encrypt virtual infrastructure within hours. Meanwhile, the group's sectoral targeting intensified, with campaigns against major UK retailers, insurers, and airlines, including incidents affecting millions of customers at Qantas and others. Many of these ran through impersonation or compromise of managed service providers (MSPs) and outsourced help desks, so that a single operation reached several enterprise victims at once.
Techniques and Propagation: An Identity-Focused Lifecycle
Given their strategy, TTPs and propagation methods are inseparable; each stage builds upon identity abuse and lateral movement.
Initial Access
- Phishing via SMS, email, and fake portals.
- Vishing and help-desk impersonation.
- MFA fatigue via repeated push requests.
- SIM-swapping for intercepting MFA tokens.
Post-Access and Propagation
- Session hijacking and token theft.
- Abuse of RMM tools (e.g., AnyDesk, TeamViewer, ScreenConnect).
- Cloud console manipulation in Azure, AWS, and GCP.
- Privilege escalation using tools like BloodHound and AADInternals.
- Manual lateral movement via RDP, PsExec, or GPOs.
Vulnerabilities and Devices Exploited
While Scattered Spider focuses more on abusing trust than exploiting code, some relevant vulnerabilities include:
- CVE-2023-6548: a code-injection vulnerability in the Citrix NetScaler ADC/Gateway management interface (it does not affect ScreenConnect).
- The ConnectWise ScreenConnect authentication-bypass and path-traversal vulnerabilities of early 2024, relevant because ScreenConnect is one of the RMM tools the group abuses for persistence.
- Misconfigured Okta tenants, allowing session hijack or token replay.
- MFA methods that lack phishing resistance (SMS, voice, TOTP, and push prompts), all of which an AiTM proxy or a SIM swap can defeat.
- Cloud admin panels exposed without Conditional Access or geo-fencing.
Exploitation Method
The group typically performs the following sequence:
- Identity impersonation: Tricking help desks or intercepting login flows.
- MFA bypass: Using SIM-swaps, push bombing, or an AiTM relay of the victim's one-time code.
- Token/session hijacking: Replaying a stolen session cookie or token so that no further authentication is needed at all.
- Cloud or AD exploitation: Enumerating roles and escalating privileges.
- Persistence: Through RMM tools or valid sessions.
- Data exfiltration: Cloud storage, messaging platforms, internal shares.
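As an added example (not code from the original page or from the CISA/FBI advisory), the following Python turns three of the steps above into detection logic that can run over an identity provider's sign-in log: MFA push bombing, a help-desk reset followed by a new MFA factor and a sign-in from a network the user has never used, and one session token presented from two different source IPs. The event records, field names, user names and IP addresses are constructed for the example; real IdP logs (Okta's System Log, Entra ID sign-in logs) use different schemas and would need a small mapping layer in front of these functions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Field names are an assumption
# chosen to resemble an identity provider's system log; timestamps are UTC.
SAMPLE_EVENTS = [
    # 1) push bombing against bob: six pushes in four minutes, then he gives in
    {"ts": "2025-07-01T02:00:00", "user": "bob", "event": "mfa.push.challenge", "ip": "198.51.100.9", "result": "DENY"},
    {"ts": "2025-07-01T02:00:40", "user": "bob", "event": "mfa.push.challenge", "ip": "198.51.100.9", "result": "TIMEOUT"},
    {"ts": "2025-07-01T02:01:20", "user": "bob", "event": "mfa.push.challenge", "ip": "198.51.100.9", "result": "DENY"},
    {"ts": "2025-07-01T02:02:05", "user": "bob", "event": "mfa.push.challenge", "ip": "198.51.100.9", "result": "DENY"},
    {"ts": "2025-07-01T02:03:10", "user": "bob", "event": "mfa.push.challenge", "ip": "198.51.100.9", "result": "TIMEOUT"},
    {"ts": "2025-07-01T02:04:00", "user": "bob", "event": "mfa.push.challenge", "ip": "198.51.100.9", "result": "ALLOW"},
    # 2) alice: normal history, then a help-desk MFA reset, a new factor, a sign-in from a new network
    {"ts": "2025-06-28T08:30:00", "user": "alice", "event": "session.start", "ip": "203.0.113.20", "session": "s-100"},
    {"ts": "2025-07-01T10:00:00", "user": "alice", "event": "helpdesk.mfa_reset", "ip": "10.0.5.5", "actor": "svc-desk-07"},
    {"ts": "2025-07-01T10:06:00", "user": "alice", "event": "mfa.factor.enrolled", "ip": "192.0.2.44", "factor": "sms"},
    {"ts": "2025-07-01T10:08:00", "user": "alice", "event": "session.start", "ip": "192.0.2.44", "session": "s-200"},
    # 3) carol: one session token used from two different networks
    {"ts": "2025-07-01T11:00:00", "user": "carol", "event": "session.start", "ip": "203.0.113.50", "session": "s-300"},
    {"ts": "2025-07-01T11:05:00", "user": "carol", "event": "session.use", "ip": "203.0.113.50", "session": "s-300"},
    {"ts": "2025-07-01T11:09:00", "user": "carol", "event": "session.use", "ip": "198.51.100.77", "session": "s-300"},
    # 4) dave: two pushes hours apart, both approved; ordinary activity, must not alert
    {"ts": "2025-07-01T09:00:00", "user": "dave", "event": "mfa.push.challenge", "ip": "203.0.113.9", "result": "ALLOW"},
    {"ts": "2025-07-01T13:00:00", "user": "dave", "event": "mfa.push.challenge", "ip": "203.0.113.9", "result": "ALLOW"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def find_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Users who received >= threshold push challenges inside one window.
    Every challenge counts, not just denials: the final ALLOW after the
    victim gives in is the one that matters most. Returns {user: max_count}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.push.challenge":
            by_user[e["user"]].append(_ts(e))
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits

def find_reset_then_new_network(events, window=timedelta(hours=2)):
    """Help-desk MFA/password reset followed within `window` by a new factor
    enrollment AND a sign-in from an IP never seen for that user before the reset."""
    events = sorted(events, key=_ts)
    findings = []
    for i, e in enumerate(events):
        if e["event"] not in ("helpdesk.mfa_reset", "helpdesk.password_reset"):
            continue
        user, reset_t = e["user"], _ts(e)
        baseline = {x["ip"] for x in events[:i] if x["user"] == user and x["event"] == "session.start"}
        later = [x for x in events[i + 1:] if x["user"] == user and _ts(x) - reset_t <= window]
        enrolled = any(x["event"] == "mfa.factor.enrolled" for x in later)
        new_ips = sorted({x["ip"] for x in later if x["event"] == "session.start" and x["ip"] not in baseline})
        if enrolled and new_ips:
            findings.append({"user": user, "reset_by": e.get("actor"), "reset_at": e["ts"], "new_ips": new_ips})
    return findings

def find_session_reuse(events):
    """A session identifier presented from more than one source IP: the
    signature of a stolen cookie or token replayed from attacker infrastructure."""
    ips, owner = defaultdict(set), {}
    for e in events:
        if e["event"] in ("session.start", "session.use"):
            ips[e["session"]].add(e["ip"])
            owner[e["session"]] = e["user"]
    return {sid: {"user": owner[sid], "ips": sorted(v)} for sid, v in ips.items() if len(v) > 1}

if __name__ == "__main__":
    print("push bombing:", find_push_bombing(SAMPLE_EVENTS))
    print("reset chains:", find_reset_then_new_network(SAMPLE_EVENTS))
    print("session reuse:", find_session_reuse(SAMPLE_EVENTS))
```

The three checks are deliberately independent so each can be tuned on its own: the push-bombing threshold should be set from your own baseline of legitimate challenges per user per window, the reset chain should be tightened to require that the help-desk actor is not also the requester, and the session-reuse check is best combined with ASN or geolocation lookups so that a laptop moving between office Wi-Fi and a phone hotspot does not page anyone.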
Mitigation Recommendations
To counter identity-focused threats like Scattered Spider, organizations must shift from perimeter security to identity-centric detection and defense.
Harden Identity Systems
- Enforce phishing-resistant MFA (e.g., FIDO2, smartcards).
- Enable number matching and geo-restrictions on MFA.
- Shorten session and refresh-token lifetimes, monitor SSO token issuance for anomalies, and revoke all active sessions whenever a password or MFA factor is reset.
Secure Help Desks
- Require strong identity proofing (video or in-person/biometric verification, or a callback to a phone number already on file) before high-risk changes such as MFA re-enrollment or password resets; never rely on knowledge-based questions that an attacker can answer from breached data.
- Require multi-approver verification for password/MFA resets.
- Monitor help-desk activity for anomalous behavior.
Limit Remote Access
- Maintain tight controls over RMM tools.
- Restrict installation via Group Policy and software allow-lists.
- Use Endpoint Detection and Response (EDR) to monitor execution.
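An added example, not code from the page or from any vendor: a Python allow-list check over process-creation events (the kind that EDR, Sysmon event ID 1 or Windows event 4688 produce) that flags the RMM tools from the IOC list further down when they run on a host or under an account not approved for them, or from a user-writable path such as Temp or Downloads. The executable names, the policy table and the sample events are assumptions constructed for the example; build the real image list from your software inventory.

```python
import ntpath  # parses Windows paths correctly even when this runs on Linux

# Executable names for RMM tools named in the IOC list. These are an assumption
# based on the vendors' default installers; extend from your own inventory.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "ngrok.exe": "Ngrok",
    "tailscale.exe": "Tailscale",
    "tailscaled.exe": "Tailscale",
}
# Constructed policy: the one sanctioned tool and where/who may run it.
ALLOWED = {"ScreenConnect": {"hosts": {"it-jump01"}, "users": {"CORP\\svc-remote"}}}
# Path fragments that mean "dropped by a user or script, not installed by IT".
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed process-creation events (not real telemetry).
SAMPLE_PROCS = [
    {"host": "it-jump01", "user": "CORP\\svc-remote",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"},
    {"host": "fin-ws17", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe"},
    {"host": "fin-ws17", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\ngrok.exe"},
    {"host": "hr-ws03", "user": "CORP\\asmith",
     "image": "C:\\Program Files\\ScreenConnect Client\\ScreenConnect.ClientService.exe"},
    {"host": "fin-ws17", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]

def classify(proc):
    """None for non-RMM processes; otherwise the tool name plus every policy
    violation (an empty reasons list means a sanctioned, expected execution)."""
    name = ntpath.basename(proc["image"]).lower()
    tool = RMM_IMAGES.get(name)
    if tool is None:
        return None
    reasons = []
    policy = ALLOWED.get(tool)
    if policy is None:
        reasons.append("unsanctioned tool")
    else:
        if proc["host"] not in policy["hosts"]:
            reasons.append("host not approved")
        if proc["user"] not in policy["users"]:
            reasons.append("user not approved")
    if any(frag in proc["image"].lower() for frag in USER_WRITABLE):
        reasons.append("runs from user-writable path")
    return {"tool": tool, "host": proc["host"], "reasons": reasons}

def find_rmm_alerts(procs):
    """Only the executions that violate at least one rule."""
    alerts = []
    for p in procs:
        verdict = classify(p)
        if verdict and verdict["reasons"]:
            alerts.append(verdict)
    return alerts

if __name__ == "__main__":
    for alert in find_rmm_alerts(SAMPLE_PROCS):
        print(alert)
```

Matching on the file name alone is the weakest part of this check: a renamed binary slips past it, so in production key the table on the signer's certificate subject or the file hash from the EDR event, and treat any RMM image that is signed but unsanctioned as a higher-severity alert than a stray install from Downloads.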
Cloud Security Posture Management
- Implement Conditional Access policies in Microsoft Entra ID (Azure AD) and Context-Aware Access in Google Cloud, so that privileged sign-ins require a compliant device and a phishing-resistant authentication strength.
- Enable MFA for admin roles with geo and device context.
- Use CSPM tools to detect misconfigurations.
Operationalize Threat Intelligence
- Integrate a Threat Intelligence Platform (TIP) to ingest IOCs and TTPs from trusted sources, automate enrichment and correlation in SIEM/SOAR, and maintain real-time awareness of evolving Scattered Spider campaigns.
- Leverage threat intelligence in detection engineering, red team simulations, and risk scoring.
Behavior-Based Detection
- Use User and Entity Behavior Analytics (UEBA) to flag unusual login hours, locations, devices, token reuse, or session anomalies.
- Conduct frequent red-teaming mimicking social engineering and RMM-based persistence.
Conclusion
Scattered Spider exemplifies the modern threat actor: human-led, identity-focused, and operationally advanced. Their shift from consumer phishing to full-blown enterprise compromise underscores how fragile identity systems remain when a help-desk call or a proxied login page can stand in for a credential.
As the group continues to evolve, security leaders must go beyond antivirus and firewalls. The next frontier in defense is identity governance, behavioral analytics, and real-time threat intelligence. In this battle, the best defense isn’t just strong passwords; it’s deep visibility, smart automation, and a zero-trust mindset.
Indicators of Compromise (IOCs)
Tools
Fleetdeck.io
Level.io
Mimikatz [S0002]
Ngrok [S0508]
Pulseway
ScreenConnect
Splashtop
Tactical.RMM
Tailscale
TeamViewer
Teleport.sh
AnyDesk
Malware
AveMaria (also known as WarZone [S0670])
Raccoon Stealer [S1148]
VIDAR Stealer
RattyRAT
DragonForce Ransomware
Exfiltration Infrastructure
MEGA[.]NZ
Amazon S3
Domains
targetsname-sso[.]com
targetsname-servicedesk[.]com
targetsname-okta[.]com
targetsname-cms[.]com
targetsname-helpdesk[.]com
oktalogin-targetcompany[.]com
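Added example (not from the page or the advisory): a Python matcher that takes the naming patterns from the domain IOC list above and a list of your organisation's names, and flags candidate domains (from a newly-registered-domain feed, certificate-transparency log or DNS query log) that fit them. It accepts defanged `[.]` input, handles subdomains, and adds a looser check for the victim name joined by a hyphen to an identity keyword, which catches variants the IOC list does not spell out. The organisation names, candidate domains and keyword list are constructed for the example, and the registrable-label logic assumes a single-label TLD such as .com (a .co.uk domain would need a public-suffix list).

```python
import re

# Naming patterns from the domain IOCs above; {target} stands for the victim's name.
PATTERNS = [
    "{target}-sso", "{target}-servicedesk", "{target}-okta",
    "{target}-cms", "{target}-helpdesk", "oktalogin-{target}",
]
# Identity-themed keywords for the looser check (constructed list; extend as needed).
IDENTITY_TOKENS = {"sso", "okta", "oktalogin", "servicedesk", "helpdesk",
                   "cms", "login", "signin", "vpn", "mfa", "portal"}

# Constructed inputs: your organisation's names and the domains to check.
ORGS = ["Acme Corp", "Globex"]
CANDIDATES = [
    "acmecorp-sso[.]com",            # exact IOC pattern
    "oktalogin-globex[.]com",        # exact IOC pattern, prefix form
    "globex-vpn-login[.]net",        # not an IOC pattern, caught by the keyword check
    "acmecorp[.]com",                # the real domain: must not alert
    "sso-portal[.]example",          # identity words but no org name: must not alert
    "mail.acmecorp-helpdesk[.]com",  # subdomain of a lookalike
]

def refang(domain):
    """Turn defanged 'example[.]com' back into a real hostname, lower-cased."""
    return domain.strip().lower().replace("[.]", ".")

def registrable_label(domain):
    """Label immediately left of the TLD. Assumes a one-label TLD (.com, .net);
    multi-label suffixes such as .co.uk need a public-suffix list instead."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalise_org(name):
    """'Acme Corp' -> 'acmecorp', the way attackers squash names into labels."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def match_lookalike(domain, orgs):
    """Return (org, pattern) when the domain imitates one of our orgs, else None."""
    label = registrable_label(domain)
    tokens = label.split("-")
    for org in orgs:
        t = normalise_org(org)
        for pat in PATTERNS:                      # strict: exact IOC naming pattern
            if label == pat.format(target=t):
                return (org, pat)
        others = [tok for tok in tokens if tok != t]
        if t in tokens and any(tok in IDENTITY_TOKENS for tok in others):
            return (org, "generic:" + label)      # loose: org name + identity keyword
    return None

def scan_domains(domains, orgs):
    """All (domain, org, pattern) hits for a batch of candidate domains."""
    hits = []
    for d in domains:
        m = match_lookalike(d, orgs)
        if m:
            hits.append((d, m[0], m[1]))
    return hits

if __name__ == "__main__":
    for hit in scan_domains(CANDIDATES, ORGS):
        print(hit)
```

Feed the output into a takedown or blocking workflow rather than treating it as a final verdict: the loose check will also flag a partner's legitimate `acmecorp-portal` style domain, so keep an explicit allow-list of domains you or your vendors actually own and check it before alerting.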