Comprehensive CTI Report - Scattered Spider Threat Actor Group

Purpose: To provide an exhaustive analysis of the Scattered Spider threat actor group, detailing their profile, payloads, tactics, techniques, and procedures (TTPs), MITRE ATT&CK framework mappings, methods for proactively tracking their networks using tools like Shodan, and their affiliations with other threat actor groups, incorporating recent insights from the Google Mandiant report.

Executive Summary

Scattered Spider, also known as UNC3944, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest, Roasted 0ktapus, and Storm-0875, is a financially motivated cybercriminal group that emerged in May 2022. Comprising primarily young individuals aged 19-22 from the United States and United Kingdom, the group targets high-value organizations across telecommunications, finance, retail, gaming, food services, and healthcare sectors. Their sophisticated social engineering tactics, ransomware deployment, and use of legitimate tools make them a significant threat.

This updated report leverages Cyber Threat Intelligence (CTI) to detail Scattered Spider’s operational methods, including their payloads (e.g., BlackCat/ALPHV, Qilin, RansomHub, and potentially DragonForce ransomware), TTPs (e.g., phishing, SIM swapping, cloud and virtualization exploitation), and their alignment with the MITRE ATT&CK framework. It incorporates new findings from the Google Mandiant report, confirming their affiliation with AlphV (BlackCat/ALPHV), their shift to RansomHub in 2024, and unconfirmed ties to DragonForce ransomware, alongside their involvement in the broader hacking community known as "The Community" or "The Com" (Google Cloud Blog: Defending Against UNC3944). The report also explores proactive tracking methods using Shodan to monitor their infrastructure, focusing on exposed tools, Autonomous System Numbers (ASNs), and domain patterns. It concludes with enhanced mitigation recommendations, including specific hardening strategies for virtualization and cloud environments.

1. Introduction to Scattered Spider and Cyber Threat Intelligence

1.1 Background on Scattered Spider

Scattered Spider is a financially motivated cybercriminal group that emerged in May 2022, known for targeting large organizations with sophisticated social engineering and ransomware attacks. The group, believed to consist of young individuals aged 19-22 based in the United States and the United Kingdom, operates under multiple aliases, including UNC3944, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest, Roasted 0ktapus, and Storm-0875 (Cyble Threat Actor Profile Scattered Spider). Their high-profile attacks, such as the 2023 casino hacks on Caesars Entertainment and MGM Resorts International, highlight their capability to infiltrate and extort major enterprises (Scattered Spider - Wikipedia).

Despite arrests of members like Noah Michael Urban and Tyler Buchanan in 2024, Scattered Spider remains active, with recent attacks linked to the Marks & Spencer cyber incident in 2025 using DragonForce ransomware (Dark Reading: Despite Arrests, Scattered Spider Continues Hacking). Their adaptability, use of cloud and virtualization environments, and exploitation of legitimate tools necessitate robust CTI to track and mitigate their threats.

1.2 Role of Cyber Threat Intelligence

Cyber Threat Intelligence (CTI) is a subfield of cybersecurity focused on collecting, analyzing, and disseminating data about cyber threats to enable proactive defense, incident response, and risk management (Cyber Threat Intelligence - Wikipedia). CTI integrates open-source intelligence, social media intelligence, technical intelligence, and dark web data to provide actionable insights (Cynet: What is Cyber Threat Intelligence). For Scattered Spider, CTI is critical for understanding their TTPs, anticipating attacks, tracking their infrastructure, and identifying their affiliations within the cybercriminal ecosystem.

The MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques, is used to map Scattered Spider’s activities, facilitating structured analysis and defense planning (MITRE ATT&CK Group G1015 Scattered Spider). Tools like Shodan, a search engine for internet-connected devices, enhance CTI by enabling proactive monitoring of their networks (Shodan Monitor).

2. Profile of Scattered Spider

2.1 Group Characteristics

  • Origin and Composition: Scattered Spider comprises young cybercriminals, primarily aged 19-22, from the US and UK, known for their native English proficiency, which aids in social engineering (Sangfor: Scattered Spider Threat Actors).

  • Motivation: Financially driven, focusing on data theft for extortion and ransomware deployment. They also target prominent brands to gain prestige and media attention (Google Cloud Blog: Defending Against UNC3944).

  • Target Sectors: Initially focused on telecommunications for SIM swapping, they expanded to finance, retail, gaming, food services, and critical infrastructure, particularly healthcare, with sector-specific targeting waves (e.g., financial services in late 2023, food services in May 2024) (HC3 Warns of Scattered Spider in Healthcare, Google Cloud Blog: Defending Against UNC3944).

  • Notable Attacks:

    • June 2023: Reddit breach, listed on AlphV’s data leak site, indicating Scattered Spider’s involvement (SANS Blog: Defending Against SCATTERED SPIDER).

    • September 2023: Caesars Entertainment and MGM Resorts International casino hacks (Scattered Spider - Wikipedia).

    • 2025: Marks & Spencer cyber incident using DragonForce ransomware, with additional reported attacks on UK retail organizations (Dark Reading, Google Cloud Blog: Defending Against UNC3944).

2.2 Operational Context

Scattered Spider’s operations are characterized by their adaptability and use of short-lived infrastructure, making tracking challenging. Initially focused on telecommunications for SIM swapping, they shifted to ransomware and data theft extortion in early 2023, targeting a broader range of industries. Their sector-specific targeting waves include financial services in late 2023 and food services in May 2024 (Google Cloud Blog: Defending Against UNC3944). Their reliance on social engineering, such as phishing and SIM swapping, and legitimate tools like Ngrok and Fleetdeck.io, allows them to evade traditional detection methods (Splunk: Scattered Spider). Their recent adoption of AI for voice spoofing and new ransomware variants like Qilin and DragonForce underscores their evolving threat landscape (Bleeping Computer: Microsoft Links Scattered Spider to Qilin, Google Cloud Blog: Defending Against UNC3944). A decline in activity was observed after 2024 law enforcement actions, but they have resurfaced in 2025, particularly targeting the retail sector (Google Cloud Blog: Defending Against UNC3944).

2.3 Affiliations and Connections

Scattered Spider has established connections within the cybercriminal ecosystem, most notably with the ransomware-as-a-service (RaaS) group AlphV (BlackCat/ALPHV), and has recently been linked to RansomHub and potentially DragonForce ransomware. They are also part of a broader hacking community known as "The Community" or "The Com." Below is a detailed analysis of their affiliations:

  • Connection to AlphV (BlackCat/ALPHV)
    Scattered Spider operates as an affiliate of AlphV, utilizing their ransomware in high-profile attacks. This collaboration was first publicly indicated in June 2023 when Reddit appeared as a victim on AlphV’s data leak site, suggesting Scattered Spider’s involvement in the breach (SANS Blog: Defending Against SCATTERED SPIDER). Their use of AlphV’s ransomware was further evidenced during the September 2023 attacks on MGM Resorts and Caesars Entertainment, where they deployed BlackCat/ALPHV ransomware as part of their extortion tactics (Axios: Cybercrime Gangs Claim MGM Cyberattack). The CISA Advisory on Scattered Spider confirms that Scattered Spider has been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs, such as data theft for extortion. The Bushido Token Blog: Tracking Adversaries notes that temporal, technical, and behavioral analysis linked Scattered Spider to BlackCat following the February 2023 Reddit breach, with BlackCat posting Reddit as a victim in June 2023. While the exact start of this partnership remains unclear, it is likely to have predated the June 2023 public disclosure, possibly initiated earlier in 2023 based on shared TTPs observed in the Canadian Center for Cyber Security Ransomware Alert.

  • Connection to RansomHub
    Following the shutdown of AlphV’s RaaS operations, Scattered Spider became an affiliate of RansomHub in 2024, continuing their ransomware and data extortion activities (Google Cloud Blog: Defending Against UNC3944). RansomHub ceased operations in March 2025, but Scattered Spider’s use of this ransomware variant during 2024 aligns with their pattern of adapting to available RaaS platforms.

  • Potential Ties to DragonForce
    Recent public reporting suggests that Scattered Spider used tactics consistent with their TTPs to target a UK retail organization, deploying DragonForce ransomware. Operators of DragonForce have claimed control of RansomHub and responsibility for attacks on multiple UK retailers in 2025 (Google Cloud Blog: Defending Against UNC3944). However, Google Threat Intelligence Group (GTIG) has not independently confirmed Scattered Spider’s involvement with DragonForce, indicating uncertainty in this connection. This potential tie reflects their ongoing evolution in ransomware partnerships.

  • No Known Connections to Other Specific Groups
    Despite their affiliations with AlphV and RansomHub, there is no publicly available information linking Scattered Spider to other well-known threat actor groups such as Hive or Black Basta. Reports from cybersecurity firms and advisories, including Tidal Cyber: Threats of the Week, Invictus IR: Cloud Heavy, Hybrid Ready, and Computer Weekly: Black Basta, Hive, and Royal Ransomware Gangs, discuss these groups separately, with no indication of collaboration or shared operations. Extensive searches through cybersecurity reports, such as those from DarkOwl and Quorum Cyber, did not yield any evidence of direct affiliations with other ransomware or cybercriminal collectives beyond AlphV and RansomHub (DarkOwl: Threat Actor Spotlight: SCATTERED SPIDER, Quorum Cyber: Scattered Spider Threat Actor Profile). For instance, Hive, known for its operations until its takedown in January 2023, does not appear to have intersected with Scattered Spider’s activities, which gained prominence later in 2023. Similarly, Black Basta, identified in April 2022, operates independently, with no reported links to Scattered Spider based on leaked internal chats from 2023 to 2024.

  • Involvement in "The Community" or "The Com"
    Scattered Spider is part of a broader, loosely knit hacking community referred to as "The Community" or "The Com." This network includes individuals with diverse backgrounds, such as gamers, hackers, and recreational users, and is known for engaging in cybercrime, including SIM swapping, ransomware attacks, and even physical violence (Defend Edge: The Community That Spawned Notorious Threat Actors). "The Com" serves as a platform for sharing tools, techniques, and expertise, but it is not a specific threat actor group with a defined structure or membership (SANS Blog). Reports, such as those from Bleeping Computer, note that some Scattered Spider members are believed to be part of "The Com," which is involved in both cyber and physical incidents (FBI Shares Tactics of Notorious Scattered Spider Hacker Collective). However, no specific named groups within "The Com" are reported to collaborate directly with Scattered Spider beyond their known affiliations with AlphV and RansomHub. The HC3 Threat Actor Profile: Scattered Spider mentions their involvement in this community but does not identify other groups.

Conclusion on Affiliations
Scattered Spider’s primary affiliations are with AlphV (BlackCat/ALPHV), established publicly since June 2023, and RansomHub, adopted in 2024 following AlphV’s shutdown. Potential ties to DragonForce ransomware in 2025 remain unconfirmed by GTIG, reflecting uncertainty in their latest ransomware partnerships. There are no known direct links to other specific threat actor groups such as Hive or Black Basta. Their involvement in "The Community" reflects participation in a broader cybercriminal network but does not constitute a direct connection to other named groups. This underscores the importance of focusing on their collaborations with AlphV and RansomHub, and monitoring potential developments with DragonForce, when assessing their threat profile.

3. Payloads Used by Scattered Spider

Scattered Spider employs a range of payloads to achieve their objectives, including ransomware, information stealers, remote access tools, and custom scripts. Below is a detailed list, updated with the latest ransomware connections:

3.1 Ransomware

  • BlackCat/ALPHV: Used for file encryption and extortion post-exfiltration, noted in the CISA Advisory.

  • Qilin: Adopted in Q2 2024, targets Linux systems, particularly VMware ESXi (Bleeping Computer).

  • RansomHub: Used as an affiliate in 2024 after AlphV’s shutdown, ceased operations in March 2025 (Google Cloud Blog: Defending Against UNC3944).

  • DragonForce: Potentially used in 2025 retail attacks, particularly against a UK organization, though GTIG has not confirmed Scattered Spider’s involvement (Google Cloud Blog: Defending Against UNC3944).

3.2 Information Stealers

  • Raccoon Stealer: Retrieves browser histories, cookies, and credentials (MITRE ATT&CK, CISA Advisory).

  • Vidar Stealer: Steals login credentials, browser history, and cookies (CISA Advisory).

  • Stealc: Harvests cloud service authentication tokens and sensitive data (EclecticIQ).

  • RedLine Stealer: Collects credentials and browser data (EclecticIQ).

  • Lumma Stealer: Subscription-based stealer targeting cryptocurrency wallets and sensitive information (Cyble).

3.3 Remote Access Tools

  • AnyDesk: A widely used remote desktop software that allows attackers to access systems remotely, often used for its ease of deployment and legitimate appearance (Cyble Threat Actor Profile, MITRE ATT&CK).

  • TeamViewer: A popular remote support and access tool, frequently misused by Scattered Spider for its robust connectivity features (CISA Advisory, MITRE ATT&CK).

  • LogMeIn: A remote management and access solution used for administrative tasks, exploited by the group for persistent access (MITRE ATT&CK).

  • ConnectWise Control (ScreenConnect): A remote support and access platform, also known as ScreenConnect, used for its comprehensive remote control capabilities (CISA Advisory).

  • Splashtop: A remote desktop software providing high-performance access, misused for its ability to blend with legitimate IT activities (CISA Advisory).

  • Pulseway: An RMM tool for system monitoring and management, used to maintain control over compromised systems (CISA Advisory).

  • Tactical.RMM: An open-source RMM platform, exploited for its flexibility and administrative features (CISA Advisory).

  • Tailscale: A VPN-based remote access tool that facilitates secure network connections, used to establish persistent access (CISA Advisory).

  • Fleetdeck.io: A remote management tool focused on IT administration, misused for its monitoring capabilities (CISA Advisory).

  • Level.io: An RMM platform for IT management, used for its system administration features (CISA Advisory).

  • RustDesk: An open-source remote desktop software, noted for its recent adoption by Scattered Spider due to its lightweight and customizable nature (Cyble Threat Actor Profile).

3.4 Credential Dumping Tools

  • Mimikatz: Extracts passwords from memory (MITRE ATT&CK Group G1015).

  • LaZagne: Recovers credentials from files (MITRE ATT&CK Group G1015).

3.5 Tunneling and Lateral Movement

  • Ngrok: Creates secure tunnels for command and control (GuidePoint Security Analysis).

  • Impacket: Facilitates lateral movement within networks (MITRE ATT&CK Group G1015).

  • RSOCX, Localtonet: Additional covert tunneling tools used to bypass VPN and MFA (Google Cloud Blog: UNC3944 Targets SaaS Applications).

3.6 Custom Scripts and Reconnaissance Tools

  • SecretServerSecretStealer: PowerShell script to decrypt Thycotic Secret Server passwords (GuidePoint Security Analysis).

  • CyberArk Account Info Script: Exports CyberArk PAS account info to CSV (GuidePoint Security Analysis).

  • Thycotic Secrets Dump Script: Decrypts Thycotic secrets (GuidePoint Security Analysis).

  • Windows Registry Subkey Script: Deletes registry subkeys for defense evasion (GuidePoint Security Analysis).

  • ESXi Discovery and SSH Script: Configures SSH on ESXi hosts (GuidePoint Security Analysis).

  • Encryptor Delivery Script: Transfers and executes encryptors on ESXi hosts (GuidePoint Security Analysis).

  • ADRecon: Used for Active Directory reconnaissance (Google Mandiant).

  • ADExplorer, SharpHound: Network reconnaissance tools for gathering network information (Google Mandiant).

  • aws_consoler: Creates temporary federated credentials during campaigns (MITRE ATT&CK).

  • LINpeas: Privilege escalation utility (MITRE ATT&CK).

  • RustScan: Port scanner for identifying open ports (MITRE ATT&CK).

4. Tactics, Techniques, and Procedures (TTPs)

Scattered Spider’s TTPs are diverse, leveraging social engineering, legitimate tools, and advanced techniques, with a focus on cloud and virtualization environments. Below is a detailed breakdown, updated with insights from the Mandiant report (CISA Advisory, MITRE ATT&CK Group G1015, Google Cloud Blog: Defending Against UNC3944):

4.1 Social Engineering

  • Phishing and Smishing: Broad campaigns using victim-specific domains (e.g., victimname-sso[.]com) (CISA Advisory).

  • SIM Swapping: Gathering PII to bypass MFA (CISA Advisory).

  • IT Help Desk Manipulation: Posing as employees to reset passwords/MFA, often using clear English and brazen communications (The Guardian, Google Cloud Blog: Defending Against UNC3944).

  • Fearmongering Tactics: Threats of doxxing, physical harm, or distributing compromising material to coerce credential access (Google Cloud Blog: UNC3944 Targets SaaS Applications).

4.2 Initial Access

  • Phishing: Capturing OTPs via credential phishing (CrowdStrike: Scattered Spider Detection).

  • Exploiting Vulnerabilities: CVE-2015-2291 (Intel Ethernet driver) and CVE-2021-35464 (ForgeRock Open AM) (MITRE ATT&CK Group G1015).

  • SaaS Permissions Abuse: Leveraging Okta permissions to assign compromised accounts to all applications in an Okta instance (Google Cloud Blog: UNC3944 Targets SaaS Applications).

4.3 Execution

  • User Execution: Directing victims to run malicious files/links (CISA Advisory).

  • RMM Software: Deploying AnyDesk, LogMeIn, ConnectWise Control (CISA Advisory).

4.4 Persistence

  • MFA Token Registration: Registering their own tokens (CISA Advisory).

  • Federated Identity Providers: Adding to SSO for account linking (CISA Advisory).

  • Virtual Machine Creation: Creating unmanaged and internet-accessible virtual machines in victim environments (e.g., vSphere, Azure) to maintain persistence (Google Cloud Blog: Defending Against UNC3944, Google Cloud Blog: UNC3944 Targets SaaS Applications).

4.5 Privilege Escalation

  • Malicious Drivers: Exploiting vulnerabilities for escalation (MITRE ATT&CK Group G1015).

  • Credential Dumping: Using Mimikatz (MITRE ATT&CK Group G1015).

  • Okta Permissions Abuse: Self-assigning compromised accounts to gain access to cloud and SaaS applications (Google Cloud Blog: UNC3944 Targets SaaS Applications).
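The identity-abuse chain described in 4.2, 4.4 and 4.5 (help-desk reset, attacker-registered MFA factor, self-assigned applications, new federated identity provider) can be surfaced from identity-provider logs. The following detection logic is an added example, not code from this report or any cited vendor; the events are constructed with a flattened shape, and the eventType names are the Okta System Log names as I recall them and should be verified against your tenant before use.

```python
"""Correlate Okta-style System Log events to flag the persistence and
privilege-escalation chain: a reset followed by MFA enrollment from a
never-seen IP, self-assignment to applications, and IdP changes."""
from datetime import datetime, timedelta

# Event type names (assumption: verify against your tenant's log schema).
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}
ENROLL_EVENTS = {"user.mfa.factor.activate"}
IDP_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.update"}
ASSIGN_EVENTS = {"application.user_membership.add"}
ENROLL_WINDOW = timedelta(hours=24)  # reset-to-enrollment gap worth flagging

# Constructed sample events, flattened for readability (real records nest
# actor/target/client fields). Timestamps are ISO 8601 UTC.
SAMPLE_EVENTS = [
    {"published": "2025-05-01T09:00:00Z", "eventType": "user.account.reset_password",
     "actor": "helpdesk.agent@example.com", "target": "j.doe@example.com",
     "ip": "192.0.2.10"},
    {"published": "2025-05-01T09:12:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "j.doe@example.com", "target": "j.doe@example.com",
     "ip": "198.51.100.77"},
    {"published": "2025-05-01T09:30:00Z", "eventType": "application.user_membership.add",
     "actor": "j.doe@example.com", "target": "j.doe@example.com",
     "ip": "198.51.100.77", "app": "vSphere-SSO"},
    {"published": "2025-05-01T10:00:00Z", "eventType": "system.idp.lifecycle.create",
     "actor": "j.doe@example.com", "target": "new-external-idp",
     "ip": "198.51.100.77"},
    # Benign: a user enrolls a factor from a known IP with no preceding reset.
    {"published": "2025-05-02T08:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "a.smith@example.com", "target": "a.smith@example.com",
     "ip": "192.0.2.55"},
]

# Constructed baseline of source IPs each user has authenticated from before.
KNOWN_IPS = {
    "j.doe@example.com": {"192.0.2.20"},
    "a.smith@example.com": {"192.0.2.55"},
}


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known_ips):
    """Walk events in time order; return (rule, subject, detail) tuples."""
    alerts = []
    last_reset = {}  # user -> time of the most recent help-desk reset
    for e in sorted(events, key=lambda ev: parse_ts(ev["published"])):
        ts, kind, user = parse_ts(e["published"]), e["eventType"], e["target"]
        if kind in RESET_EVENTS:
            last_reset[user] = ts
        elif kind in ENROLL_EVENTS:
            # Section 4.4: attacker registers their own MFA token shortly
            # after a reset, from a network location the user never used.
            reset_ts = last_reset.get(user)
            new_ip = e["ip"] not in known_ips.get(user, set())
            if reset_ts is not None and ts - reset_ts <= ENROLL_WINDOW and new_ip:
                alerts.append(("mfa_enrolled_after_reset_from_new_ip", user, e["ip"]))
        elif kind in IDP_EVENTS:
            # Section 4.4: federated identity provider added or altered.
            alerts.append(("federated_idp_changed", e["actor"], e["target"]))
        elif kind in ASSIGN_EVENTS and e["actor"] == e["target"]:
            # Sections 4.2/4.5: account assigns itself to more applications.
            alerts.append(("self_assigned_application", user, e.get("app", "")))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"{rule}: {subject} -> {detail}")
```

The reset-to-enrollment correlation is the part that separates this chain from routine factor changes; an enrollment with no preceding reset, or from a known IP, is not flagged.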

4.6 Defense Evasion

  • Living Off the Land: Using allowlisted applications (CISA Advisory).

  • Registry Modification: Deleting subkeys (GuidePoint Security Analysis).

  • Disabling Protections: Removing Microsoft Defender and Windows telemetry to hinder forensic investigations (Google Cloud Blog: UNC3944 Targets SaaS Applications).

4.7 Credential Access

  • SIM Swaps: Gathering PII (CISA Advisory).

  • Stealer Malware: Deploying Raccoon, VIDAR (CISA Advisory).

4.8 Discovery

  • SharePoint and AD Enumeration: Discovering credentials, VMware, backups (CISA Advisory).

  • Code Repositories: Exfiltrating code-signing certificates, source code (CISA Advisory).

  • Okta Reconnaissance: Using Okta web portal to identify available application tiles (Google Cloud Blog: UNC3944 Targets SaaS Applications).

4.9 Lateral Movement

  • AWS Systems Manager: Moving across AWS accounts (CISA Advisory).

  • SSH and Impacket: Facilitating network movement (GuidePoint Security Analysis).

  • SaaS and Cloud Movement: Accessing vSphere and Azure via SSO applications (Google Cloud Blog: UNC3944 Targets SaaS Applications).

4.10 Collection

  • Local Systems and Browsers: Collecting data, bookmarks, cookies (CISA Advisory).

  • Cloud Synchronization: Stealing data from SaaS applications to attacker-owned cloud storage (Google Cloud Blog: UNC3944 Targets SaaS Applications).

4.11 Exfiltration

  • Data Centers and MEGA[.]NZ: Exfiltrating data (CISA Advisory).

  • Ngrok: Protocol tunneling (GuidePoint Security Analysis).

4.12 Impact

  • Ransomware Deployment: Encrypting data with BlackCat, Qilin, RansomHub, and potentially DragonForce, targeting business-critical virtual machines to maximize impact (CISA Advisory, Google Cloud Blog: Defending Against UNC3944).

  • Encryptor Scripts: Deploying encryptors on ESXi hosts (GuidePoint Security Analysis).

  • Aggressive Communications: Leaving threatening notes, contacting executives via text/email, and infiltrating victim communication channels (Google Cloud Blog: Why Are You Texting Me?).

5. MITRE ATT&CK Framework Mapping

The following table maps Scattered Spider’s key TTPs and payloads to MITRE ATT&CK techniques, updated with new TTPs from the Mandiant report:

Tactic | Technique | Payload/Tool/Script | Description
Initial Access | T1566: Phishing | Phishing Kits | Broad phishing/smishing using victim-specific domains.
Initial Access | T1533: Data from Removable Media | SIM Swapping | Gathering PII for MFA bypass.
Initial Access | T1078.004: Valid Accounts (SaaS) | Okta Permissions Abuse | Assigning compromised accounts to SaaS applications.
Execution | T1204: User Execution | Malicious Files/Links | Directing victims to run malicious content.
Execution | T1219: Remote Access Software | AnyDesk, LogMeIn, ConnectWise Control (ScreenConnect), TeamViewer, Splashtop, Pulseway, Tactical.RMM, Tailscale, Fleetdeck.io, Level.io, RustDesk | Deploying RMM software for execution.
Persistence | T1556.006: Modify Authentication Process | MFA Token Registration | Registering attacker-controlled MFA tokens.
Persistence | T1484.002: Domain Policy Modification | Federated Identity Providers | Adding to SSO for account linking.
Persistence | T1078: Valid Accounts | Virtual Machine Creation | Creating unmanaged VMs for persistence.
Privilege Escalation | T1068: Exploitation for Privilege Escalation | Malicious Drivers | Exploiting CVE-2015-2291, CVE-2021-35464.
Privilege Escalation | T1078.004: Valid Accounts (SaaS) | Okta Permissions Abuse | Expanding access via Okta role assignments.
Defense Evasion | T1112: Modify Registry | Windows Registry Subkey Script | Deleting registry subkeys to evade detection.
Defense Evasion | T1562.001: Impair Defenses | Microsoft Defender Removal | Disabling Defender and telemetry.
Credential Access | T1003: OS Credential Dumping | Mimikatz, LaZagne | Extracting passwords from memory/files.
Credential Access | T1552: Unsecured Credentials | Raccoon, VIDAR | Stealing credentials, cookies, browser data.
Discovery | T1213.002: Data from Information Repositories | SharePoint Enumeration | Searching SharePoint for sensitive data.
Discovery | T1018: Remote System Discovery | ESXi Discovery Script | Discovering VMware ESXi hosts.
Discovery | T1057: Process Discovery | Okta Web Portal Reconnaissance | Identifying application tiles in Okta.
Lateral Movement | T1021: Remote Services | Impacket, SSH | Moving within networks using legitimate protocols.
Lateral Movement | T1538: Cloud Service Dashboard | AWS Systems Manager, vSphere, Azure | Lateral movement across cloud and virtualization platforms.
Collection | T1005: Data from Local System | Raccoon, VIDAR | Collecting data from compromised systems.
Collection | T1213: Data from Information Repositories | Cloud Synchronization Tools | Stealing SaaS data to attacker-owned cloud storage.
Exfiltration | T1048: Exfiltration Over Alternative Protocol | Ngrok | Exfiltrating to U.S. data centers, MEGA[.]NZ.
Impact | T1486: Data Encrypted for Impact | BlackCat, Qilin, RansomHub, DragonForce, Encryptor Script | Encrypting business-critical VMs for extortion.

6. Proactive Tracking with Shodan and Other Tools

Shodan, a search engine for internet-connected devices, is a critical tool for proactively tracking Scattered Spider’s infrastructure. Below are methods to leverage Shodan, based on the Silent Push Blog on Scattered Spider in 2025:

6.1 Search for Exposed Tools

  • Tools: Ngrok, Fleetdeck.io, Level.io, Pulseway, Screenconnect, Splashtop, Tactical.RMM, Tailscale, Teamviewer, RSOCX, Localtonet (CISA Advisory, Google Cloud Blog: UNC3944 Targets SaaS Applications).

  • Method: Search Shodan for exposed instances, e.g., ngrok or service:"ngrok". Monitor RDP connections and use Sigma rules (SigmaHQ Ngrok Detection).

6.2 Monitor Preferred ASNs

  • ASNs: 14061 (DigitalOcean, 37%), 20473 (Choopa, 43%), 399629 (BLNWX, 20%) (Silent Push Blog).

  • Method: Use Shodan Monitor to track events in these ASNs, e.g., net:14061 (Shodan Monitor).

6.3 Search Domain Patterns

  • Keywords: “connect,” “corp,” “duo,” “help,” “sso,” “vpn,” etc. TLDs: “com,” “co,” “us,” “net,” “org,” “help” (Silent Push Blog).

  • Method: Search Shodan for domains, e.g., domain:"help" net:14061. Monitor short-lived domains with Shodan Monitor.
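Sections 6.1 to 6.3 describe three signals (exposed tools, preferred ASNs, lookalike domain patterns) that only mean something when they stack up on the same host. The triage routine below is an added example, not code from this report or from Silent Push or Shodan; the host records are constructed, and the field names (ip_str, asn, product, data, hostnames) follow the shape of Shodan host JSON as I understand it.

```python
"""Triage Shodan-style host records against the infrastructure patterns in
sections 6.1-6.3 and rank hosts by how many indicators coincide."""
import re

# ASNs reported by Silent Push, written as Shodan returns them ("AS" prefix).
PREFERRED_ASNS = {"AS14061": "DigitalOcean", "AS20473": "Choopa", "AS399629": "BLNWX"}

# Domain keywords and TLDs from section 6.3.
DOMAIN_KEYWORDS = {"connect", "corp", "duo", "help", "sso", "vpn"}
DOMAIN_TLDS = {"com", "co", "us", "net", "org", "help"}

# Tools from section 6.1, matched case-insensitively in product and banner text.
EXPOSED_TOOLS = ("ngrok", "fleetdeck", "level.io", "pulseway", "screenconnect",
                 "splashtop", "tactical rmm", "tacticalrmm", "tailscale",
                 "teamviewer", "rsocx", "localtonet")

# Constructed sample records (documentation-range IPs, made-up hostnames).
SAMPLE_RECORDS = [
    {"ip_str": "203.0.113.10", "asn": "AS14061", "product": "ngrok",
     "data": "HTTP/1.1 200 OK\r\nServer: ngrok\r\n",
     "hostnames": ["examplecorp-sso.com"]},
    {"ip_str": "203.0.113.11", "asn": "AS20473", "product": "",
     "data": "ScreenConnect Remote Support Software",
     "hostnames": ["help.examplecorp-vpn.help"]},
    {"ip_str": "198.51.100.7", "asn": "AS64496", "product": "nginx",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
     "hostnames": ["www.example.org"]},
    {"ip_str": "198.51.100.8", "asn": "AS14061", "product": "OpenSSH",
     "data": "SSH-2.0-OpenSSH_9.2", "hostnames": []},
]


def lookalike_domain(hostname, org_tokens):
    """True when hostname fits the victimname-sso.com pattern: a listed TLD,
    a section 6.3 keyword as a label or hyphenated part, and an org token
    (e.g. the company name) inside the registrable label."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in DOMAIN_TLDS:
        return False
    parts = set()
    for label in labels[:-1]:
        parts.update(re.split(r"[-_]", label))
    registrable = labels[-2]
    return bool(parts & DOMAIN_KEYWORDS) and any(
        t.lower() in registrable for t in org_tokens)


def triage_host(rec, org_tokens):
    """Score one host record; each indicator adds weight and a reason."""
    score, reasons = 0, []
    asn = rec.get("asn", "")
    if asn in PREFERRED_ASNS:
        score += 1
        reasons.append(f"preferred ASN {asn} ({PREFERRED_ASNS[asn]})")
    banner = (rec.get("product", "") + " " + rec.get("data", "")).lower()
    for tool in EXPOSED_TOOLS:
        if tool in banner:
            score += 2
            reasons.append(f"exposed tool: {tool}")
    for host in rec.get("hostnames", []):
        if lookalike_domain(host, org_tokens):
            score += 3
            reasons.append(f"lookalike hostname: {host}")
    return {"ip": rec["ip_str"], "score": score, "reasons": reasons}


def triage(records, org_tokens, threshold=3):
    """Return findings at or above threshold, strongest first. The ASN alone
    scores below threshold: those providers host plenty of legitimate tenants,
    which is the contextual-linking caveat in section 6.6."""
    findings = [triage_host(r, org_tokens) for r in records]
    return sorted((f for f in findings if f["score"] >= threshold),
                  key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, ["examplecorp"]):
        print(f["ip"], f["score"], "; ".join(f["reasons"]))
```

Feed it the JSON returned by a Shodan search or Monitor alert and the tokens of your own organization name; hosts that score on the ASN alone are deliberately left out of the result.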

6.4 Track Hosting Providers and Registrars

  • Providers: Njalla, Virtuo, Cloudflare. Registrars: NiceNIC, Porkbun, Namecheap, Hostinger, Tucows (Silent Push Blog).

  • Method: Search Shodan for IP ranges, e.g., host:Njalla.

6.5 Monitor Dynamic DNS

  • Example: klv1.it[.]com (detected February 6, 2025, 5 VirusTotal detections) (VirusTotal URL).

  • Method: Search Shodan for dynamic DNS providers, e.g., host:it.com.

6.6 Limitations

  • Contextual Linking: Shodan requires additional intelligence to confirm Scattered Spider’s involvement (Silent Push Community Edition).

  • Real-Time Needs: Short-lived domains necessitate continuous monitoring (Shodan Streaming API).

7. Recommendations for Mitigation

To defend against Scattered Spider, organizations should implement the following updated recommendations, incorporating specific hardening strategies from the Mandiant report (Google Cloud Blog: Defending Against UNC3944):

  1. Implement Phishing-Resistant MFA: Prevent SIM swapping and MFA bypass by using strong, phishing-resistant MFA for all publicly accessible applications and services (CISA Advisory).

  2. Train IT Help Desks: Educate staff to recognize social engineering attempts, including vishing and impersonation, and verify identities rigorously (CISA Advisory).

  3. Secure Cloud Environments: Restrict access to sensitive systems, monitor cloud resource configurations for unauthorized changes (e.g., new resources, exposed services, modified NSG/firewall rules), and enforce strong authentication for cloud access (Splunk: Scattered Spider, Google Cloud Blog: Defending Against UNC3944).

  4. Harden Virtualization Infrastructure:

    • Isolate and restrict access to ESXi hosts and vCenter Server Appliances.

    • Ensure backups of virtual machines are isolated, secured, and immutable.

    • Unbind authentication for administrative access from centralized IdPs, using local SSO with strong MFA.

    • Proactively rotate local root/administrative passwords and enforce randomized passwords for each virtualized host.

    • Disable/restrict SSH access to virtualization platforms (Google Cloud Blog: Defending Against UNC3944).

  5. Monitor Infrastructure: Use Shodan to track ASNs (14061, 20473, 399629), domains with keywords (e.g., “help,” “sso”), and exposed tools like Ngrok (Silent Push Blog).

  6. Leverage CTI Feeds: Stay updated on evolving TTPs, particularly their use of new ransomware variants like Qilin and DragonForce (Cyble Threat Actor Profile).

  7. Focus on Ransomware Affiliations: Prioritize defenses against BlackCat/ALPHV, RansomHub, and potentially DragonForce ransomware due to Scattered Spider’s affiliations (CISA Advisory, Google Cloud Blog: Defending Against UNC3944).

  8. Conduct Vulnerability Scanning: Perform external unauthenticated scans to identify publicly exposed domains, IPs, and CIDR ranges, reducing the risk of unauthorized access (Google Cloud Blog: Defending Against UNC3944).

  9. Collaborate: Share intelligence with law enforcement and industry peers to disrupt Scattered Spider’s operations (SANS: Defending Against Scattered Spider).

8. Conclusion

Scattered Spider remains a formidable cyber threat as of May 07, 2025, leveraging sophisticated social engineering, ransomware, and legitimate tools to target high-value organizations. Their TTPs, mapped to the MITRE ATT&CK framework, highlight their adaptability and evasion capabilities, particularly in cloud and virtualization environments. Their primary affiliations with AlphV (BlackCat/ALPHV), established publicly since June 2023, and RansomHub in 2024, along with potential but unconfirmed ties to DragonForce in 2025, underscore their integration within the RaaS ecosystem. Their involvement in "The Community" reflects participation in a broader cybercriminal network, though no other specific threat actor groups are directly linked. Proactive tracking using Shodan, focusing on exposed tools, ASNs, and domain patterns, is essential for anticipating their activities. By integrating CTI, MITRE ATT&CK mappings, and tools like Shodan, and implementing specific hardening strategies for virtualization and cloud infrastructure, organizations can enhance their defenses and mitigate risks posed by Scattered Spider.

References

  1. CISA Advisory on Scattered Spider

  2. MITRE ATT&CK Group G1015 Scattered Spider

  3. Cyble Threat Actor Profile Scattered Spider

  4. Silent Push Blog on Scattered Spider in 2025

  5. Bleeping Computer: Microsoft Links Scattered Spider to Qilin

  6. GuidePoint Security Analysis of Scattered Spider

  7. HC3 Warns of Scattered Spider in Healthcare

  8. Dark Reading: Despite Arrests, Scattered Spider Continues Hacking

  9. Splunk: Scattered Spider

  10. EclecticIQ: Scattered Spider Ransomware Analysis

  11. Sangfor: Scattered Spider Threat Actors

  12. The Guardian: Scattered Spider Operations

  13. Palo Alto Networks: What is Cyber Threat Intelligence

  14. Cynet: What is Cyber Threat Intelligence

  15. Cyber Threat Intelligence - Wikipedia

  16. Scattered Spider - Wikipedia

  17. SANS: Defending Against Scattered Spider

  18. CrowdStrike: Scattered Spider Detection

  19. Shodan Monitor

  20. Shodan Streaming API Documentation

  21. Shodan Developer Dashboard

  22. SigmaHQ Ngrok Detection Rule

  23. Silent Push Community Edition

  24. Silent Push Registration

  25. VirusTotal URL for Dynamic DNS Detection

  26. Axios: Cybercrime Gangs Claim MGM Cyberattack

  27. Bushido Token Blog: Tracking Adversaries

  28. Canadian Center for Cyber Security Ransomware Alert

  29. Tidal Cyber: Threats of the Week

  30. Invictus IR: Cloud Heavy, Hybrid Ready

  31. Computer Weekly: Black Basta, Hive, and Royal Ransomware Gangs

  32. Defend Edge: The Community That Spawned Notorious Threat Actors

  33. DarkOwl: Threat Actor Spotlight: SCATTERED SPIDER

  34. Quorum Cyber: Scattered Spider Threat Actor Profile

  35. HC3 Threat Actor Profile: Scattered Spider

  36. FBI Shares Tactics of Notorious Scattered Spider Hacker Collective

  37. Google Cloud Blog: Defending Against UNC3944

  38. Google Cloud Blog: UNC3944 Targets SaaS Applications

  39. Google Cloud Blog: Why Are You Texting Me?

Disclaimer

This report is based on publicly available information and CTI sources as of May 07, 2025. Organizations should verify findings with their own intelligence and consult cybersecurity experts for tailored defense strategies.
