Scattered Spider is a financially motivated eCrime collective best known for high-success social engineering against enterprise IT help desks, often enabling account takeover in SSO and hybrid environments and progressing to data theft extortion and (in some cases) ransomware deployment. According to the FBI/CISA-led Joint Cybersecurity Advisory (AA23-320A, updated 29 July 2025), recent activity includes data exfiltration for extortion and the deployment of DragonForce ransomware, including impacts to VMware ESXi environments. (ic3.gov)
Microsoft assesses the same cluster (tracked as Octo Tempest) as one of the more dangerous financial threat actors due to broad social engineering, hybrid-cloud tradecraft, and disruptive outcomes including encryption and destruction. (Microsoft)
Defenders should prioritise identity and help-desk process controls, rapid session revocation, and high-fidelity monitoring for remote access tooling and cloud identity abuse, as Scattered Spider commonly “logs in” rather than exploiting complex zero-days. (ic3.gov)
2. Contextual Background
2.1 Nature of the threat
Scattered Spider’s hallmark is multi-step social engineering (vishing/smishing/help-desk impersonation) to reset passwords, transfer MFA factors, or induce installation of legitimate remote access tooling (RMM/remote desktop). (ic3.gov)
The AA23-320A update (29 July 2025) highlights exfiltration for extortion followed by encryption for ransom, with recent exfiltration destinations including MEGA and Amazon S3. (ic3.gov)
2.2 Threat-actor attribution
Confidence: Confirmed. Scattered Spider is tracked consistently across government and major CTI publishers, including:
- MITRE ATT&CK Group G1015 (Scattered Spider / Octo Tempest / UNC3944 and related aliases). (attack.mitre.org)
- Microsoft (Octo Tempest) detailing tradecraft and monetisation models. (Microsoft)
- Mandiant (Google Cloud) (UNC3944) describing help-desk compromise, SaaS targeting, and virtualisation-plane persistence. (Google Cloud)
- CrowdStrike (Scattered Spider) providing adversary identifiers and campaign context. (crowdstrike.com)
- FBI/CISA-led AA23-320A (updated 29 July 2025) providing TTPs, domain patterns, tooling, and mitigations. (ic3.gov)
2.3 Sector and geographic targeting
Microsoft reports sector “waves”, with activity concentrating on one industry for weeks or months before shifting. In April–July 2025 Microsoft observed impacts to retail, food services, hospitality, and insurance, followed by airlines “in recent weeks”. (Microsoft)
CrowdStrike’s profile notes activity since early 2022 with targeting that has included telecoms/technology and broader enterprise victimology across regions including the US and UK. (crowdstrike.com)
The July 2025 joint advisory emphasises targeting of large organisations and contracted IT help desks, reflecting a repeatable dependency on outsourced or distributed support models. (ic3.gov)
3. Technical Analysis
3.1 Detailed description of tradecraft and MITRE ATT&CK mapping
Scattered Spider’s most consistently reported tactics include:
- Help-desk vishing (spearphishing voice) to elicit reset procedures, followed by account takeover via password resets and MFA factor transfer: T1566.004 (ic3.gov)
- MFA fatigue / push bombing: T1621 (ic3.gov)
- SIM swap / phone number control to intercept OTPs and drive self-service resets: T1451 (ic3.gov)
- Valid account abuse (domain accounts): T1078.002 (ic3.gov)
- Remote access tooling and tunnelling (AnyDesk, TeamViewer, Teleport, ngrok and other dual-use tooling): T1219 and T1090 (ic3.gov)
- Knowledge-repository hunting (SharePoint, internal guides, credential documentation) to accelerate lateral movement and privilege escalation: T1213.002 and T1552.001 (ic3.gov)
- Virtualisation and cloud-plane abuse including actor-created instances and vSphere access for persistence and operations: T1578.002 and T1018 (ic3.gov)
- Data theft extortion and exfiltration to cloud storage or web services: T1567.002 and T1567 (ic3.gov)
- Ransomware impact, including recent reporting of DragonForce deployment: T1486 (ic3.gov)
3.2 Exploitation status
Scattered Spider is primarily social-engineering-driven, with repeated confirmation of activity “in the wild” via law enforcement reporting and multi-vendor incident response. The AA23-320A update (29 July 2025) is explicit that the advisory reflects FBI-observed TTPs “as recently as June 2025” and includes updates on ransomware and exfiltration behaviours. (ic3.gov)
Where public PoCs are relevant, they are typically secondary to identity compromise; Scattered Spider more often abuses legitimate platforms and workflows (SSO portals, help-desk processes, remote tools) than relying on a single public exploit chain. (Microsoft)
4. Impact Assessment
4.1 Severity and scope
Impact is frequently enterprise-wide due to the group’s emphasis on identity, SaaS access, and administrative tooling. Microsoft notes hybrid-environment navigation, large-scale data theft, and encryption, including high-impact targeting of VMware ESXi. (Microsoft)
The joint advisory highlights an extortion lifecycle of exfiltration followed by encryption and negotiation via anonymised channels (Tor/Tox/email/encrypted messaging apps). (ic3.gov)
4.2 Victim profile
Observed victims skew toward large organisations with:
- Outsourced/contracted help desks or complex IT support workflows. (ic3.gov)
- Mature SaaS adoption (Okta/SSO, Microsoft 365/SharePoint, cloud IaaS, data platforms). (Google Cloud)
- Virtualisation estates that offer high-leverage disruption points (vCenter/ESXi). (Microsoft)
5. Indicators of Compromise (IOCs)
5.1 IOC table
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| Domain pattern | targetsname-sso[.]com | Example pattern used for phishing/smishing domains (organisation name + “sso”). Not a literal IOC. | FBI/CISA AA23-320A (29 Jul 2025) (ic3.gov) |
| Domain pattern | targetsname-servicedesk[.]com | Help-desk themed typosquat pattern. Not a literal IOC. | FBI/CISA AA23-320A (29 Jul 2025) (ic3.gov) |
| Domain pattern | targetsname-okta[.]com | Okta-themed typosquat pattern. Not a literal IOC. | FBI/CISA AA23-320A (29 Jul 2025) (ic3.gov) |
| Domain pattern | oktalogin-targetcompany[.]com | Example pattern seen in advisory. Not a literal IOC. | FBI/CISA AA23-320A (29 Jul 2025) (ic3.gov) |
| Service | MEGA[.]nz | Reported exfiltration destination; legitimate service, use behaviour-based triage. | FBI/CISA AA23-320A (29 Jul 2025) (ic3.gov) |
| Service | Amazon S3 | Reported exfiltration destination; legitimate service, prioritise anomaly detection and data egress controls. | FBI/CISA AA23-320A (29 Jul 2025) (ic3.gov) |
| Domain | *.ngrok.io | Common tunnelling endpoint class used by Scattered Spider and other actors; treat as contextual. | Team Cymru infrastructure profile (team-cymru.com) |
| Domain | jumia.teleport.sh | Teleport tunnelling endpoint referenced in hunting guidance; contextual. | Team Cymru infrastructure profile (team-cymru.com) |
| Domain | *.pinggy.click | Pinggy tunnelling endpoint class; contextual. | Team Cymru infrastructure profile (team-cymru.com) |
| Legitimate services | file.io, paste.ee, gofile.io, temp.sh, transfer.sh, shz.al, mega.nz | Frequently cited file-sharing/paste destinations used for staging/exfiltration; high false-positive potential. | Team Cymru infrastructure profile (team-cymru.com) |
Note: Many indicators above are patterns or dual-use services, not “block-and-forget” IOCs. The advisory itself emphasises continuous TTP evolution, so defenders should treat these as pivot points for investigation rather than definitive attribution. (ic3.gov)
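To make the domain patterns in the table usable against a DNS log or new-registration feed, here is an added example (not code from the advisory or any vendor): a small Python matcher that refangs indicators and flags hostnames following the organisation-name + sso/servicedesk/okta and oktalogin- + organisation-name patterns. The organisation names, candidate domains and allowlist are constructed.

```python
import re

# Patterns from the advisory's IOC table: <org>-sso, <org>-servicedesk, <org>-okta and oktalogin-<org>.
SUFFIX_WORDS = ("sso", "servicedesk", "okta")
PREFIX_WORDS = ("oktalogin",)


def refang(indicator):
    """Normalise a possibly defanged indicator: 'acme-sso[.]com' -> 'acme-sso.com'."""
    d = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return d.removeprefix("hxxp://").removeprefix("hxxps://").rstrip(".")


def build_pattern(org_names):
    """Compile one regex for the org-name + keyword patterns, allowing '-', '_' or no separator."""
    orgs = "|".join(re.escape(o.lower()) for o in org_names)
    suffix = "|".join(SUFFIX_WORDS)
    prefix = "|".join(PREFIX_WORDS)
    # Optional subdomains, then the lookalike label, then any TLD of two or more letters.
    return re.compile(
        rf"^(?:[a-z0-9-]+\.)*(?:(?:{orgs})[-_]?(?:{suffix})|(?:{prefix})[-_]?(?:{orgs}))\.[a-z]{{2,}}$"
    )


def find_lookalikes(org_names, candidates, allowlist=()):
    """Return the refanged candidates that match the pattern and are not on the allowlist."""
    pat = build_pattern(org_names)
    allowed = {refang(a) for a in allowlist}
    return [d for d in map(refang, candidates) if d not in allowed and pat.match(d)]


# Constructed sample feed (hypothetical new-registration / DNS log extract), not real indicators.
SAMPLE_CANDIDATES = [
    "acme-sso[.]com", "acmecorp-servicedesk.net", "login.acme-okta.com",
    "oktalogin-acme.com", "acme.com", "sso.acme.com", "acme-news.com", "okta.com",
]

if __name__ == "__main__":
    for hit in find_lookalikes(["Acme", "acmecorp"], SAMPLE_CANDIDATES, allowlist=["acme.com"]):
        print("lookalike:", hit)
```

Hits are pivot points for investigation (registrant, certificate issuance, who resolved them), consistent with the note above that these are patterns rather than block-and-forget indicators.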
5.2 Detection guidance
Sigma (endpoint / Windows):
- AnyDesk execution: Sigma rule “AnyDesk remote access tool process creation” (GitHub)
- AnyDesk service install: Sigma rule “AnyDesk service installation” (detection.fyi)
- ngrok network connections: Sigma rule “Process initiated network connection to ngrok” (detection.fyi)
Identity / SaaS detections (MFA fatigue):
- Office 365 MFA fatigue: Splunk Security Research analytic “O365 multiple failed MFA requests” (Splunk Security Content)
- MITRE detection guidance for MFA push abuse: T1621 (attack.mitre.org)
High-signal hunting recommendations (vendor-agnostic):
- Alert on help-desk initiated password resets and MFA method changes immediately followed by new remote access tooling execution or new device registrations. (ic3.gov)
- Monitor SharePoint / internal wiki access for “how to VPN”, “VDI”, “vCenter”, “password reset”, “break glass”, “admin guide” searches and downloads by newly recovered or unusual identities. (ic3.gov)
- Track creation of new cloud instances and sudden use of administrative SSO entitlements from atypical endpoints, especially where follow-on activity shifts to virtualisation and backups. (ic3.gov)
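The first hunting recommendation above can be expressed as a simple event correlation. The following is an added example, not code from the advisory or any vendor: it assumes a normalised event schema (ts, user, source, action, detail) and constructed sample events, and raises an alert when a help-desk password reset or MFA factor change is followed within a window by RMM execution or a new device registration for the same user.

```python
from datetime import datetime

# Constructed sample events in an assumed normalised schema: ts (ISO 8601), user, source, action, detail.
SAMPLE_EVENTS = [
    {"ts": "2025-07-29T09:02:00", "user": "j.doe", "source": "helpdesk", "action": "password_reset", "detail": "ticket 1001"},
    {"ts": "2025-07-29T09:05:00", "user": "j.doe", "source": "idp", "action": "mfa_factor_added", "detail": "push factor"},
    {"ts": "2025-07-29T09:40:00", "user": "j.doe", "source": "edr", "action": "process_create", "detail": "AnyDesk.exe"},
    {"ts": "2025-07-29T11:00:00", "user": "a.smith", "source": "helpdesk", "action": "password_reset", "detail": "ticket 1002"},
    {"ts": "2025-07-30T15:00:00", "user": "a.smith", "source": "edr", "action": "process_create", "detail": "notepad.exe"},
    {"ts": "2025-07-29T13:00:00", "user": "b.lee", "source": "idp", "action": "device_registered", "detail": "new Windows device"},
]

# Help-desk / identity changes that open a watch window for the affected user.
TRIGGER_ACTIONS = {"password_reset", "mfa_factor_added", "mfa_factor_reset"}
# Follow-on activity the advisory ties to account takeover: new device registration or RMM / tunnelling binaries.
FOLLOW_ON_ACTIONS = {"device_registered"}
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe", "ngrok.exe"}  # illustrative list


def is_follow_on(event):
    if event["action"] in FOLLOW_ON_ACTIONS:
        return True
    return event["action"] == "process_create" and event["detail"].lower() in RMM_BINARIES


def correlate(events, window_hours=24):
    """Return one alert per follow-on event that lands within window_hours after a trigger for the same user."""
    alerts = []
    open_triggers = {}  # user -> trigger events seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO 8601 timestamps sort lexically
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        if ev["action"] in TRIGGER_ACTIONS:
            open_triggers.setdefault(user, []).append(ev)
        elif is_follow_on(ev):
            for trig in open_triggers.get(user, []):
                if 0 <= (ts - datetime.fromisoformat(trig["ts"])).total_seconds() <= window_hours * 3600:
                    alerts.append({"user": user, "trigger": trig["action"], "trigger_ts": trig["ts"],
                                   "follow_on": ev["action"], "follow_on_ts": ev["ts"], "detail": ev["detail"]})
                    break  # one alert per follow-on event is enough for triage
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"P1 candidate: {a['user']} {a['trigger']} @ {a['trigger_ts']} -> {a['follow_on']} ({a['detail']}) @ {a['follow_on_ts']}")
```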
6. Incident Response Guidance
6.1 Containment, eradication, recovery
- Contain identity first: disable suspected accounts, revoke sessions/tokens, reset credentials, and remove newly added MFA methods. Prioritise SSO admin accounts and help-desk roles. (ic3.gov)
- Freeze help-desk risk: temporarily require out-of-band identity verification for password resets, SIM/number change requests, and MFA factor transfers. (ic3.gov)
- Quarantine remote tooling: block or restrict AnyDesk/TeamViewer/ScreenConnect and tunnelling utilities unless explicitly approved; treat first-seen installs as P1. (ic3.gov)
- Protect virtualisation and backups: restrict vCenter/ESXi admin access, rotate credentials, and validate immutable/offline backups due to observed ESXi targeting and encryption scenarios. (ic3.gov)
6.2 Forensic artefacts to collect and preserve
- Help-desk call logs / ticketing transcripts (including vendor BPO tooling), reset approvals, and identity verification steps. (ic3.gov)
- SSO audit logs (Okta/Entra ID): MFA enrolment changes, factor resets, conditional access changes, new device registrations, and privilege assignments. (Microsoft)
- Endpoint telemetry: installation/execution of remote access tools, tunnelling utilities, credential dumping tools, and suspicious service creation. (ic3.gov)
- Cloud control-plane logs: instance creation, IAM changes, access to SharePoint and code repositories, bulk data pulls. (ic3.gov)
6.3 Lessons learned
Scattered Spider’s success is often rooted in “business process compromise” (help-desk resets, outsourced support, identity workflows). Treat help-desk and identity governance as Tier 0 controls, and rehearse a playbook that assumes rapid privilege acquisition without malware-heavy telemetry. (ic3.gov)
7. Threat Intelligence Contextualisation
7.1 Similar past incidents
- The group’s monetisation has spanned SIM swap and crypto theft to enterprise extortion and ransomware affiliate behaviour, with Microsoft describing the evolution to ALPHV/BlackCat affiliate activity and later ESXi-focused ransomware deployments. (Microsoft)
- Mandiant notes repeated help-desk compromise patterns and subsequent SaaS abuse (Okta permissions abuse, SharePoint reconnaissance) as a scalable enterprise intrusion model. (Google Cloud)
7.2 Full MITRE ATT&CK mapping
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1566.004 | Spearphishing Voice | Help-desk vishing to reset passwords / transfer MFA. (ic3.gov) |
| Initial Access | T1199 | Trusted Relationship | Abuse of contracted IT help desks / third parties. (ic3.gov) |
| Credential Access | T1621 | MFA Request Generation | Push bombing / MFA fatigue. (ic3.gov) |
| Credential Access | T1451 | SIM Swap | OTP interception and account takeover enablement. (ic3.gov) |
| Persistence / C2 | T1219 | Remote Access Software | Dual-use remote tools (AnyDesk/TeamViewer/Teleport). (ic3.gov) |
| Discovery | T1213.002 | SharePoint | Searching internal repositories for VPN/VDI/vCenter guides. (ic3.gov) |
| Lateral Movement | T1021.007 | Cloud Services | Using cloud instances for movement and operations. (ic3.gov) |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage | Exfiltration to services including MEGA and S3. (ic3.gov) |
| Impact | T1486 | Data Encrypted for Impact | Ransomware deployment including ESXi-focused impacts. (ic3.gov) |
8. Mitigation Recommendations
8.1 Hardening priorities
- Enforce phishing-resistant MFA for administrators and help-desk roles; restrict MFA resets and device enrolment to strongly verified workflows. (ic3.gov)
- Implement strict help-desk verification: no MFA factor transfer or password reset based solely on knowledge-based checks; require out-of-band verification and change-window approvals. (ic3.gov)
- Default-deny or tightly control remote access tooling; monitor for first-seen binaries and unusual inbound connections. (ic3.gov)
- Monitor and alert on new cloud instances and high-risk identity changes (role assignment, domain trust modifications, federation changes) particularly after help-desk events. (ic3.gov)
8.2 Patch management advice
For Scattered Spider specifically, patching is necessary but not sufficient: the highest-yield controls are identity governance and help-desk workflow hardening, because the initial foothold is frequently obtained through social engineering rather than software exploitation. (ic3.gov)
9. Historical Context & Related Vulnerabilities
Scattered Spider has been associated with EDR evasion techniques including Bring-Your-Own-Vulnerable-Driver (BYOVD) style tradecraft in public reporting (for example, CrowdStrike’s reporting on “bring your own vulnerable driver” tactics). (crowdstrike.com)
Where defenders are tracking broader ecosystem exposure, treat this as an escalation risk once interactive access is achieved, rather than as the primary entry vector. (Microsoft)
10. Future Outlook
Scattered Spider’s operational model is well-suited to continued success: it scales through repeatable human-process compromise (help desks) and adapts quickly across sectors. Microsoft notes ongoing shifts in tooling and target sectors, including recent waves into airlines and ESXi-focused ransomware operations. (Microsoft)
Expect increased use of identity-native techniques (token replay, SSO abuse, SaaS permissions manipulation) and continued reliance on legitimate remote access and tunnelling services that complicate traditional IOC-based blocking. (Google Cloud)
11. Further Reading
- FBI/CISA Joint Cybersecurity Advisory AA23-320A (updated 29 Jul 2025) (ic3.gov)
- Microsoft: Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction (25 Oct 2023) (Microsoft)
- Microsoft: Protecting customers from Octo Tempest attacks across multiple industries (16 Jul 2025) (Microsoft)
- Mandiant (Google Cloud): UNC3944 targets SaaS applications (13 Jun 2024) (Google Cloud)
- MITRE ATT&CK Group G1015: Scattered Spider (attack.mitre.org)
- CrowdStrike adversary profile: Scattered Spider (crowdstrike.com)
- Team Cymru: Scattered Spider infrastructure and hunting pivots (team-cymru.com)
