In a joint cybersecurity advisory, authorities from the United States, Canada, the United Kingdom, and Australia have issued an urgent warning regarding the evolving tactics of the cybercriminal group known as Scattered Spider. The advisory comes from a coalition that includes the FBI, CISA, RCMP, NCSC-UK, ASD's ACSC, CCCS, and the Australian Federal Police, reflecting the transnational scale and severity of the threat.
Scattered Spider (also tracked as UNC3944, Oktapus, Storm-0875, and Muddled Libra) has gained infamy for its brazen intrusions into commercial sectors, critical infrastructure, and IT service providers. The group's attacks are marked by sophisticated social engineering, data theft, and ransomware extortion campaigns.
The advisory reveals that Scattered Spider threat actors now blend spearphishing, SIM-swapping, and MFA fatigue (repeatedly triggering push prompts until the target approves one) to infiltrate systems and steal credentials. “They've posed as company IT and helpdesk staff to convince employees to share one-time passwords (OTPs), install remote access tools, or reset credentials,” the advisory warns.
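The MFA fatigue pattern described above is detectable in identity-provider logs: a burst of denied or unanswered push challenges for one account, optionally followed by an approval. The following is an added example, not code from the advisory or the page's author; it assumes a generic event shape of (user, UTC timestamp, push result) that you would map your own IdP export onto, and the sample events are constructed.

```python
"""Detect MFA push-fatigue (prompt bombing) in IdP sign-in logs.

Added example, not from the advisory. The event shape (user, UTC timestamp,
push result) is a generic assumption; map your IdP's export onto it.
The events below are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice is bombed and finally approves; bob is a normal
# mis-tap; carol's timeouts are hours apart and never form a burst.
SAMPLE_EVENTS = [
    ("alice", "2025-07-29T02:01:10Z", "denied"),
    ("alice", "2025-07-29T02:01:45Z", "denied"),
    ("alice", "2025-07-29T02:02:20Z", "timeout"),
    ("alice", "2025-07-29T02:03:05Z", "denied"),
    ("alice", "2025-07-29T02:03:50Z", "denied"),
    ("alice", "2025-07-29T02:04:30Z", "denied"),
    ("alice", "2025-07-29T02:05:15Z", "approved"),
    ("bob",   "2025-07-29T09:00:00Z", "denied"),
    ("bob",   "2025-07-29T09:00:30Z", "approved"),
    ("carol", "2025-07-29T10:00:00Z", "timeout"),
    ("carol", "2025-07-29T10:30:00Z", "timeout"),
    ("carol", "2025-07-29T11:00:00Z", "timeout"),
    ("carol", "2025-07-29T11:30:00Z", "timeout"),
    ("carol", "2025-07-29T12:00:00Z", "timeout"),
]

THRESHOLD = 5                   # denied or unanswered pushes ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window (tuning assumption)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_fatigue(events, threshold=THRESHOLD, window=WINDOW):
    """Return a list of (user, alert_kind, timestamp) tuples.

    'burst'              : threshold reached within the window
    'burst_then_success' : an approval arrived while a burst was still inside
                           the window, i.e. the user probably gave in; treat
                           the resulting session as compromised
    """
    alerts = []
    pending = defaultdict(deque)  # user -> timestamps of recent denied/timeout pushes
    for user, ts_str, result in sorted(events, key=lambda e: e[1]):
        ts = _parse(ts_str)
        q = pending[user]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:       # alert once, when the burst forms
                alerts.append((user, "burst", ts_str))
        elif result == "approved":
            if len(q) >= threshold:
                alerts.append((user, "burst_then_success", ts_str))
            q.clear()                     # an approval ends the episode either way
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(*alert)
```

The "burst_then_success" alert is the one to page on: a burst alone may be a lost phone or a confused user, but an approval at the end of a burst means the attacker now holds a valid session, and the account's tokens should be revoked rather than merely reviewed.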
Notably, the group has adopted the DragonForce ransomware as part of its updated arsenal. According to the advisory, “Scattered Spider threat actors may exfiltrate data from targeted organization's systems for extortion and then encrypt data on the system for ransom.”
Scattered Spider's operations blur the line between malicious intrusion and ordinary IT activity by using legitimate remote access, remote monitoring and management (RMM), and tunnelling tools such as AnyDesk, TeamViewer, Ngrok, and Teleport.sh. These tools, while commonly used for IT support, are repurposed for stealthy network access and persistence. The group's preference for “living off the land” and legitimate tooling allows it to evade detection by blending into normal administrative traffic.
They have also used a range of malware, including AveMaria (WarZone RAT), Raccoon Stealer, VIDAR Stealer, and a newly reported RattyRAT, a Java-based remote access trojan that supports stealth operations and internal reconnaissance.
Scattered Spider actors begin with extensive reconnaissance, collecting usernames, roles, and social media data via open-source intelligence (OSINT), and escalate to complex impersonation campaigns. “They conduct spearphishing calls to convince IT help desks to reset passwords and/or transfer MFA tokens,” states the advisory.
Once inside, they escalate privileges, create fake accounts, install RMM software, and even join remediation calls to monitor incident response efforts. Exfiltrated data is staged using ETL tools and sent to locations such as MEGA[.]NZ and Amazon S3. In recent cases, large-scale data extraction was performed through compromised Snowflake environments.
The advisory outlines several critical recommendations to mitigate Scattered Spider's activity:
- Enforce phishing-resistant MFA such as FIDO2/WebAuthn or PKI-based solutions.
- Implement application allowlisting to block unauthorized software execution.
- Audit and control RMM tools, particularly portable versions often missed by antivirus tools.
- Maintain offline, regularly tested backups stored separately from production systems.
- Harden password policies in accordance with NIST standards, avoid reuse, and implement lockouts.
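The RMM abuse described earlier and the recommendation to audit RMM tools, particularly portable copies, come together in a simple endpoint audit: look at process-execution records for known remote-access binaries running from user-writable locations or under a different name than they were built with. The following is an added example, not code from the advisory or the page's author; it assumes Sysmon-style records with Image, OriginalFileName and User fields, a managed-install root of Program Files, TeamViewer as the hypothetical sanctioned tool, and `tsh.exe` as the Teleport client binary name; the sample records are constructed.

```python
"""Audit process-execution records for unmanaged or renamed RMM tools.

Added example, not part of the advisory. It assumes Sysmon-style records
(Image, OriginalFileName, User); the sample records below are constructed.
"""

# Remote-access / tunnelling binaries named in the advisory, keyed by the
# PE's OriginalFileName so a renamed copy is still recognised. This is a
# starting list; extend it with whatever your fleet actually sees.
RMM_ORIGINAL_NAMES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "ngrok.exe": "Ngrok",
    "tsh.exe": "Teleport",   # assumption: Teleport's CLI client binary
}

# Only installs under these roots count as managed; anything else is treated
# as a portable copy. Adjust to your own deployment paths.
MANAGED_ROOTS = ("c:/program files/", "c:/program files (x86)/")

# Tools the organisation has sanctioned (assumption for the example).
SANCTIONED = {"TeamViewer"}

# Constructed sample records: one managed install, one portable download,
# one renamed tunnelling binary, one benign system process, one portable tsh.
SAMPLE_RECORDS = [
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "OriginalFileName": "TeamViewer.exe", "User": r"CORP\helpdesk01"},
    {"Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "ngrok.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\ProgramData\t\tsh.exe",
     "OriginalFileName": "tsh.exe", "User": r"CORP\svc_backup"},
]


def audit_process(record):
    """Return a finding dict for a suspicious RMM execution, else None."""
    image = record["Image"]
    norm = image.replace("\\", "/").lower()
    basename = norm.rsplit("/", 1)[-1]
    original = record.get("OriginalFileName", "").lower()

    # Match on the compiled-in name first so renaming does not hide the tool.
    tool = RMM_ORIGINAL_NAMES.get(original) or RMM_ORIGINAL_NAMES.get(basename)
    if tool is None:
        return None

    reasons = []
    if tool not in SANCTIONED:
        reasons.append(f"{tool} is not a sanctioned remote-access tool")
    if not norm.startswith(MANAGED_ROOTS):
        reasons.append("running outside managed install roots (portable copy)")
    if original and original != basename:
        reasons.append(f"binary renamed: on disk as {basename}, built as {original}")
    if not reasons:
        return None
    return {"image": image, "tool": tool,
            "user": record.get("User", "?"), "reasons": reasons}


def audit(records):
    """Run audit_process over a batch of records and keep only findings."""
    return [f for f in (audit_process(r) for r in records) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(finding["user"], finding["image"], finding["tool"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Matching on OriginalFileName is what catches the third record: an `ngrok.exe` copied to Temp as `svchost.exe` would pass a name-only check, but the PE version resource still says what it is. Pair this with the allowlisting recommendation above so that a flagged portable copy is blocked, not just reported.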