
Foundever phishing page | Image: Silent Push
The threat landscape is in a constant state of flux, with cybercriminal groups continually adapting their techniques to evade detection and maximize their impact. A recent report by Silent Push delves into the evolving tactics of the Scattered Spider hacker collective, providing valuable insights into their activities in 2025.
Scattered Spider, known for its sophisticated social engineering attacks, has been active since at least 2022. The group has targeted a wide range of organizations, and Silent Push’s research confirms that they remain a persistent threat in 2025.
The report highlights that Scattered Spider continues to target major brands across various sectors. Some of the services and brands targeted by Scattered Spider in 2025 include:
- Services: Klaviyo, HubSpot, and Pure Storage
- Brands: Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone
Silent Push analysts have been tracking Scattered Spider’s infrastructure, tactics, techniques, and procedures (TTPs). The report emphasizes that changes observed in early 2025 suggest that Scattered Spider is updating its approach.
One notable development is the group’s shift in phishing kits. Silent Push researchers are tracking five unique Scattered Spider phishing kits, some of which have been in use since at least 2023 and have undergone several updates. However, the report indicates that “right now, it appears their legacy phishing kits are being deprecated,” signaling a move towards new methods.
Another significant finding is the identification of a new version of the Spectre RAT, a remote access Trojan used by Scattered Spider to gain persistent access to compromised systems.
The report also sheds light on Scattered Spider’s tactics regarding domain usage. In 2024, the group acquired a domain (twitter-okta[.]com) that was previously owned by Twitter/X. The purpose of this acquisition remains unclear, but it highlights the group’s interest in leveraging domains for their operations.
Scattered Spider is known for creating domains that impersonate a wide range of brands. This tactic involves directly targeting major organizations as well as impersonating software vendors used by those organizations.
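A defender can screen newly observed domains for the pattern described above, a protected brand name paired with a software vendor name, as in twitter-okta[.]com. The following is an added example, not code from Silent Push or the original article. The watchlists, the allowlist, and the `.example` sample domains are assumptions constructed for illustration.

```python
import re

# Assumed watchlists for illustration; populate with your own brands and vendors.
BRANDS = ("twitter", "nike", "tmobile", "vodafone")
VENDORS = ("okta", "klaviyo", "hubspot", "purestorage")
# Assumed allowlist of registrable domains the organisation actually controls.
OWNED = {"twitter.com", "nike.com", "t-mobile.com", "vodafone.com"}

def refang(domain: str) -> str:
    """Normalise a defanged indicator such as twitter-okta[.]com."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def classify(domain: str):
    """Return (verdict, brand, vendor) for a lookalike, or None if not flagged."""
    name = refang(domain)
    labels = name.split(".")
    if len(labels) < 2:
        return None
    # Naive registrable domain (last two labels); use the Public Suffix List in production.
    if ".".join(labels[-2:]) in OWNED:
        return None
    # Drop the TLD and separators so "t-mobile-okta" and "tmobileokta" match alike.
    squashed = re.sub(r"[^a-z0-9]", "", "".join(labels[:-1]))
    brand = next((b for b in BRANDS if b in squashed), None)
    vendor = next((v for v in VENDORS if v in squashed), None)
    if brand is None:
        return None
    return ("brand+vendor" if vendor else "brand-only", brand, vendor)

# Constructed sample feed; only twitter-okta[.]com comes from the article.
FEED = [
    "twitter-okta[.]com",
    "klaviyo-nike-login.example",
    "t-mobile-helpdesk.example",
    "support.nike.com",
    "weather-report.example",
]

def triage(feed):
    """Map each flagged domain in the feed to its classification."""
    return {refang(d): c for d in feed if (c := classify(d))}

if __name__ == "__main__":
    for domain, hit in triage(FEED).items():
        print(domain, hit)
```

Substring matching on short brand names will produce false positives, so treat a hit as a triage signal for review rather than a block decision.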
The Silent Push report provides valuable insights into the evolving threat posed by Scattered Spider. It emphasizes the group’s persistence, its adaptation of TTPs, and its continued focus on high-profile targets. Understanding these trends is crucial for organizations seeking to defend themselves against this sophisticated threat actor.