
The eCrime group known as SCATTERED SPIDER has recently extended its focus beyond insurance and retail to target U.S.-based airlines, according to a new report by CrowdStrike Services. The group’s highly adaptive and persistent approach, especially through voice phishing and cloud infrastructure compromise, has positioned them as one of the most formidable cybercriminal collectives in the threat landscape of 2025.
“SCATTERED SPIDER, an eCrime adversary, has recently broadened its target scope to include the aviation sector, in addition to its established focus on the insurance and retail industries,” CrowdStrike observed. Their activity throughout Q2 2025 spanned U.S.-based insurance and retail companies, with notable incursions into airline systems by late June.
This shift underscores the adversary’s ability to rapidly pivot sectors while using familiar tactics, techniques, and procedures (TTPs), such as social engineering and identity compromise.
In nearly all incidents, SCATTERED SPIDER employed voice-based phishing (vishing) to breach Microsoft Entra ID, SSO, and VDI environments. “SCATTERED SPIDER operators routinely accurately respond to help desk verification questions when impersonating legitimate employees,” highlighting their meticulous research into employee identities and internal processes.
Once inside, they move laterally with surgical precision—searching SaaS platforms for sensitive internal data like credentials, network diagrams, and VPN configurations.
A particularly advanced aspect of SCATTERED SPIDER’s TTPs involves targeting VMware vCenter environments. According to the report, they:
- Create unmanaged VMs to manipulate domain controller virtual disks
- Extract Active Directory databases using tools like ADExplorer, ADRecon.ps1, and PowerShell cmdlets
- Deploy tunneling tools such as Chisel, ngrok, and MobaXterm for covert communication
- Exfiltrate data via Amazon S3 using S3 Browser, activity that shows up in AWS CloudTrail as S3 API calls such as ListBuckets and ListObjects
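As an added illustration of the last point (not code from the CrowdStrike report), the following detection walks a set of constructed CloudTrail records and flags any principal that calls ListBuckets and then lists objects in several distinct buckets shortly afterwards, the enumeration pattern an S3 Browser session produces before exfiltration. The ARN, bucket names, IP addresses and user-agent strings are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real telemetry); only the fields the
# detection reads are present. Account id, ARNs, buckets and user agents are placeholders.
SAMPLE_RECORDS = [
    {"eventTime": "2025-06-20T02:14:03Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "S3Browser/constructed"},
    {"eventTime": "2025-06-20T02:14:41Z", "eventName": "ListObjects",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "S3Browser/constructed",
     "requestParameters": {"bucketName": "corp-network-diagrams"}},
    {"eventTime": "2025-06-20T02:15:09Z", "eventName": "ListObjects",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "S3Browser/constructed",
     "requestParameters": {"bucketName": "corp-vpn-configs"}},
    # Routine activity from another principal: one bucket, no preceding ListBuckets.
    {"eventTime": "2025-06-20T02:20:00Z", "eventName": "ListObjects",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"},
     "sourceIPAddress": "10.0.4.12", "userAgent": "aws-cli/constructed",
     "requestParameters": {"bucketName": "ci-artifacts"}},
]

def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_s3_enumeration(records, window=timedelta(minutes=15), min_buckets=2):
    """Return one alert per principal that issued ListBuckets and then listed objects
    in at least `min_buckets` distinct buckets within `window` of that call."""
    by_principal = defaultdict(list)
    for r in sorted(records, key=_ts):
        by_principal[r["userIdentity"]["arn"]].append(r)
    alerts = []
    for arn, events in by_principal.items():
        for i, e in enumerate(events):
            if e["eventName"] != "ListBuckets":
                continue
            start = _ts(e)
            buckets = {
                f["requestParameters"]["bucketName"]
                for f in events[i + 1:]
                if f["eventName"] in ("ListObjects", "ListObjectsV2")
                and _ts(f) - start <= window
            }
            if len(buckets) >= min_buckets:
                alerts.append({"principal": arn, "source_ip": e["sourceIPAddress"],
                               "user_agent": e["userAgent"], "buckets": sorted(buckets)})
                break  # one alert per principal is enough for triage
    return alerts
```

Tune `window` and `min_buckets` to the account's normal automation; a backup role that legitimately enumerates buckets should be allow-listed by ARN rather than by raising the thresholds.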
In one instance, “the adversary created a mail transport rule to redirect emails intended for a compromised user” to a googlemail[.]com address, enabling stealthy control and surveillance over the victim’s email communications.
SCATTERED SPIDER’s primary objective is ransomware deployment on VMware ESXi environments, but even if halted before that stage, the group demands ransom under the threat of public data leaks.
CrowdStrike’s assessment shows that this group:
- Launches simultaneous attacks across sectors
- Uses SIM swapping to bypass SMS-based MFA
- Relies on legitimate remote access tools like AnyDesk and TeamViewer
- Specifically targets privileged access management systems, cloud identity platforms, and backup infrastructure
SCATTERED SPIDER is a shape-shifting adversary that blends technical sophistication with social engineering acumen. Their dynamic targeting of airlines, retailers, and insurers makes them a pervasive threat to any organization with a cloud-based identity infrastructure or virtualized IT environment.
As CrowdStrike concludes, “SCATTERED SPIDER’s primary goal is deploying ransomware to a victim’s VMware ESXi infrastructure,” but their data theft, lateral movement, and phishing prowess make them a multi-pronged threat capable of massive disruption.
Organizations must take heed—especially those in aviation, retail, and insurance—and harden help desk procedures, enhance monitoring of SaaS platforms, and lock down VMware and cloud environments against infiltration.