
A new report from Mandiant, a Google Cloud company, sheds light on the renewed activity of UNC3944, a threat actor also publicly known as Scattered Spider. This financially motivated group has resurfaced in 2025 after a lull following law enforcement actions in 2024. Now, it’s linked to DragonForce ransomware and the previously dissolved RansomHub RaaS operation.
“UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims,” the report states.
UNC3944 began with SIM swap fraud targeting telecom companies, but shifted gears in 2023 toward ransomware and data extortion. The group's targeting now spans sectors including finance, hospitality, BPO, telecommunications, gaming, media and, notably, retail.
“Retail organizations accounted for 11 percent of DLS victims in 2025 thus far, up from about 8.5 percent in 2024,” Mandiant notes, highlighting the sector’s growing vulnerability.
Recent evidence ties UNC3944 to DragonForce ransomware, which claimed responsibility for recent attacks on UK retail organizations. This includes incidents widely reported in UK media, such as the Marks & Spencer breach.
“The operators of DragonForce ransomware recently claimed control of RansomHub, a ransomware-as-a-service (RaaS) that seemingly ceased operations in March of this year,” Mandiant reports.
Retailers store massive volumes of PII and financial data, and a successful ransomware attack can halt payment processing, making them more likely to pay. UNC3944 appears to favor sectors with:
- Large outsourced IT/help desk operations
- High-value transactional infrastructure
- Lax identity verification processes
“These companies may be more likely to pay a ransom demand if a ransomware attack impacts their ability to process financial transactions,” Mandiant notes.
UNC3944 is notorious for manipulating internal help desks and IT staff:
- Impersonating employees to reset MFA
- Launching MFA fatigue attacks
- Using Microsoft Teams to impersonate IT staff
- Deploying fake password reset portals and doxxing threats
Mandiant warns that this group’s social engineering prowess is highly refined, and organizations must rethink identity verification protocols.
“UNC3944 campaigns not only target end-users, but also IT and administrative personnel within enterprise environments,” Mandiant reports.
Mandiant urges organizations to enhance security across five pillars:
- Identity: Require on-camera identity verification for privileged accounts and ban SMS-based MFA.
- Endpoints: Enforce device compliance checks and monitor for rogue systems.
- Applications & Cloud: Harden VPNs, PAM systems, virtualization platforms, and isolate backup infrastructure.
- Network Infrastructure: Use segmentation, restrict egress, and block traffic to TOR and VPS ranges.
- Monitoring & Detection: Detect use of reconnaissance tools like ADRecon, monitor domain impersonation, and scrutinize new MFA registrations.
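The last pillar's advice to scrutinize new MFA registrations follows directly from the help-desk tactics described above: a successful impersonation typically ends with a password or MFA reset performed by support staff, followed minutes later by the attacker enrolling their own authenticator. The script below is an added illustration, not code from Mandiant or from the report, of one way to surface that sequence. It assumes a simplified, constructed audit-log format (timestamp, target user, activity name, actor, source IP) and constructed activity names such as "Reset user password" and "User registered security info"; the sample events are made up, and real identity-provider logs would need their own field mapping.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events (simplified schema; not real tenant data).
# Each line is one JSON record as an identity provider might emit it.
SAMPLE_LOG = """\
{"ts": "2025-05-06T09:00:00Z", "user": "alice", "activity": "Reset user password", "actor": "helpdesk-bob", "ip": "198.51.100.10"}
{"ts": "2025-05-06T09:12:00Z", "user": "alice", "activity": "User registered security info", "actor": "alice", "ip": "203.0.113.7", "method": "Authenticator App"}
{"ts": "2025-05-06T10:00:00Z", "user": "carol", "activity": "User registered security info", "actor": "carol", "ip": "198.51.100.22", "method": "Authenticator App"}
{"ts": "2025-05-05T13:00:00Z", "user": "dave", "activity": "Reset user password", "actor": "helpdesk-bob", "ip": "198.51.100.10"}
{"ts": "2025-05-06T09:30:00Z", "user": "dave", "activity": "User registered security info", "actor": "dave", "ip": "198.51.100.31", "method": "Authenticator App"}
"""

# Assumed activity names; map these to whatever your identity provider actually logs.
RESET_ACTIVITIES = {"Reset user password", "Admin deleted security info"}
REGISTER_ACTIVITIES = {"User registered security info"}


def parse_events(log_text):
    """Parse one JSON record per line into dicts with a real datetime in 'when'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # fromisoformat() does not accept a trailing 'Z' on older Pythons, so normalise it.
        rec["when"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["when"])


def find_suspicious_registrations(events, window_minutes=60):
    """Flag MFA registrations that follow a staff-initiated reset of the same account
    within window_minutes. Returns one alert dict per flagged registration."""
    window = timedelta(minutes=window_minutes)
    last_reset = {}  # user -> most recent reset event seen so far (events are time-ordered)
    alerts = []
    for ev in events:
        if ev["activity"] in RESET_ACTIVITIES:
            last_reset[ev["user"]] = ev
        elif ev["activity"] in REGISTER_ACTIVITIES:
            reset = last_reset.get(ev["user"])
            if reset is None:
                continue  # enrolment with no preceding reset: routine, not flagged here
            gap = ev["when"] - reset["when"]
            if gap <= window:
                alerts.append({
                    "user": ev["user"],
                    "reset_by": reset["actor"],
                    "reset_at": reset["ts"],
                    "registered_at": ev["ts"],
                    "minutes_after_reset": int(gap.total_seconds() // 60),
                    "registration_ip": ev["ip"],
                    # A new enrolment from a different address than the reset is worth a closer look.
                    "ip_differs_from_reset": ev["ip"] != reset["ip"],
                    "method": ev.get("method", "unknown"),
                })
    return alerts


def run_on_sample():
    return find_suspicious_registrations(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_on_sample():
        print(json.dumps(alert))
```

On the constructed sample only alice is flagged: her authenticator enrolment lands twelve minutes after a help-desk reset and from a different source address. carol enrolled with no reset on record and dave's reset was the previous day, so both fall outside the rule. In production the alert should feed a human review step that re-verifies the user through a channel the help desk did not control, which is the on-camera verification the Identity pillar calls for.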