Scattered Spider
Scattered Spider is a financially motivated cybercriminal threat actor active since at least May 2022. It is tracked under numerous aliases, including UNC3944, Octo Tempest, Muddled Libra, Scatter Swine, 0ktapus/Oktapus, Roasted 0ktapus, StarFraud, DEV-0971, LUCR-3, and STORM-0875. Public reporting describes it as a loosely affiliated, primarily English-speaking group, and some reports characterize its members as young individuals from Western countries.

The group is strongly associated with social-engineering-led intrusions: help-desk impersonation, voice phishing, SMS phishing, SIM swapping, MFA fatigue, and abuse of IT support processes to obtain credentials and bypass multi-factor authentication. Reporting links Scattered Spider to the 0ktapus campaign and to attacks involving fake Okta login pages, follow-up calls impersonating support staff, and targeting of technology companies, telecommunications providers, and cryptocurrency-linked organizations. The actor has also been reported to coerce victims using personal information and threats of physical harm.

After initial access, Scattered Spider is described as reviewing internal documentation and procedures, escalating privileges quickly, establishing persistence through VPN access and remote monitoring and management (RMM) tools, and moving laterally using tools such as Impacket over WMI. Reporting states that the group has searched compromised hosts for credential-storage documentation, retrieved browser histories with infostealer malware such as Raccoon Stealer, enumerated remote systems including VMware vCenter infrastructure, and used self-signed and stolen certificates, including certificates originally issued to NVIDIA and Global Software LLC. It has also been reported to exploit stolen Azure credentials, abuse a ForgeRock OpenAM vulnerability, use Bring Your Own Vulnerable Driver (BYOVD) techniques, deploy RattyRAT and the bedevil Linux rootkit, and modify mailbox rules to suppress security notifications.

Scattered Spider has conducted data theft, extortion, and ransomware operations. It initially monetized intrusions by selling access; by mid-2023 it had expanded into double-extortion campaigns using BlackCat/ALPHV ransomware, deployed on Windows and Linux systems and later on VMware ESXi. For exfiltration and staging it has used legitimate and commodity services, including Rclone, MEGA/MEGAsync, Dropbox, AWS S3, Backblaze, Gofile, Storj, transfer.sh, Temp.sh, shz.al, and Paste.ee, as well as residential proxy services such as NSOCKS and TrueSocks.

Reported targets span telecommunications, technology, cryptocurrency-related entities, hospitality, retail, media, entertainment, financial services, insurance, aviation, and SaaS/cloud environments. The actor is publicly linked to the 2022 Twilio compromise, targeting of Cloudflare employees, Reddit-related activity, and the 2023 Caesars Entertainment and MGM Resorts intrusions, with reporting noting that access to MGM reportedly came from a short help-desk call. It is also linked to major UK retail incidents affecting Marks & Spencer and to reporting around Harrods and Co-op, to warnings about campaigns against the airline industry, and to possible but unconfirmed connections with incidents affecting Louis Vuitton/LVMH and Qantas.

Reporting also notes analytical overlap or reported associations with ShinyHunters, LAPSUS$, and The Com, including 2025 reporting that refers to a merged or overlapping brand called "Scattered LAPSUS$ Hunters." However, reporting also indicates that Scattered Spider may be better understood as an umbrella cluster encompassing several related intrusion sets rather than a single tightly bounded group.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Consumer Services
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
38 distinct techniques observed across reporting, grouped by tactic (MITRE ATT&CK).
Associated malware families
29 malware families attributed to this actor across reporting.
24 additional families tracked in Mallory.
Associated vulnerabilities
15 CVEs this actor has used in observed campaigns. 15 of them exploited in the wild.
Scattered Spider has been linked to exploitation of ... legacy bugs like CVE-2015-2291 in Intel driver software to run code in kernel mode.
During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.
It has since been determined that hackers likely exploited known EBS vulnerabilities patched in July, likely along with a zero-day flaw tracked as CVE-2025-61882. The hacker groups ShinyHunters and Scattered Spider ... have published a proof-of-concept (PoC) exploit that appears to target CVE-2025-61882 ... according to Oracle, CVE-2025-61882 allows unauthenticated remote code execution. CrowdStrike has found evidence that exploitation of CVE-2025-61882 started on August 9.
This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
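The parent/child logic in this excerpt, as an added example that is not from the page or from the author of the cited detection: it runs over constructed Sysmon-style process-creation records, and the whitespace-padding heuristic that raises severity is an assumption added here rather than part of the quoted detection.

```python
import re

# Parent/child pairs the detection excerpt above looks for.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
SUSPICIOUS_PARENT = "explorer.exe"

# Heuristic added here (an assumption, not part of the quoted detection):
# a long run of whitespace inside the command line, which keeps the real
# arguments out of view in the shortcut's Properties dialog.
PAD_RUN = re.compile(r"[ \t\r\n\x0b\x0c]{20,}")

# Constructed Sysmon Event ID 1 style records, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe" + " \t" * 150 + "/c start notepad.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\alice\report.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return a finding for an explorer.exe -> cmd/powershell event, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent != SUSPICIOUS_PARENT or child not in SUSPICIOUS_CHILDREN:
        return None
    reasons = [f"{parent} spawned {child}"]
    if PAD_RUN.search(event.get("CommandLine", "")):
        reasons.append("command line contains a long whitespace run")
    # Padding raises severity; a plain explorer -> shell spawn (a user
    # opening a normal shortcut) is common enough to stay medium.
    return {"child": child,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons}

def scan(events):
    """Run the check over a batch of records and keep only the matches."""
    return [f for f in map(evaluate, events) if f]
```

Tune the threshold in PAD_RUN to the record source: ordinary shortcuts rarely carry more than a few consecutive spaces in their arguments, but legitimate tooling in your environment may differ.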
This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.
10 more CVEs tied to this actor tracked in Mallory.
Observables
68 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Highlighted as a notable English-speaking cybercriminal collective within the increasingly fragmented and diverse cybercrime ecosystem.
Conducted social-engineering-driven intrusions, including high-profile casino compromises, using help-desk calls to gain access.
A cybercriminal grouping linked to The Com, associated with major costly intrusions, especially against cloud and SaaS platforms used across the US economy and the broader Western world.
Financially motivated threat actor associated with social-engineering-led intrusions and ransomware operations affecting entertainment and hospitality environments.