Scattered Spider 2025 Update: The Social Engineering Threat That Won't Go Away

‍Introduction

Just like extreme heat coming back to Texas for summer, Scattered Spider is back in 2025. After a brief hiatus following FBI arrests in 2024, this financially motivated threat group has resurged with renewed sophistication, targeting UK retailers, US aerospace companies and airlines including Hawaiian Airlines and WestJet. Their return signals a dangerous evolution in social engineering tactics that security teams must understand and counter.

What Makes Scattered Spider Different

Scattered Spider  (also known as UNC3944, Scatter Swine, Starfraud, Muddled Libra, Oktapus along other names) distinguishes itself through three core capabilities that set the group apart from typical threat actors:

Native English proficiency combined with US/UK targeting. Scattered Spider members are native English speakers. Unlike many threat groups operating across language barriers, Scattered Spider's English fluency enables exceptionally convincing phishing campaigns and social engineering attacks tailored to American and British corporate cultures.

Specialized vertical targeting. They don't spray-and-pray across industries. Instead, they research specific verticals, understanding organizational structures, common IT practices, and help desk procedures to craft attacks that feel authentic to employees within those sectors.

Cloud infrastructure expertise. This group demonstrates deep knowledge of Google Cloud, Google Workspace, Azure, and AWS environments. They leverage living-off-the-land techniques to blend into legitimate IT operations, avoiding detection through operational security rather than technical evasion. Most group activities can be easily overlooked by SOC teams within the flood of low or informational alerts.  

The Evolution: SIM Swapping to Ransomware

Scattered Spider's attack methodology has evolved significantly since their initial attribution in 2022. They originally gained notoriety through SIM swapping attacks targeting individuals, bypassing GSM-based multi-factor authentication (MFA), and stealing money through direct financial fraud.

The shift came in 2023 when they pivoted to enterprise ransomware deployment, targeting large enterprise networks. Their most high-profile public successes were the Caesars Entertainment and MGM Resorts breaches, which demonstrated their ability to scale from individual financial crimes to enterprise-level extortion.

The group's current modus operandi focuses on initial access brokerage—either deploying ransomware directly or selling access to other ransomware-as-a-service operators. They've historically worked with AlphV/BlackCat ransomware groups and more recently with Ransom Hub, which recent intelligence suggests has been taken over by Dragon Force.

Current Attack Patterns and Tactics

Scattered Spider's attack chains typically follow these patterns:

Initial Access: Human-Centered Social Engineering

• Target large help desks and outsourced IT functions

• Leverage generative AI for personalized phishing campaigns

• Potentially utilize AI-driven voice cloning for phone-based attacks

• Focus on high-value enterprises where larger payouts are expected

Lateral Movement: Cloud-Native Techniques

• Exploit deep knowledge of cloud infrastructure components

• Use legitimate administrative tools and processes

• Operate within normal IT workflows to avoid detection

• Leverage living-off-the-land techniques across AWS, Azure, and Google Cloud

Persistence and Exfiltration

• Maintain access through legitimate cloud service configurations

• Avoid traditional malware signatures that trigger security tools

• Operate with the permissions and methods of legitimate IT technicians

Why They Disappeared (And Why They're Back)

The group's 2024 hiatus resulted from successful FBI operations that arrested several members. One was captured in the United States, another in Mallorca, and a third in the UK (who was a minor, limiting public disclosure). These arrests forced the remaining members to lay low and avoid activities that might draw additional law enforcement attention.

However, the group's return demonstrates several concerning realities:

• Unknown group size: We don't know how many members comprise Scattered Spider, meaning arrested individuals may represent only a fraction of the organization

• Operational security: Members with strong operational security practices avoided identification and arrest

• AI acceleration: The group appears to be leveraging AI tools to accelerate their work, enabling faster regrouping and campaign development

Detection and Response Challenges

Scattered Spider presents unique detection challenges for security operations teams:

Living-off-the-land techniques generate low-priority alerts. Their attacks often trigger only low or medium-priority security alerts that get overlooked amid high-priority incident noise. Security teams focused on critical alerts may miss the subtle indicators of Scattered Spider activity.

Cloud expertise enables detection evasion. Their deep understanding of cloud infrastructure allows them to operate within normal administrative boundaries, making their activities appear legitimate to automated security tools.

Social engineering bypasses technical controls. Traditional security measures like multi-factor authentication can be circumvented through convincing social engineering attacks against help desk personnel and IT staff.

Defensive Strategies and Recommendations

Organizations can implement several defensive measures to reduce their exposure to Scattered Spider attacks:

Strengthen Human Verification Processes

• Implement secondary verification methods beyond standard security questions

• Develop backup systems for verifying individual identity during IT support interactions

• Train help desk staff to recognize social engineering tactics specific to this threat group

• Establish protocols for high-risk account changes that require additional verification

Monitor for Subtle Indicators

• Prioritize investigation of low and medium-priority alerts that might indicate living-off-the-land techniques

• Implement continuous monitoring for MFA changes and device registrations

• Review authentication patterns for unusual geographic or device changes

• Validate unusual administrative actions even when they appear legitimate

Technical Controls and Monitoring

• Deploy comprehensive logging across cloud infrastructure components

• Implement user behavior analytics to detect subtle deviations from normal patterns

• Establish automated alerting for significant changes in user device registrations

• Regularly audit cloud service configurations and permissions

Fighting Scattered Spider with Command Zero

Security teams can leverage Command Zero's platform to identify potential Scattered Spider activity through several investigative approaches:

MFA and Device Registration Monitoring

• ^Hunt for recent MFA registration changes across user accounts

• Investigate new device registrations, particularly when they represent significant deviations from historical patterns

• Automate detection of users without configured MFA who might be targeted for initial access

Living-off-the-Land Detection

• Search for subtle indicators of legitimate tool misuse across cloud environments

• Investigate low-priority alerts that might indicate sophisticated attackers operating within normal parameters

• Correlate authentication events across multiple cloud platforms and identity providers

User Behavior Analysis

• Review historical authentication patterns to identify unusual access attempts

• Investigate specific user activity including login patterns, geographic anomalies, and device changes

• Analyze user risk profiles across integrated identity platforms like Entra ID and Okta

Command Zero’s ability to seamlessly pivot between different data sources and automate much of the investigative process enables security teams to identify sophisticated threats like Scattered Spider without requiring deep expertise in each individual technology component. All analyses above can be run autonomously, effectively augmenting your SOC team and making sure no case gets overlooked.

The Persistent Threat Reality

Scattered Spider represents more than a temporary criminal campaign—they embody the evolution of threat actors who understand that the human element remains the weakest link in organizational security. Their combination of social engineering expertise, cloud infrastructure knowledge, and financial motivation creates a persistent threat that will likely continue evolving.

The group's resurgence after law enforcement action demonstrates the resilience of well-organized threat actors. Organizations must assume that similar groups will continue targeting human elements of security, particularly around identity management and IT support functions.

Security teams should treat Scattered Spider not as a discrete threat to be solved, but as a representative example of the sophisticated social engineering attacks that define modern threat landscapes. Defensive strategies must account for attackers who understand both technical systems and human psychology, operating at the intersection where traditional security controls are weakest.

The most effective defense against Scattered Spider and similar threats requires comprehensive approaches that combine technical controls, human awareness, and investigative capabilities. Organizations that can detect subtle indicators, respond rapidly to low-priority alerts, and maintain strong human verification processes will be best positioned to counter these persistent, adaptive threats.

Book a demo today to see how Command Zero can help your team tackle Scattered Spider and reduce overall risk.