MaksymFilipchuk - stock.adobe.co

News

Scattered Spider tactics continue to evolve, warn cyber cops

CISA, the FBI, NCSC and others have clubbed together to update previous guidance on Scattered Spider's playbook, warning of new social engineering tactics and exploitation of legitimate tools, among other things

Alex Scroxton
By
Published: 30 Jul 2025 17:04

The Scattered Spider hacking collective is still hard at work refining its tactics and deploying new malware variants in the service of its damaging cyber attacks, according to the cyber security agencies of the US, Australia, Canada and the UK.

Scattered Spider surged back to prominence earlier in 2025, at first with a round of cyber attacks on UK retailers Marks & Spencer, Co-op Group and Harrods, prior to pivoting to targets in North America, hitting retailer, insurance firms and organisations operating in aviation. Latterly, the gang. Investigations into the gang continue in multiple jurisdictions and the British authorities have arrested a number of individuals who may be linked to the group.

Now, an updated advisory, issued through through the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the UK’s National Cyber Security Centre (NCSC) and cyber agencies in Australia and Canada, is warning of updated tactics, techniques and procedures (TTPs) observed through June 2025 by the FBI as it responded to multiple attacks on American targets.

“Scattered Spider threat actors typically engage in data theft for extortion and also use several ransomware variants, most recently deploying DragonForce ransomware alongside their usual TTPs,” the advisory reads.

“While some TTPs remain consistent, Scattered Spider threat actors often change TTPs to remain undetected.

“The authoring organisations encourage critical infrastructure organizations and commercial facilities to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Scattered Spider malicious activity.”

RattyRAT and other surprises

Historically, Scattered Spider attacks have started with broad phishing and smishing attempts originating from maliciously-crafted, victim-specific domains.

This continues to be the case, with some minor variants – new domains observed by the FBI of late have included targets name-cms[.]com, targets name-helpdesk[.]com, and oktalogin-targets name[.]com. Scattered Spider has frequently leveraged Okta’s branding in its attacks in the past (one of its other aliases is 0ktapus) and its unrequited love affair with the identity services specialist continues.

The current wave of attacks is also employing more targeted and multilayered spear phishing and vishing into its playbook, often incorporating legitimate b2b websites to gather information to enrich their attempts and make them seem more convincing.

Scattered Spider also now appears to be refining its social engineering nous, and has recently been observed posing as victim employees to convince IT or helpdesk staff to provide credential information, run rests, and transfer multifactor authentication (MFA) to devices they control.

Access established, Scattered Spider has also added a number of new legitimate remote access tunneling tools to its roster of technical expertise. In addition to the likes of Screenconnect and TeamViewer, it is now using AnyDesk to enable remote access to network devices and Teleport.sh and  to enable remote access to local systems.

The advisory further details a new Java-based remote access trojan dubbed RattyRAT, which Scattered Spider is using to establish persistent and stealthy access and perform internal recon activities within its victims’ infrastructure. The gang is also keeping a close lookout for signs that it has been detected, and besides monitoring internal applications such as Microsoft Teams and Slack, is now making its activity seem more convincing by creating new identities upheld by sock puppet social media profiles.

The advisory also notes the gang’s by now well-observed affiliation with DragonForce ransomware for data encryption and extortion, and is increasingly targeting VMware ESXi servers in this. When it exfiltrates data in its ransomware attacks – it now also appears to be seeking its victims’ Snowflake access in order to steal more data quicker – it uses multiple sites including MEGA and US-based datacentres including Amazon’s, and uses TOR, Tox, email, and encrypted applications to communicate with its victims.

The full updated advisory contains a wealth of additional information including MITRE ATT&CK tactics and techniques and mitigation advice.

It also calls on victims to report incidents to the authorities, subject to local legal requirements, and reiterates guidance not to pay ransoms for encrypted data.

Takeaways for security leaders

Nick Tausek, lead security automation architect at Swimlane, an AI security platform provider, said two major points stood out from the updated advisory.

“First, Scattered Spider’s ability to exfiltrate large amounts of data should raise a lot of red flags. Access to an organisation’s Snowflake allows the group to run thousands of queries immediately and simultaneously, often deploying Dragonforce malware to encrypt target organisations’ servers. The potential for vast amounts of stolen data explains why they’ve been successful across multiple industries, from insurance to transportation to retail,” he said.

“However, what might be even more disturbing is the diligence exhibited by the group. Entering incident remediation and response calls undetected in order to identify how security teams are adapting to their attacks is a clever strategy to remain ahead. Listening in on these calls gives them access to information like how they’re being hunted, and what adjustments security teams will make to prevent future attacks.

“Organisations should administer application controls that can prevent remote access authorisation, such as virtual private networks or virtual desktop interfaces. Additionally, organisations should severely limit the use of Remote Desktop Protocol (RDP), and implement recovery plans, such as offline backups of data, in the event that ransomware does breach their security defence,” said Tausek.

Timeline: Scattered Spider activity in 2025

  • 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
  • 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
  • 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
  • 29 April: An infamous hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
  • 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
  • 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
  • 1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
  • 2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
  • 7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
  • 13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • 14 May: Google’s threat intel analysts are aware of a number of in-progress cyber attacks against US retailers linked to the same gang that supposedly attacked M&S and Co-op in the UK.
  • 20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
  • 11 June: So-called Black Swan events expose the blind spots in even the most sophisticated forecasting models, signaling a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
  • 13 June: The recent spate of cyber attacks on UK retailers has to be a wake-up call to build more cyber resilience into digital supply chains and fortify against social engineering attacks.
  • 17 June: Following a series of high-profile attacks on prominent retailers and consumer brands, a group of criminal hackers appears to be expanding their targeting to the insurance sector.
  • 20 June: The UK’s Cyber Monitoring Centre has published its first in-depth assessment of a major incident, reflecting on the impact of and lessons learned from cyber attacks on M&S and Co-op.
  • 27 June: Multiple reports are emerging of cyber attacks on airlines – Google Cloud’s Mandiant believes them to be linked.
  • 2 July: Australian flag carrier Qantas is investigating significant data theft of personal information for up to 6 million customers after a third-party platform used by its call centre was compromised.
  • 2 July: A developing cyber attack at Australian airline Qantas that started at a third-party call centre is already being tentatively attributed to the same gang that hit UK retailers. Find out more and learn about the next steps for those affected.
  • 8 July: The government should extend ransomware reporting mandates to businesses to help gather more intelligence and better support victims, says M&S chairman Archie Norman.
  • 9 July: Australian flag carrier begins notifying millions of individuals after a cyber attack on a call centre, confirming that while financial and passport details are safe, a significant volume of other personal information was compromised.
  • 10 July: Police have made four arrests in connection with a trio of cyber attacks on UK retailers Marks & Spencer, Co-op and Harrods.
  • 14 July: French luxury goods retailer LVMH has disclosed multiple cyber attacks in 2025 so far, and their impact is now spreading to the UK as a new incident affecting Louis Vuitton comes to light.
  • 16 July: Microsoft warns users over notable evolutions in Scattered Spider's attack playbook, and beefs up some of the defensive capabilities it offers to customers in response.
  • 16 July: Co-op chief executive Shirine Khoury-Haq has revealed that all the personal data of all 6.5 million of its members was compromised in the April 2025 cyber attack on its systems.
  • 24 July: Cleaning products manufacturer Clorox fell victim to a Scattered Spider social engineering attack two years ago – it blames its IT helpdesk provider, Cognizant.

Read more on Hackers and cybercrime prevention