THREAT ACTOR

Scattered Spider

7.6
THREAT LEVEL
EMERGENCE DATE
May 2022
CATEGORY
Selective Affiliate Model
Infrastructure Service Provider
AFFILIATIONS

RansomHub, ShinyHunters, suspected connections to Lapsus$, Cicada3301

Description

Scattered Spider emerged in May 2022 as an evolution of "The Community" network and is one of the most capable English-speaking threat organizations currently operating. The group combines social engineering capabilities with cloud exploitation expertise, demonstrating operational adaptability and resilience against law enforcement disruption.

Operating through a decentralized franchise model rather than a traditional hierarchical structure, the group maintains strategic partnerships with ransomware groups including RansomHub, and has possible ties to Cicada 3301. Scattered Spider also deploys multiple ransomware variants, including DragonForce, Qilin, and Akira.

CRITICALITY
Assesses the importance of the potential target, including its size and scale, the value of its data, and the operational impact of compromise.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group’s behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Selective Ransomware-as-a-Service, Infrastructure Service Provider

Scattered Spider operates as a decentralized franchise model comprising core leadership estimated at 4 primary strategic operators with 20-30 specialized affiliates and access to over 1,000 members from "The Com" network. The group maintains a favorable 90% revenue share with RansomHub, significantly higher than traditional splits. Geographic attribution indicates US, UK, Canada/Europe. The group has confirmed collaboration with ShinyHunters in the "Scattered LAPSUS$ Hunters" alliance.

Current Status: Actively operational with expanding sector targeting and geographic reach as of August 2025

Threat Level:
7.6

Origins and Methodology

Distinguished by social engineering capabilities enabling consistent bypass of technical controls through human exploitation, the group pioneered BPO supply chain exploitation and lightning-fast encryption capabilities, achieving full environment compromise within hours due to extensive reconnaissance. Their operational security practices include enhanced proxy networks, rotating infrastructure, and MFA bypass techniques that set them apart from traditional operations.

What separates the group from other threat actors is its "tech startup" franchise model with distributed operational security, which prevents single points of failure. The organization combines custom malware development with cross-platform expertise and cloud specialization, utilizing 367+ distinct remote monitoring tools including Fleetdeck, Atera, and AnyDesk. Its move from commodity tools to custom malware, including Spectre RAT, shows continuous development.

What is the Evolution of Scattered Spider Ransomware?
1. Formation

Scattered Spider emerged as an evolution from the broader network "The Community" (The Com) in May 2022. The group formed from over 1,000 English-speaking actors primarily based in the United States, United Kingdom, and Canada, representing a natural progression from the established ecosystem.

2. Evolution

Initial operations during 2022-2023 focused on telecommunications and business process outsourcing targeting, establishing the group's reputation for rapid execution and high success rates. Around 2023, the group expanded operations through strategic partnerships with ALPHV/BlackCat and demonstrated enhanced operational security practices. Current operations since 2024 have shown resilience, with continued high-tempo attacks following the November 2024 arrest of 5 core members.

The group's technical evolution includes continuous refinement of tactics, transitioning from commodity tools to custom malware development, including Spectre RAT with a C++ implementation and fileless capabilities. Enhanced operational security measures include infrastructure rotation and temporary reductions in activity after arrests, and AI integration for voice cloning and social engineering is predicted.

3. Lineage/Connections

Scattered Spider maintains connections to Lapsus$ hacking group through shared tactics, techniques, and procedures, as well as operational timing and infrastructure sharing patterns. The group has confirmed technical connections through code reuse and operational methodologies. Strong collaboration exists with ShinyHunters through the documented "Scattered LAPSUS$ Hunters" alliance, while suspected connections to other major operations continue under investigation.

Which Unique Techniques Does Scattered Spider Use?

Employing a multi-vector attack methodology focusing on social engineering as the primary attack vector, the group combines advanced technical capabilities for rapid environment compromise. The attack chain typically involves phishing campaigns, vishing operations targeting IT helpdesks, and BPO supply chain exploitation to achieve initial access.

TECHNIQUE

DETAILS

Infection Vectors

Primary infection methods include spearphishing attachments leveraging supply chain partners and executives (T1566.001), spearphishing links through spoofed domains with -partners, -vip, -sso variations (T1566.002), and advanced vishing campaigns impersonating IT helpdesk personnel and executives (T1566.004). The group exploits CVE-2015-2291 (Intel Ethernet driver), CVE-2021-35464 (ForgeRock AM Server), and CVE-2025-6554 (Google Chromium V8).

Target Selection

Geographic targeting focuses on United States (45%), United Kingdom (25%), Canada (10%), and Australia (10%) with concentrated activity across technology, financial services, retail, aviation, and healthcare sectors. The group demonstrates preference for organizations with revenues above $500 million representing optimal payment capabilities.

Operational Complexity

The group demonstrates exceptional technical advancement through custom malware development, cross-platform expertise, and cloud specialization. Advanced capabilities include AiTM proxies, custom session token harvesting, and BYOVD techniques using signed vulnerable drivers to disable EDR solutions.

Key Features & Technical Details

Scattered Spider employs multiple ransomware variants through affiliate partnerships, utilizing intricate encryption methodologies and rapid deployment capabilities.

FEATURE

DETAILS

Encryption Method

Multiple variants including DragonForce (AES-256), Qilin, Akira, and Play ransomware with per-victim asymmetric (RSA/ECC) key wrapping

File Extension

Varies by affiliate (.dragonforce, .qilin, .akira, .play)

Ransom Note

Customized per ransomware variant with regulatory notification threats

Double Extortion

Systematic data exfiltration to MEGA NZ, Amazon S3, and Google Drive prior to encryption

Communication Channels

Dynamic DNS with rapid rotation, Cloudflare-routed traffic, trycloudflare subdomain communications

Deployment Speed

Lightning-fast encryption within hours due to extensive reconnaissance and preparation

Payment Method

Bitcoin (primary), Monero, with mixing services for anonymization

Operational Model

Decentralized franchise model with RansomHub partnership (90% affiliate revenue share)

Activities

Scattered Spider maintains continuous high-tempo operations with accelerating attack volume: 11 major incidents in Q2 2025 represent a significant operational acceleration.

Which Industries Are Most Vulnerable to Scattered Spider?

Primary targeting includes technology and IT services, with a focus on managed service providers; financial services, including insurance companies and financial institutions; and retail and commercial sectors, hit through coordinated campaigns during peak operational periods. Secondary targeting encompasses aviation and transportation, with expansion across multiple international carriers, and healthcare and critical infrastructure, selected for operational disruption potential.


Modus Operandi

The operation employs a comprehensive attack methodology leveraging advanced social engineering, technical capabilities, and rapid execution to achieve environment compromise and ransomware deployment.

Initial Access: Details

Spearphishing Attachment (T1566.001): Elaborate phishing campaigns targeting supply chain partners and executives with malicious attachments. Spearphishing Link (T1566.002): Social engineering via spoofed domains utilizing -partners, -vip, -country abbreviation-, and other variations including duplicate levels in country abbreviations.

Spearphishing Voice (T1566.004): Phone calls posing as Help Desk targeting supply chain partners, executives, and IT/Security Staff for credential harvesting and MFA registration of threat actor devices.

Discovery: Details

Remote System Discovery (T1018): Network reconnaissance utilizing Nmap and Angry IP Scanner for comprehensive environment mapping. Domain Account Discovery (T1087.002): ADRecon and Rubeus deployment for Active Directory enumeration and privilege identification. System Information Discovery: Use of wmic to identify hosts with endpoint protection and their security configurations.

Command and Control: Details

Deployment of 367+ distinct remote monitoring tools including Fleetdeck, Atera, AnyDesk, Ngrok, and Remcos for persistent environment control. Protocol Tunneling (T1572) using Chisel, ngrok, Pinggy with trycloudflare subdomain communications for command and control infrastructure.

Defense Evasion: Details

Disable or Modify Tools (T1562.001): BYOVD techniques using signed vulnerable drivers to disable EDR solutions and deploy various EDR killers. System Binary Proxy Execution (T1218): Abuse of legitimate system binaries for malicious execution. Obfuscated Files or Information (T1027): XOR/Base64 obfuscation in C2 communications and InTune Base64 jobs to deploy tools and ransomware.

Impersonation: Use of stolen EDR credentials from similar vendors to connect over VPN, then uninstall security tools, while monitoring for other console connections and enforcing status checks to avoid detection.

Credential Access: Details

LSASS Memory (T1003.001): Mimikatz deployment and Lsass dump for credential extraction from memory. NTDS (T1003.003): Complete Active Directory credential database theft via NTDS.dit extraction and offline cracking for comprehensive environment access.

Unsecured Credentials (T1552): Keyword searches for "password," "token," "passwd" across network shares, SharePoint, and email systems.

Command and Control Infrastructure: Details

Dynamic DNS infrastructure with rapid rotation patterns and Cloudflare-routed traffic to obscure server locations. C2 domains following patterns including {target}-sso[.]com, {target}-helpdesk[.]com, and oktalogin-{targetcompany}[.]com for impersonation.

Lateral Movement: Details

Remote Desktop Protocol (T1021.001): RDP connections to domain controllers using stolen credentials for privileged access and administrative control. SSH (T1021.004): SSH sessions to web servers enabling cross-platform lateral movement capabilities across diverse infrastructure.

Collection and Exfiltration: Details

Exfiltration to Cloud Storage (T1567.002): Systematic data transfer to MEGA NZ, Amazon S3, and Google Drive for double extortion. Data from Local System (T1005): IT documentation (to enable reinfection), financial and regulated data, emails, databases, and SaaS application data.

Exfiltration Over C2 Channel (T1041): Custom ETL mechanisms for data exfiltration through established command and control infrastructure.

Persistence: Details

Cloud Account (T1136.003): Registration of attacker-controlled MFA devices and OAuth applications for persistent cloud access. Cloud Accounts (T1078.004): Abuse of compromised cloud service accounts and SSO accounts for maintaining long-term access.

Valid Accounts (T1078): Use of on-premises and cloud service accounts for seamless environment persistence.

Financial and Operational Impact: Details

Individual incidents result in $100-400 million economic damage including operational losses and market value impact. Lightning-fast encryption within hours due to extensive reconnaissance and preparation enables complete operational disruption.

Recovery Complexity: Downtime spans hours to weeks depending on encryption scope, backup availability, and cloud tenant access restoration.

Encryption and Impact: Details

Data Encrypted for Impact (T1486): Deployment of DragonForce, Qilin, Akira, and Play ransomware variants with AES-256 encryption and asymmetric key wrapping. Service Stop (T1489): Volume shadow copy deletion (VSS) and VMware ESXi targeting for maximum operational disruption and recovery prevention.

Multiple Ransomware Deployment: Known to deploy multiple ransomware families in the same environment for redundancy.

Extortion: Details

Ransom demands ranging $15-100 million per incident based on target organization size with regulatory notification threats to increase payment pressure.

Escalation Strategy: If not paid for data exfiltration, the group escalates to encrypting ransomware deployment.

High compliance rates achieved through operational disruption pressure, data exposure threats, and cloud tenant lockouts.

Anti-Forensics: Details

Enhanced anti-forensics activities including log deletion, registry modification, and evidence removal to impede incident response and forensic analysis capabilities. Account Lockout: Locking victims out of their cloud service provider tenants to force payment and prevent recovery efforts.

Indicators of Compromise (IOCs)

IOCs span multiple categories including file hashes, network indicators, and behavioral patterns enabling detection and response capabilities.

INDICATOR

DETAILS

File Hashes

SHA256: 1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b for DragonForce ransomware payload
SHA1: e164bbaf848fa5d46fa42f62402a1c55330ef562 for Spectre RAT C++ implementation
MD5: d54bae930b038950c2947f5397c13f84 for Winupdate.exe Go-based tool

IP Addresses

Dynamic IP ranges with rapid rotation patterns obscuring C2 infrastructure
Cloudflare-routed traffic masking true server locations

Domains/URLs

{target}-sso[.]com (impersonation domain pattern)
{target}-helpdesk[.]com (social engineering domain pattern)
oktalogin-{targetcompany}[.]com (authentication impersonation)
trycloudflare[.]com (protocol tunneling communications)

File Paths

C:\Users\Public\Documents\ (custom tool deployment location)
C:\Windows\system32\ (system directory infiltration)

File Extensions

.dragonforce (DragonForce ransomware extension)
.qilin (Qilin ransomware extension)
.akira (Akira ransomware extension)
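As an added example (not part of the original profile), the following Python scans DNS query logs for the impersonation-domain patterns listed above ({target}-sso, {target}-helpdesk, oktalogin-{target}, trycloudflare tunnel subdomains), generalized to the -partners and -vip variants named earlier in the profile and to any top-level domain. The organization name, the log line format, the sample log lines and the allowlist are all assumptions constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample DNS query log (not from the page): "<timestamp> <client-ip> <qname>"
SAMPLE_DNS_LOG = """\
2025-08-01T09:12:01Z 10.0.4.21 login.microsoftonline.com
2025-08-01T09:12:07Z 10.0.4.21 examplecorp-sso.com
2025-08-01T09:13:44Z 10.0.7.9 examplecorp-helpdesk.com
2025-08-01T09:14:02Z 10.0.7.9 oktalogin-examplecorp.com
2025-08-01T09:15:30Z 10.0.2.3 quiet-river-1234.trycloudflare.com
2025-08-01T09:16:11Z 10.0.2.3 examplecorp.okta.com
2025-08-01T09:17:45Z 10.0.5.5 examplecorp-vip.net
"""


def build_rules(org: str) -> List[Tuple[str, re.Pattern]]:
    """Build (rule name, regex) pairs for one organization's name (assumed known)."""
    o = re.escape(org.lower())
    return [
        # {target}-sso / -helpdesk / -partners / -vip under any TLD
        ("target-suffix-impersonation",
         re.compile(rf"^{o}-(sso|helpdesk|partners|vip)\.[a-z]{{2,}}$")),
        # oktalogin-{target} under any TLD
        ("oktalogin-impersonation", re.compile(rf"^oktalogin-{o}\.[a-z]{{2,}}$")),
        # any subdomain of trycloudflare.com (protocol tunneling endpoint)
        ("trycloudflare-tunnel", re.compile(r"^[a-z0-9-]+\.trycloudflare\.com$")),
    ]


def scan_dns_log(log_text: str, org: str, allowlist: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return one hit per log line whose queried name matches a rule.

    Names in the allowlist (e.g. the organization's legitimate SSO domain)
    are skipped so known-good lookups do not page the on-call analyst.
    """
    rules = build_rules(org)
    allowed = {a.lower().rstrip(".") for a in allowlist}
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # malformed line: skip rather than crash
            continue
        ts, client, qname = parts
        qname = qname.lower().rstrip(".")   # normalize case and trailing dot
        if qname in allowed:
            continue
        for name, pattern in rules:
            if pattern.match(qname):
                hits.append({"time": ts, "client": client, "qname": qname, "rule": name})
                break                 # one rule per line is enough for alerting
    return hits
```

The legitimate examplecorp.okta.com lookup is not flagged because the rules require a hyphen directly after the organization name or the oktalogin- prefix, which is the distinguishing feature of the spoofed domains.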

Exploits and Vulnerabilities


CVE | CVSS | DESCRIPTION

CVE-2015-2291 (Intel Ethernet Diagnostics Driver) | 7.2 | Local privilege escalation in iqvw64.sys through crafted IOCTL calls (0x80862013, 0x8086200B) for BYOVD exploitation

CVE-2021-35464 (ForgeRock AM Server) | 9.8 | Java deserialization vulnerability enabling remote code execution via crafted /ccversion/* requests targeting jato.pageSession

Additional Attack Vectors: Microsoft LAPS manipulation for privileged access, RDP misconfigurations enabling unauthorized access, SSH exploitation for cross-platform lateral movement, and VMware ESXi targeting for maximum operational disruption. The group leverages BPO credential weaknesses through social engineering attacks, MFA fatigue exploitation targeting legitimate remote access, and OAuth application abuse for persistent cloud access.