Scattered Spider Cybercrime Group: New Tactics, Tools, and How to Defend Against Them



The Federal Bureau of Investigation (FBI), in collaboration with CISA and multiple international cyber agencies, has issued an updated advisory on the notorious cybercriminal group Scattered Spider. This latest report, dated July 29, 2025, highlights the group’s evolving tactics, techniques, and procedures (TTPs) and provides fresh insights into their malware arsenal, social engineering methods, and advanced persistence techniques.


Who is Scattered Spider?

Also known as UNC3944, Octo Tempest, and Muddled Libra, Scattered Spider is a financially motivated group that primarily targets large companies and their contracted IT help desks. Their attacks are driven by data theft, extortion, and, increasingly, ransomware deployment. Recently, they have added DragonForce ransomware to their toolkit, intensifying both the operational disruption and financial impact on victims.

Evolving Attack Methods

The group is well-known for social engineering tactics, particularly impersonating IT staff via phone, SMS, and email to obtain credentials, reset passwords, or capture multi-factor authentication (MFA) codes. They employ SIM swap attacks, MFA fatigue (push bombing), and spearphishing voice calls to breach accounts. Once inside, they deploy legitimate remote access tools—such as AnyDesk, TeamViewer, and Ngrok—to evade detection and maintain control.


The updated advisory reveals a shift toward multi-layered spearphishing campaigns, meticulous reconnaissance, and the use of personal data harvested from social media, open-source intelligence, and dark web marketplaces. This intelligence is then used to manipulate helpdesk staff and facilitate account takeovers in Single Sign-On (SSO) environments.


Malware and Tools

Scattered Spider leverages a blend of legitimate software and malicious payloads. New additions include RattyRAT for stealth remote access and the VIDAR and Raccoon Stealer info-stealers for capturing credentials, browser data, and cookies. For large-scale data theft, they often exploit Snowflake access, executing thousands of queries to exfiltrate massive datasets rapidly.


Persistence and Privilege Escalation

Once access is secured, the group frequently registers its own MFA tokens, creates new user identities, and manipulates cloud identity providers to maintain a foothold. They also engage in lateral movement across networks, targeting backups, Active Directory, and cloud infrastructure before staging data for exfiltration to platforms like MEGA and Amazon S3.


Mitigation Recommendations

The FBI and partner agencies strongly urge organizations to implement the following countermeasures:

  • Enforce phishing-resistant MFA such as FIDO2/WebAuthn to prevent SIM swap and push bombing attacks.

  • Audit and allowlist remote access tools to block unauthorized software execution.

  • Segment networks to limit lateral movement and reduce ransomware spread.

  • Maintain offline, encrypted backups tested regularly for integrity and restorability.

  • Apply timely patches to eliminate known exploited vulnerabilities.

  • Enhance monitoring for risky logins, abnormal account activity, and unauthorized use of cloud resources.
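The last two recommendations above (hardening MFA and monitoring for abnormal account activity) map directly onto two signals described earlier in the post: a burst of MFA push prompts to one user (push bombing) and a new MFA factor being enrolled shortly after a helpdesk-initiated password reset (the attacker registering their own token). The script below is an added example, not part of the advisory or OSRS material, that runs both checks over a handful of constructed identity-provider audit events. The JSON field names (`ts`, `user`, `event`, `factor`, `actor`), the event names, and the thresholds are assumptions chosen for illustration, not any vendor's real schema.

```python
"""Detect two identity signals associated with helpdesk social engineering:
  1. Push bombing: many MFA push prompts to one user inside a short window.
  2. Foothold enrollment: a new MFA factor registered soon after a
     helpdesk password reset for the same user.
Event shape and thresholds are assumptions for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_THRESHOLD = 5                  # prompts per window that trigger an alert (assumed)
PUSH_WINDOW = timedelta(minutes=10)  # sliding window for push prompts (assumed)
ENROLL_WINDOW = timedelta(hours=2)   # reset-to-enrollment gap worth flagging (assumed)

# Constructed sample audit log, one JSON event per line (not real telemetry).
SAMPLE_LOG = """\
{"ts":"2025-08-01T09:00:05Z","user":"alice","event":"mfa.push.sent","src":"203.0.113.10"}
{"ts":"2025-08-01T09:01:10Z","user":"alice","event":"mfa.push.sent","src":"203.0.113.10"}
{"ts":"2025-08-01T09:02:15Z","user":"alice","event":"mfa.push.sent","src":"203.0.113.10"}
{"ts":"2025-08-01T09:03:20Z","user":"alice","event":"mfa.push.sent","src":"203.0.113.10"}
{"ts":"2025-08-01T09:04:25Z","user":"alice","event":"mfa.push.sent","src":"203.0.113.10"}
{"ts":"2025-08-01T09:05:30Z","user":"alice","event":"mfa.push.sent","src":"203.0.113.10"}
{"ts":"2025-08-01T09:05:45Z","user":"alice","event":"mfa.push.approved","src":"203.0.113.10"}
{"ts":"2025-08-01T09:10:00Z","user":"bob","event":"mfa.push.sent","src":"198.51.100.7"}
{"ts":"2025-08-01T09:10:20Z","user":"bob","event":"mfa.push.approved","src":"198.51.100.7"}
{"ts":"2025-08-01T10:00:00Z","user":"carol","event":"helpdesk.password.reset","actor":"helpdesk-01"}
{"ts":"2025-08-01T10:45:00Z","user":"carol","event":"mfa.factor.enrolled","factor":"sms","src":"203.0.113.55"}
{"ts":"2025-08-01T11:00:00Z","user":"dave","event":"mfa.factor.enrolled","factor":"fido2","src":"192.0.2.8"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def _max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any span of `window`."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_push_bombing(events, threshold=PUSH_THRESHOLD, window=PUSH_WINDOW):
    """Return [(user, max_prompts_in_window)] for users at or above the threshold."""
    prompts = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.push.sent":
            prompts[e["user"]].append(e["ts"])
    alerts = []
    for user, times in sorted(prompts.items()):
        count = _max_in_window(times, window)
        if count >= threshold:
            alerts.append((user, count))
    return alerts


def detect_reset_then_enroll(events, window=ENROLL_WINDOW):
    """Return [(user, factor)] where an MFA factor was enrolled within `window`
    after a helpdesk password reset for the same user."""
    resets = defaultdict(list)
    for e in events:
        if e["event"] == "helpdesk.password.reset":
            resets[e["user"]].append(e["ts"])
    alerts = []
    for e in events:
        if e["event"] != "mfa.factor.enrolled":
            continue
        for reset_ts in resets.get(e["user"], []):
            if timedelta(0) <= e["ts"] - reset_ts <= window:
                alerts.append((e["user"], e.get("factor", "unknown")))
                break
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Run both detectors over a log and return their findings together."""
    events = parse_events(text)
    return {
        "push_bombing": detect_push_bombing(events),
        "reset_then_enroll": detect_reset_then_enroll(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

In the sample, `alice` receives six prompts in under ten minutes and then approves one, which is the fatigue pattern; `carol` has an SMS factor added 45 minutes after a helpdesk reset, which is the foothold pattern; `bob` and `dave` are normal and produce no alerts. In production the same logic would run against the identity provider's audit stream with thresholds tuned to the organization's baseline, and a `reset_then_enroll` hit should be cross-checked against the helpdesk ticket that justified the reset.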


How OSRS Can Help Organizations Mitigate Social Engineering Risks

OGUN Security Research and Strategic Consulting (OSRS) offers specialized training programs to help organizations reduce the risk of social engineering attacks from advanced adversaries like Scattered Spider. These programs include:

  • Targeted Social Engineering Awareness Workshops – Teaching employees and helpdesk staff to recognize and respond to phishing, vishing, smishing, and MFA fatigue attempts.

  • Role-Specific Training for IT and Helpdesk Teams – Equipping front-line technical staff with verification protocols to prevent credential theft and unauthorized password resets.

  • Simulated Attack Exercises – Running realistic social engineering simulations to test and reinforce employee readiness in high-pressure scenarios.

  • Incident Response Readiness Drills – Ensuring staff can quickly escalate suspicious activities and follow established containment procedures.

  • Executive Briefings – Informing leadership on emerging social engineering threats and strategic countermeasures for organizational resilience.


Through a combination of awareness, skill-building, and realistic practice, OSRS enables organizations to create a security-conscious workforce that can recognize and resist even the most sophisticated manipulation attempts.


Bottom Line: Scattered Spider is not just another cybercrime group—it is a sophisticated, adaptive adversary blending technical skill with human manipulation. The latest advisory makes it clear: organizations must harden identity controls, lock down remote access, and strengthen user verification processes to avoid becoming the next victim. Partnering with OSRS ensures that your workforce is trained, vigilant, and prepared to counter these evolving threats.


------

About the Author

Dr. Sunday Oludare Ogunlana is a cybersecurity professor and founder of OGUN Security Research and Strategic Consulting, specializing in cyber threat intelligence, AI governance, cloud security, and tailored training programs to help organizations defend against evolving cyber threats.
