Scattered Spider is a decentralized group of threat actors that poses a persistent challenge to large enterprise environments. Active since 2022, the group is composed of loosely affiliated individuals who coordinate in real time, often relying on social engineering and living off the land (LOTL) techniques to evade detection and maintain access. Their access has enabled data theft, extortion, and deployments of ransomware variants through affiliations with ransomware-as-a-service (RaaS) groups.

Scattered Spider gained widespread attention in 2023 following high-profile intrusions against MGM Resorts, Caesars Entertainment, and other major enterprises. These cases highlighted the group’s ability to bypass traditional defenses through direct engagement with users and abuse of legitimate tools. At this time, Scattered Spider was linked to the deployment of BlackCat (also known as ALPHV) ransomware, likely operating in an affiliate capacity prior to a law enforcement operation takedown in late 2023.

In 2024, law enforcement activity targeting Scattered Spider led to multiple arrests, including U.S.-based member Noah Urban. In April 2025, Urban pleaded guilty to charges related to SIM-swapping and credential theft that enabled access to corporate systems and cryptocurrency exchanges. Operating under aliases such as “Sosa,” “Elijah,” and “King Bob,” Urban admitted to working with the group from 2022 through early 2023. He was ordered to pay over $13 million in restitution to more than 30 victims.

While these arrests may have contributed to a temporary lull in Scattered Spider's activity, the group returned in early 2025 with renewed operations and evolving partnerships. Initially focused on UK-based retail organizations, Scattered Spider has since shifted toward targeting retail and e-commerce entities in the United States. Their resurgence has coincided with an affiliation with DragonForce, a RaaS group that rebranded in March 2025 as a cartel-style operation.

Key Highlights

Ransomware Affiliations: Scattered Spider has been observed deploying multiple ransomware variants, likely through affiliate partnerships. In 2024, the group was frequently associated with RansomHub and Qilin ransomware. Throughout 2025, the group shifted and started deploying DragonForce.

MOXFIVE has supported incidents involving Scattered Spider and each of these affiliated ransomware groups. Additional context is available in the linked MOXFIVE Threat Actor Spotlights:

• RansomHub - A highly active RaaS group known for its low-fee commission model and aggressive extortion tactics. The RansomHub leak site has been offline since April 2025, disrupting operations during a period of high activity.
• Qilin - Also known as Agenda, Qilin is a RaaS group active since 2022 that offers highly customizable payloads tailored for both Windows and Linux environments.
  
• DragonForce - Initially a traditional RaaS, DragonForce transitioned in 2025 to a cartel-style model that allows affiliates to launch fully branded attacks using shared infrastructure.

Targeting Trends in 2025: Scattered Spider’s 2025 activity has centered on high-revenue, consumer-facing organizations where operational disruptions are likely to lead to ransom payments. Initial targets included UK-based retailers, followed by a shift toward similar entities in the U.S., particularly e-commerce businesses.

Tactics, Techniques, and Procedures (TTPs): Scattered Spider’s operations in 2025 continue to demonstrate a combination of sophisticated social engineering and advanced post-exploitation capability. The group consistently bypasses technical controls through direct user engagement and the abuse of legitimate access pathways. Known for living off the land techniques, Scattered Spider often maintains prolonged access within enterprise environments without triggering conventional detection mechanisms.

Living off the Land Techniques: Scattered Spider demonstrates extensive use of LOTL tactics to evade detection and maintain persistent access. These techniques rely on legitimate administrative tools and cloud-native features already present in the environment, reducing reliance on external malware. The group has been observed using remote tunneling utilities to maintain access, overprivileged cloud applications to escalate privileges and deploy infrastructure, and virtualization platforms to extract sensitive data. Common tools include PowerShell, Windows Management Instrumentation (WMI), Scheduled Tasks, and RVTools, all used to conduct reconnaissance, move laterally, and stage data for exfiltration.

‍IT Help Desk Impersonation: One of Scattered Spider’s more recent methods for gaining initial access involves impersonating internal IT help desk personnel to build trust with employees. Victims are contacted through voice calls or messaging platforms such as Microsoft Teams and offered assistance with fabricated technical issues. Using names like “Support Team” or “Help Desk,” the threat actors often create urgency, sometimes by signing victims up for spam email lists to provoke follow-up. Once trust is established, users are directed to install legitimate remote access tools such as Quick Assist or AnyDesk. This technique was first observed in late 2024 during incidents involving Black Basta and has since been adopted by Scattered Spider.

‍Other tactics include:

• MFA Fatigue and SIM Swapping - The group overwhelms users with push-notification spam to exploit approval fatigue. In past cases, they have even been known to conduct SIM swapping to intercept SMS-based MFA codes.
• SSO Phishing and Credential Harvesting - Scattered Spider sends phishing links via SMS that spoof enterprise SSO portals (e.g., Okta, Microsoft 365) to capture login credentials.
• Abuse of Remote Access Tools - After initial access, the group leverages tools like AnyDesk to maintain access and move laterally without raising alarms.
• Cloud and Identity Provider Abuse - The group exploits cloud platforms and identity providers to escalate privileges, add or modify Azure enterprise applications, and in some cases forge SAML tokens to bypass authentication in federated environments.
  
• Reconnaissance and Privilege Escalation - Once inside, Scattered Spider performs network mapping and credential harvesting using native utilities and built-in administrative tooling. The group has also targeted privileged access management tools, password managers, and cloud-based credential and key vault services to extract secrets and escalate access.

Exfiltration and Exploitation: Scattered Spider has demonstrated a consistent focus on data exfiltration and post-access exploitation during their 2025 operations. Prior to ransomware deployment, the group has aggregated and staged sensitive data for exfiltration, often leveraging enterprise tools and cloud infrastructure to support these efforts.

• Cloud Storage Exfiltration - Exfiltrated data is transferred to threat actor-controlled cloud platforms, such as MEGA, allowing actors to retrieve stolen data externally and potentially monitor remediation progress.
• Enterprise Data Staging - Scattered Spider has been observed aggregating sensitive data from cloud environments, databases, and file shares into centralized staging areas to facilitate large-scale exfiltration.
  
• Abuse of Cloud Services - Scattered Spider has been observed using services such as AWS Systems Manager Inventory to collect asset data and conduct discovery.
• Monitoring of Incident Response - In some cases, Scattered Spider has accessed internal communication platforms such as Microsoft Teams and Slack to monitor incident response discussions in real time without triggering immediate alerts.

If you would like to know more about Scattered Spider or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.