Introduction
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022 [8][12]. The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to the gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors [12]. Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and has used ransomware for financial gain [6][7][13]. Scattered Spider has since expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365 [10].
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
- C0027: C0027 was a financially motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December 2022. During C0027, Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks [13].
Tactics, Techniques, and Procedures (TTPs)
- T1598 Phishing for Information
- T1685 Disable or Modify Tools
- T1553.002 Code Signing
- T1556.009 Conditional Access Policies
- T1580 Cloud Infrastructure Discovery
- T1105 Ingress Tool Transfer
- T1114.003 Email Forwarding Rule
- T1598.003 Spearphishing Link
- T1078 Valid Accounts
- T1003.003 NTDS
- T1041 Exfiltration Over C2 Channel
- T1087.002 Domain Account
- T1484.002 Trust Modification
- T1087 Account Discovery
- T1564.008 Email Hiding Rules
- T1585.001 Social Media Accounts
- T1539 Steal Web Session Cookie
- T1588.002 Tool
- T1552.004 Private Keys
- T1589 Gather Victim Identity Information
- T1538 Cloud Service Dashboard
- T1486 Data Encrypted for Impact
- T1059.004 Unix Shell
- T1133 External Remote Services
- T1021.004 SSH
- T1204 User Execution
- T1556.006 Multi-Factor Authentication
- T1684.001 Impersonation
- T1583.001 Domains
- T1016 System Network Configuration Discovery
- T1083 File and Directory Discovery
- T1543.002 Systemd Service
- T1219.002 Remote Desktop Software
- T1657 Financial Theft
- T1213.003 Code Repositories
- T1098.003 Additional Cloud Roles
- T1069 Permission Groups Discovery
- T1621 Multi-Factor Authentication Request Generation
- T1082 System Information Discovery
- T1021.001 Remote Desktop Protocol
- T1098 Account Manipulation
- T1213.005 Messaging Applications
- T1068 Exploitation for Privilege Escalation
- T1090 Proxy
- T1530 Data from Cloud Storage
- T1217 Browser Information Discovery
- T1006 Direct Volume Access
- T1136 Create Account
- T1490 Inhibit System Recovery
- T1018 Remote System Discovery
- T1069.002 Domain Groups
- T1059.001 PowerShell
- T1555.005 Password Managers
- T1567.002 Exfiltration to Cloud Storage
- T1598.004 Spearphishing Voice
- T1074 Data Staged
- T1078.004 Cloud Accounts
- T1070.008 Clear Mailbox Data
- T1021.007 Cloud Services
- T1572 Protocol Tunneling
- T1578.002 Create Cloud Instance
- T1552.001 Credentials In Files
- T1114 Email Collection
- T1588.001 Malware
- T1451 SIM Card Swap
- T1660 Phishing
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Hacking Team UEFI Rootkit
- LinPEAS
MITRE ATT&CK Software
- WarzoneRAT (S0670) — malware
- Rclone (S1040) — tool
- LaZagne (S0349) — tool
- Tor (S0183) — tool
- Mimikatz (S0002) — tool
- Raccoon Stealer (S1148) — malware
- ngrok (S0508) — tool
- BlackCat (S1068) — malware
- ConnectWise (S0591) — tool
Ransomware Tool Matrix observations
| Category | Observed tools |
|---|---|
| Credential Theft | GitGuardian, Jecretz, MAGNET RAM Capture, MIT Kerberos Ticket Manager, Mimikatz, ProcDump, Snaffler, Trufflehog, Volatility, aws_consoler |
| Defense Evasion | Bedevil, Intel Ethernet driver (BYOVD) |
| Discovery | ADExplorer, ADRecon, AWS Systems Manager Inventory, Advanced Port Scanner, Get-ADUser, ManageEngine LANDESK, PDQ Inventory, PingCastle, RVTools, RustScan, SharpHound, VMware PowerCLI |
| Exfiltration | Cyberduck, Dropbox, FileZilla, MEGA, RClone, S3 Browser |
| LOLBAS | PsExec |
| Networking | Chisel, Cloudflared, NSOCKS, Ngrok, OpenSSH, Pinggy, Plink, Proxifier, Rsocks, Rsocx, Socat, Sshimpanzee, Tailscale, Teleport, TrueSocks, TryCloudflare, Twingate, Windscribe (Wstunnel), Wstunnel |
| OffSec | CIMplant, Impacket, LAPS Toolkit, LINpeas, MicroBurst, Pacu |
| RMM Tools | ASG Remote Desktop, BeAnywhere, Chrome Remote Desktop, DWAgent, Domotz, Fleetdeck, ITarian, Level.io, ManageEngineRMM, MobaXterm, N-Able, Parsec, Pulseway, RPort, RSAT, RemotePC, RustDesk, ScreenConnect, Sorillus, Splashtop, TacticalRMM, TeamViewer, TightVNC, TrendMicro Basecamp, Xeox, ZeroTier, ZohoAssist |
Attribution and Evidence
Information pending cataloguing.
References
[1] MITRE ATT&CK.
[6] CISA Scattered Spider Advisory November 2023: CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
[7] CrowdStrike Scattered Spider BYOVD January 2023: CrowdStrike. (2023, January 10). SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023.
[8] CrowdStrike Scattered Spider Profile: CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.
[9] Mandiant VMware vSphere JUL 2025: Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Retrieved October 13, 2025.
[10] Mandiant UNC3944 May 2025: Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.
[11] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[12] MSTIC Octo Tempest Operations October 2023: Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
[13] Crowdstrike TELCO BPO Campaign December 2022: Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.