By Cyber Defense Center Maticmind (Andrea Mariucci, Riccardo Michetti, Federico Savastano, Ada Spinelli)
The Scattered Spider threat actor, tracked as UNC3944, first appeared in 2022 and gained notoriety in 2023 with two targeted attacks on the Caesars and MGM casinos. Belonging to the informal group “The Com,” UNC3944 is known for its sophisticated social engineering tactics and its ability to navigate cloud environments.
SCATTERED SPIDER uses a variety of techniques to gain initial access, including stealing administrative credentials through email and SMS phishing, SIM swapping, and impersonation of IT/helpdesk staff; once inside, it installs legitimate remote-access software such as AnyDesk and ScreenConnect to maintain persistence.
The group is also known for deploying ransomware such as BlackCat/ALPHV and for using Bring Your Own Vulnerable Driver (BYOVD) techniques to evade security software. BlackCat, a Russian-speaking ransomware group, has partnered with Scattered Spider, giving it access to the BlackCat ransomware.
Despite some arrests between 2024 and 2025, SCATTERED SPIDER has shown remarkable resilience, thanks in part to its ability to build alliances with cybercriminal groups in the Russian-speaking ecosystem, a factor that makes it one of the most significant threats in the current landscape.
Threat Actors Profile
Main Name: SCATTERED SPIDER
Aliases: UNC3944, Scatter Swine, Star Fraud, Octo Tempest, Muddled Libra, Oktapus, Storm-0971, DEV-0971
Current Status: Active as of June 2025, with recent activity targeting the airline industry
Composition: Primarily native English speakers. Some members arrested by the FBI and UK police were under the age of twenty-five.
Known members: Tyler Buchanan, 22, Scotland; Ahmed Elbadawy, 23, US; Joel Evans, US; Evans Osiebo, 20, US; Noah Urban, 20, US; Remington Ogletree, 19, US.
Affiliations: Has partnered with Russian-speaking ransomware groups such as BlackCat/ALPHV, DragonForce, and Qilin, deploying their respective ransomware. Scattered Spider is associated with “The Com,” a decentralized cybercriminal community to which Lapsus$ has also been linked.
Motivations and Objectives
Primary Objective: Financial. Scattered Spider is primarily financially motivated, conducting data extortion, cryptocurrency theft, and ransomware attacks.
Geopolitical Motivation: None. The group’s focus on English-speaking victims appears to stem from linguistic advantages in social engineering and impersonation. While collaborations with Russian-speaking cybercriminals such as BlackCat/ALPHV exist, these appear opportunistic rather than ideologically driven.
Strategic Value: By targeting high-profile sectors such as telecommunications, technology, transportation, retail, and critical infrastructure, Scattered Spider has established itself as an advanced threat actor. Its expertise makes it attractive to hostile entities interested in exploiting its capabilities.
Diamond Model
MITRE TTP

| Phase | Technique (ID) | Tool |
|---|---|---|
| Reconnaissance | Gather Victim Identity Information (T1589), Phishing for Information (T1598) | |
| Resource Development | Acquire Infrastructure: Domains (T1583.001), Establish Accounts: Social Media Accounts (T1585.001) | |
| Collection | Data from Information Repositories: Messaging Applications (T1213.005), Data from Information Repositories: Sharepoint (T1213.002), Email Collection (T1114) | |
| Command & Control | Remote Access Tools: Remote Desktop Software (T1219.002) | Warzone RAT (Ave Maria), Ngrok |
| Exfiltration | Exfiltration Over C2 Channel (T1041), Exfiltration Over Alternative Protocol (T1048), Protocol Tunneling (T1572) | Raccoon Stealer, VIDAR, ULTRAKNOT |
| Impact | Data Encrypted for Impact (T1486) | BlackCat, RansomHub, Qilin (Agenda) |
Ransomware Malware/Tools
Scattered Spider employs several malware families with information-theft (infostealer) and remote-access (RAT) capabilities, as well as ransomware such as BlackCat/ALPHV and the EDR-evasion toolkit described in the next section.

| Malware | Type |
|---|---|
| BlackCat (ALPHV) | Ransomware (RaaS) |
| WarzoneRAT (Ave Maria) | Remote Access Trojan |
| Raccoon Stealer | Infostealer |
| Vidar Stealer | Infostealer |
| STONESTOP | Loader |
| POORTRY | Malicious driver |
| EIGHTBAIT | Phishing kit |
Exploited Open Source tools & Living-off-the-Land (LotL)
Scattered Spider frequently abuses open-source or legitimate software, typically remote management tools already present in the victim’s environment or installed after login, as part of Living-off-the-Land (LotL)-style attacks.

| Tool | Function |
|---|---|
| Impacket | Lateral movement scripts |
| LaZagne | Credential harvesting |
| Mimikatz | Password dumping |
| Ngrok | Tunneling for C2 communication |
| Fleetdeck.io | Remote access / cloud deployment |
| Level.io | Remote IT management |
| Pulseway | RMM (remote monitoring & management) |
| ScreenConnect | Remote support tool |
| Splashtop | Remote desktop tool |
| Tactical RMM | Remote system management |
| Tailscale | VPN tunneling |
| TeamViewer | Remote desktop software |
Focus: EDR evasion abusing BYOVD – STONESTOP and POORTRY
The STONESTOP loader has been used by SCATTERED SPIDER since at least August 2022. It is a user-mode Windows utility that acts as a loader and installer for POORTRY, a Windows kernel-mode driver used to terminate processes belonging to security products such as EDR (Endpoint Detection and Response) and antivirus. Because the termination happens from the kernel, the EDR agent’s own user-mode self-protection does not help; the only effective controls are those that prevent the driver from loading in the first place or detect the load when it happens.
These tools have been used in SCATTERED SPIDER intrusions, but have also been observed in attacks by other actors, which suggests the toolkit circulates through underground cybercrime channels.
The drivers were signed with Microsoft certificates obtained through the Microsoft Windows Hardware Developer Program. The abuse led Microsoft to suspend the partner accounts involved and revoke the certificates. According to Mandiant research, this was a “Malicious Driver Signing as a Service” operation: the signatures were most likely obtained through illicit services that sign malicious software on behalf of paying customers. Revocation alone does not remove the capability from driver samples already in circulation, so defenders still need the blocklist and detection measures described in the countermeasures section.
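As an added example (not code from the original article, from Mandiant, or from any vendor), the following Python script shows the kind of custom detection rule a SOC can run over driver-load telemetry to catch a POORTRY-style load. It assumes records shaped like Sysmon Event ID 6 (DriverLoad), using the fields ImageLoaded, Hashes, Signature and SignatureStatus; the blocklist hashes, file names and sample events are all constructed for the example and are not real POORTRY indicators. It flags three independent signals: a signature that is revoked or untrusted, a hash on a local blocklist, and a kernel driver loaded from a user-writable directory.

```python
"""Triage Windows driver-load telemetry for BYOVD activity.

Added example for this article; not code from the original page, from
Mandiant, or from any vendor. It reads records shaped like Sysmon
Event ID 6 (DriverLoad) and flags the STONESTOP/POORTRY pattern: a
kernel driver whose signature is revoked or untrusted, whose hash is on
a local blocklist, or which is loaded from a user-writable directory.
Every hash, file name and path below is constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed blocklist: SHA-256 of placeholder strings, NOT real POORTRY hashes.
# In production this would be fed from threat-intel and the Microsoft
# vulnerable driver blocklist.
BLOCKED_SHA256 = {
    hashlib.sha256(b"example-malicious-driver-1").hexdigest(),
    hashlib.sha256(b"example-malicious-driver-2").hexdigest(),
}

# A legitimate kernel driver has no business loading from these locations.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


@dataclass
class Finding:
    image: str
    signer: str
    reasons: list[str] = field(default_factory=list)


def parse_hashes(hashes_field: str) -> dict[str, str]:
    """Sysmon writes 'SHA256=...,MD5=...'; return {ALGO: lowercase hex}."""
    out: dict[str, str] = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_driver_load(event: dict) -> Finding | None:
    """Return a Finding if the driver load looks like BYOVD, else None."""
    image = event.get("ImageLoaded", "")
    reasons: list[str] = []

    # POORTRY's certificates were revoked; a revoked or unsigned kernel
    # driver that still loads is exactly the event we want surfaced.
    status = event.get("SignatureStatus", "").strip().lower()
    if status != "valid":
        reasons.append(f"signature status is '{status or 'unknown'}'")

    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in BLOCKED_SHA256:
        reasons.append("SHA-256 matches local malicious-driver blocklist")

    if image.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("driver loaded from a user-writable path")

    return Finding(image, event.get("Signature", ""), reasons) if reasons else None


def triage(events: list[dict]) -> list[Finding]:
    return [f for f in (triage_driver_load(e) for e in events) if f is not None]


def _h(seed: bytes) -> str:
    """Build a Sysmon-style Hashes field from a constructed seed."""
    return "SHA256=" + hashlib.sha256(seed).hexdigest()


# Constructed sample events; field names follow Sysmon Event ID 6.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": _h(b"benign-os-driver"), "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Revoked WHCP-style signature, blocklisted hash, dropped in a user directory.
    {"ImageLoaded": r"C:\Users\Public\Libraries\prt.sys",
     "Hashes": _h(b"example-malicious-driver-1"), "Signed": "true",
     "Signature": "Microsoft Windows Hardware Compatibility Publisher",
     "SignatureStatus": "Revoked"},
    # Signature still reported valid (revocation not yet propagated), hash known bad.
    {"ImageLoaded": r"C:\Windows\System32\drivers\svc.sys",
     "Hashes": _h(b"example-malicious-driver-2"), "Signed": "true",
     "Signature": "Microsoft Windows Hardware Compatibility Publisher",
     "SignatureStatus": "Valid"},
    # Unsigned driver from ProgramData, hash never seen before.
    {"ImageLoaded": r"C:\ProgramData\update\x.sys",
     "Hashes": _h(b"never-seen-before"), "Signed": "false",
     "Signature": "", "SignatureStatus": "Unsigned"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.image} [{f.signer or 'unsigned'}]")
        for r in f.reasons:
            print(f"  - {r}")
```

The three checks are deliberately independent: the third sample event carries a hash on the blocklist even though its signature is still reported valid, which is the situation right after a signing-as-a-service abuse and before revocation reaches every endpoint, and the fourth is caught purely on path and signature status with no prior knowledge of the sample.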
Major Attack Timeline
Attack on MGM Resorts and Caesars Palace (2023)
Date: September 2023
Target: MGM Resorts and Caesars Palace, two of the major hotels and casinos in Las Vegas
Attack Method: Social engineering, including impersonation of IT personnel to bypass MFA. Deployment of the ALPHV/BlackCat ransomware via PowerShell commands. The attacker penetrated the victims’ cloud and on-premises infrastructure, reaching Okta, Azure, Citrix, and SharePoint services.
Impact: Disruption of services. Exfiltration of personal customer data. Losses estimated at around $100 million.
Malware/Toolset: BlackCat/ALPHV, social engineering
UK Retailers Campaign (2025)
Date: April and May 2025
Target: UK retail companies
Attack Method: Ransomware, with initial access via social engineering, credential compromise, and abuse of IT helpdesk processes. The use of DragonForce ransomware, combined with this initial-access tradecraft, points to likely Scattered Spider involvement.
Impact: Disruption of critical business functions, exfiltration of customer data, estimated financial costs between £270 million and £440 million
Malware/Toolset: Social engineering, credential compromise, abuse of IT helpdesk processes, Dragonforce ransomware
Insurance Campaign (2025)
Date: June 2025
Target: US insurance companies
Attack Method: Initial access via social engineering, phishing, SIM swapping, and MFA fatigue (MFA bombing)
Impact: Disconnection of affected systems, disruption of services
Malware/Toolset: Unknown
Airlines Campaign (2025)
In a post published on X on 28 June 2025, the FBI reported that Scattered Spider had shifted its attention to the airline industry. The agency also warned operators in the sector about the social engineering techniques the actor typically uses to bypass authentication systems. In the same period, cyberattacks hit three Western airlines with TTPs similar to those of Scattered Spider. At the time of writing, however, there is no official attribution to the actor.
Figure 1 – FBI Post
Countermeasures
Based on the evidence presented in this report, the following countermeasures are recommended to minimize or contain damage from the actor described here or from groups emulating it.
| Threat or vector | Key countermeasure | Expected impact |
|---|---|---|
| BYOVD | Keep drivers updated and patched; write custom detection rules for known malicious drivers (hash, signer and load-path based); enable the vulnerable driver blocklist made available by Microsoft. | The actor cannot disable EDR through a blocked driver. A freshly signed driver not yet on the blocklist will still load, so driver-load telemetry remains necessary. |
| C2 communication | Egress firewalling and deep packet inspection; block or allow-list tunneling and RMM tools not approved for the environment (Ngrok, Tailscale and the RMM products listed above). | Interruption of communications with C2. |
| Social engineering, MFA bypass | Staff training, an awareness culture, and cyber hygiene. Strengthen resilience to MFA bypass through education on the actor’s impersonation technique and strict helpdesk identity-verification procedures for password and MFA resets. | Reduced ability of the threat actor to exploit social engineering as an access route; staff more likely to promptly report critical issues or suspicious activity. |
| Infostealer, ransomware | EDR, network segmentation, vulnerability patching, access control policies, data encryption, DLP, deception (honeypot deployment). | |
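The training-centred countermeasure above can be backed by detection on the identity provider’s logs. As an added example that is not from the article or from any vendor, the following Python code flags the MFA fatigue pattern the actor used in the insurance campaign: a burst of push prompts to one user, several denials, and then an approval. The log format, field and event names, window size and prompt threshold are assumptions for the example; a real deployment maps its identity provider’s own event types onto them. The sample log is constructed.

```python
"""Detect MFA push fatigue (MFA bombing) in authentication logs.

Added example; not code from the article or from any identity provider.
It works over a constructed, simplified log format:
    <ISO timestamp> <user> <event> <source ip>
where event is push_sent, push_denied or push_approved. Real providers
use their own event names and schemas; this mapping is an assumption.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # burst window (assumed tuning value)
PROMPT_THRESHOLD = 5             # prompts inside the window that count as a burst


@dataclass
class Record:
    ts: datetime
    user: str
    event: str
    ip: str


@dataclass
class Alert:
    user: str
    kind: str            # "fatigue_success" or "bombing_attempt"
    prompts: int
    denials: int
    approved_from: str | None


def parse_line(line: str) -> Record:
    ts, user, event, ip = line.split()
    return Record(datetime.fromisoformat(ts), user, event, ip)


def detect_push_fatigue(lines, window=WINDOW, threshold=PROMPT_THRESHOLD) -> list[Alert]:
    by_user: dict[str, list[Record]] = defaultdict(list)
    for rec in map(parse_line, lines):
        by_user[rec.user].append(rec)

    alerts: list[Alert] = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r.ts)
        sent = [r for r in recs if r.event == "push_sent"]
        for i, cur in enumerate(sent):
            # Prompts in the trailing window that ends at this prompt.
            burst = [s for s in sent[: i + 1] if cur.ts - s.ts <= window]
            if len(burst) < threshold:
                continue
            start, end = burst[0].ts, cur.ts + window
            denials = sum(1 for r in recs
                          if r.event == "push_denied" and start <= r.ts <= end)
            approval = next((r for r in recs
                             if r.event == "push_approved" and cur.ts <= r.ts <= end), None)
            # A burst that ends in an approval is the attacker's success case;
            # a burst with no approval is still an attempt worth a ticket.
            kind = "fatigue_success" if approval else "bombing_attempt"
            alerts.append(Alert(user, kind, len(burst), denials,
                                approval.ip if approval else None))
            break  # one alert per user is enough for the example
    return alerts


# Constructed sample log: alice wears down and approves the 5th prompt,
# bob is a normal login, carol denies everything.
SAMPLE_LOG = [
    "2025-06-01T09:00:00 alice push_sent 203.0.113.5",
    "2025-06-01T09:00:40 alice push_denied 203.0.113.5",
    "2025-06-01T09:01:30 alice push_sent 203.0.113.5",
    "2025-06-01T09:02:00 alice push_denied 203.0.113.5",
    "2025-06-01T09:03:00 alice push_sent 203.0.113.5",
    "2025-06-01T09:03:10 alice push_denied 203.0.113.5",
    "2025-06-01T09:04:30 alice push_sent 203.0.113.5",
    "2025-06-01T09:05:40 alice push_sent 203.0.113.5",
    "2025-06-01T09:07:20 alice push_approved 203.0.113.5",
    "2025-06-01T09:30:00 bob push_sent 198.51.100.7",
    "2025-06-01T09:30:15 bob push_approved 198.51.100.7",
    "2025-06-01T10:00:00 carol push_sent 203.0.113.9",
    "2025-06-01T10:00:20 carol push_denied 203.0.113.9",
    "2025-06-01T10:01:00 carol push_sent 203.0.113.9",
    "2025-06-01T10:01:20 carol push_denied 203.0.113.9",
    "2025-06-01T10:02:00 carol push_sent 203.0.113.9",
    "2025-06-01T10:02:20 carol push_denied 203.0.113.9",
    "2025-06-01T10:03:00 carol push_sent 203.0.113.9",
    "2025-06-01T10:03:20 carol push_denied 203.0.113.9",
    "2025-06-01T10:04:00 carol push_sent 203.0.113.9",
    "2025-06-01T10:04:20 carol push_denied 203.0.113.9",
]

if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(f"{a.user}: {a.kind} ({a.prompts} prompts, {a.denials} denials, "
              f"approved from {a.approved_from})")
```

The approval-after-denials case is the one to page on, since it means a valid session now exists for the attacker; the source IP of the approving login is carried in the alert so the responder can revoke that session rather than the user’s whole account. Number-matching or phishing-resistant MFA removes the push-approval path altogether, and where it cannot be deployed this detection is the fallback.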
Source: Cyber Monitoring Centre, https://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025/
Redazione: The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.