Scattered Spider
Also known as: Roasted 0ktapus · Octo Tempest · Storm-0875 · UNC3944
Overview
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to the gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and has used ransomware for financial gain. Scattered Spider has also expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.
Capabilities
- Custom malware/implant development — ATT&CK: 3 attributed custom malware families
TTPs — 64 techniques across 14 tactics
Reconnaissance
- T1589 Gather Victim Identity Information
- T1598 Phishing for Information
- T1598.003 Spearphishing Link
- T1598.004 Spearphishing Voice
Resource Development
- T1583.001 Domains
- T1585.001 Social Media Accounts
- T1588.001 Malware
- T1588.002 Tool
Execution
- T1059.001 PowerShell
- T1059.004 Unix Shell
- T1204 User Execution
Persistence
- T1098 Account Manipulation
- T1098.003 Additional Cloud Roles
- T1133 External Remote Services
- T1136 Create Account
- T1543.002 Systemd Service
Privilege Escalation
Stealth
- T1006 Direct Volume Access
- T1070.008 Clear Mailbox Data
- T1078 Valid Accounts
- T1078.004 Cloud Accounts
- T1564.008 Email Hiding Rules
- T1684.001 Impersonation
Defense Impairment
- T1484.002 Trust Modification
- T1553.002 Code Signing
- T1556.006 Multi-Factor Authentication
- T1556.009 Conditional Access Policies
- T1578.002 Create Cloud Instance
- T1685 Disable or Modify Tools
Credential Access
- T1003.003 NTDS
- T1539 Steal Web Session Cookie
- T1552.001 Credentials In Files
- T1552.004 Private Keys
- T1555.005 Password Managers
- T1621 Multi-Factor Authentication Request Generation
Discovery
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1069 Permission Groups Discovery
- T1069.002 Domain Groups
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087 Account Discovery
- T1087.002 Domain Account
- T1217 Browser Information Discovery
- T1538 Cloud Service Dashboard
- T1580 Cloud Infrastructure Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1021.004 SSH
- T1021.007 Cloud Services
Collection
- T1074 Data Staged
- T1114 Email Collection
- T1114.003 Email Forwarding Rule
- T1213.003 Code Repositories
- T1213.005 Messaging Applications
- T1530 Data from Cloud Storage
Command and Control
- T1090 Proxy
- T1105 Ingress Tool Transfer
- T1219.002 Remote Desktop Software
- T1572 Protocol Tunneling
Exfiltration
- T1041 Exfiltration Over C2 Channel
- T1567.002 Exfiltration to Cloud Storage
Impact
- T1486 Data Encrypted for Impact
- T1490 Inhibit System Recovery
- T1657 Financial Theft
Tools & malware (9)
WarzoneRAT · Rclone · LaZagne · Tor · Mimikatz · Raccoon Stealer · ngrok · BlackCat · ConnectWise
Reporting (3)
- From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944 — Mandiant Incident Response
- Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines — Mandiant Incident Response
- Cybersecurity Advisory: Scattered Spider (AA23-320A) — CISA