Scattered Spider TTPs 2025: The Complete Guide to Tactics, Techniques, and Procedures

Executive Summary

Scattered Spider, one of the most sophisticated cybercriminal groups of 2025, continues to evolve their tactics, techniques, and procedures (TTPs) to bypass modern security defenses. This comprehensive analysis covers the latest intelligence from CISA, FBI, and cybersecurity researchers, including their recent adoption of DragonForce ransomware and advanced social engineering campaigns.

Useful Links:
CISA Scattered Spider Advisory (AA23-320A) – Primary source for latest TTPs
MITRE ATT&CK Group Profile: Scattered Spider (G1015) – Official threat group classification

Key Takeaways:

  • Scattered Spider updated their phishing kits at least four times through 2024, with Phishing Kit #5 observed in 2025
  • The group now deploys DragonForce ransomware alongside traditional data extortion tactics
  • Enhanced social engineering techniques target both employees and IT helpdesk personnel
  • New focus on VMware ESXi server encryption and Snowflake database exploitation

What is Scattered Spider?

Scattered Spider (also known as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra) is a financially motivated cybercriminal group that emerged in May 2022. The group specializes in targeting large enterprises through sophisticated social engineering attacks, credential theft, and ransomware deployment.

Latest Scattered Spider TTPs: 2025 Intelligence Update

Useful Links:
MITRE ATT&CK Matrix for Enterprise – Framework reference
CISA Cross-Sector Cybersecurity Performance Goals – Mitigation framework

1. Initial Access Techniques

Advanced Social Engineering Campaigns

Scattered Spider has significantly enhanced their social engineering capabilities in 2025:

  • Multi-layered Spearphishing Operations: The group now employs targeted, multi-call social engineering campaigns designed to gather password reset procedures from helpdesks
  • Employee Impersonation: Threat actors pose as employees to convince IT staff to reset passwords and transfer MFA tokens to attacker-controlled devices
  • Fake Identity Creation: Creating new identities in target environments, often supported by fabricated social media profiles

Credential Acquisition Methods

  • Illicit Marketplace Purchases: Acquiring employee credentials from platforms like Russia Market
  • Third-Party Service Compromise: Targeting services with access to multiple potential victim networks
  • SIM Swap Attacks: Convincing cellular carriers to transfer phone number control to attacker-owned SIM cards

2. Phishing and Communication TTPs

Updated Phishing Infrastructure

The group’s phishing capabilities have evolved significantly:

  • Phishing Kit #5: Latest version observed in 2025, hosted on Cloudflare infrastructure
  • Domain Patterns: Common domain structures include:
    • targetsname-sso[.]com
    • targetsname-servicedesk[.]com
    • targetsname-okta[.]com
    • targetsname-cms[.]com
    • targetsname-helpdesk[.]com
    • oktalogin-targetcompany[.]com
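The domain shapes listed above are specific enough to hunt for in DNS resolver logs, proxy logs, or a certificate-transparency feed. The following Python is an added example written for this article, not code from CISA or any of the linked reports: it turns the listed naming patterns into a regex for one target name and runs it over constructed resolver log lines. The company name, the `query=` log format, and the `owned` allowlist (for lookalike names the organisation has registered defensively) are assumptions; the TLD is left open because the advisory only fixes the label in front of it.

```python
import re
from typing import Iterable

# Naming patterns from the list above: "<target>-<service>" and "oktalogin-<target>".
SERVICE_SUFFIXES = ("sso", "servicedesk", "okta", "cms", "helpdesk")
SERVICE_PREFIXES = ("oktalogin",)

# Constructed resolver log lines (not real telemetry); the hostname sits after "query=".
# "examplecorp" is a placeholder target name.
SAMPLE_DNS_LOG = """\
2025-08-01T09:12:03Z client=10.10.4.21 query=examplecorp.com type=A
2025-08-01T09:12:09Z client=10.10.4.21 query=examplecorp-sso.com type=A
2025-08-01T09:13:44Z client=10.10.7.8 query=login.okta.com type=A
2025-08-01T09:15:51Z client=10.10.7.8 query=oktalogin-examplecorp.net type=A
2025-08-01T09:16:02Z client=10.10.9.3 query=examplecorp-news.com type=A
2025-08-01T09:18:30Z client=10.10.9.3 query=EXAMPLECORP-HelpDesk.co. type=A
"""

QUERY_RE = re.compile(r"\bquery=(?P<name>\S+)")


def normalise(domain: str) -> str:
    """Lower-case, refang the "[.]" notation and drop a trailing root dot."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def lookalike_pattern(company: str) -> "re.Pattern[str]":
    """Compile the SSO/helpdesk-themed lookalike patterns for one target name.

    Any TLD (including multi-label ones such as co.uk) is accepted after the label.
    """
    name = re.escape(company.lower())
    suffixes = "|".join(SERVICE_SUFFIXES)
    prefixes = "|".join(SERVICE_PREFIXES)
    return re.compile(rf"^(?:{name}-(?:{suffixes})|(?:{prefixes})-{name})\.[a-z0-9.-]+$")


def find_lookalikes(company: str, domains: Iterable[str], owned: Iterable[str] = ()) -> list:
    """Return matching hostnames (deduplicated, in first-seen order) that are not owned."""
    rx = lookalike_pattern(company)
    owned_set = {normalise(d) for d in owned}
    hits = []
    for raw in domains:
        host = normalise(raw)
        if host in owned_set or host in hits:
            continue
        if rx.match(host):
            hits.append(host)
    return hits


def domains_from_dns_log(log_text: str) -> list:
    """Pull every queried name out of the constructed log format."""
    return [m.group("name") for m in QUERY_RE.finditer(log_text)]


def scan_dns_log(company: str, log_text: str, owned: Iterable[str] = ()) -> list:
    """Convenience wrapper: parse the log, then match the names against the patterns."""
    return find_lookalikes(company, domains_from_dns_log(log_text), owned)


if __name__ == "__main__":
    for host in scan_dns_log("examplecorp", SAMPLE_DNS_LOG, owned=["examplecorp.com"]):
        print("possible lookalike:", host)
```

Feed the output into a blocklist or a ticket rather than auto-blocking: a name that matches the pattern may be a legitimate registration the security team does not know about, which is exactly what the `owned` list is for once that is confirmed.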

Communication Tactics

  • Push Bombing: Overwhelming users with MFA notification prompts (MFA fatigue attacks)
  • Vishing (Voice Phishing): Phone-based social engineering targeting helpdesk personnel
  • IT Staff Impersonation: Convincing employees to install remote access tools under the guise of IT support

3. Post-Compromise Techniques

Persistence and Privilege Escalation

  • MFA Token Registration: Registering their own MFA tokens on compromised accounts
  • Remote Monitoring Tools: Deploying RMM tools including:
    • Fleetdeck.io
    • Level.io
    • Teleport.sh (new addition in 2025)
  • Living off the Land (LOTL): Using legitimate tools and allowlisted applications to avoid detection

Discovery and Lateral Movement

  • SharePoint Site Enumeration: Searching for credential storage documentation and VPN setup instructions
  • VMware vCenter Infrastructure Targeting: Focusing on virtualization infrastructure
  • AWS Systems Manager Inventory: Activating cloud discovery tools for lateral movement
  • Snowflake Database Exploitation: Running thousands of queries to exfiltrate large volumes of data rapidly

4. Malware and Tool Usage

Primary Malware Families

  • AveMaria (WarZone): Remote access trojan for credential harvesting and system control
  • RattyRAT: Network infiltration and data encryption capabilities
  • Spectre RAT: Continued use of this remote access tool throughout 2025

Legitimate Tools Repurposed

  • Mimikatz: Credential extraction from memory
  • Commercial RMM Software: Various remote monitoring and management platforms
  • ETL Tools: Extract, transform, and load tools for data centralization

5. Data Exfiltration and Ransomware Deployment

Exfiltration Methods

  • Multiple Cloud Platforms: MEGA.NZ and Amazon S3 for data storage
  • Centralized Data Collection: Using ETL tools to aggregate data from multiple sources
  • Rapid Snowflake Exploitation: Executing thousands of database queries for bulk data extraction

Ransomware Operations

  • DragonForce Ransomware: New primary ransomware variant deployed in 2025
  • VMware ESXi Targeting: Encrypting virtualization infrastructure for maximum impact
  • Ransomware-as-a-Service (RaaS): Operating within the broader RaaS ecosystem

6. Advanced Evasion Techniques

Detection Avoidance

  • Proxy Networks: Consistent use of proxy infrastructure to mask origin
  • Machine Name Rotation: Regular rotation of system identifiers
  • Incident Response Monitoring: Joining victim organization’s incident response calls and monitoring Slack/Teams channels

Communication Security

  • Multiple Communication Channels: TOR, Tox, encrypted applications, and email
  • Operational Security: Advanced OPSEC practices to maintain persistent access

Industry Impact and Target Sectors

Useful Links:
CrowdStrike Scattered Spider Analysis – Industry research
Trellix Scattered Spider Modus Operandi Report – Technical analysis
AttackIQ Scattered Spider Emulation Report – Recent 2025 analysis

Primary Targets

  • Commercial Facilities: Retail, hospitality, and entertainment sectors
  • Critical Infrastructure: Airlines and transportation companies
  • Technology Companies: IT service providers and cloud platforms
  • Financial Services: Banks and payment processing companies

Notable 2025 Incidents

  • Continued targeting of UK retailers including major chains
  • Focus on VMware ESXi infrastructure across multiple sectors
  • Attacks on U.S. airline and retail organizations

Detection and Attribution Indicators

Network Indicators

  • Suspicious RMM tool installations
  • Unusual MFA token registrations
  • Abnormal SharePoint and Snowflake query patterns
  • Connections to known phishing domains

Behavioral Indicators

  • Multiple failed login attempts followed by successful access
  • IT helpdesk calls requesting password resets or MFA transfers
  • Unusual after-hours administrative activity
  • Anomalous data access patterns
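The behavioral indicators above (and the push bombing described under Communication Tactics) translate directly into sign-in log rules. The Python below is an added example for this article, not code or detection content from CISA or the FBI: it runs three rules over constructed identity-provider events. A burst of failures followed by success is checked twice, once for password logins and once for MFA push prompts (denied-then-approved, the push-bombing shape); an MFA method registered shortly after a helpdesk password reset is flagged; and administrative actions outside a business-hours window are flagged. The event field names, event labels, thresholds and the 07:00 to 19:00 UTC window are all assumptions to be mapped onto your own IdP export.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed identity-provider events (not real telemetry). Field names and event
# labels are assumptions; map your IdP's sign-in and audit exports onto them.
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T09:00:00Z", "user": "alice", "event": "login_success", "ip": "203.0.113.10"},
    {"ts": "2025-08-01T09:01:00Z", "user": "bob", "event": "login_failed", "ip": "198.51.100.7"},
    {"ts": "2025-08-01T09:01:30Z", "user": "bob", "event": "login_failed", "ip": "198.51.100.7"},
    {"ts": "2025-08-01T09:02:00Z", "user": "bob", "event": "login_failed", "ip": "198.51.100.7"},
    {"ts": "2025-08-01T09:02:30Z", "user": "bob", "event": "login_failed", "ip": "198.51.100.7"},
    {"ts": "2025-08-01T09:03:00Z", "user": "bob", "event": "login_failed", "ip": "198.51.100.7"},
    {"ts": "2025-08-01T09:04:00Z", "user": "bob", "event": "login_success", "ip": "198.51.100.7"},
    {"ts": "2025-08-01T09:40:00Z", "user": "bob", "event": "password_reset", "ip": "203.0.113.50", "actor": "helpdesk"},
    {"ts": "2025-08-01T10:05:00Z", "user": "bob", "event": "mfa_registered", "ip": "198.51.100.7"},
    {"ts": "2025-08-01T11:05:00Z", "user": "dave", "event": "mfa_denied", "ip": "198.51.100.9"},
    {"ts": "2025-08-01T11:06:00Z", "user": "dave", "event": "mfa_denied", "ip": "198.51.100.9"},
    {"ts": "2025-08-01T11:07:00Z", "user": "dave", "event": "mfa_denied", "ip": "198.51.100.9"},
    {"ts": "2025-08-01T11:08:00Z", "user": "dave", "event": "mfa_denied", "ip": "198.51.100.9"},
    {"ts": "2025-08-01T11:09:00Z", "user": "dave", "event": "mfa_denied", "ip": "198.51.100.9"},
    {"ts": "2025-08-01T11:10:00Z", "user": "dave", "event": "mfa_approved", "ip": "198.51.100.9"},
    {"ts": "2025-08-01T14:00:00Z", "user": "alice", "event": "admin_action", "ip": "203.0.113.10"},
    {"ts": "2025-08-01T23:30:00Z", "user": "carol", "event": "admin_action", "ip": "203.0.113.20"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def by_user(events):
    """Group events per user, ordered by timestamp (ISO-8601 strings sort correctly)."""
    grouped = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        grouped[event["user"]].append(event)
    return grouped


def burst_then_success(events, fail_event, success_event, rule,
                       threshold=5, window=timedelta(minutes=10)):
    """Flag a success preceded by >= threshold failures of the same kind inside the window.

    Covers both "many failed logins, then a success" and push bombing
    ("many denied MFA prompts, then an approval") depending on the event names given.
    """
    alerts = []
    for user, user_events in by_user(events).items():
        failures = []
        for event in user_events:
            when = parse_ts(event["ts"])
            if event["event"] == fail_event:
                failures.append(when)
            elif event["event"] == success_event:
                recent = [f for f in failures if when - f <= window]
                if len(recent) >= threshold:
                    alerts.append({"rule": rule, "user": user, "ts": event["ts"], "count": len(recent)})
                failures = []  # a success closes the burst window
    return alerts


def mfa_after_reset(events, grace=timedelta(hours=24)):
    """Flag an MFA registration that lands within `grace` of a password reset for the same user."""
    alerts = []
    for user, user_events in by_user(events).items():
        last_reset = None
        for event in user_events:
            when = parse_ts(event["ts"])
            if event["event"] == "password_reset":
                last_reset = when
            elif event["event"] == "mfa_registered" and last_reset and when - last_reset <= grace:
                alerts.append({"rule": "mfa_after_reset", "user": user, "ts": event["ts"],
                               "count": 1, "reset_ts": last_reset.strftime("%Y-%m-%dT%H:%M:%SZ")})
    return alerts


def after_hours_admin(events, start_hour=7, end_hour=19):
    """Flag administrative actions outside the assumed business-hours window (UTC)."""
    return [{"rule": "after_hours_admin", "user": e["user"], "ts": e["ts"], "count": 1}
            for e in events
            if e["event"] == "admin_action" and not (start_hour <= parse_ts(e["ts"]).hour < end_hour)]


def triage(events):
    """Run every rule and return the alerts in time order."""
    alerts = (burst_then_success(events, "login_failed", "login_success", "failed_then_success")
              + burst_then_success(events, "mfa_denied", "mfa_approved", "push_bombing")
              + mfa_after_reset(events)
              + after_hours_admin(events))
    return sorted(alerts, key=lambda a: (a["ts"], a["rule"]))


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The rules are deliberately stateless per user and cheap enough to run over a day of exports; in production the reset-to-registration correlation is the one worth tuning first, because a helpdesk-driven reset followed by a new authenticator is the exact sequence the impersonation campaigns described above are built to produce.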

Defensive Strategies and Mitigations

Useful Links:
CISA Phishing-Resistant MFA Implementation Guide – Core defense recommendation
NIST Password Guidelines (SP 800-63B) – Password policy standards
CISA Guide to Securing Remote Access Software – RMM security
CISA Living Off the Land Techniques Advisory – LOTL defense

Primary Defenses

  1. Phishing-Resistant MFA: Implement FIDO/WebAuthn or PKI-based authentication
  2. Application Controls: Allowlist remote access programs and prevent unauthorized installations
  3. Network Segmentation: Limit lateral movement through proper network isolation
  4. Backup Strategy: Maintain offline, immutable backups tested regularly

Advanced Security Measures

  • Enhanced Monitoring: Deploy EDR tools with focus on lateral movement detection
  • Social Engineering Training: Regular employee education on vishing and spearphishing
  • Incident Response Planning: Prepare for sophisticated social engineering campaigns
  • Zero Trust Architecture: Implement comprehensive identity and access management

Specific Countermeasures

  • RMM Tool Auditing: Regular inventory and monitoring of remote access software
  • Communication Security: Email banners for external communications and hyperlink restrictions
  • Password Policies: Implement NIST-compliant password standards with 15+ character requirements
  • Account Monitoring: Enhanced detection of “risky logins” and suspicious sign-in attempts
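The RMM auditing item above is the one that most benefits from being turned into a repeatable check: compare each host's installed software against the remote-access products you know about, subtract the ones the organisation has sanctioned, and mark anything that was not present at the previous audit. The Python below is an added example written for this article, not a CISA script or any vendor's tooling. The first three product patterns are the RMM tools named earlier on this page; TeamViewer and AnyDesk are added here as examples of other widely used products, which is an assumption about your environment, as are the inventory format, host names and the approved-tool set.

```python
import re
from typing import Iterable, Optional

# Product name -> regex applied to installed-package names (case-insensitive).
# Fleetdeck.io, Level.io and Teleport.sh are the tools named on this page;
# the last two are assumed additions a typical organisation would also watch for.
KNOWN_RMM = {
    "Fleetdeck.io": r"\bfleetdeck\b",
    "Level.io": r"\blevel(?:\.io| agent)\b",   # narrowed so plain "level" does not match
    "Teleport.sh": r"\bteleport\b",
    "TeamViewer": r"\bteamviewer\b",
    "AnyDesk": r"\banydesk\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in KNOWN_RMM.items()}

# Constructed software inventories (not real hosts): one snapshot from the last
# audit and one from now. A real feed would come from the EDR or asset system.
PREVIOUS_INVENTORY = [
    {"host": "ws-0142", "software": ["Microsoft Office 365", "TeamViewer 15.58", "Google Chrome"]},
    {"host": "ws-0233", "software": ["Google Chrome"]},
    {"host": "srv-db-01", "software": ["PostgreSQL 16", "Teleport Agent 16.1"]},
    {"host": "ws-0310", "software": ["Adobe Reader", "Microsoft Office 365"]},
]
SAMPLE_INVENTORY = [
    {"host": "ws-0142", "software": ["Microsoft Office 365", "TeamViewer 15.58", "Google Chrome"]},
    {"host": "ws-0233", "software": ["Level.io Agent 1.9", "Google Chrome"]},
    {"host": "srv-db-01", "software": ["PostgreSQL 16", "Teleport Agent 16.1", "Fleetdeck Agent"]},
    {"host": "ws-0310", "software": ["Adobe Reader", "Microsoft Office 365"]},
]
APPROVED_RMM = {"TeamViewer"}  # assumed: the one product the organisation has sanctioned


def identify_rmm(package_name: str) -> Optional[str]:
    """Return the known RMM product a package name refers to, or None."""
    for product, rx in COMPILED.items():
        if rx.search(package_name):
            return product
    return None


def audit_rmm(inventory: Iterable[dict], approved: Iterable[str], previous: Optional[Iterable[dict]] = None) -> list:
    """List unapproved RMM installs, marking those absent from the previous snapshot as new."""
    approved_set = set(approved)
    seen_before = {(h["host"], pkg) for h in (previous or []) for pkg in h["software"]}
    findings = []
    for host in inventory:
        for pkg in host["software"]:
            product = identify_rmm(pkg)
            if product is None or product in approved_set:
                continue
            findings.append({
                "host": host["host"],
                "product": product,
                "package": pkg,
                "new": (host["host"], pkg) not in seen_before,
            })
    return findings


def hosts_with_unapproved_rmm(findings: Iterable[dict]) -> list:
    """Distinct hosts in finding order, for a quick containment list."""
    hosts = []
    for f in findings:
        if f["host"] not in hosts:
            hosts.append(f["host"])
    return hosts


if __name__ == "__main__":
    results = audit_rmm(SAMPLE_INVENTORY, APPROVED_RMM, previous=PREVIOUS_INVENTORY)
    for f in results:
        flag = "NEW" if f["new"] else "known"
        print(f"{f['host']}: {f['product']} ({f['package']}) [{flag}]")
    print("hosts to review:", hosts_with_unapproved_rmm(results))
```

The "new" flag is what makes the audit actionable between runs: a tool that was already present last time is a policy question, while one that appeared since the last snapshot on a server is the kind of install that should be checked against the helpdesk and change records before anything else.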

Regulatory and Industry Response

The cybersecurity community has responded to Scattered Spider’s evolution with updated guidance:

  • CISA Advisory Updates: Regular TTP updates through FBI investigations (latest July 2025)
  • International Coordination: Joint advisories from US, UK, Canadian, and Australian agencies
  • Industry Alerts: Sector-specific warnings for retail, hospitality, and critical infrastructure

Future Threat Landscape

Predicted Evolution

  • Increased RaaS Adoption: Expanding use of ransomware-as-a-service platforms
  • Cloud Infrastructure Focus: Growing emphasis on cloud platform exploitation
  • AI-Enhanced Social Engineering: Potential integration of AI tools for more convincing impersonation
  • Supply Chain Targeting: Increased focus on third-party service providers

Emerging Concerns

  • Persistent Access Techniques: Development of more sophisticated persistence mechanisms
  • Regulatory Evasion: Tactics designed to complicate law enforcement attribution
  • Cross-Border Operations: Continued international scope of operations

Conclusion

Scattered Spider remains one of the most adaptive and dangerous cybercriminal groups operating in 2025. Their evolution from simple phishing campaigns to sophisticated, multi-layered social engineering operations targeting both employees and IT infrastructure demonstrates the need for comprehensive, layered security defenses.

Organizations must prioritize phishing-resistant authentication, employee training, and robust incident response capabilities to defend against these advanced threats. The group’s adoption of DragonForce ransomware and focus on critical infrastructure like VMware ESXi servers highlights the escalating stakes of modern cybersecurity.

Regular review and updating of security controls, based on the latest threat intelligence, remains essential for maintaining effective defenses against Scattered Spider and similar advanced persistent threat groups.

Useful Links:
FBI Internet Crime Complaint Center (IC3) – Incident reporting
CISA Incident Reporting System – Government reporting channel


This analysis is based on the latest intelligence from CISA, FBI, and trusted cybersecurity researchers as of August 2025. Organizations are advised to implement the recommended mitigations and maintain awareness of evolving threat landscapes.