The Criminal Threat Using Advanced Tactics and Techniques | #ransomware | #cybercrime

RHC Editorial Staff: 16 July 2025 07:26

By Cyber Defense Center Maticmind (Andrea Mariucci, Riccardo Michetti, Federico Savastano, Ada Spinelli)

The Scattered Spider threat actor, tracked as UNC3944, made its appearance in 2022 with two targeted attacks on the Caesars and MGM casinos. Belonging to the informal group “The Com,” UNC3944 is known for its sophisticated social engineering tactics and its ability to navigate cloud environments.

SCATTERED SPIDER uses a variety of techniques to gain access to victims’ systems, including stealing administrative credentials through email and SMS phishing, SIM swapping and impersonation of IT/helpdesk staff, and it relies on legitimate remote-access software such as AnyDesk and ScreenConnect to maintain persistence.

The group is also known for using ransomware such as BlackCat/ALPHV and for Bring Your Own Vulnerable Driver (BYOVD) techniques to evade security software. BlackCat, a Russian-speaking ransomware group, has partnered with Scattered Spider, giving it access to its ransomware.

Despite some arrests between 2024 and 2025, SCATTERED SPIDER’s attacks have shown remarkable resilience, thanks also to its ability to build alliances with cybercriminal groups from the Russian-speaking ecosystem, a factor that makes the group one of the most significant threats in the current landscape.

  • Main Name: SCATTERED SPIDER
  • Aliases: UNC3944, Scatter Swine, Star Fraud, Octo Tempest, Muddled Libra, Oktapus, Storm-0971, DEV-0971
  • Classification: Decentralized cybercriminal collective
  • First Detected: 2022
  • Current Status: Active as of June 2025, with recent activity targeting the airline industry
  • Composition: Primarily native English speakers. Some members arrested by the FBI and UK police were under the age of twenty-five.
  • Known members: Tyler Buchanan, 22, Scotland; Ahmed Elbadawy, 23, US; Joel Evans, US; Evans Osiebo, 20, US; Noah Urban, 20, US; Remington Ogletree, 19, US.
  • Affiliations: Has partnered with Russian ransomware groups such as BlackCat/ALPHV, Dragonforce and Qilin, deploying their respective ransomware. Scattered Spider is associated with “The Com”, a decentralized cybercriminal community, and with Lapsus.

Motivations and Objectives

  • Primary Objective: Financial
    Scattered Spider is primarily motivated by financial objectives, conducting activities such as data extortion, cryptocurrency theft, and ransomware attacks.
  • Geopolitical Motivation: None
    The group’s focus on English-speaking victims appears to stem from linguistic advantages in social engineering and impersonation tactics. While collaborations with Russian cybercriminals such as BlackCat/ALPHV exist, these appear opportunistic rather than ideologically driven.
  • Strategic Value: Targeting high-profile sectors such as telecommunications, technology, transportation, retail, and critical infrastructure, Scattered Spider has established itself as an advanced threat actor. Its expertise makes it attractive to hostile entities interested in exploiting its capabilities.

Diamond Model

MITRE TTP

Phase | Technique (ID) | Tool
--- | --- | ---
Reconnaissance | Gather Victim Identity Information (T1589), Phishing for Information (T1598) | –
Resource development | Acquire Infrastructure: Domains (T1583.001), Establish Accounts: Social Media Accounts (T1585.001) | –
Initial Access | MFA Request Generation (T1621), Phishing (T1566), Spearphishing Voice (T1566.004), Supply Chain Compromise (T1195), Multi-Factor Authentication Interception (T1111), SIM Card Swap (T1451), Impersonation (T1656) | 0ktapus phishing kit
Execution | User Execution (T1204) | –
Persistence | Remote Access Software (T1219), Account Manipulation: Device Registration (T1098.005) | Teleport, Windows scheduled tasks, TeamViewer, ScreenConnect, AnyDesk, Splashtop, Zoho Assist, FleetDeck, RustDesk
Privilege escalation | Account Manipulation: Additional Cloud Roles (T1098.003), Domain or Tenant Policy Modification: Trust Modification (T1484.002) | –
Defense evasion | Impair Defenses: Disable or Modify Tools (T1562.001) | POORTRY
Credential access | OS Credential Dumping (T1003) | Mimikatz, ADExplorer
Discovery | – | –
Lateral movement | Internal Spearphishing (T1534), RDP Hijacking (T1563.002), SMB/Windows Admin Shares (T1021.002) | RDP, SMB
Collection | Data from Information Repositories: Messaging Applications (T1213.005), Data from Information Repositories: Sharepoint (T1213.002), Email Collection (T1114) | –
Command & Control | Remote Desktop Software (T1219.002) | Warzone RAT (Ave Maria), Ngrok
Exfiltration | Exfiltration Over C2 Channel (T1041), Exfiltration Over Alternative Protocol (T1048), Protocol Tunneling (T1572) | Raccoon Stealer, VIDAR, ULTRAKNOT
Impact | Data Encrypted for Impact (T1486) | BlackCat, Ransomhub, Qilin (Agenda)

Ransomware Malware/Tools

Scattered Spider employs several malware families with information-stealing (infostealer) and remote access (RAT) capabilities, as well as ransomware such as BlackCat:

Malware | Type
--- | ---
BlackCat (ALPHV) | Ransomware (RaaS)
WarzoneRAT (Ave Maria) | Remote Access Trojan
Raccoon Stealer | Infostealer
Vidar Stealer | Infostealer
STONESTOP | Loader
POORTRY | Malicious driver
EIGHTBAIT | Phishing kit

Exploited Open Source tools & Living-off-the-Land (LotL)

Scattered Spider frequently abuses open-source or legitimate software, such as remote management tools already present in the victim’s environment or installed after login, as part of Living-off-the-Land (LotL)-style attacks.

Tool | Function
--- | ---
Impacket | Lateral movement scripts
LaZagne | Credential harvesting
Mimikatz | Password dumping
Ngrok | Tunneling for C2 communication
Fleetdeck.io | Remote access / cloud deployment
Level.io | Remote IT management
Pulseway | RMM (remote monitoring & management)
ScreenConnect | Remote support tool
Splashtop | Remote desktop tool
Tactical RMM | Remote system management
Tailscale | VPN tunneling
TeamViewer | Remote desktop software

Focus: EDR evasion abusing BYOVD – STONESTOP and POORTRY

The STONESTOP loader has been used by the SCATTERED SPIDER group since at least August 2022. This is a Windows utility that operates in user mode and serves as a loader and installer for POORTRY. POORTRY is a Windows kernel-mode driver used to terminate processes related to security systems, such as EDR (Endpoint Detection and Response) and antivirus.

These tools are associated with SCATTERED SPIDER, but have also been observed in attacks launched by other actors, which suggests that the malicious toolkit circulates through underground cybercrime channels.

The drivers were signed with Microsoft certificates obtained through the Microsoft Windows Hardware Developer Program. The abuse of these certificates led Microsoft to suspend the accounts involved in the signing and to revoke the certificates themselves. According to Mandiant research, this was a “Malicious Driver Signing as a Service” operation, meaning the certificates were likely obtained through illegal services that provide digital signatures for malicious software.

Major Attack Timeline

Attack on MGM Resorts and Caesars Palace (2023)

  • Date: September 2023
  • Target: MGM Resorts and Caesars Palace, two of the largest hotel and casino operators in Las Vegas
  • Attack Method: Social engineering and impersonation of IT personnel to bypass MFA, followed by deployment of the ALPHV/BlackCat ransomware via PowerShell commands. The attacker penetrated the victims’ cloud and on-premises infrastructure, infiltrating Okta, Azure, Citrix and SharePoint services.
  • Impact: Disruption of services. Exfiltration of personal customer data. Losses estimated at around $100 million.
  • Malware/Toolset: BlackCat/ALPHV, social engineering

UK Retailers Campaign (2025)

  • Date: Q1 2025
  • Target: UK retail companies
  • Attack Method: Ransomware, with initial access via social engineering, credential compromise and likely abuse of IT helpdesk processes. The use of Dragonforce ransomware points to that group’s involvement alongside Scattered Spider.
  • Impact: Disruption of critical business functions, exfiltration of customer data, estimated financial costs between £270 million and £440 million
  • Malware/Toolset: Social engineering, credential compromise, abuse of IT helpdesk processes, Dragonforce ransomware

Insurance Campaign (2025)

  • Date: Q1 2025
  • Target: US insurance companies
  • Attack method: Initial access via social engineering, phishing, SIM swapping and MFA fatigue/MFA bombing
  • Impact: Disconnection of affected systems, disruption of services
  • Malware/Toolset: Unknown

Airlines Campaign (2025)

In a post published on X on 06/28/2025, the FBI announced that Scattered Spider had shifted its attention to the airline industry. The US agency also warned operators in the sector about the social engineering techniques typically used by the actor to bypass authentication systems. In the following weeks, cyberattacks hit three Western airlines with TTPs similar to those of Scattered Spider; at present, however, there is no official attribution to the actor.

Figure 1 – FBI Post

Based on the evidence presented in this report, the following countermeasures are recommended to minimize or contain damage caused by the actor described here or by groups emulating it.

Threat or vector | Key countermeasure | Expected impact
--- | --- | ---
BYOVD | Constant driver updates and patching; custom detection rules for known malicious drivers; enforcement of the “vulnerable driver blocklist” made available by Microsoft | The actor will not be able to disable EDR via the compromised driver
C2 communication | Firewalling and deep packet inspection | Interruption of communications with the C2
Social engineering, MFA bypass | Staff training, awareness culture and cyber hygiene; strengthening resilience to MFA bypass techniques through staff awareness and education about the impersonation technique employed by the actor | Reduced ability of the threat actor to exploit the access route represented by social engineering; increased staff awareness and ability to promptly report critical issues or suspicious activity
Infostealer, ransomware | EDR, network segmentation, vulnerability patching, access control policies, data encryption, DLP, deception (honeypot deployment) | –
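As an added example, not code from this report or from Microsoft, the Python script below checks a driver inventory against Deny rules written in the format of Microsoft’s vulnerable driver blocklist XML (the BYOVD countermeasure above and the POORTRY discussion in the Focus section), matching by file name plus version range or by hash, which is how the blocklist identifies drivers that must not load. The rule IDs, hash, driver names and versions are constructed placeholders; real entries also carry signer-based rules and Authenticode PE hashes, which this matcher does not compute.

```python
import xml.etree.ElementTree as ET
# Constructed excerpt in the WDAC policy format of Microsoft's vulnerable driver blocklist XML;
# rule IDs, names, versions and the hash are placeholders, not real blocklist entries.
BLOCKLIST_XML = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Deny ID="ID_DENY_EXAMPLE_1" FriendlyName="example-driver.sys (vulnerable builds)"
          FileName="example-driver.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="2.1.0.0" />
    <Deny ID="ID_DENY_EXAMPLE_2" FriendlyName="placeholder hash rule"
          Hash="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF" />
  </FileRules>
</SiPolicy>"""
NS = {"sp": "urn:schemas-microsoft-com:sipolicy"}

def parse_version(text):  # "2.1.0.0" -> (2, 1, 0, 0), so version ranges compare numerically
    return tuple(int(p) for p in text.split("."))

def load_deny_rules(xml_text):
    # Collect FileName/version-range and Hash based Deny rules (signer-based rules are ignored here)
    rules = []
    for deny in ET.fromstring(xml_text).findall("./sp:FileRules/sp:Deny", NS):
        rules.append({
            "id": deny.get("ID"),
            "file_name": (deny.get("FileName") or "").lower(),
            "min_ver": parse_version(deny.get("MinimumFileVersion", "0.0.0.0")),
            "max_ver": parse_version(deny.get("MaximumFileVersion", "65535.65535.65535.65535")),
            "hash": (deny.get("Hash") or "").upper(),  # real entries hold the Authenticode PE hash
        })
    return rules

def match_driver(driver, rules):
    # Return the IDs of the Deny rules that cover one driver {file_name, version, hash}
    ver = parse_version(driver["version"])
    hits = []
    for r in rules:
        if r["hash"] and r["hash"] == driver["hash"].upper():
            hits.append(r["id"])
        elif r["file_name"] == driver["file_name"].lower() and r["min_ver"] <= ver <= r["max_ver"]:
            hits.append(r["id"])
    return hits

def audit(drivers, xml_text=BLOCKLIST_XML):
    # Pair each inventoried driver with the rules that would deny it (empty list = not blocked)
    rules = load_deny_rules(xml_text)
    return [(d["file_name"], d["version"], match_driver(d, rules)) for d in drivers]

# Constructed driver inventory, as a driverquery or kernel telemetry export might provide it
SAMPLE_DRIVERS = [
    {"file_name": "example-driver.sys", "version": "1.9.0.0", "hash": "FF" * 32},  # old build: blocked
    {"file_name": "example-driver.sys", "version": "2.2.0.0", "hash": "EE" * 32},  # fixed build: allowed
    {"file_name": "other.sys", "version": "1.0.0.0", "hash": "00112233445566778899AABBCCDDEEFF" * 2},
]
```

Running `audit(SAMPLE_DRIVERS)` against the real blocklist XML (with the matching hash type) turns a driver inventory into a list of drivers that the blocklist would deny, which is a quick way to confirm that enforcing it would actually have stopped a loaded driver.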

IoC

Domains following this pattern, where victimname is the name of the targeted organization:

  • victimname-sso[.]com
  • victimname-servicedesk[.]com
  • victimname-okta[.]com
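As an added example, not part of the original report, the Python snippet below turns the domain pattern above into a detection over DNS query logs: it flags hostnames of the form <org>-sso, <org>-servicedesk and <org>-okta for the organization names a defender configures, while leaving the legitimate tenant form (org.okta.com) and allowlisted domains alone. The organization names, allowlist and log lines are constructed; the log format is a hypothetical resolver log.

```python
import re

# Constructed: the organization names you defend (brand, subsidiaries, common abbreviations)
ORG_NAMES = ["examplecorp", "examplebank"]
# Suffixes from the lookalike pattern: victimname-sso, victimname-servicedesk, victimname-okta
SUFFIXES = ["sso", "servicedesk", "okta"]
# Constructed: hyphenated hostnames the organization legitimately owns, to suppress false positives
ALLOWLIST = {"examplecorp-sso.examplecorp.com"}

def build_pattern(org_names, suffixes=SUFFIXES):
    # Match <org>-<suffix>.<rest>, also when it sits under a subdomain (login.<org>-sso.net).
    # The TLD is left open: the hyphenated label, not the .com registry, is the indicator.
    names = "|".join(re.escape(n) for n in org_names)
    sfx = "|".join(re.escape(s) for s in suffixes)
    return re.compile(rf"(?:^|\.)(?:{names})-(?:{sfx})\.[a-z0-9.-]+$", re.IGNORECASE)

def flag_domains(log_lines, pattern, allowlist=ALLOWLIST):
    # Return lowercase hostnames from whitespace/comma/pipe separated log lines that match
    # the lookalike pattern and are not allowlisted; input order is preserved.
    hits = []
    for line in log_lines:
        for token in re.split(r"[\s,|]+", line.strip()):
            host = token.lower().rstrip(".")  # normalise case and the trailing dot of FQDNs
            if host in allowlist:
                continue
            if pattern.search(host):
                hits.append(host)
    return hits

# Constructed resolver log lines (timestamp, client, query type, name)
SAMPLE_DNS_LOG = [
    "2025-07-01T09:12:44Z 10.0.0.23 query A examplecorp-sso.com",
    "2025-07-01T09:12:45Z 10.0.0.23 query A examplecorp.okta.com",               # legitimate tenant form
    "2025-07-01T09:13:01Z 10.0.0.41 query A login.examplebank-servicedesk.net",  # lookalike under a subdomain
    "2025-07-01T09:13:05Z 10.0.0.41 query A examplecorp-sso-archive.internal",   # extra label, not the pattern
    "2025-07-01T09:14:10Z 10.0.0.9 query A EXAMPLEBANK-OKTA.COM.",               # case and trailing dot differ
    "2025-07-01T09:15:00Z 10.0.0.9 query A examplecorp-sso.examplecorp.com",     # allowlisted, owned by the org
]

if __name__ == "__main__":
    for host in flag_domains(SAMPLE_DNS_LOG, build_pattern(ORG_NAMES)):
        print("possible Scattered Spider-style lookalike domain:", host)
```

The same pattern can be run against certificate transparency feeds or newly registered domain lists, where a hit appears before any employee is phished.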

Sources

  • Microsoft, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules#vulnerable-driver-blocklist-xml
  • Google, https://cloud.google.com/blog/topics/threat-intelligence/unc3944-sms-phishing-sim-swapping-ransomware, https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications, https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations, https://cloud.google.com/blog/topics/threat-intelligence/hunting-attestation-signed-malware
  • Group-IB, https://www.group-ib.com/blog/0ktapus/
  • Mphasis, https://www.mphasis.com/content/dam/mphasis-com/global/en/home/services/cybersecurity/scattered-spider-conducts-sim-swapping-attacks-12.pdf
  • SOCRadar, https://socradar.io/dark-web-profile-scattered-spider/
  • Morphisec, https://www.morphisec.com/blog/mgm-resorts-alphv-spider-ransomware-attack/
  • Threatdown, https://www.threatdown.com/blog/ransomware-group-steps-up-issues-statement-over-mgm-resorts-compromise/
  • Bitsight, https://www.bitsight.com/blog/who-is-scattered-spider-ransomware-group
  • CrowdStrike, https://www.crowdstrike.com/en-us/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/, https://www.crowdstrike.com/en-us/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/, https://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks
  • Security Journal UK, https://securityjournaluk.com/m-and-s-cyber-attack/
  • Palo Alto Networks Unit 42, https://unit42.paloaltonetworks.com/muddled-libra/
  • Cyber Monitoring Centre, https://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025/
  • aha.org, https://www.aha.org/system/files/media/file/2024/10/hc3%20tlp%20clear%20threat%20actor%20profile%20scattered%20spider-10-24-2024.pdf
  • Forescout, https://www.forescout.com/blog/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack/
  • Trellix, https://www.trellix.com/blogs/research/scattered-spider-the-modus-operandi/
  • Check Point, https://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/
  • Dark Reading, https://www.darkreading.com/cyberattacks-data-breaches/blurring-lines-scattered-spider-russian-cybercrime
  • SOSintel, https://sosintel.co.uk/understanding-scattered-spider-tactics-targets-and-defence-strategies/
  • Cyberint, https://cyberint.com/blog/dark-web/meet-scattered-spider-the-group-currently-scattering-uk-retail-organizations/
  • SANS, https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
  • CBS, https://www.cbsnews.com/news/scattered-spider-blackcat-hackers-ransomware-team-up-60-minutes/
  • CISA, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
  • Forbes, https://www.forbes.com/sites/suzannerowankelleher/2023/09/14/2-casino-ransomware-attacks-caesars-mgm/
  • Cybersecurity Dive, https://www.cybersecuritydive.com/news/mgm-resorts-caesars-attacks-hospitality/693689/
  • Reuters, https://www.reuters.com/technology/cybersecurity/us-charges-five-scattered-spider-hacking-scheme-2024-11-20/
  • Halcyon, https://www.halcyon.ai/blog/understanding-byovd-attacks-and-mitigation-strategies
  • Picus Security, https://www.picussecurity.com/resource/blog/qilin-ransomware
  • BBC, https://www.bbc.com/news/articles/ckgnndrgxv3o
  • BleepingComputer, https://www.bleepingcomputer.com/news/security/mgm-resorts-ransomware-attack-led-to-100-million-loss-data-theft/, https://www.bleepingcomputer.com/news/microsoft/microsoft-signed-malicious-windows-drivers-used-in-ransomware-attacks, https://www.bleepingcomputer.com/news/security/us-arrests-scattered-spider-suspect-linked-to-telecom-hacks, https://www.bleepingcomputer.com/news/security/microsoft-links-scattered-spider-hackers-to-qilin-ransomware-attacks
  • Mjolnir, https://mjolnirsecurity.com/an-actionable-threat-analysis-of-scattered-spider-and-dragon-force/
Editorial Staff
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
