
Google’s Threat Intelligence Group (GTIG) has observed a decline in activity from UNC3944—also known as Scattered Spider—a financially motivated threat actor known for its persistent use of social engineering and bold interactions with victims. The drop in activity follows 2024 law enforcement actions targeting individuals allegedly linked to the group. Recent reports indicate that threat actors using tactics consistent with Scattered Spider targeted a U.K. retail organization with DragonForce ransomware.
“Recent public reporting has suggested that threat actors used tactics consistent with Scattered Spider to target a UK retail organization and deploy DragonForce ransomware,” Mandiant researchers wrote in a blog post this week. “Subsequent reporting by BBC News indicates that actors associated with DragonForce claimed responsibility for attempted attacks at multiple UK retailers. Notably, the operators of DragonForce ransomware recently claimed control of RansomHub, a ransomware-as-a-service (RaaS) that seemingly ceased operations in March of this year.”
It is common for threat actors to temporarily pause or scale back operations following arrests, often to reduce law enforcement scrutiny, rebuild capabilities, or adopt new tools to evade detection. However, UNC3944’s connections to a broader network of cybercriminals may enable the group to recover more rapidly from such disruptions.
In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. After shifting to ransomware and data theft extortion in early 2023, however, it impacted organizations in a broader range of industries. Since then, GTIG says it has regularly observed UNC3944 conduct waves of targeting against a specific sector, such as financial services organizations in late 2023 and food services in May 2024. Notably, UNC3944 has also previously targeted prominent brands, possibly in an attempt to gain prestige and increased attention from news media.
UNC3944 was a RansomHub affiliate in 2024, after the ALPHV (aka Blackcat) RaaS shut down. GTIG has not independently confirmed the involvement of UNC3944 or the DragonForce RaaS in the U.K. retail incidents, but over the past few years retail organizations have increasingly appeared on tracked data leak sites (DLS), which extortion actors use to pressure victims and/or leak stolen victim data. Retail organizations accounted for 11 percent of DLS victims in 2025 thus far, up from about 8.5 percent in 2024 and 6 percent in 2022 and 2023.
“It is plausible that threat actors, including UNC3944, view retail organizations as attractive targets, given that they typically possess large quantities of personally identifiable information (PII) and financial data,” Mandiant observed. “Further, these companies may be more likely to pay a ransom demand if a ransomware attack impacts their ability to process financial transactions.”
UNC3944 frequently exploits help desks by impersonating users through social engineering, making it critical to strengthen identity verification procedures. Help desk staff should be trained to confirm a user’s identity before making account changes, especially for privileged accounts. Verification methods should include in-person or on-camera checks, ID verification, and challenge-response questions.
The Mandiant report outlines prioritized recommendations for defending against tactics commonly used by UNC3944, organized under five key pillars: Identity, Endpoints, Applications and Resources, Network Infrastructure, and Monitoring/Detections. While fully implementing these recommendations may impact IT operations to some extent, Mandiant’s extensive experience in helping organizations defend against, contain, and eliminate UNC3944 shows that the most effective approach begins with a clear focus on specific foundational areas.
Organizations should start by ensuring they achieve complete visibility across their infrastructure, identity systems, and critical management services. It is essential to maintain strict segregation of identities throughout the environment and to strengthen authentication requirements. Additionally, enforcing robust identity controls for password resets and MFA registration is critical.
Equally important is educating employees on the dangers of modern social engineering attacks, which are a core component of UNC3944’s tactics. These foundational actions provide the basis for building a comprehensive and resilient defense posture aligned with the broader recommendations in the Mandiant report.
Organizations should strengthen their authentication security by disabling or enhancing self-service password resets during suspected compromises and requiring strong authentication before allowing any changes to authentication methods. Trusted locations, out-of-band verification, and alerts for security changes should be used to prevent misuse. Publicly available personal data should not be used for verification, as attackers often have access to it.
To counter social engineering and bypass tactics, organizations should eliminate the use of SMS, phone calls, and email for authentication. Instead, they should implement phishing-resistant MFA methods such as authenticator apps with number matching or geo-verification, and move toward passwordless authentication wherever possible. Privileged accounts should rely on FIDO2 security keys, and administrative users must not be allowed to register or use legacy MFA methods.
Authentication should be multi-contextual, validating user identity, device, and location. Organizations must also revoke access tokens and keys when needed, review changes to authentication settings, and regularly audit MFA devices and newly enrolled endpoints. To prevent lateral movement, they should restrict local accounts from remote access, disable remote access to administrative shares, and apply firewall rules to block protocols commonly abused for lateral movement, such as SMB, RDP, and PowerShell remoting.
Organizations should ensure that authentication processes include both strong identity verification and device validation. This involves enforcing posture checks for devices connecting remotely, such as verifying the presence of required host-based certificates, ensuring endpoints run approved operating systems with up-to-date versions, and confirming that Endpoint Detection and Response (EDR) agents are installed and active on all managed devices.
To prevent unauthorized access through rogue or compromised endpoints, the Mandiant report on the UNC3944 threat called upon organizations to monitor for suspicious activity, including newly created bastion hosts or virtual machines, and restrict the ability to join devices to Microsoft Entra or on-premises Active Directory. Authentication logs should be reviewed for devices with default hostnames, which may indicate unauthorized systems.
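The hostname review above can be automated against sign-in logs. The following is an added example, not code from the Mandiant report: it flags successful sign-ins from devices whose names match the patterns Windows assigns when no hostname is chosen at setup, or whose device is not marked compliant. The event field names (user, device, compliant, result) and the sample events are assumptions constructed for the example.

```python
import re
from typing import Iterable

# Regexes for names Windows assigns when no hostname is chosen at setup:
# DESKTOP-/LAPTOP- followed by 7 alphanumerics, WIN- followed by 11.
DEFAULT_HOSTNAME_PATTERNS = [
    re.compile(r"^DESKTOP-[A-Z0-9]{7}$", re.IGNORECASE),
    re.compile(r"^LAPTOP-[A-Z0-9]{7}$", re.IGNORECASE),
    re.compile(r"^WIN-[A-Z0-9]{11}$", re.IGNORECASE),
]

def is_default_hostname(name: str) -> bool:
    """True if the device name looks like an out-of-the-box Windows hostname."""
    return any(p.match(name or "") for p in DEFAULT_HOSTNAME_PATTERNS)

def find_suspect_signins(events: Iterable[dict]) -> list[dict]:
    """Return successful sign-ins from devices that look unmanaged.

    Each event is a dict loosely shaped like an Entra ID sign-in record; the
    field names (user, device, compliant, result) are assumed for this example.
    """
    suspects = []
    for e in events:
        reasons = []
        if is_default_hostname(e.get("device", "")):
            reasons.append("default-hostname")
        if not e.get("compliant", False):
            reasons.append("device-not-compliant")
        # Failed sign-ins are noise here; a successful one from such a device needs review.
        if reasons and e.get("result") == "success":
            suspects.append({"user": e["user"], "device": e["device"], "reasons": reasons})
    return suspects

# Constructed sample sign-ins (not real log data).
SAMPLE_SIGNINS = [
    {"user": "alice@corp.example", "device": "CORP-LT-0142", "compliant": True, "result": "success"},
    {"user": "bob@corp.example", "device": "DESKTOP-Q7K2M9X", "compliant": False, "result": "success"},
    {"user": "carol@corp.example", "device": "WIN-5T3RR6YN1P2", "compliant": False, "result": "failure"},
    {"user": "dave@corp.example", "device": "CORP-VDI-07", "compliant": False, "result": "success"},
]

if __name__ == "__main__":
    for s in find_suspect_signins(SAMPLE_SIGNINS):
        print(s)
```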
To mitigate the risk of lateral movement, organizations should limit the use of local accounts for remote access, restrict or disable administrative shares, and enforce firewall rules that block inbound protocols such as SMB, RDP, WinRM, PowerShell, and WMI.
Additionally, for domain-based privileged and service accounts, Group Policy Objects (GPOs) should be configured to deny various types of remote and local logons. These include denying logon locally, through Remote Desktop Services, via the network, as a batch job, or as a service. These measures collectively help harden the environment against credential misuse and lateral movement by threat actors.
The Mandiant report noted that hackers may attempt to disable or alter VPN agents to reduce network visibility for security teams. To mitigate this risk, organizations should disable end-user access to VPN configuration settings, ensure configuration changes are logged appropriately, and consider enforcing an ‘Always-On’ VPN configuration for managed devices to maintain continuous protection.
To protect PAM systems from unauthorized access, organizations should isolate them through strict network and identity access controls. PAM systems should be hosted on dedicated, segmented servers isolated from the broader enterprise infrastructure. Access to these systems should be limited using strong authentication methods (such as MFA), role-based access controls (RBAC), and a reduced number of privileged accounts. Additionally, organizations should enforce just-in-time (JIT) access for credential use.
To defend virtualization infrastructure from threats, organizations should restrict and isolate access to systems such as ESXi hosts and vCenter Servers. Backups should be secure, isolated, and immutable. Authentication for administrative access should not be tied to centralized identity providers, and local root/administrative credentials should be rotated regularly and use randomized passwords. Strong MFA should be employed, shell access (e.g., SSH) should be disabled or restricted, lockdown mode should be enabled on ESXi hosts, and monitoring should be enhanced to detect suspicious authentication activity.
To secure backup infrastructure, organizations should use unique, non-IdP-integrated credentials protected by MFA. Backup servers should be isolated from production networks and placed within dedicated, secure environments. Access to administrative interfaces must be tightly controlled using access restrictions. Regular validation of backup protection, including red team exercises, should also be conducted to ensure integrity.
To prevent attackers from misusing endpoint security tools such as EDR and patch management systems, organizations should segment administrative access and limit the number of users who can modify Group Policy Objects (GPOs). If using Microsoft Intune, access changes should require multi-admin approval. Monitoring for unauthorized access, script and application deployments, allow-listed elements, and unauthorized software installations—especially RATs or reconnaissance tools—is also essential.
To prevent attackers from exploiting cloud infrastructure, organizations should continuously monitor for unauthorized changes such as the creation of new resources, exposure of services, or modifications to firewall and NSG rules. Additionally, organizations should watch for the creation of programmatic keys and credentials, which could indicate attempts to establish persistent access.
The report added that to reduce the risk of unauthorized access and identify exposed applications and ingress points, organizations should conduct external unauthenticated vulnerability scans to detect publicly exposed domains, IP addresses, and IP ranges. Strong, phishing-resistant multi-factor authentication (MFA) should be enforced for all publicly accessible applications and services. Access to sensitive data and applications should be restricted to trusted IP ranges only. Additionally, organizations should block IP addresses associated with Tor exit nodes and virtual private servers (VPS) to prevent anonymous or malicious access.
‘Trusted Service Infrastructure’ (TSI) refers to the management interfaces of critical platforms and services, such as asset and patch management tools, network devices, virtualization platforms, backup systems, security tools, and privileged access management (PAM) systems. To protect these systems, organizations should restrict access to TSI from hardened internal network segments or Privileged Access Workstations (PAWs). Monitoring should also be implemented to detect and alert on abnormal or suspicious traffic patterns targeting TSI.
To limit the potential for command-and-control activity and large-scale data exfiltration, organizations should restrict outbound communications from all servers, especially those associated with TSI, Active Directory domain controllers, and critical applications or data. Outbound traffic to known malicious domains, IP addresses, and those linked to remote access tools (RATs) should be actively blocked.
Following initial compromise, UNC3944 is known to search for internal documentation on user provisioning, MFA registration, network diagrams, and shared credentials. They also deploy tools such as ADRecon, ADExplorer, and SharpHound for network mapping. Organizations should restrict access to documentation portals, remove shared credentials from accessible files, configure EDR agents to alert on known reconnaissance tools, and enable detection rules in identity monitoring solutions.
The Mandiant report on UNC3944 mentioned that to secure the MFA registration process, organizations should review logs for events indicating the addition of new devices or methods, including shared devices across multiple accounts. These events should be validated against expected behavior or onboarding records, and users should be contacted to confirm legitimacy if unexpected registrations occur.
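The two checks described above, a phone number or device shared across multiple accounts and a registration that does not match onboarding records, are shown below as an added example that is not part of the Mandiant report. The registration event fields (user, method, identifier, time), the onboarding table and all sample values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA registration events (not real log data). Field names
# user, method, identifier (phone number or device id) and time are assumed.
SAMPLE_REGISTRATIONS = [
    {"user": "alice@corp.example", "method": "authenticatorApp", "identifier": "dev-1a2b", "time": "2025-05-01T09:10:00"},
    {"user": "bob@corp.example", "method": "phone", "identifier": "+15550100", "time": "2025-05-06T22:41:00"},
    {"user": "carol@corp.example", "method": "phone", "identifier": "+15550100", "time": "2025-05-06T22:47:00"},
    {"user": "dave@corp.example", "method": "authenticatorApp", "identifier": "dev-9z8y", "time": "2025-05-07T03:02:00"},
    {"user": "erin@corp.example", "method": "fido2", "identifier": "key-77", "time": "2025-05-02T10:00:00"},
    {"user": "frank@corp.example", "method": "authenticatorApp", "identifier": "dev-4c4c", "time": "2025-05-07T11:30:00"},
]

# Constructed onboarding records: the date IT expected each user to enroll MFA.
ONBOARDING = {
    "alice@corp.example": "2025-05-01",
    "erin@corp.example": "2025-05-02",
    "frank@corp.example": "2025-04-01",
}

def shared_identifiers(events):
    """Phone numbers or devices registered to more than one account, with those accounts."""
    owners = defaultdict(set)
    for e in events:
        owners[e["identifier"]].add(e["user"])
    return {ident: sorted(users) for ident, users in owners.items() if len(users) > 1}

def unexpected_registrations(events, onboarding, window_days=3):
    """Registrations with no onboarding record or outside the expected window.

    These are the events for which the user should be contacted to confirm legitimacy.
    """
    flagged = []
    for e in events:
        when = datetime.fromisoformat(e["time"])
        expected = onboarding.get(e["user"])
        if expected is None:
            flagged.append((e["user"], "no onboarding record"))
            continue
        start = datetime.fromisoformat(expected)
        if not start <= when <= start + timedelta(days=window_days):
            flagged.append((e["user"], "outside onboarding window"))
    return flagged

if __name__ == "__main__":
    print(shared_identifiers(SAMPLE_REGISTRATIONS))
    print(unexpected_registrations(SAMPLE_REGISTRATIONS, ONBOARDING))
```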
To protect platforms like Microsoft Teams from social engineering and unauthorized access, organizations should enforce policies that restrict external communication to trusted domains. If blocking is not feasible, they should baseline trusted domains and alert on new or unknown domains. Employee training is essential to ensure users report suspicious messages and calls. Defender and Google SecOps queries can be used to detect impersonation attempts from external accounts using terms like ‘help’ or ‘support’ in usernames.
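The baseline-and-alert approach for external Teams senders, combined with the username check for support-style impersonation, as an added example that is not from the Mandiant report or a Defender/SecOps query. The message fields (sender, external, text), the trusted-domain baseline, the sample messages and the extra terms beyond ‘help’ and ‘support’ are all assumptions.

```python
import re

# Terms seen in usernames of accounts posing as IT support. The page cites
# 'help' and 'support'; 'helpdesk' and 'servicedesk' are added assumptions.
IMPERSONATION_TERMS = re.compile(r"help|support|servicedesk", re.IGNORECASE)

def triage_external_messages(messages, trusted_domains):
    """Alert on external Teams senders from unknown domains or with support-like usernames.

    messages: dicts with assumed fields sender (UPN), external (bool), text.
    trusted_domains: baseline set of external domains the organization already expects.
    """
    alerts = []
    for m in messages:
        if not m.get("external"):
            continue  # internal senders are outside this check
        local, _, domain = m["sender"].rpartition("@")
        reasons = []
        if domain.lower() not in trusted_domains:
            reasons.append("untrusted-domain")
        if IMPERSONATION_TERMS.search(local):
            reasons.append("support-impersonation-name")
        if reasons:
            alerts.append({"sender": m["sender"], "reasons": reasons})
    return alerts

# Constructed baseline and sample messages (not real data).
TRUSTED = {"partner.example"}
SAMPLE_MESSAGES = [
    {"sender": "jane@partner.example", "external": True, "text": "Invoice attached"},
    {"sender": "it.helpdesk@lookalike-tenant.example", "external": True, "text": "Your password expires today, call us"},
    {"sender": "alice@corp.example", "external": False, "text": "lunch?"},
    {"sender": "support@partner.example", "external": True, "text": "ticket update"},
]

if __name__ == "__main__":
    for a in triage_external_messages(SAMPLE_MESSAGES, TRUSTED):
        print(a)
```

A sender from a baselined domain with a support-style name still gets an alert, since the name check is independent of the domain check.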
Organizations should monitor for high-risk authentication behaviors, such as logins from infrequent locations, use of proxy or VPN services, changes to authentication methods, or anomalies indicating social engineering. These should trigger further investigation or step-up authentication.
Mandiant warned that UNC3944 may alter MFA requirements to bypass authentication. Organizations using Microsoft Entra ID should monitor for changes to Trusted Named Locations and Conditional Access Policies, especially exclusions applied to specific users or devices. Security teams must also monitor for suspicious token usage and ensure mechanisms exist to prompt reauthentication in response to unusual activity.
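The following is an added example, not from the Mandiant report, of reviewing Entra ID audit events for the two changes named above: a Conditional Access policy gaining user exclusions, and a named location being marked trusted or gaining IP ranges while trusted. The activity strings, the old/new field names (modelled loosely on the Graph excludeUsers, isTrusted and ipRanges properties) and the sample events are assumptions.

```python
# Constructed Entra ID-style audit events (not real log data). The activity
# names and the old/new property names are assumptions for this example.
SAMPLE_AUDIT = [
    {"activity": "Update conditional access policy", "target": "Require MFA - All users",
     "old": {"excludeUsers": ["breakglass@corp.example"]},
     "new": {"excludeUsers": ["breakglass@corp.example", "svc-helpdesk@corp.example"]}},
    {"activity": "Update named location", "target": "Office IPs",
     "old": {"isTrusted": True, "ipRanges": ["203.0.113.0/24"]},
     "new": {"isTrusted": True, "ipRanges": ["203.0.113.0/24", "198.51.100.7/32"]}},
    {"activity": "Update named location", "target": "Contractor VPN",
     "old": {"isTrusted": False, "ipRanges": ["192.0.2.0/24"]},
     "new": {"isTrusted": True, "ipRanges": ["192.0.2.0/24"]}},
    {"activity": "Update conditional access policy", "target": "Block legacy auth",
     "old": {"excludeUsers": []}, "new": {"excludeUsers": []}},
]

def policy_change_alerts(audit_events):
    """Flag CA policy edits that add exclusions and named-location edits that widen trust.

    Returns (target, reason, details) tuples; a benign edit produces nothing.
    """
    alerts = []
    for ev in audit_events:
        old, new = ev["old"], ev["new"]
        if ev["activity"] == "Update conditional access policy":
            added = sorted(set(new.get("excludeUsers", [])) - set(old.get("excludeUsers", [])))
            if added:
                alerts.append((ev["target"], "exclusions added", added))
        elif ev["activity"] == "Update named location":
            # A location flipping to trusted bypasses MFA/location controls for its ranges.
            if new.get("isTrusted") and not old.get("isTrusted"):
                alerts.append((ev["target"], "location newly marked trusted", new.get("ipRanges", [])))
            # New ranges in an already trusted location are the quieter variant of the same change.
            added_ips = sorted(set(new.get("ipRanges", [])) - set(old.get("ipRanges", [])))
            if added_ips and new.get("isTrusted"):
                alerts.append((ev["target"], "ip ranges added to trusted location", added_ips))
    return alerts

if __name__ == "__main__":
    for alert in policy_change_alerts(SAMPLE_AUDIT):
        print(alert)
```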
Organizations using Entra ID should also monitor for unauthorized changes to federated domains, including domain registration and federation method modifications. These actions require administrative privileges, so securing admin accounts and access points is critical. Reviewing domain federation settings regularly helps detect potential abuse.
UNC3944 frequently uses social engineering tactics such as phishing messages, fake IT support calls, impersonation via collaboration tools, and MFA fatigue attacks. Organizations should educate employees to recognize these tactics, avoid interacting with suspicious messages or calls, and report incidents immediately. Awareness training should also include how to handle doxxing threats or aggressive language from attackers.