Scattered Spider’s 2025 Strategy Centers on Voice Phishing and Help Desk Abuse
Further research on the well-resourced eCrime group Scattered Spider has emerged from CrowdStrike’s intelligence and incident response engagements. The group’s escalating attacks across the aviation, insurance, and retail sectors have made close monitoring of the actor’s activity urgent. CrowdStrike notes, "Throughout Q2 2025, Scattered Spider's activities have primarily centered on U.S.-based insurance and retail entities, along with U.K.-based retail entities. However, incidents in late June 2025, specifically targeting U.S.-based airlines, demonstrated tactics, techniques, and procedures (TTPs) consistent with the adversary's previous operations." Voice-based phishing was the group’s most prominent initial access technique in 2025, used to compromise Microsoft Entra ID, single sign-on (SSO), and virtual desktop infrastructure (VDI) accounts. The callers display notable social engineering skill, including the ability to "accurately respond to help desk verification questions," as CrowdStrike describes it. Once inside, the actors typically seek sensitive internal data such as network architecture details and VPN configurations, which they use to move laterally, widen their control over the victim environment, and strengthen their leverage for extortion.
Scattered Spider employs a wide array of techniques that reflect both technical capability and operational flexibility. The TTPs CrowdStrike has observed include extensive Active Directory reconnaissance with tools such as ADExplorer and with PowerShell scripts and cmdlets such as “ADRecon.ps1” and “Get-ADUser.” The group often dumps the Active Directory database (“ntds.dit,” which holds the password hashes of every domain account) and deploys unmanaged virtual machines inside compromised VMware vCenter infrastructure. For persistence and command-and-control it relies on tunneling and proxy tools including Chisel, MobaXterm, ngrok, Pinggy, Rsocx, and Teleport, in some cases configured to use the free Cloudflare domain trycloudflare[.]com. It also abuses legitimate remote access software such as AnyDesk and TeamViewer for lateral movement. In email systems, Scattered Spider creates transport rules that redirect messages to adversary-controlled addresses; CrowdStrike reports googlemail[.]com addresses being used for this purpose. Cloud environments are targeted as well: the group enumerates AWS S3 buckets, which appears in CloudTrail as “ListBuckets” and “ListObjects” events, before exfiltrating sensitive data.
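The S3 enumeration pattern described above (a principal calling ListBuckets and then walking many buckets with ListObjects) is something a defender can hunt for directly in CloudTrail. The following detector is an added example written for this page; it is not CrowdStrike's code or tooling. The CloudTrail records it runs on are constructed for the example: the field names (eventTime, eventName, userIdentity.arn, requestParameters.bucketName) follow the CloudTrail record format, but the account ID, role names, bucket names and IP addresses are made up, and the 15-minute window and three-bucket threshold are tuning assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records for this example; they are not from any real incident.
# Field names follow the CloudTrail record format; the account, roles, buckets and IPs are made up.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2025-06-20T14:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/VDI-Users/jdoe"}},
    {"eventTime": "2025-06-20T14:02:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/VDI-Users/jdoe"},
     "requestParameters": {"bucketName": "corp-network-diagrams"}},
    {"eventTime": "2025-06-20T14:03:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjectsV2", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/VDI-Users/jdoe"},
     "requestParameters": {"bucketName": "corp-vpn-configs"}},
    {"eventTime": "2025-06-20T14:03:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/VDI-Users/jdoe"},
     "requestParameters": {"bucketName": "corp-hr-exports"}},
    # Benign: a backup role that lists the one bucket it always uses and never calls ListBuckets.
    {"eventTime": "2025-06-20T14:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/BackupRole/i-0abc"},
     "requestParameters": {"bucketName": "corp-backups"}},
]

# CloudTrail records both API versions of the object listing call.
LIST_OBJECTS = {"ListObjects", "ListObjectsV2"}


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_s3_enumeration(events, window=timedelta(minutes=15), min_buckets=3):
    """Return one finding per principal whose ListBuckets call is followed, within
    `window`, by ListObjects calls against at least `min_buckets` distinct buckets.

    Caveat: ListBuckets is a management event and is always recorded, but ListObjects
    is an S3 data event that CloudTrail only records when data-event logging is enabled
    for the trail. Without it, only the ListBuckets step of this pattern is visible.
    """
    by_actor = defaultdict(list)
    for e in events:
        if e.get("eventSource") != "s3.amazonaws.com":
            continue
        bucket = (e.get("requestParameters") or {}).get("bucketName")
        by_actor[e["userIdentity"]["arn"]].append(
            (parse_time(e["eventTime"]), e["eventName"], bucket, e.get("sourceIPAddress")))

    findings = []
    for actor, calls in by_actor.items():
        calls.sort(key=lambda c: c[0])
        for i, (t0, name, _, ip) in enumerate(calls):
            if name != "ListBuckets":
                continue
            buckets = {b for t, n, b, _ in calls[i + 1:]
                       if n in LIST_OBJECTS and b and t - t0 <= window}
            if len(buckets) >= min_buckets:
                findings.append({"actor": actor, "source_ip": ip,
                                 "start": t0.isoformat(), "buckets": sorted(buckets)})
                break  # one finding per actor is enough to raise an alert
    return findings


if __name__ == "__main__":
    for finding in find_s3_enumeration(SAMPLE_CLOUDTRAIL):
        print(json.dumps(finding, indent=2))
```

Run against a real trail, the input would be the `Records` array of each delivered CloudTrail file; the threshold should be raised for principals that legitimately inventory buckets (backup or inventory roles), which is why the detector keys on the actor ARN rather than on the IP alone.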
The group’s primary goal remains the deployment of ransomware against VMware ESXi infrastructure to maximize extortion potential. CrowdStrike warns that, "Scattered Spider’s primary goal is deploying ransomware to a victim’s VMware ESXi infrastructure. If an incident is contained prior to ransomware deployment, the adversary often threatens to publicly leak stolen data and demands a ransom." Ransomware variants deployed by Scattered Spider have included Akira, DragonForce, Play, and Qilin. The group's targeting is opportunistic yet often concentrated within specific sectors over short timeframes. Notably, they do not adhere strictly to sector boundaries, as observed when attacks on retail organizations coincided with campaigns predominantly impacting insurance entities. As CrowdStrike explains, "This adversary often targets several organizations within the same sector in a short time frame; however, they don’t strictly follow this pattern. For example, CrowdStrike Services responded to one SCATTERED SPIDER incident targeting a retail entity during the same timeframe the adversary was predominantly targeting insurance entities."
Taken together, the group’s approach chains social engineering for initial access, privilege escalation, extensive reconnaissance, data theft, and ransomware deployment to build maximum leverage over the victim, and it adapts the mix to each environment. CrowdStrike recommends several defenses against these operations. Deploy phishing-resistant multi-factor authentication (FIDO2 security keys or passkeys rather than SMS codes), tighten password reset procedures so that identity is confirmed through a channel the caller does not control, and restrict which help desk staff can reset or enroll MFA methods, since a caller who can answer verification questions defeats any check built on knowledge alone. Detection and monitoring should focus on authentication anomalies, administrative activity, and unexpected network traffic to sensitive systems. CrowdStrike also advises network segmentation, strict privilege enforcement in cloud environments, and isolated backups. Incident readiness, including response playbooks and regular training for IT and help desk personnel, is essential. Combined with continuous monitoring and hardening of virtual infrastructure, these measures reduce both the likelihood and the impact of attacks by Scattered Spider and similar threat actors.
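The help desk abuse the page describes leaves a recognisable trace in Entra ID audit logs: a help desk account resets a user's password or clears their security info, and shortly afterwards the "user" registers a new MFA method from an address the organisation has never seen. The correlation below is an added example for this page, not CrowdStrike's detection content. The audit entries are constructed: the field names (activityDateTime, activityDisplayName, initiatedBy.user, targetResources) follow the Entra audit log schema, but the tenant, users, IP addresses, the one-hour window and the "known office egress" prefix list are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Entra ID audit-log entries (not from a real tenant). Field names follow
# the Entra audit log schema; the users, IPs and tenant are made up for this example.
SAMPLE_AUDIT = [
    {"activityDateTime": "2025-06-23T09:14:02Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk1@example.com", "ipAddress": "198.51.100.5"}},
     "targetResources": [{"userPrincipalName": "a.smith@example.com"}]},
    {"activityDateTime": "2025-06-23T09:15:30Z", "activityDisplayName": "Admin deleted security info",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk1@example.com", "ipAddress": "198.51.100.5"}},
     "targetResources": [{"userPrincipalName": "a.smith@example.com"}]},
    # The "user" enrols a new authenticator eight minutes later from an address outside the office ranges.
    {"activityDateTime": "2025-06-23T09:22:48Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "a.smith@example.com", "ipAddress": "203.0.113.44"}},
     "targetResources": [{"userPrincipalName": "a.smith@example.com"}]},
    # Benign: a routine password reset with no MFA re-enrolment afterwards.
    {"activityDateTime": "2025-06-23T10:01:00Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk2@example.com", "ipAddress": "198.51.100.6"}},
     "targetResources": [{"userPrincipalName": "b.jones@example.com"}]},
]

# Actions a help desk operator performs on someone else's account during a "reset" call.
HELPDESK_RESET_ACTIONS = {"Reset user password", "Admin deleted security info",
                          "Admin registered security info"}
# The account owner (or whoever holds the new password) registering an MFA method.
ENROLL_ACTIONS = {"User registered security info"}
# Assumed office egress ranges for the example; a real deployment would use its own list.
CORP_IP_PREFIXES = ("198.51.100.",)


def parse_time(s):
    """Entra audit timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_helpdesk_mfa_takeover(events, window=timedelta(hours=1)):
    """Return one finding per MFA enrolment that was preceded, within `window`, by a
    help desk reset action on the same target account. `off_network` marks enrolments
    from outside the known office ranges, the combination most worth paging on."""
    resets = defaultdict(list)   # target UPN -> [(time, helpdesk actor, action)]
    enrollments = []             # [(time, target UPN, source IP)]
    for e in events:
        target = e["targetResources"][0]["userPrincipalName"]
        actor = e["initiatedBy"]["user"]
        t = parse_time(e["activityDateTime"])
        action = e["activityDisplayName"]
        # A self-service reset is not help desk abuse, so require actor != target.
        if action in HELPDESK_RESET_ACTIONS and actor["userPrincipalName"] != target:
            resets[target].append((t, actor["userPrincipalName"], action))
        elif action in ENROLL_ACTIONS:
            enrollments.append((t, target, actor.get("ipAddress", "")))

    findings = []
    for t_enroll, target, ip in enrollments:
        preceding = [r for r in resets.get(target, [])
                     if timedelta(0) <= t_enroll - r[0] <= window]
        if not preceding:
            continue
        preceding.sort(key=lambda r: r[0])
        findings.append({
            "target": target,
            "helpdesk_actors": sorted({r[1] for r in preceding}),
            "reset_actions": [r[2] for r in preceding],
            "enrollment_time": t_enroll.isoformat(),
            "enrollment_ip": ip,
            "off_network": not ip.startswith(CORP_IP_PREFIXES),
        })
    return findings


if __name__ == "__main__":
    for finding in find_helpdesk_mfa_takeover(SAMPLE_AUDIT):
        print(finding)
```

A hit with `off_network` set is the moment to have the help desk call the employee back on a number already on record, rather than the number the caller supplied, before the new method is trusted; the same correlation also measures how often operators are clearing security info, which is the privilege the page recommends restricting.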