2025-07-03

Aggressive Scattered Spider Attacks Continue to Pose Grave Risk to Organizations Globally

Level: Tactical | Source: Halcyon | Global


Since emerging in 2021, the threat group known as Scattered Spider has rapidly become one of the most disruptive forces in the threat landscape. With a reputation for high-speed, high-impact operations, the group blends advanced social engineering tactics with technical depth across hybrid, on-premises, cloud, and virtualized infrastructure. Halcyon characterizes the group as executing attacks that "disrupt entire organizations from top to bottom, creating ripple effects that threaten financial viability, customer trust, and operational continuity. These attacks unfold swiftly and ruthlessly, transforming ordinary systems in just hours." There is no shortage of high-impact examples: attacks have caused both financial losses and operational disruption, often followed by long recovery periods. As Halcyon notes, in prior campaigns, Scattered Spider used credential-based attacks to shut down internal networks in under ten minutes. Beyond the severe financial impact of individual attacks, such as a UK retailer breach that caused six weeks of disruption and wiped "at least £1 billion from its market value, with projected profit losses potentially reaching £300 million," the group's reach is a further concern. With ties to ransomware families like DragonForce, Qilin, Akira, and Play, the group continues to pivot across verticals: Google's Threat Intelligence Group (GTIG) informed the public that the group is targeting the insurance sector and, more recently, the FBI warned of threats to aviation and transportation.

Scattered Spider initiates attacks using highly targeted social engineering methods, including phishing, SMS-based lures, SIM swapping, and impersonation of help desk personnel. Their impersonation efforts are effective in "tricking victims into revealing credentials, approving multi-factor authentication push requests, or registering the attacker’s authentication token," as noted by Halcyon. These campaigns often leverage spoofed domains that resemble trusted brands to lower suspicion. After gaining access, the attackers deploy remote access tools such as AnyDesk, Atera, Fleetdeck, Ngrok, or Remcos to solidify their foothold and maintain persistence. Because these tools blend in with "expected administrative traffic," their use is easily overlooked by traditional monitoring solutions.

Once access is secured, Scattered Spider escalates privileges with techniques such as exploiting Active Directory Certificate Services (ADCS), deploying vulnerable drivers to disable services, and retrieving or modifying credentials managed by Microsoft LAPS. They perform credential dumping of LSASS and exfiltrate NTDS.dit, enabling offline password cracking. Internal reconnaissance is conducted using a mix of native Windows utilities (e.g., wmic) and external tools like AdRecon, Rubeus, Nmap, and Angry IP Scanner. The group searches file systems for terms like “password,” “token,” and “passwd” to locate sensitive credentials. Scattered Spider operators also employ forged tokens and MFA fatigue to capture session tokens, granting access without needing traditional credentials.

In AWS environments, the group enumerates EC2 instances and backups to gain visibility into the organization’s cloud infrastructure. Halcyon notes that Scattered Spider will "use those cloud endpoints to pivot back to on-premises systems and expand their foothold." They leverage these compromised cloud assets to move laterally using RDP and SSH. Before exfiltration, they disable security defenses using vulnerable drivers and scripts to turn off antivirus and EDR/XDR tools. Exfiltration is done using encrypted channels to services like Mega.nz. The final attack stages involve deploying ransomware variants and targeting VMware ESXi hypervisors to disrupt both cloud and on-prem environments. Backup and recovery mechanisms are targeted to maximize damage and disruption.

Given the severity and proficiency of Scattered Spider, defensive measures offered by Halcyon include continuous brand monitoring, phishing awareness, and trend analysis for threat-informed defense, along with training staff to resist social engineering. Baselined monitoring for the presence and use of unauthorized remote access tools is essential, along with alerting on credential dumping activities and abuse of ADCS templates. Detection strategies should also focus on shadow copy deletion, suspicious RDP/SSH activity, unauthorized certificate creation, and large file transfers to cloud-sharing platforms. Maintaining immutable, offline backups and segmenting critical workloads can reduce blast radius. Organizations must also ensure that endpoint protections have tamper-proof settings and cannot be disabled through vulnerable drivers or direct script manipulation.
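As an added illustration of the detection strategies above (this is not code from Halcyon or Anvilogic), the following Python pass classifies constructed Windows process-creation events against a per-host baseline of sanctioned remote access tools and the command-line patterns the report calls out; the host names, the baseline and the sample events are assumptions.

```python
"""Toy detection pass over constructed process-creation events, mirroring the
Halcyon guidance above: baseline-aware alerting on remote access tools, shadow
copy deletion, LSASS/NTDS.dit credential access, and credential keyword hunts."""
import re
from typing import Dict, List
# Remote access tools named in the report. BASELINE maps host -> tools that are
# sanctioned there (constructed, hypothetical); any other sighting is an alert.
RMM_TOOLS = {"anydesk", "atera", "fleetdeck", "ngrok", "remcos"}
BASELINE = {"wks-42": {"atera"}}  # help-desk-approved on this workstation only

# Command-line patterns for the other detections the report calls for. Matching
# LSASS/NTDS.dit on command lines alone is a weak signal; real deployments should
# also use handle-access or file-access telemetry.
SHADOW_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)
CRED_RE = re.compile(r"lsass(\.exe)?|ntds\.dit", re.I)
KEYWORD_RE = re.compile(r"findstr.*\b(password|token|passwd)\b", re.I)

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection that fires for one event."""
    image = event["image"].lower().rsplit("\\", 1)[-1]  # basename of the binary
    cmd = event["cmdline"]
    hits: List[str] = []
    tool = next((t for t in RMM_TOOLS if t in image), None)
    if tool and tool not in BASELINE.get(event["host"], set()):
        hits.append("unauthorized_remote_access_tool")
    if SHADOW_RE.search(cmd):
        hits.append("shadow_copy_deletion")
    if CRED_RE.search(cmd):
        hits.append("credential_store_access")
    if KEYWORD_RE.search(cmd):
        hits.append("credential_keyword_hunt")
    return hits

def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Flatten all detections across a batch of events as (host, image, hit)."""
    return [(e["host"], e["image"], h) for e in events for h in classify(e)]
# Constructed sample events (not real telemetry): one sanctioned RMM agent, one
# unsanctioned one, a shadow copy wipe, a credential keyword search, and noise.
SAMPLE_EVENTS = [
    {"host": "wks-42", "image": "C:\\Program Files\\Atera\\AteraAgent.exe", "cmdline": "AteraAgent.exe"},
    {"host": "srv-01", "image": "C:\\Users\\j.doe\\AppData\\Local\\anydesk.exe", "cmdline": "anydesk.exe --service"},
    {"host": "srv-01", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "dc-01", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c findstr /si password *.txt *.xml"},
    {"host": "dc-01", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, image, hit in scan(SAMPLE_EVENTS):
        print(f"{host}: {hit} ({image})")
```

The sanctioned Atera agent on wks-42 produces no alert while the same tool class on an unbaselined host does, which is the point of baselining rather than blanket blocking of RMM binaries.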
