CISA, FBI, and Allies Release July 2025 Update on Scattered Spider’s Attack Threat Arsenal
Intelligence collected by government agencies, including the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Royal Canadian Mounted Police (RCMP), the Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), the Australian Federal Police (AFP), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC-UK), provides an update based on findings through June 2025. Scattered Spider remains one of the most prominent and disruptive cybercriminal groups. Since April 2025, its intrusions have affected sectors including retail, airlines, insurance, and transportation. This opportunistic threat actor is best known for its methodical and tailored social engineering campaigns: Scattered Spider often impersonates internal IT staff or helpdesk personnel, using phone calls and SMS messages to manipulate employees into disclosing credentials, transferring MFA devices, or installing remote access tools. Their campaigns routinely involve MFA bombing to fatigue users into accepting login requests, SIM swapping to hijack mobile numbers for OTP interception, and the use of realistic domains—often containing “-helpdesk”—to increase success rates. CISA attributes their success in part to this deep social engineering capability: “Posed as employees to convince IT and/or helpdesk staff to provide sensitive information, reset the employee’s password, and transfer the employee’s MFA to a device they control on separate devices.”
Emphasizing the threat actor's proficiency with social engineering and the preparation behind its approach, the agencies explain, "While Scattered Spider initially began their activity relying upon broad phishing campaigns, the threat actors are now employing more targeted and multilayered spearphishing and vishing operations. Scattered Spider searches business-to-business websites to gather information and ultimately determine the individual’s role in a target organization." In this layered method, an initial series of calls is made to learn the organization's process for resetting credentials and MFA devices; with that knowledge, the actors then initiate the steps needed to reset credentials successfully. Social engineering remains the critical aspect defenders should be aware of. Alternative approaches to gaining access include purchasing credentials from underground forums.
Upon achieving initial access, the deployment of remote monitoring and management (RMM) tools is a hallmark of the group’s activity. These RMM tools—such as AnyDesk, ScreenConnect, TeamViewer, Fleetdeck, and others—afford the actors both control and persistent access. The threat actors also deploy malware-as-a-service (MaaS) offerings like WarZone RAT (AveMaria) and RattyRAT, as well as information-stealing malware including Raccoon Stealer and Vidar Stealer, to exfiltrate credentials, browser data, and additional user information. In the execution, persistence, and privilege escalation stages, earlier campaigns saw Scattered Spider adding federated identity providers to SSO tenants, linking malicious accounts to enable seamless access across environments. Although this tactic has not been observed recently, they continue to abuse valid accounts, create new user identities, and rotate MFA tokens to maintain footholds. Additional activity includes enumeration of Active Directory, searching SharePoint sites for documentation, and identifying credential stores. In Amazon Web Services (AWS) environments, observed activity includes using AWS Systems Manager Inventory, identifying services of interest in the environment, creating and running Elastic Compute Cloud (EC2) instances, and operating extract, transform, and load (ETL) tools.
CISA reports that data exfiltration remains a core objective, with observed activity targeting both cloud repositories and on-premises data. Specific to Snowflake, the agencies report that “Scattered Spider threat actors search for a targeted organization’s Snowflake access to exfiltrate large volumes of data in a short time, often running thousands of queries immediately.” Additional data repositories targeted include Microsoft Exchange mailboxes, Slack, and Microsoft Teams, albeit for a different purpose. The threat actors monitor internal security conversations to understand how defenders are tracking their activity. CISA notes, “To determine if their activities have been detected and to maintain persistence within the compromised system, Scattered Spider threat actors often search a targeted organization’s Slack, Microsoft Teams, and Microsoft Exchange Online for emails or conversations regarding the threat actors’ intrusion and any security response.” In some cases, they have joined incident response calls. Data exfiltration has been followed by the deployment of DragonForce ransomware, with encryption observed against VMware ESXi infrastructure.
Mitigation guidance provided by CISA includes adopting application allowlisting to prevent unauthorized remote access tool execution, reducing the use of portable and memory-loaded executables, and enforcing strict controls on remote desktop access. Phishing-resistant multifactor authentication—such as FIDO/WebAuthn or PKI-based solutions—is strongly recommended to prevent MFA bombing and SIM swap attacks. Network segmentation, strong password hygiene, enforcement of failed login attempt lockouts, and maintaining immutable and tested backups are also advised. Organizations are urged to monitor for “risky login” activity, inspect new user creation events, and scrutinize outbound traffic for signs of data staging or transfer to services like MEGA or Amazon S3. Given the frequency and evolving methods of Scattered Spider, the collective findings from the authoring agencies offer a critical baseline to enhance detection and response readiness.
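As an added example (not from the advisory or from any of the authoring agencies), the following Python sketch applies two of the monitoring recommendations above to constructed identity-provider audit events: it flags bursts of MFA push prompts consistent with MFA bombing, and helpdesk-initiated password resets followed shortly by enrollment of a new MFA factor, the pattern behind transferring a user's MFA to an attacker-controlled device. The event field names and action strings are assumptions to be mapped onto your own IdP's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events; field names and action strings are assumptions.
EVENTS = [
    {"ts": "2025-06-10T09:00:01", "user": "jdoe", "actor": "jdoe", "action": "mfa.push.sent"},
    {"ts": "2025-06-10T09:00:40", "user": "jdoe", "actor": "jdoe", "action": "mfa.push.sent"},
    {"ts": "2025-06-10T09:01:15", "user": "jdoe", "actor": "jdoe", "action": "mfa.push.sent"},
    {"ts": "2025-06-10T09:02:03", "user": "jdoe", "actor": "jdoe", "action": "mfa.push.sent"},
    {"ts": "2025-06-10T09:02:50", "user": "jdoe", "actor": "jdoe", "action": "mfa.push.sent"},
    {"ts": "2025-06-10T10:15:00", "user": "asmith", "actor": "helpdesk1", "action": "user.password.reset"},
    {"ts": "2025-06-10T10:19:30", "user": "asmith", "actor": "asmith", "action": "mfa.factor.enroll"},
    {"ts": "2025-06-10T14:00:00", "user": "clee", "actor": "helpdesk1", "action": "user.password.reset"},
    {"ts": "2025-06-11T09:00:00", "user": "clee", "actor": "clee", "action": "mfa.factor.enroll"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Users who received >= threshold MFA push prompts inside one sliding window."""
    pushes = defaultdict(list)
    for e in events:
        if e["action"] == "mfa.push.sent":
            pushes[e["user"]].append(_ts(e))
    hits = set()
    for user, times in pushes.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                hits.add(user)
                break
    return hits

def detect_reset_then_enroll(events, window=timedelta(minutes=30)):
    """Users whose password was reset by someone else and who then enrolled a new
    MFA factor within `window`. Legitimate onboarding also matches: review, don't block."""
    last_reset = {}
    hits = set()
    for e in sorted(events, key=_ts):
        if e["action"] == "user.password.reset" and e["actor"] != e["user"]:
            last_reset[e["user"]] = _ts(e)
        elif e["action"] == "mfa.factor.enroll" and e["user"] in last_reset:
            if _ts(e) - last_reset[e["user"]] <= window:
                hits.add(e["user"])
    return hits
```

Running both detectors over the sample flags jdoe for the push burst and asmith for the reset-then-enroll sequence, while clee's next-day enrollment falls outside the default window.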