Who is Scattered Spider?
Scattered Spider (aka UNC3944, 0ktapus, Muddled Libra) is a financially motivated group, allegedly comprised of young operators from the US and UK, specializing in social engineering, SIM‑swapping, and data-theft extortion via ALPHV/BlackCat or DragonForce ransomware. They’ve hit major targets including Caesars, MGM, Snowflake customers, Marks & Spencer, Co‑op, Harrods, PNC, and Twilio.
1: Initial Access – Phishing, Smishing, Vishing, SIM‑swap
- SMS phishing (smishing): direct links to credential-harvesting pages.
- Coordinated help-desk calls: impersonation of CFO/IT to request MFA reset or remote-access installs.
- MFA fatigue (“push bombing”) & SIM‑swap attacks for bypassing MFA.
Detection tips:
- Alert on concurrent smishing links + helpdesk reset tickets.
- Look for multiple declined MFA push requests followed by success.
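The second detection tip above (a burst of declined or timed-out MFA pushes that ends in an approval) is the one signal in this stage that can be expressed as a concrete rule. The block below is an added example and not code from the original post: it runs over a small constructed set of normalized push events (timestamp, user, prompt result, source IP) and raises an alert when an approval is preceded, inside a sliding window, by at least a configurable number of failed prompts. The field names, the ten-minute window and the threshold of three failures are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalized MFA push events (not real telemetry).
# Fields: UTC timestamp, user, outcome of the push prompt, source IP of the login attempt.
SAMPLE_EVENTS = [
    ("2025-06-01T09:00:05Z", "alice", "denied",   "203.0.113.10"),
    ("2025-06-01T09:00:40Z", "alice", "denied",   "203.0.113.10"),
    ("2025-06-01T09:01:20Z", "alice", "denied",   "203.0.113.10"),
    ("2025-06-01T09:02:05Z", "alice", "timeout",  "203.0.113.10"),
    ("2025-06-01T09:03:30Z", "alice", "approved", "203.0.113.10"),   # fatigue succeeded
    ("2025-06-01T09:10:00Z", "bob",   "denied",   "198.51.100.7"),
    ("2025-06-01T11:45:00Z", "bob",   "approved", "198.51.100.7"),   # hours later: not a burst
    ("2025-06-01T12:00:00Z", "carol", "approved", "192.0.2.5"),
]

# Prompt outcomes that count as a failed push. A timed-out prompt is included because
# a user ignoring the prompt is the same signal as a user declining it.
FAILED = {"denied", "timeout"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_fatigue(events, min_failures=3, window=timedelta(minutes=10)):
    """Return one alert per approved push that was preceded, within `window`,
    by at least `min_failures` denied or timed-out pushes for the same user."""
    by_user = defaultdict(list)
    for ts, user, result, ip in sorted(events, key=lambda e: e[0]):
        by_user[user].append((parse_ts(ts), result, ip))

    alerts = []
    for user, evs in by_user.items():
        for i, (ts, result, ip) in enumerate(evs):
            if result != "approved":
                continue
            recent = [e for e in evs[:i] if ts - e[0] <= window and e[1] in FAILED]
            if len(recent) >= min_failures:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "failed_pushes": len(recent),
                    "source_ips": sorted({e[2] for e in recent} | {ip}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

Because a single denied prompt is normal user behaviour, the rule keys on the approval that follows the burst; pairing the alert with the help-desk ticket queue (the first tip) is what separates a genuine fatigue attack from a user fumbling a new phone.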
2: Phishing Infrastructure – Evilginx Kits & Typosquats
- At least five unique phishing kits used since 2023, including Evilginx-based frameworks.
- Domain patterns: 81% mimic tech services (okta, vpn, helpdesk, sso, duo, mfa) using subdomain variations (e.g., `okta.company.com`, `vpn.c0mpany[.]com`) over typosquatted TLDs.
- Hosting infrastructure: changes frequently, but recurring ASNs include Cloudflare (AS13335), Choopa (AS20473), DigitalOcean (AS14061).
- Registrars: NiceNIC, Hosting Concepts B.V., NameSilo, GoDaddy.
Detection tips:
- Automate DNS alerts for new domains with target keywords and patterns.
- Hunt outbound network requests to domains with subdomain patterns + mimicked service names.
- Track registrations through high-risk ASNs/registrars.
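The three tips above combine into one scoring rule: a newly observed domain is suspicious when its registrable label looks like the protected brand (including digit-for-letter swaps such as `c0mpany`), when its labels carry the mimicked service words the post lists, and when it sits on one of the recurring ASNs or registrars. The block below is an added example, not code from the original post; the brand token `company`, the `OWN_DOMAINS` allowlist, the score weights and the constructed feed of new domains are assumptions, while the keyword, ASN and registrar lists are taken from the post.

```python
# Constructed watchlists. SERVICE_KEYWORDS, HIGH_RISK_ASNS and HIGH_RISK_REGISTRARS
# come from the post; the brand token, OWN_DOMAINS and the weights are assumed.
PROTECTED_BRANDS = {"company"}
SERVICE_KEYWORDS = {"okta", "vpn", "helpdesk", "sso", "duo", "mfa"}
HIGH_RISK_ASNS = {"AS13335", "AS20473", "AS14061"}
HIGH_RISK_REGISTRARS = {"nicenic", "hosting concepts b.v.", "namesilo", "godaddy"}
OWN_DOMAINS = {"company.com"}          # legitimate domains, never alerted on
ALERT_THRESHOLD = 50

# Digit-for-letter substitutions seen in lookalike labels (e.g. c0mpany -> company).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def refang(domain):
    """Accept defanged indicators such as vpn.c0mpany[.]com."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def levenshtein(a, b):
    """Plain edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain, asn=None, registrar=None):
    """Return (score, reasons) for one newly observed domain."""
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return 0, []
    registrable = ".".join(labels[-2:])   # naive eTLD+1; adequate for .com-style TLDs
    if registrable in OWN_DOMAINS:
        return 0, []
    sld, subdomains = labels[-2], labels[:-2]
    score, reasons = 0, []

    normalized = sld.translate(HOMOGLYPHS).replace("-", "")
    for brand in PROTECTED_BRANDS:
        if brand in normalized or levenshtein(normalized, brand) <= 2:
            score += 50
            reasons.append(f"brand lookalike: {sld} ~ {brand}")
            break

    hits = sorted(kw for kw in SERVICE_KEYWORDS if any(kw in lbl for lbl in subdomains + [sld]))
    if hits:
        score += 20 * len(hits)
        reasons.append("mimicked service keywords: " + ", ".join(hits))
    if asn in HIGH_RISK_ASNS:
        score += 10
        reasons.append(f"hosted on recurring ASN {asn}")
    if registrar and registrar.lower() in HIGH_RISK_REGISTRARS:
        score += 10
        reasons.append(f"registered via {registrar}")
    return score, reasons


def triage(feed):
    """feed: iterable of (domain, asn, registrar). Returns alerts at or above threshold,
    highest score first."""
    out = []
    for domain, asn, registrar in feed:
        score, reasons = score_domain(domain, asn, registrar)
        if score >= ALERT_THRESHOLD:
            out.append({"domain": refang(domain), "score": score, "reasons": reasons})
    return sorted(out, key=lambda a: -a["score"])


# Constructed sample feed of newly observed domains (not real registrations).
SAMPLE_FEED = [
    ("vpn.c0mpany[.]com", "AS13335", "NiceNIC"),
    ("company-sso.com", "AS14061", "NameSilo"),
    ("okta-company-helpdesk.net", "AS20473", "GoDaddy"),
    ("company.com", None, None),
    ("okta.com", None, None),
    ("example.org", "AS13335", "GoDaddy"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FEED):
        print(alert)
```

A service word alone (`okta.com`) or a risky hoster alone (`example.org` on AS13335) stays below the threshold; it is the brand lookalike combined with the mimicked service that drives the score, which matches the 81% pattern the post describes. The same `score_domain` function can be applied to outbound DNS or proxy logs to serve the second tip.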
3: Exploits, Drivers & RATs
- Abuses CVE‑2015‑2291 (Intel Ethernet diagnostic driver) via malicious kernel driver (“POORTRY” + loader “STONESTOP”).
- New Spectre RAT in 2025 for stealth persistence
Detection tips:
- Block or alert on unusual `iqvw64.sys` IOCTL activity.
- Detect driver loads under suspicious names.
- Monitor `rundll32` spawning Spectre-like payloads.
4: IAM Abuse & Cloud Persistence
- Register unauthorized MFA devices, modify Conditional Access (Azure/Okta).
- Use legitimate tools: AnyDesk, TeamViewer, AWS Session Manager, Teleport.
Detection tips:
- Alert on “Add registered device” or MFA removal in Azure/Okta logs. Verify newly registered devices are legitimate.
- Monitor remote-management software installs by non‑IT personnel.
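The two tips above are about correlation rather than a single event: an MFA factor added or removed shortly after a help-desk password reset, from a location the user has never used, is the identity-abuse pattern this stage describes. The block below is an added example and not code from the original post. It works on a constructed, vendor-neutral event shape (`action`, `user`, `actor`, `ip`, `country`); mapping real Okta System Log or Entra ID audit records onto these fields, the one-hour window, the per-user country baseline and the approved-admin set are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed, vendor-neutral identity audit events (not real Okta/Azure output).
SAMPLE_IDENTITY_EVENTS = [
    {"ts": "2025-06-01T10:00:00Z", "user": "alice", "action": "helpdesk_password_reset",
     "actor": "svc-desk-agent-3", "ip": "10.0.5.20", "country": "US"},
    {"ts": "2025-06-01T10:12:00Z", "user": "alice", "action": "mfa_factor_enrolled",
     "actor": "alice", "ip": "203.0.113.77", "country": "NL", "factor": "push"},
    {"ts": "2025-06-01T10:13:00Z", "user": "alice", "action": "mfa_factor_removed",
     "actor": "alice", "ip": "203.0.113.77", "country": "NL", "factor": "hardware_token"},
    {"ts": "2025-06-01T14:00:00Z", "user": "bob", "action": "mfa_factor_enrolled",
     "actor": "bob", "ip": "198.51.100.4", "country": "US", "factor": "push"},
    {"ts": "2025-06-01T15:00:00Z", "user": "carol", "action": "conditional_access_policy_modified",
     "actor": "carol", "ip": "198.51.100.9", "country": "US"},
]

# Constructed 30-day baseline of source countries per user, and the set of
# accounts approved to edit Conditional Access policy (both assumed).
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
POLICY_ADMINS = {"iam-admin-1"}
FACTOR_CHANGES = {"mfa_factor_enrolled", "mfa_factor_removed"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def triage_identity_events(events, reset_window=timedelta(hours=1)):
    """Flag MFA factor changes that follow a help-desk reset or come from an unknown
    country, and Conditional Access edits by anyone outside the approved admin set."""
    last_reset = {}                       # user -> time of most recent help-desk reset
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = parse_ts(e["ts"])
        if e["action"] == "helpdesk_password_reset":
            last_reset[e["user"]] = ts
            continue

        reasons = []
        if e["action"] in FACTOR_CHANGES:
            reset_at = last_reset.get(e["user"])
            if reset_at is not None and ts - reset_at <= reset_window:
                minutes = int((ts - reset_at).total_seconds() // 60)
                reasons.append(f"factor change {minutes} min after a help-desk reset")
            if e["country"] not in KNOWN_COUNTRIES.get(e["user"], set()):
                reasons.append(f"source country {e['country']} not in user's baseline")
        elif e["action"] == "conditional_access_policy_modified" and e["actor"] not in POLICY_ADMINS:
            reasons.append("policy change by actor outside the approved admin set")

        if reasons:
            alerts.append({
                "user": e["user"], "action": e["action"], "at": e["ts"], "ip": e["ip"],
                "reasons": reasons, "severity": "high" if len(reasons) >= 2 else "low",
            })
    return alerts


if __name__ == "__main__":
    for alert in triage_identity_events(SAMPLE_IDENTITY_EVENTS):
        print(alert)
```

Bob's enrollment is silent because it has neither a preceding reset nor a new country; Alice's two factor changes score high on both counts, which is the point at which the "verify newly registered devices" step should become a phone call back to the user on a known number rather than an automated reply.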
5: Lateral Movement, Credential Theft & Exfil
- Tools: Mimikatz/secretdump, LSASS dumps, PsExec, RDP, SMB C$ shares, scheduled tasks
Detection tips:
- Watch Sysmon Event ID 10 (ProcessAccess) for `lsass.exe` read events.
- Alert on scheduled tasks created by non-IT accounts and on credential dumps.
- Monitor large uploads to personal cloud storage.
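The Sysmon tips in this stage and in stage 3 (the `lsass.exe` read events here, the suspiciously named driver loads and `iqvw64.sys` there) share one parser, so the block below covers both. It is an added example, not code from the original post: it reads a constructed batch of Sysmon events in the standard Windows event XML shape, flags Event ID 10 where a non-allowlisted image opens `lsass.exe` with a memory-reading access mask, and flags Event ID 6 where a driver matches the watchlist name from the post, is loaded from outside the drivers directory, or carries an invalid signature. The allowlist, the sample paths and the access-mask policy are assumptions to tune per environment.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Win32 process access rights; any of these on lsass.exe lets the caller read or
# write its memory, which is what credential dumpers need.
PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0008, 0x0010, 0x0020
MEMORY_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumed per-environment allowlist of images that legitimately touch lsass memory.
LSASS_READER_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
DRIVER_WATCHLIST = {"iqvw64.sys"}                 # vulnerable driver named in the post
DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed sample events (not real telemetry), in Sysmon's event XML layout.
SAMPLE_SYSMON_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>10</EventID></System><EventData>
 <Data Name="UtcTime">2025-06-01 09:05:11.000</Data><Data Name="GrantedAccess">0x1000</Data>
 <Data Name="SourceImage">C:\Windows\System32\svchost.exe</Data>
 <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data></EventData></Event>
<Event><System><EventID>10</EventID></System><EventData>
 <Data Name="UtcTime">2025-06-01 09:06:02.000</Data><Data Name="GrantedAccess">0x1010</Data>
 <Data Name="SourceImage">C:\Users\alice\AppData\Local\Temp\update.exe</Data>
 <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data></EventData></Event>
<Event><System><EventID>10</EventID></System><EventData>
 <Data Name="UtcTime">2025-06-01 09:06:30.000</Data><Data Name="GrantedAccess">0x1FFFFF</Data>
 <Data Name="SourceImage">C:\Program Files\Windows Defender\MsMpEng.exe</Data>
 <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data></EventData></Event>
<Event><System><EventID>10</EventID></System><EventData>
 <Data Name="UtcTime">2025-06-01 09:07:45.000</Data><Data Name="GrantedAccess">0x1438</Data>
 <Data Name="SourceImage">C:\Windows\System32\rundll32.exe</Data>
 <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data></EventData></Event>
<Event><System><EventID>6</EventID></System><EventData>
 <Data Name="UtcTime">2025-06-01 09:03:00.000</Data><Data Name="SignatureStatus">Valid</Data>
 <Data Name="ImageLoaded">C:\Windows\Temp\iqvw64.sys</Data></EventData></Event>
<Event><System><EventID>6</EventID></System><EventData>
 <Data Name="UtcTime">2025-06-01 09:03:05.000</Data><Data Name="SignatureStatus">Valid</Data>
 <Data Name="ImageLoaded">C:\Windows\System32\drivers\tcpip.sys</Data></EventData></Event>
</Events>"""


def iter_events(xml_text):
    """Yield (event_id, {field: value}) for each Sysmon event in the batch."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, data


def check_lsass_access(data):
    """Event ID 10: non-allowlisted image opening lsass.exe with memory rights."""
    target, source = data.get("TargetImage", "").lower(), data.get("SourceImage", "").lower()
    access = int(data.get("GrantedAccess", "0x0"), 16)
    if not target.endswith(r"\lsass.exe") or source in LSASS_READER_ALLOWLIST:
        return None
    if access & MEMORY_RIGHTS:
        return {"rule": "lsass-memory-access", "time": data.get("UtcTime"),
                "source": data.get("SourceImage"), "access": hex(access)}
    return None


def check_driver_load(data):
    """Event ID 6: watchlisted name, non-standard directory, or bad signature."""
    image = data.get("ImageLoaded", "")
    directory, _, name = image.lower().rpartition("\\")
    reasons = []
    if name in DRIVER_WATCHLIST:
        reasons.append("known-vulnerable driver name")
    if directory != DRIVER_DIR:
        reasons.append("loaded from outside the drivers directory")
    if data.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return {"rule": "driver-load", "time": data.get("UtcTime"), "image": image,
            "reasons": reasons} if reasons else None


def scan(xml_text):
    alerts = []
    for eid, data in iter_events(xml_text):
        hit = check_lsass_access(data) if eid == 10 else check_driver_load(data) if eid == 6 else None
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_SYSMON_XML):
        print(alert)
```

The `0x1000`-only open by `svchost.exe` is not flagged because it carries no memory rights; the `rundll32.exe` open with `0x1438` is, which is the `rundll32` behaviour stage 3 asks you to watch. A signed driver still alerts when it is the watchlisted name loaded from a temp directory, since abused-but-valid signatures are exactly the POORTRY pattern the post describes.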
6: Final Stage – Ransom & Double‑Extortion
- Deploy ALPHV/BlackCat or DragonForce ransomware
- Known victims include MGM, Caesars, Marks & Spencer, and Co‑op
- Common exfil targets: Dropbox, MegaSync, etc.
Detection tips:
- Alert on outbound flows to consumer cloud domains.
- Flag new binaries like `megasync.exe` or `backup.exe` under user folders.
- Watch for file deletion plus wallpaper changes or ransom-note files.
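The exfiltration tips in this stage and in stage 5 ("large uploads to personal cloud storage", "outbound flows to consumer cloud domains", sync clients under user folders) describe one rule, so the block below serves both passages. It is an added example, not code from the original post: it aggregates constructed per-process flow records by host, process and hour, and alerts when the destination is a consumer cloud service, when the hourly outbound volume crosses a threshold, or when the sending binary is one of the sync-client names from the post running from a user profile. The domain suffixes for Dropbox and MEGA, the 500 MiB threshold and the sample flows are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed watchlists. The binary names come from the post; the domain suffixes
# and the volume threshold are assumed and should be extended per environment.
CONSUMER_CLOUD_SUFFIXES = ("dropbox.com", "dropboxapi.com", "mega.nz", "mega.co.nz", "mega.io")
SYNC_CLIENT_NAMES = {"megasync.exe", "backup.exe"}
USER_PROFILE_PREFIX = "c:\\users\\"
VOLUME_THRESHOLD = 500 * 1024 * 1024          # 500 MiB outbound per host/process/hour

MiB = 1024 * 1024
# Constructed flow records (not real telemetry):
# (UTC timestamp, host, sending process image, destination domain, bytes out)
SAMPLE_FLOWS = [
    ("2025-06-01T13:00:00Z", "WS-042", r"C:\Users\alice\AppData\Local\MEGAsync\MEGAsync.exe",
     "g.api.mega.co.nz", 300 * MiB),
    ("2025-06-01T13:20:00Z", "WS-042", r"C:\Users\alice\AppData\Local\MEGAsync\MEGAsync.exe",
     "upload.mega.co.nz", 350 * MiB),
    ("2025-06-01T13:05:00Z", "WS-017", r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "www.dropbox.com", 2 * MiB),
    ("2025-06-01T13:10:00Z", "WS-099", r"C:\Program Files\Git\git.exe",
     "github.com", 50 * MiB),
]


def is_consumer_cloud(domain):
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in CONSUMER_CLOUD_SUFFIXES)


def is_sync_client_in_profile(image):
    img = image.lower()
    return img.startswith(USER_PROFILE_PREFIX) and img.rpartition("\\")[2] in SYNC_CLIENT_NAMES


def hour_bucket(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(minute=0, second=0)


def detect_cloud_exfil(flows):
    """Aggregate flows by (host, process, hour) and return one alert per aggregate
    that touches a consumer cloud service or comes from a watchlisted sync client."""
    totals = defaultdict(lambda: {"bytes": 0, "domains": set()})
    for ts, host, image, domain, nbytes in flows:
        if not (is_consumer_cloud(domain) or is_sync_client_in_profile(image)):
            continue
        key = (host, image, hour_bucket(ts))
        totals[key]["bytes"] += nbytes
        totals[key]["domains"].add(domain.lower())

    alerts = []
    for (host, image, bucket), agg in sorted(totals.items()):
        reasons = []
        if any(is_consumer_cloud(d) for d in agg["domains"]):
            reasons.append("consumer cloud destination")
        if agg["bytes"] >= VOLUME_THRESHOLD:
            reasons.append(f"{agg['bytes'] // MiB} MiB outbound in one hour")
        if is_sync_client_in_profile(image):
            reasons.append("sync client running from a user profile")
        alerts.append({
            "host": host, "process": image, "window_start": bucket.isoformat(),
            "bytes_out": agg["bytes"], "destinations": sorted(agg["domains"]),
            "reasons": reasons, "severity": "high" if len(reasons) >= 2 else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_cloud_exfil(SAMPLE_FLOWS):
        print(alert)
```

A browser sending 2 MiB to Dropbox is reported at low severity so it can be baselined rather than paged on; the workstation pushing 650 MiB through a MEGAsync binary under `C:\Users` hits all three reasons, which is the staging-then-exfiltration shape the post's double-extortion stage describes.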
IOC Summary Table
| Type | Example IOCs |
|---|---|
| Domains | company-hr.com company-sso.com company-helpdesk.com |
| ASNs | Cloudflare (AS13335), Choopa (AS20473), DigitalOcean (AS14061) |
| Registrars | NiceNIC, Hosting Concepts B.V., NameSilo |
| Abused CVE | CVE‑2015‑2291 |
| Tools | POORTRY, STONESTOP, Spectre RAT |
| RATs / remote access tools | Spectre, AnyDesk, TeamViewer |
| Ransomware | ALPHV/BlackCat, DragonForce |
Final Thoughts
Scattered Spider combines advanced social engineering with identity abuse and kernel-level evasion. Focus defenses on help-desk workflows, IAM logging, DNS monitoring, driver loads, and outbound cloud traffic.