Identity is the new perimeter. Learn about Scattered Spider—a financially motivated threat actor redefining the cyber security landscape through high-profile social engineering and evolving intrusion techniques.
What is Scattered Spider?
Scattered Spider (also known as Scatter Swine, Octo Tempest, Muddled Libra, and UNC3944) is a cybercrime group known for highly effective social-engineering-led intrusions. Unlike state-sponsored espionage groups with geopolitical motives, their operations are driven entirely by financial gain. Active for several years, Scattered Spider has been responsible for disruptive attacks on major global brands, including MGM Resorts and Caesars Entertainment. Most recently, the group was implicated in campaigns targeting APAC retail groups and aviation providers, where customer records were exposed on a massive scale.
Their techniques are distinct because they focus on compromising the identity of the user rather than the infrastructure of the network. By blending traditional human-centred deception with commercial remote-access tools and credential-stealing malware, they have proven that even the most hardened cyber security defences can be bypassed with a single phone call.
Motivation and Targeting
Scattered Spider pursues high-value corporate targets that offer large customer datasets and high operational downtime impact. This creates a strong financial incentive for victims to pay ransoms to restore services. Historically, the group has worked with ransomware operators like BlackCat/ALPHV, but recent activity shows a strategic shift towards partnerships with the DragonForce ransomware group following international law enforcement pressure on their previous affiliates.
Tradecraft: The Human Loophole
Social engineering is the core of Scattered Spider’s tradecraft. The group regularly impersonates IT help desks, service providers, or trusted personnel to extract credentials and MFA approvals. Their ability to bypass Multi-Factor Authentication (MFA) through SIM swapping and strong impersonation skills means that standard identity controls are no longer a sufficient cyber security defensive measure on their own.
Common initial access techniques include:
- Vishing (Phone Social Engineering): Impersonation of support roles to gain remote access or password resets.
- SIM Swapping: Taking control of a victim’s mobile number to intercept SMS-based MFA codes.
- Phishing: Using convincing lures to harvest credentials via spoofed login pages.
- Credential Purchasing: Acquiring stolen access from Initial Access Brokers (IABs) on the dark web.
The Technical Toolkit: Hiding in Plain Sight
Once initial access is secured, the group uses a range of tools to deepen their presence and blend into normal network activity. By leveraging legitimate Remote Monitoring and Management (RMM) platforms, their activity is often difficult to distinguish from standard IT operations.
| Technical Category | Tools & Behaviours Observed | Operational Purpose |
|---|---|---|
| RMM Tools | AnyDesk, TeamViewer, ScreenConnect, Tailscale | Persistence and lateral movement via legitimate admin channels. |
| Credential Theft | Mimikatz, Raccoon Stealer, VIDAR Stealer | Extracting system information and browser cookies, and escalating privileges. |
| Remote Access Malware | Ave Maria / Warzone RAT, Ratty RAT | Remote control, data exfiltration, and secondary payload deployment. |
Inside the Hunt: Orro’s Investigative Findings
As part of Orro’s proactive cyber security program, we analysed updated Scattered Spider TTPs across an expanded 90-day dataset. This hunt was triggered by recent surges in activity across APAC call centres and retail infrastructure. Our goal was to identify subtle indicators of unauthorised persistence that traditional endpoint alerts might miss.
Our hunters analysed installation paths for RMM tools, monitored for anomalous PowerShell execution, and cross-referenced login events against known proxy IP ranges. Based on the data examined, the hypothesis that Scattered Spider was active within the environment was unproven. While no malicious activity was found, the hunt allowed Orro to add specific Indicators of Compromise (IOCs) to our 24/7 monitoring systems, ensuring immediate detection of future campaigns.
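Two of the hunt checks described above, RMM binaries launched from outside approved installation paths and logins originating from known proxy ranges, as an added Python example (not Orro's hunt tooling). The RMM name markers, approved directories, proxy ranges and telemetry records are all constructed for illustration.

```python
import ipaddress

# Constructed detection policy (assumed for this example, not Orro's own hunt
# configuration): substrings that identify the RMM products listed in the table
# above, and the install locations an organisation might approve for them.
RMM_MARKERS = ("anydesk", "teamviewer", "screenconnect", "tailscale")
APPROVED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Constructed "known proxy" ranges (TEST-NET placeholders, not real indicators).
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]


def rmm_outside_approved_paths(process_events):
    """Return process-creation events that launched an RMM binary from a
    directory outside the approved list (e.g. a user profile or Temp folder)."""
    hits = []
    for ev in process_events:
        image = ev["image"].lower()
        if not any(marker in image for marker in RMM_MARKERS):
            continue  # not an RMM product we govern
        if not image.startswith(APPROVED_DIRS):
            hits.append({**ev, "reason": "rmm_unapproved_path"})
    return hits


def logins_from_proxy_ranges(login_events):
    """Return logins whose source IP falls inside a known proxy range. MFA
    status is deliberately ignored: a socially engineered MFA approval still
    shows as 'passed', so the network origin is the stronger signal here."""
    hits = []
    for ev in login_events:
        src = ipaddress.ip_address(ev["src_ip"])
        if any(src in net for net in PROXY_RANGES):
            hits.append({**ev, "reason": "login_from_proxy_range"})
    return hits


# Constructed sample telemetry (not real data).
PROCESS_EVENTS = [
    {"host": "WS01", "user": "j.doe", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"host": "WS02", "user": "a.lee", "image": r"C:\Users\a.lee\AppData\Local\Temp\AnyDesk.exe"},
    {"host": "WS03", "user": "SYSTEM", "image": r"C:\Windows\System32\svchost.exe"},
]
LOGIN_EVENTS = [
    {"user": "j.doe", "src_ip": "192.0.2.10", "mfa": "passed"},
    {"user": "a.lee", "src_ip": "203.0.113.77", "mfa": "passed"},
]

if __name__ == "__main__":
    for hit in rmm_outside_approved_paths(PROCESS_EVENTS) + logins_from_proxy_ranges(LOGIN_EVENTS):
        print(hit)
```

In a real environment the process and login records would come from EDR and identity-provider logs, and the approved-path list would mirror the organisation's software deployment policy.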
Defensive Guidance and Strategy
Building resilience against Scattered Spider requires balancing technical controls with human-centred security practices. Orro recommends the following high-priority actions:
- Hardened MFA: Transition away from SMS and push notifications to phishing-resistant methods like FIDO2-compliant hardware keys.
- RMM Governance: Implement strict monitoring of RMM usage, alerting on any installations outside of approved administrative paths.
- Privileged Account Hygiene: Conduct regular audits of administrative access and enforce least-privilege principles.
- Human Readiness: Conduct regular vishing simulations and training for IT help desk staff to recognise impersonation tactics.
Strengthen Your Operational Visibility
Scattered Spider demonstrates that deception-driven cybercrime is highly effective. Ensuring visibility across identity platforms, remote-access tooling, and cloud services is essential to detect misuse early and limit impact. Orro’s cyber security experts can help you assess your threat exposure or perform a proactive hunt to harden your defences.