Threat Hunt: Scattered Spider

Learn about Scattered Spider — a financially motivated threat actor behind multiple high-profile breaches — and how to reduce your exposure to their evolving intrusion techniques.

What is Scattered Spider?

Scattered Spider (also known as Scatter Swine, Octo Tempest, Roasted 0ktapus, Starfraud, Muddled Libra and UNC3944) is a cybercrime group known for highly effective social-engineering-led intrusions. Their operations are motivated by financial gain rather than geopolitical intent, distinguishing them from state-sponsored espionage groups.

Active for several years, Scattered Spider has been responsible for disruptive attacks on major global brands including MGM Resorts, Caesars Entertainment and UK retail groups. More recently, the group was implicated in an attack on Qantas that exposed millions of customer records.

Their techniques continue to evolve, often blending traditional human-centred deception with the use of commercial remote-access tools and credential-stealing malware.

Why Scattered Spider matters

Scattered Spider’s success stems largely from its ability to compromise identities rather than infrastructure. The group has demonstrated a consistent ability to convince targets to reveal credentials or approve access, making them difficult to stop using purely technical controls.

They have also been observed collaborating with ransomware operators — most recently DragonForce — to combine data exfiltration with ransomware-based extortion.

This actor poses particular risk to:

  • Organisations with complex outsourced support chains
  • Businesses using remote access at scale
  • Environments with inconsistent MFA enforcement
  • Large enterprises likely to pay high-value ransoms

Their history of targeting airlines, retail groups and entertainment providers highlights their interest in large databases and operationally impactful systems.

Motivation and Targeting

Unlike state-aligned groups with strategic intelligence objectives, Scattered Spider pursues financially driven outcomes. Their focus on high-value corporate targets suggests a preference for sectors with:

  • Large customer data sets
  • High operational downtime impact
  • Strong financial incentives to pay ransom

Industries affected to date include:

  • Travel and aviation
  • Retail
  • Hospitality & gaming
  • Critical services relying on outsourced IT

Recent attacks on retail and entertainment organisations led to significant financial loss — in some cases exceeding USD 100 million — due to operational shutdowns and data theft.

How Scattered Spider gains access

Social engineering is at the core of Scattered Spider’s tradecraft. The group regularly impersonates IT help desks, service providers, or trusted personnel to extract credentials and MFA approvals.

Common initial access techniques include:

  • Phishing — convincing email lures used to harvest credentials 
  • Vishing / phone social engineering — impersonation of support roles to gain remote access 
  • SIM swapping — to bypass MFA controls linked to mobile devices 
  • Credential purchasing — acquiring stolen credentials on the dark web   

Their ability to bypass MFA through SIM swapping and strong impersonation skills means identity controls alone should not be considered a sufficient defensive measure. 

Tools & Techniques (TTPs)

Once initial access is secured, Scattered Spider uses a range of tools to deepen access and blend into normal activity. 

Key tools and behaviours observed include: 

Remote Monitoring & Management (RMM) tools

The group frequently leverages legitimate RMM platforms for persistence and lateral movement. Tools monitored during this hunt include AnyDesk, TeamViewer, ScreenConnect, Tailscale and others.   

Because these tools are commonly used by IT teams, malicious activity can be difficult to distinguish from normal operations. 
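As an added illustration, not part of Orro's hunt or this post, the check below applies that distinction to constructed process-creation events: it flags the RMM products named above when they launch from user-writable paths or on hosts outside an assumed authorised set. Executable names, host names, user names, paths and the allowlist are all assumptions.

```python
import re
from dataclasses import dataclass

# RMM products named in the post, keyed by the executable each typically installs
# (binary names are assumptions here; they vary by vendor and version).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "tailscale.exe": "Tailscale",
}
# Assumption: IT-managed installs live under Program Files, so an RMM binary
# launched from a user-writable location (Downloads, AppData, Desktop, Temp) stands out.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.I)
# Assumption: the only hosts on which IT is authorised to run RMM software.
AUTHORISED_HOSTS = {"IT-JUMP01", "IT-JUMP02"}

@dataclass
class ProcessEvent:
    host: str
    user: str
    image_path: str

def classify(ev: ProcessEvent) -> list:
    """Return the reasons an RMM launch looks suspicious (empty if benign or not RMM)."""
    exe = ev.image_path.rsplit("\\", 1)[-1].lower()
    product = RMM_BINARIES.get(exe)
    if product is None:
        return []
    reasons = []
    if USER_WRITABLE.search(ev.image_path):
        reasons.append(f"{product} run from user-writable path")
    if ev.host.upper() not in AUTHORISED_HOSTS:
        reasons.append(f"{product} on host not authorised for RMM")
    return reasons

def hunt(events) -> list:
    # (event, reasons) pairs for every event that trips at least one rule
    return [(ev, r) for ev in events if (r := classify(ev))]

# Constructed sample process-creation telemetry, not real logs.
SAMPLE = [
    ProcessEvent("IT-JUMP01", "svc_it", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    ProcessEvent("FIN-LT-042", "jsmith", r"C:\Users\jsmith\Downloads\AnyDesk.exe"),
    ProcessEvent("HR-WS-007", "mlee", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    ProcessEvent("FIN-LT-042", "jsmith", r"C:\Windows\System32\notepad.exe"),
]
if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE):
        print(f"{ev.host} {ev.user} {ev.image_path} -> {'; '.join(reasons)}")
```

In production the allowlist and trusted install paths would come from asset inventory and software-deployment records rather than constants, and the events from EDR or Sysmon process-creation telemetry.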

Credential & information theft

  • Mimikatz — to extract credentials and escalate privileges   
  • Raccoon Stealer — to harvest system information, credentials, cookies and session data   
  • VIDAR Stealer — to gather host and browser data, and stage further payloads   

Remote access malware

  • Ave Maria / Warzone RAT 
  • Ratty RAT 

These tools provide attackers with remote control, data exfiltration pathways and the ability to deploy additional malware.   

Ransomware partnerships

Historically, Scattered Spider has worked with BlackCat/ALPHV. More recent activity shows cooperation with DragonForce ransomware, likely following BlackCat’s operational disruption in 2023.   

Recent Activity

Notable incidents attributed to Scattered Spider include: 

  • MGM Resorts (2023) — major operational disruption; terabytes of data reportedly stolen 
  • Caesars Entertainment (2023) — ransomware deployed; ransom reportedly paid 
  • Marks & Spencer, Harrods, Dior (2025) — attacks conducted alongside the DragonForce ransomware group
  • Qantas (2025) — campaign leveraged social engineering against an offshore call centre; customer data exposed   

This year, Australian authorities including the ACSC, AFP and ASD have issued updated guidance reflecting the threat’s continued evolution.   

Highlights from Orro’s Threat Hunt

As part of Orro’s standard threat hunting program, updated Scattered Spider TTPs and IOCs were assessed across a 90-day dataset — expanded in response to recent APAC activity. 

Key observations include: 

  • No malicious RMM activity detected 
  • No IOCs associated with credential-harvesting malware observed 
  • No ransomware-linked activity identified 

Based on the data examined, the hypothesis that Scattered Spider was active across the customer environment was unproven.   

Relevant IOCs have since been added to Orro monitoring systems to provide early detection of future activity.   

Defensive Guidance

To reduce exposure to Scattered Spider intrusion activity, organisations should prioritise: 

  • Strong identity verification for administrative access 
  • Hardened MFA — including phishing-resistant methods 
  • Monitoring of RMM usage & installation paths 
  • Regular credential hygiene & privileged account audits 
  • Endpoint monitoring for credential-extraction tooling (e.g. Mimikatz) 
  • Segmentation limiting lateral movement 
  • Regular staff awareness training focused on impersonation and vishing 

Given this group’s focus on people rather than systems, social-engineering readiness is critical. 

Orro’s Perspective

Scattered Spider underscores the need for organisations to balance technical controls with strong human-centred security practices. When threat actors can regularly convince users to grant access or reveal information, strong detection, identity protection and user education are as important as firewalls and endpoint tools. 

Ensuring operational visibility — across identity platforms, remote-access tooling and cloud services — is essential to detect misuse early and limit impact. 

Closing

Scattered Spider continues to demonstrate that deception-driven cybercrime is highly effective. By combining strong identity hygiene, proactive monitoring and a well-prepared workforce, organisations can materially reduce the likelihood and impact of compromise. 

If you’d like help assessing your organisation’s threat exposure or improving detection and response capability, Orro’s cyber experts can help. Get in touch to learn more. 
