DigitalXRAID

Understanding the Scattered Spider Cyber Threat

Recently reported cyberattacks affecting prominent high street organisations suggest a coordinated campaign targeting the retail sector.

A threat actor group known as Scattered Spider has been mentioned as the potential instigator of these attacks (the group has also linked itself to DragonForce). The reported incidents highlight the critical need for businesses, employees and consumers to adopt robust security measures to mitigate risks posed by cybercriminal organisations.

Key Takeaways

  • Scattered Spider is a decentralised cybercriminal group known for advanced social engineering and SIM swapping tactics, not malware.
  • The group has targeted high-profile organisations including Marks & Spencer, MGM, Caesars, and Snowflake customers.
  • They exploit Active Directory, use tools like TeamViewer, Mimikatz, and Raccoon Stealer, and often join internal incident response calls.
  • Scattered Spider bypasses MFA, leverages stolen credentials, and uses “living off the land” techniques to evade detection.
  • Businesses must implement phishing-resistant MFA, advanced monitoring, employee training, and incident response plans to defend against these threats.

Who is Scattered Spider?

Scattered Spider, also known as UNC3944, represents a loose affiliation of cybercriminals distinguished by their sophisticated social engineering tactics rather than malware-based attacks.

The group is comprised predominantly of young individuals operating from the United Kingdom and the United States who have demonstrated remarkable capabilities in infiltrating corporate networks by exploiting human vulnerabilities.

Scattered Spider is also tracked as Muddled Libra, Starfraud, Scatter Swine, and Octo Tempest (names assigned to the group by different security vendors). The group does not operate like a traditional organisation; instead it functions as a fluid network of skilled individuals, many of them young and English speaking. Most are active on hacker forums, Telegram channels, and Discord servers. Some members are believed to be as young as 16 and affiliated with a broader underground community known as The Com.

Unlike many cybercriminal syndicates that depend on automated hacking tools, Scattered Spider specialises in manipulating employees into unwittingly granting access to internal systems. This methodology has proven very effective, enabling the group to deploy ransomware, exfiltrate sensitive data and demand ransom payments.

Their decentralised and dynamic nature makes them difficult to track and stop. Unlike some Russian ransomware gangs that produce detailed training manuals, Scattered Spider relies on fast evolving, socially engineered attacks tailored to each target.

There are notable similarities between Scattered Spider and the LAPSUS$ group, which gained significant media attention in 2022-2023. Security research suggests that certain LAPSUS$ members may now operate within Scattered Spider.


Scattered Spider Group History

Since emerging in 2022, Scattered Spider has grown from small scale credential theft and fraud to full scale extortion and ransomware attacks. Originally focused on social media hijacking and cryptocurrency theft, they’ve since evolved to target large corporations through more sophisticated means.

The group has been tied to Ransomware-as-a-Service (RaaS) operators like BlackCat/ALPHV, Qilin, RansomHub, and most recently, DragonForce, enabling them to expand their capabilities and target list.

Despite several arrests, the group’s decentralised model and ability to rotate members between operations has allowed it to maintain momentum.

Recent High-Profile Retail Attacks

Marks and Spencer Cyberattack

The recent cyberattack on Marks & Spencer provides a critical case study illustrating the dangers posed by sophisticated threat actors like Scattered Spider.

Once initial access to the company’s network was gained, the attackers appear to have exploited a weakness in Active Directory (CVE-2025-21293, which Microsoft had patched in January) to deploy DragonForce ransomware, encrypting virtual machines, payment processing, and logistics applications.

This incident resulted in significant operational disruptions, including:

  • Suspension of online orders
  • Interference with contactless payment systems
  • Delays in recruitment operations

Cybersecurity experts believe the attackers gained access through Active Directory, a Microsoft system used for user authentication across networks. If compromised, it can give broad access to company systems. While attackers may not have directly extracted passwords, infiltrating Active Directory could allow them to disable or manipulate systems at scale.

Investigations suggest the attackers may have employed ransomware to encrypt company data, which is consistent with the group’s tactics in other high profile incidents. The attack underscores the importance of timely software updates and proactive threat mitigation strategies to protect corporate assets.

Marks & Spencer is not the sole victim of recent cyber intrusions. Other major retailers including Co-op and Harrods have also reported cybersecurity breaches, raising concerns about a wider campaign targeting UK based retail organisations.

The interconnected nature of modern business operations means that organisations with shared vulnerabilities, such as supply chain commonalities, face increased risk.

Co-op Cyberattack

It is currently unknown whether the Co-op cyberattack and others in the sector are linked to the M&S attacks, but similar attack vectors have been used throughout and are continuously being probed by threat actors.

Other Notable Attacks

As well as M&S, Scattered Spider’s impact has been felt globally across multiple industries:

Snowflake Customers (2024): The group targeted customers of Snowflake’s cloud computing services, accessing and stealing customer data, and demanding millions of dollars in extortion in exchange for not publicly releasing it. Affected Snowflake customers included AT&T, Live Nation, and Santander Bank. The breach is considered one of the largest in recent history.

MGM Resorts (September 2023): Disrupted over 30 hotel and casino venues, causing $100 million in losses. The group gained access via a helpdesk impersonation call and deployed ransomware.

Caesars Entertainment (August 2023): Stole data from 65 million loyalty programme members. Gained entry by impersonating an employee and convincing the IT desk to provide credentials. Caesars paid a $15 million ransom.

Clorox (2023): Clorox reported a significant cyberattack attributed to Scattered Spider, leading to operational disruptions and a decrease in net sales by as much as 28%.

Riot Games: Stole source code for League of Legends and Teamfight Tactics, demanding $10 million in ransom.

Mailchimp, Twilio, and DoorDash: Hit with phishing and credential theft attacks in early 2023.

Telecom & BPO companies: Maintained persistent access even after detection, sometimes reversing security patches to regain entry.

These events show a clear pattern: Scattered Spider seeks high value targets where disruption leads to rapid payouts and media attention.


How Scattered Spider Executes Its Attacks

Scattered Spider employs deceptive social engineering techniques rather than relying exclusively on software vulnerabilities.

Their primary methods include:

Phishing campaigns

These involve fraudulent emails impersonating IT administrators or trusted entities to deceive employees into revealing login credentials. These phishing communications are often highly targeted and contextualised to appear legitimate, increasing their effectiveness.

SIM swapping

This technique involves manipulating telecommunications providers to transfer a victim’s phone number to a new SIM card controlled by the attackers. This enables them to intercept one-time passwords and authentication codes sent via SMS, effectively circumventing standard multifactor authentication measures.

Credential theft

The group focuses on acquiring and utilising stolen employee login details to infiltrate corporate networks. It often leverages compromised access from one organisation to target others in its supply chain. The attackers frequently focus on obtaining privileged account credentials with broad system access.

After Gaining Access:

Upon gaining access, the group typically:

  • Encrypts critical data and demands ransom payments, often amounting to millions of pounds.
  • Exploits Active Directory to gain broad access (as seen in M&S).
  • Deploys remote access tools like TeamViewer or Ngrok.
  • Escalates privileges with tools like Mimikatz.
  • Installs malware including VIDAR, Raccoon Stealer, and BlackCat ransomware.
  • Monitors internal chats (e.g. Microsoft Teams) and even joins incident response calls.
  • Exfiltrates sensitive data and issues extortion demands.

Their flexible model means each attack may involve different individuals and techniques, making prevention more challenging.

Tactics, Techniques, and Procedures (TTPs)

Scattered Spider employs a range of tactics to gain initial access, escalate privileges, move laterally within networks, and exfiltrate data. Key methods include:

Initial Access:

Utilising social engineering techniques such as SMS phishing (smishing), email phishing, and posing as IT helpdesk personnel to trick employees into divulging credentials or performing actions that grant access to systems.

Execution and Persistence:

Deploying legitimate remote access tools like AnyDesk, LogMeIn, and ConnectWise Control to maintain access. They also register their own Multi-Factor Authentication (MFA) tokens and add federated identity providers to Single Sign-On (SSO) environments to ensure continued access.

Privilege Escalation:

Exploiting vulnerabilities such as CVE-2015-2291 in Intel Ethernet diagnostics drivers and CVE-2021-35464 in ForgeRock Access Management servers to gain elevated privileges.

Lateral Movement and Discovery:

Conducting reconnaissance across various environments, including Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365, and AWS. They search for SharePoint sites, credential storage documentation, VMware vCenter infrastructure, and backups to facilitate lateral movement.

Exfiltration and Impact:

Using tools like WarZone RAT, Raccoon Stealer, and Vidar Stealer to collect sensitive information. They have also deployed ALPHV/BlackCat ransomware to encrypt data and demand ransom payments.

Tools and Malware

Scattered Spider employs a combination of legitimate and custom tools to execute their attacks.

POORTRY:
A malicious driver used to terminate security software processes and evade detection. It has been signed with a Microsoft Windows Hardware Compatibility Authenticode signature to bypass security measures.

STONESTOP:
A Windows userland utility that functions as both a loader/installer for POORTRY and an orchestrator to instruct the driver on which actions to perform.

RMM Tools:
Legitimate remote monitoring and management tools like Fleetdeck.io, Level.io, Pulseway, TeamViewer and ScreenConnect are used for lateral movement and maintaining persistence.

Credential Dumping Tools:
Utilising tools like Mimikatz to extract credentials from compromised systems.

RATs and Info-Stealers:
Deploying malware such as WarZone RAT, Raccoon Stealer, and Vidar Stealer to collect sensitive information like login credentials and cookies.

VPN:
Operating the Tailscale VPN to provide secure peer-to-peer VPN connections, which are leveraged for remote access and network persistence.

The Technical Evolution of Scattered Spider

Scattered Spider demonstrates a level of technical sophistication that distinguishes them from many other cybercriminal groups:

  1. Targeted reconnaissance – The group conducts detailed research on potential victims, identifying key personnel and organisational structures to make their social engineering attacks more convincing. This often includes studying organisational charts, monitoring social media profiles and researching company communications.
  2. Multifactor authentication (MFA) bypass – They have developed techniques to circumvent even sophisticated authentication mechanisms through “MFA fatigue” (overwhelming users with authentication requests until they accept one) or social engineering tactics where attackers impersonate IT support staff.
  3. Living off the land – Once inside a network, they primarily use legitimate administrative tools already present in the environment rather than deploying easily detectable malware. This approach makes their activities significantly harder to distinguish from legitimate system administration.
  4. Supply chain exploitation – They frequently target business process outsourcing (BPO) companies and managed service providers to gain access to multiple downstream clients simultaneously. This method allows them to maximise impact while minimising detection.
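As an added example (not code from the original article or from DigitalXRAID), the Python script below shows how the persistence and MFA-bypass behaviours described under Execution and Persistence and in point 2 above can be surfaced from identity audit logs: a new MFA method enrolled shortly after a helpdesk password reset, a federated identity provider being added to the tenant, and a burst of denied push prompts followed by an approval. The log records, field names and activity names are constructed for this example; map them to whatever your identity provider actually emits.

```python
from datetime import datetime, timedelta

# Constructed audit-log records (not real data). The field and activity names
# are assumptions for this example; real identity providers use their own schema.
EVENTS = [
    {"ts": "2025-04-20T09:02:11Z", "user": "j.smith", "activity": "PasswordReset",
     "actor": "helpdesk.agent", "ip": "10.0.0.5"},
    {"ts": "2025-04-20T09:05:40Z", "user": "j.smith", "activity": "MfaMethodRegistered",
     "actor": "j.smith", "ip": "203.0.113.7", "detail": "Authenticator app"},
    {"ts": "2025-04-20T11:00:00Z", "user": "a.jones", "activity": "MfaMethodRegistered",
     "actor": "a.jones", "ip": "10.0.1.20", "detail": "FIDO2 security key"},
    {"ts": "2025-04-20T13:15:02Z", "user": "admin.ops", "activity": "FederatedIdpAdded",
     "actor": "admin.ops", "ip": "198.51.100.9", "detail": "sts.unknown-idp.example"},
    {"ts": "2025-04-20T22:10:00Z", "user": "m.brown", "activity": "MfaPushDenied",
     "actor": "m.brown", "ip": "198.51.100.44"},
    {"ts": "2025-04-20T22:10:35Z", "user": "m.brown", "activity": "MfaPushDenied",
     "actor": "m.brown", "ip": "198.51.100.44"},
    {"ts": "2025-04-20T22:11:10Z", "user": "m.brown", "activity": "MfaPushTimeout",
     "actor": "m.brown", "ip": "198.51.100.44"},
    {"ts": "2025-04-20T22:12:02Z", "user": "m.brown", "activity": "MfaPushDenied",
     "actor": "m.brown", "ip": "198.51.100.44"},
    {"ts": "2025-04-20T22:13:30Z", "user": "m.brown", "activity": "MfaPushApproved",
     "actor": "m.brown", "ip": "198.51.100.44"},
    {"ts": "2025-04-21T08:00:05Z", "user": "k.lee", "activity": "MfaPushDenied",
     "actor": "k.lee", "ip": "10.0.2.7"},
    {"ts": "2025-04-21T08:01:00Z", "user": "k.lee", "activity": "MfaPushApproved",
     "actor": "k.lee", "ip": "10.0.2.7"},
]

# Tuning knobs (assumed values; adjust to the environment's baseline).
RESET_TO_ENROL_WINDOW = timedelta(hours=24)   # reset followed by new MFA method
PUSH_WINDOW = timedelta(minutes=10)           # look-back for push-fatigue bursts
PUSH_DENIALS_THRESHOLD = 3                    # denied/timed-out prompts before an approval


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return a list of alert dicts for the three persistence/bypass patterns.
    Events are sorted by time; the look-backs scan earlier events, which is
    fine for a batch of audit records like this one."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for i, ev in enumerate(events):
        t, act, user = parse_ts(ev["ts"]), ev["activity"], ev["user"]
        earlier = events[:i]

        if act == "FederatedIdpAdded":
            # A new federated IdP is rare and gives whoever controls it a
            # sign-in path that survives password and MFA resets: always alert.
            alerts.append({"rule": "federated_idp_added", "user": user, "ts": ev["ts"],
                           "evidence": ev.get("detail", "")})

        elif act == "MfaMethodRegistered":
            # New MFA method soon after a reset done by someone other than the
            # user matches the helpdesk-impersonation playbook.
            for prev in earlier:
                if (prev["user"] == user and prev["activity"] == "PasswordReset"
                        and prev["actor"] != user
                        and t - parse_ts(prev["ts"]) <= RESET_TO_ENROL_WINDOW):
                    alerts.append({"rule": "mfa_enrolment_after_helpdesk_reset", "user": user,
                                   "ts": ev["ts"],
                                   "evidence": f"reset by {prev['actor']} at {prev['ts']}, "
                                               f"new method from {ev['ip']}"})
                    break

        elif act == "MfaPushApproved":
            # Several rejected or ignored prompts followed by an approval is the
            # signature of MFA fatigue: the user finally tapped "approve".
            denials = [p for p in earlier
                       if p["user"] == user
                       and p["activity"] in ("MfaPushDenied", "MfaPushTimeout")
                       and t - parse_ts(p["ts"]) <= PUSH_WINDOW]
            if len(denials) >= PUSH_DENIALS_THRESHOLD:
                alerts.append({"rule": "mfa_push_fatigue", "user": user, "ts": ev["ts"],
                               "evidence": f"{len(denials)} rejected prompts in "
                                           f"{PUSH_WINDOW} before approval"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The three rules are deliberately simple so the correlation logic is visible; in a SIEM the same joins would be expressed as lookbacks over the provider's audit table. The reset-to-enrolment rule only fires when the reset was performed by a different principal, so self-service enrolment of a new key (the a.jones record) stays quiet.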


Cybersecurity Best Practices for Protection Against Scattered Spider Attacks

For Businesses

Enforce phishing resistant multifactor authentication

Implement hardware based authentication methods rather than relying solely on SMS-based verification codes, which are more vulnerable to SIM swapping attacks. FIDO2-compliant security keys provide significantly stronger protection than traditional methods.
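To make concrete why the article prefers FIDO2 keys over SMS codes (and why SIM swapping, described earlier, does not help against them), here is an added Python model that is not code from the article or from DigitalXRAID. An SMS code carries no information about where the user typed it, so a code relayed from a look-alike site verifies just like a genuine one. A FIDO2 assertion does carry that information: the browser, not the page, writes the real origin into the signed client data, refuses to use a credential whose RP ID does not match the page's domain, and the relying party checks the origin, the RP ID hash and a fresh challenge before trusting the signature. The authenticator's ECDSA signature is replaced by an HMAC over the same message so the example needs only the standard library; host names are placeholders.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Stand-in for a FIDO2 security key. A real key signs with an ECDSA private
    key; HMAC-SHA256 over the same message is used here (assumption) so the
    example runs without third-party libraries. What matters is what is signed."""

    def __init__(self):
        self.key = os.urandom(32)   # per-credential secret
        self.counter = 0            # signature counter, increases on every use

    def public_key(self) -> bytes:  # with HMAC the relying party stores the same secret
        return self.key

    def sign(self, rp_id: str, client_data: bytes):
        self.counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                     + b"\x01"                                  # flags: user present
                     + self.counter.to_bytes(4, "big"))        # signature counter
        message = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.key, message, hashlib.sha256).digest()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes, authenticator):
    """Model of navigator.credentials.get(): the browser decides which origin is
    signed and refuses RP IDs that are not a registrable suffix of the page host."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None   # a look-alike domain cannot even invoke the credential
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.sign(rp_id, client_data)
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}   # user -> [key, last seen counter]
        self.challenges = {}    # user -> outstanding challenge

    def register(self, user: str, authenticator: Authenticator):
        self.credentials[user] = [authenticator.public_key(), 0]

    def begin_login(self, user: str) -> bytes:
        self.challenges[user] = os.urandom(32)
        return self.challenges[user]

    def finish_login(self, user: str, assertion):
        if assertion is None:
            return False, "browser refused to produce an assertion"
        client_data, auth_data, sig = assertion
        challenge = self.challenges.pop(user, None)   # single use: no replay
        if challenge is None:
            return False, "no outstanding challenge"
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
            return False, "challenge mismatch"
        if cd.get("origin") != self.origin:
            return False, f"origin {cd.get('origin')} is not {self.origin}"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        key, last_counter = self.credentials[user]
        message = auth_data + hashlib.sha256(client_data).digest()
        if not hmac.compare_digest(hmac.new(key, message, hashlib.sha256).digest(), sig):
            return False, "bad signature"
        counter = int.from_bytes(auth_data[33:37], "big")
        if counter <= last_counter:
            return False, "counter did not increase"
        self.credentials[user][1] = counter
        return True, "ok"


def fido2_login(page_origin: str):
    """Run one login with the user's browser on `page_origin`. A relay site would
    forward the genuine challenge unchanged, so that is what happens here."""
    rp = RelyingParty("example.com", "https://login.example.com")
    key = Authenticator()
    rp.register("alice", key)
    challenge = rp.begin_login("alice")
    assertion = browser_get_assertion(page_origin, "example.com", challenge, key)
    return rp.finish_login("alice", assertion)


if __name__ == "__main__":
    for origin in ("https://login.example.com", "https://login-example.com"):
        print(origin, "->", fido2_login(origin))
```

Two separate controls stop the relay: the browser will not use the credential on `login-example.com` at all, and a page on a different legitimate subdomain still fails the relying party's origin check. Neither depends on the user noticing anything, which is the property SMS and app-based codes lack.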

Conduct regular cybersecurity awareness training

Educate employees on recognising sophisticated phishing attempts and deceptive social engineering tactics, with specific training on current threat actor methodologies. Regular simulated phishing exercises can help measure and improve organisational resilience.

Implement robust monitoring systems

Deploy advanced security tools such as SIEM and Endpoint Detection and Response (EDR) to detect unauthorised access and anomalies in user behaviour, with particular attention to privileged account activity. Establish baseline patterns of normal system usage to more readily identify deviations that might indicate compromise. Monitor and restrict RDP usage and implement strong lockout policies.

Maintain rigorous patch management

Systematically update software and patch vulnerabilities to mitigate risks posed by outdated systems susceptible to exploitation. Establish clear prioritisation frameworks for addressing critical vulnerabilities affecting key business systems. Maintain offline backups and test them regularly.

Implement Network Segmentation

Segment networks to limit lateral movement and contain potential breaches.

Backup and Recovery Planning

Maintain offline backups of data and ensure all backed up data is encrypted and immutable. Develop comprehensive recovery plans to ensure business continuity in case of a ransomware attack.

Apply the principle of least privilege

Limit employee permissions to only essential systems required for their role, significantly reducing the potential attack surface. Regularly review and audit access permissions to ensure they remain appropriate. Block unauthorised tools, especially TeamViewer and AnyDesk, at the network level. Treat VMware ESXi servers as critical assets and secure them accordingly.

Monitor and Respond to Abnormal Activities

Implement robust monitoring systems to detect and respond to unusual activities promptly.

Develop and test incident response plans

Create comprehensive incident response plans and procedures for responding to potential breaches, including communication methods not accessible to attackers who may be monitoring internal systems. Conduct regular tabletop exercises to validate response capabilities.

For Individuals

Exercise caution with communications

Scrutinise unsolicited emails, text messages and phone calls, particularly those requesting sensitive information or urgent action. Verify unexpected requests through established channels before taking action.

Utilise strong, unique passwords

Employ password management solutions to create and store distinct credentials for each service or account. This prevents credential reuse that could expose multiple accounts if one is compromised.

Enable robust authentication methods

Where available, use app-based or hardware token authentication rather than SMS verification, as these are significantly more resistant to interception.

Regularly review account activity

Monitor banking, email and social media accounts for signs of unauthorised access or suspicious transactions. Enable account notifications, where available, to receive alerts about unusual activity.

Maintain security awareness

Stay informed about current cybersecurity developments and emerging threats through reputable news and industry sources.


Expanded Tactics and Recent Cyberattacks 

Since the group’s high-profile cyberattacks on retail giants like Marks & Spencer, Scattered Spider has rapidly shifted its focus – now targeting airlines, insurance companies, and other critical sectors across the UK and US. 

Microsoft researchers, who track the group under the alias Octo Tempest, have observed new attack patterns emerging. While the group continues to rely on deceptive social engineering, such as impersonating employees and contacting help desks to reset credentials, they’re increasingly expanding their arsenal with more technically advanced techniques. 

What’s New in Scattered Spider’s Playbook? 

  • Abuse of short messaging services: The group is leveraging SMS based vectors beyond traditional phishing to gain trust and access.
  • Adversary-in-the-middle (AiTM) tactics: Scattered Spider is now intercepting login sessions to steal authentication tokens and bypass multi factor authentication (MFA).
  • Targeting VMware ESXi hypervisors: In recent campaigns, they’ve focused on breaching virtualisation infrastructure, specifically the widely deployed VMware ESXi, to gain broad, deep access to enterprise environments.
  • Use of DragonForce ransomware: The group’s continued collaboration with Ransomware-as-a-Service (RaaS) operators like DragonForce enables widespread data encryption and extortion.
  • Shifting attack flow: Unlike previous campaigns that began with cloud accounts, the group is now prioritising on-premise infrastructure to establish persistence before transitioning to cloud based systems.

These developments illustrate the group’s ability to rapidly adapt its tactics, techniques and procedures (TTPs) and pivot between industries. Insurers, airlines, and service driven organisations that are already under pressure from regulatory and operational demands are now firmly in Scattered Spider’s crosshairs.

Workday cyberattack and growing threat actor collaboration

The Scattered Spider threat is not only growing more advanced, but increasingly collaborative. Security researchers have identified a concerning overlap between the Scattered Spider Group and another prolific cybercrime group, ShinyHunters. ShinyHunters recently hit news headlines for orchestrating Google’s Salesforce breach.

Both groups are now believed to be part of a larger underground community known as The Com.

The latest incident in this trend is the cyberattack targeting Workday, a widely used cloud-based HR and payroll platform trusted by over 11,000 global organisations. According to Workday, attackers exploited a third-party vendor’s customer support system using social engineering tactics. By impersonating IT and HR personnel, the hackers were able to gain access to support tickets containing customer names, email addresses and phone numbers.

This attack mirrors earlier incidents involving Salesforce account targeting, where attackers launched convincing phishing campaigns aimed at users of cloud CRM platforms.

While there’s no evidence that Workday’s internal systems or customer data were directly breached, this type of supply chain compromise significantly increases the risk of secondary phishing attacks and credential harvesting.

Security analysts point to growing evidence of the direct collaboration between Scattered Spider and ShinyHunters, including the use of:

  • Ticket-themed phishing domains
  • Pages mimicking Salesforce login screens to harvest credentials
  • Shared tactics for impersonating enterprise support personnel

The developments around these groups and high profile attacks further reinforce the blurring lines between cybercriminal groups and the expanding attack surface created by third-party providers. Scattered Spider’s ability to pivot from ransomware to sophisticated identity-driven campaigns makes them especially dangerous for large, cloud-reliant organisations.

Organisations must now account for:

  • The security of third-party vendors and suppliers
  • Targeted impersonation campaigns against staff and customer service functions
  • The increased likelihood of blended threat actor operations, combining tactics from multiple cybercrime groups

Jaguar Land Rover cyberattack and manufacturing disruption

The latest reported victim in Scattered Spider’s expanding list of targets is Jaguar Land Rover (JLR), Britain’s largest car manufacturer. On 19 August 2025, production at several key JLR sites was suspended following a serious cyberattack linked to this same group of English speaking hackers.

The attack has caused severe operational disruption, with factory workers instructed to stay at home and vital IT systems taken offline. Although JLR has stated that there is no evidence of customer data theft, the fallout has extended across its supply chain, with suppliers reporting halted deliveries, restricted operations, and lost revenue.

A Telegram channel known as “Scattered Lapsus$ Hunters” has claimed responsibility, posting screenshots that appear to show internal IT instructions and car diagnostics systems. The channel name points to a hybrid collective of three English-speaking hacking groups: Scattered Spider, ShinyHunters, and Lapsus$. This collaboration suggests further consolidation of cybercriminal tactics and increased coordination among threat actors.

The disruption has impacted more than just JLR’s internal systems. Industry sources report that repair garages are experiencing delays in acquiring parts, affecting existing Jaguar and Land Rover owners. The incident follows a period of financial pressure for the carmaker, with declining US exports in line with tariff changes and a reported 49% drop in quarterly profits.

Cybersecurity researchers have also noted that one of the Telegram personas claiming involvement, named Rey, shares a handle with a member of Hellcat, a lesser known ransomware gang with similar tactics and affiliations. While the structure and hierarchy of these groups remain fluid, this incident underscores the growing convergence of cybercriminal operations targeting high-profile UK businesses.

Organisations in manufacturing and automotive sectors are now firmly within the scope of these evolving threat actors. The reliance on just-in-time supply chains, connected systems, and distributed operations creates numerous vulnerabilities that can be exploited through social engineering, credential theft and infrastructure compromise.

The JLR cyberattack highlights the need for:

  • Proactive supply chain risk assessments and resilience planning
  • Advanced monitoring and access control for manufacturing environments
  • Increased collaboration between cyber, IT and operational technology (OT) teams
  • Regular scenario-based exercises to prepare for cross-functional incident response

As Scattered Spider and its affiliates continue to shift sectors, methods and tactics, UK businesses must remain vigilant and adopt a cyber risk strategy that is both comprehensive and adaptive.

Jaguar Land Rover cyberattack becomes most costly cyber incident in UK history

The cyberattack against Jaguar Land Rover (JLR), attributed to members of the Scattered Spider group and its affiliates, has now been assessed as the most economically damaging cyberattack in UK history, with an estimated cost of £1.9 billion.

According to researchers at the Cyber Monitoring Centre (CMC), the attack — which began in late August 2025 — halted production across key JLR sites for five weeks and caused significant disruption across a network of 5,000 impacted businesses. Recovery is expected to continue until January 2026.

The CMC has officially classified the JLR attack as a Category 3 cyber event, reflecting its severity and national economic impact. While JLR has not confirmed the specific nature of the attack, experts believe it may have involved either ransomware or destructive malware targeting internal systems at major UK manufacturing plants including Solihull, Halewood and Wolverhampton.

More than half of the projected losses are expected to fall on JLR directly, with the remainder affecting the broader supply chain and local economies. Suppliers have reported cancelled or delayed orders, while some repair garages warned of delayed service due to unavailable parts. Staff were instructed to stay at home, and dealer platforms experienced intermittent downtime.

The scale of this event serves as a warning to UK enterprises, particularly those with large-scale manufacturing, distribution or supply chain operations. The convergence of social engineering, credential theft and infrastructure compromise used by English-speaking threat actors demonstrates how a single attack can produce far-reaching business and economic impact.

Key considerations for organisations in light of this incident:

  • Assess cyber resilience across the full supply chain and operational technology environment
  • Implement segmented network architecture to reduce blast radius
  • Monitor for lateral movement using identity-aware threat detection
  • Prepare and test business continuity and disaster recovery plans across IT and OT environments

Conclusion: Best Practice Advice & Support

The sophisticated activities of Scattered Spider, and now its affiliate criminal organisations, underscore the necessity for enhanced cybersecurity awareness and preparedness across organisations of all sizes. The exploitation of human vulnerabilities through social engineering, rather than sole reliance on technical vulnerabilities, establishes them as a uniquely dangerous entity in the cybercrime landscape.

Scattered Spider’s evolution from social engineering attacks on the retail industry to technically sophisticated breaches across aviation, insurance, and virtualised infrastructure signals a serious escalation in their capabilities and ambitions. 

Organisations can no longer view these as isolated or industry specific incidents. The group’s ability to exploit both human trust and complex IT environments across cloud and on-prem infrastructure makes them a multi-vector threat.

By adopting a defence-in-depth approach that addresses both technical vulnerabilities and human factors, organisations can significantly improve their ability to withstand and recover from cyberattacks. 

If you’re concerned that your business has been affected by cyberattacks like those seen from Scattered Spider, don’t delay in getting in contact with us. You can also call the Cyber Emergency number at any time, particularly if you experience any issues out of hours.
