SCATTERED SPIDER

Summary of Actor: SCATTERED SPIDER is a highly sophisticated cyber threat actor known for its targeted cyber espionage campaigns. The group is believed to have ties to state-sponsored entities and utilizes advanced evasion techniques. They have been active primarily in recent years and are known for their persistence and adaptability.
General Features: SCATTERED SPIDER is known for using spear-phishing, social engineering, and custom malware to infiltrate target systems. They have a strong focus on evasion and maintain persistence within networks using various backdoor techniques.
Related Other Groups: APT41, FIN7, Carbanak
Indicators of Attack (IoA):
- Unusual outbound network traffic
- Presence of custom malware
- Unauthorized access attempts
- Use of legitimate but compromised credentials
Recent Activities and Trends:
- Latest Campaigns: SCATTERED SPIDER recently targeted financial institutions with spear-phishing attacks that exploited CVE-2022-30190, also known as the 'Follina' vulnerability. They deployed custom malware to exfiltrate sensitive data.
- Emerging Trends: Recently, SCATTERED SPIDER has been observed using more sophisticated social engineering techniques, including deepfake audio and video. They also appear to be increasing their focus on compromising supply chains to gain access to multiple organizations at once.
Aliases:
- DEV-0971
- Muddled Libra
- Oktapus
- Scatter Swine
- Storm-0875
Tools and Malware:
- BlackCat
- WarzoneRAT
- Mimikatz
- LaZagne
- ngrok
Techniques:
- T1027 - Obfuscated Files or Information
- T1049 - System Network Connections Discovery
- T1087 - Account Discovery
- T1021 - Remote Services
- T1115 - Clipboard Data
Tactic | Id | Technique
---|---|---
Collection | T1213 | Data from Information Repositories
Collection | T1056 | Input Capture
Collection | T1530 | Data from Cloud Storage
Collection | T1114 | Email Collection
Collection | T1115 | Clipboard Data
Collection | T1074 | Data Staged
Collection | T1119 | Automated Collection
Command And Control | T1105 | Ingress Tool Transfer
Command And Control | T1104 | Multi-Stage Channels
Command And Control | T1219 | Remote Access Tools
Command And Control | T1102 | Web Service
Command And Control | T1071 | Application Layer Protocol
Command And Control | T1572 | Protocol Tunneling
Command And Control | T1090 | Proxy
Credential Access | T1621 | Multi-Factor Authentication Request Generation
Credential Access | T1003 | OS Credential Dumping
Credential Access | T1056 | Input Capture
Credential Access | T1212 | Exploitation for Credential Access
Credential Access | T1552 | Unsecured Credentials
Credential Access | T1110 | Brute Force
Credential Access | T1606 | Forge Web Credentials
Credential Access | T1556 | Modify Authentication Process
Credential Access | T1539 | Steal Web Session Cookie
Defense Evasion | T1089 | Disabling Security Tools
Defense Evasion | T1656 | Impersonation
Defense Evasion | T1578 | Modify Cloud Compute Infrastructure
Defense Evasion | T1562 | Impair Defenses
Defense Evasion | T1564 | Hide Artifacts
Defense Evasion | T1070 | Indicator Removal
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1134 | Access Token Manipulation
Defense Evasion | T1078 | Valid Accounts
Defense Evasion | T1556 | Modify Authentication Process
Defense Evasion | T1006 | Direct Volume Access
Defense Evasion | T1553 | Subvert Trust Controls
Defense Evasion | T1484 | Domain or Tenant Policy Modification
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1027 | Obfuscated Files or Information
Discovery | T1217 | Browser Information Discovery
Discovery | T1018 | Remote System Discovery
Discovery | T1580 | Cloud Infrastructure Discovery
Discovery | T1069 | Permission Groups Discovery
Discovery | T1087 | Account Discovery
Discovery | T1538 | Cloud Service Dashboard
Discovery | T1083 | File and Directory Discovery
Discovery | T1046 | Network Service Discovery
Discovery | T1518 | Software Discovery
Discovery | T1049 | System Network Connections Discovery
Execution | T1106 | Native API
Execution | T1204 | User Execution
Execution | T1059 | Command and Scripting Interpreter
Execution | T1053 | Scheduled Task/Job
Execution | T1047 | Windows Management Instrumentation
Exfiltration | T1029 | Scheduled Transfer
Exfiltration | T1567 | Exfiltration Over Web Service
Exfiltration | T1011 | Exfiltration Over Other Network Medium
Impact | T1496 | Resource Hijacking
Impact | T1486 | Data Encrypted for Impact
Impact | T1498 | Network Denial of Service
Impact | T1531 | Account Access Removal
Impact | T1657 | Financial Theft
Initial Access | T1199 | Trusted Relationship
Initial Access | T1133 | External Remote Services
Initial Access | T1078 | Valid Accounts
Initial Access | T1195 | Supply Chain Compromise
Initial Access | T1190 | Exploit Public-Facing Application
Initial Access | T1566 | Phishing
Lateral Movement | T1021 | Remote Services
Persistence | T1133 | External Remote Services
Persistence | T1543 | Create or Modify System Process
Persistence | T1136 | Create Account
Persistence | T1547 | Boot or Logon Autostart Execution
Persistence | T1176 | Software Extensions
Persistence | T1078 | Valid Accounts
Persistence | T1556 | Modify Authentication Process
Persistence | T1053 | Scheduled Task/Job
Persistence | T1098 | Account Manipulation
Privilege Escalation | T1543 | Create or Modify System Process
Privilege Escalation | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1134 | Access Token Manipulation
Privilege Escalation | T1078 | Valid Accounts
Privilege Escalation | T1053 | Scheduled Task/Job
Privilege Escalation | T1484 | Domain or Tenant Policy Modification
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
Privilege Escalation | T1098 | Account Manipulation
Reconnaissance | T1598 | Phishing for Information
Reconnaissance | T1591 | Gather Victim Org Information
Reconnaissance | T1589 | Gather Victim Identity Information
Resource Development | T1586 | Compromise Accounts
Resource Development | T1583 | Acquire Infrastructure
Resource Development | T1588 | Obtain Capabilities
Resource Development | T1608 | Stage Capabilities
Resource Development | T1584 | Compromise Infrastructure
Resource Development | T1585 | Establish Accounts
Total Count: 14