
Scattered Spider: Inside the operations of a modern threat group


Shana Buhaisa, Security Researcher Intern

What is Scattered Spider?

Scattered Spider is one of the most dangerous and active cyber criminal groups operating today. Also known by aliases such as UNC3944, Starfraud and Muddled Libra, this financially motivated group has become infamous for its social engineering campaigns and its ability to bypass modern security defenses. Unlike most criminal hacking groups, Scattered Spider does not rely on malware alone. They compromise identity systems by tricking employees, service desk staff, or contractors; gain access to accounts; bypass multi-factor authentication (MFA); and move laterally through both cloud and on-premises environments.

Their operations are linked to the ransomware-as-a-service (RaaS) ecosystem, particularly through the association with ALPHV/BlackCat group. While ALPHV develops the ransomware strain, Scattered Spider acts as an affiliate, specializing in breaking into organizations and setting the stage for extortion. This partnership makes their attacks both disruptive and highly profitable.

What makes Scattered Spider different is not just their technical skills, but how they use language and culture as weapons. They can speak and write like insiders, participating in internal conversations as if they have worked at the organization for years. That credibility lets them win trust, impersonate employees, and turn colleagues against one another. With high-profile victims across telecom, aviation, retail, and cloud service providers, their movements highlight the growing challenge of defending against identity-focused and social engineering campaigns.

Initial access tactics and techniques

Scattered Spider relies heavily on social engineering as their first weapon of choice:

  • 2FA Fatigue Attacks - Flooding users with nonstop push notifications until frustration takes over and someone finally taps the approve button.
  • SIM Swapping - Hijacking phone numbers to intercept one-time passcodes (OTPs) and bypass MFA.
  • Help Desk Impersonation - Calling IT staff directly, sometimes even with AI-assisted deepfake voices, to fool them into resetting credentials.
  • Credential Harvesting - Setting up fake login portals, phishing websites, and look-alike domains to capture usernames and passwords.

This mix of psychological pressure and technical tricks makes Scattered Spider especially dangerous.
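The 2FA fatigue pattern above has a simple defensive signature in identity-provider logs: a cluster of push prompts for one user in a short window, most of them denied or timed out, sometimes ending in a single approval. The following detection is an added example written for this post, not code from the original article or from any vendor; the log format, the user names and the IP addresses are constructed, and the window and threshold values are assumptions to tune against your own tenant's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity-provider push-MFA events, not real logs.
# Line format (an assumption): "<ISO timestamp> <user> <result> <client IP>".
SAMPLE_EVENTS = """\
2025-06-01T02:14:03Z alice@example.com push_denied 203.0.113.7
2025-06-01T02:14:41Z alice@example.com push_denied 203.0.113.7
2025-06-01T02:15:20Z alice@example.com push_timeout 203.0.113.7
2025-06-01T02:15:58Z alice@example.com push_denied 203.0.113.7
2025-06-01T02:16:33Z alice@example.com push_denied 203.0.113.7
2025-06-01T02:17:09Z alice@example.com push_approved 203.0.113.7
2025-06-01T09:00:12Z bob@example.com push_approved 198.51.100.4
2025-06-01T17:30:45Z bob@example.com push_approved 198.51.100.4
"""


def parse_events(text):
    """Parse the sample format into dicts with a real datetime for sorting."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "result": result,
            "ip": ip,
        })
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Flag users who received `threshold` or more push prompts inside `window`.

    Events are grouped per user into bursts: a burst starts at the first
    prompt and absorbs later prompts that fall within `window` of that start.
    A burst of repeated denials/timeouts that ends in an approval is the
    signature of a fatigue attack that worked, so it is ranked higher.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        bursts, current = [], [evs[0]]
        for e in evs[1:]:
            if e["ts"] - current[0]["ts"] <= window:
                current.append(e)
            else:
                bursts.append(current)
                current = [e]
        bursts.append(current)

        for burst in bursts:
            if len(burst) < threshold:
                continue
            rejected = sum(1 for b in burst if b["result"] != "push_approved")
            approved_at_end = burst[-1]["result"] == "push_approved"
            alerts.append({
                "user": user,
                "prompts": len(burst),
                "rejected": rejected,
                "ended_in_approval": approved_at_end,
                "window_start": burst[0]["ts"].isoformat(),
                "window_end": burst[-1]["ts"].isoformat(),
                "source_ips": sorted({b["ip"] for b in burst}),
                "severity": "high" if approved_at_end else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample this raises one high-severity alert for alice (six prompts in about three minutes, five rejected, the last approved) and nothing for bob's two routine approvals hours apart. A "high" alert is the trigger to revoke the session that was just approved and call the user back through a known-good channel; the "medium" case (burst with no approval) is still worth a credential reset, because the attacker already has a valid password to be triggering prompts at all.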

Exploitation and Persistence

Once inside, Scattered Spider is adept at making their activity look like everyday business:

  • Remote Tools Abuse - They rely on common built-in platforms like PowerShell and legitimate remote access tools like AnyDesk and ScreenConnect to maintain access and avoid detection.
  • BYOVD (Bring Your Own Vulnerable Driver) - Using signed but vulnerable kernel drivers to disable EDR/XDR solutions.
  • Cloud and IAM Exploitation - Taking advantage of misconfigured cloud consoles and identity permissions for long-term persistence.
  • Credential Abuse for Lateral Movement - Using stolen credentials to map networks, escalate privileges, and quietly expand their access.

By using legitimate credentials and tools, their actions often go unnoticed by traditional monitoring.
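Because the remote access tools and the driver loads in the list above are all legitimate software, the useful detection signal is context rather than the file itself: where the binary runs from, which host it runs on, and who signed the driver. The following checks are an added example written for this post, not code from the original article or from any EDR product. The telemetry format, host names, user names, paths, the sanctioned-host set and the trusted-signer set are all constructed assumptions; a real deployment would check driver hashes against a vulnerable-driver blocklist rather than trusting a signer string.

```python
import re

# Constructed endpoint telemetry, not real logs. One event per line:
#   "<kind> host=<name> user=<account> image=<path> [signer=<subject>]"
# The format, host names and paths are assumptions made for this example.
SAMPLE_TELEMETRY = """\
process host=WS-017 user=CORP\\jsmith image=C:\\Users\\jsmith\\AppData\\Local\\Temp\\AnyDesk.exe
process host=WS-017 user=CORP\\jsmith image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
process host=IT-ADMIN-02 user=CORP\\helpdesk image=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe
driver host=WS-017 user=SYSTEM image=C:\\Users\\jsmith\\AppData\\Local\\Temp\\drv.sys signer=Example Vendor Ltd
driver host=WS-017 user=SYSTEM image=C:\\Windows\\System32\\drivers\\ndis.sys signer=Microsoft Windows
"""

# Remote-access tools named in the post; matched on the executable name.
REMOTE_TOOLS = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}
# Assumption: the only hosts where the IT team's own remote-support client is expected.
SANCTIONED_RMM_HOSTS = {"IT-ADMIN-02"}
# Assumption: placeholder trusted-signer list. In production, compare the driver's
# hash against a vulnerable-driver blocklist instead of trusting a signer name.
TRUSTED_DRIVER_SIGNERS = {"Microsoft Windows"}

USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)
DRIVER_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\", re.IGNORECASE)
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line):
    """Split '<kind> k=v k=v ...' into a dict; values may contain spaces."""
    kind, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["kind"] = kind
    return event


def evaluate(event):
    """Return the list of findings for one event (empty means benign)."""
    findings = []
    image = event.get("image", "")
    exe = image.rsplit("\\", 1)[-1].lower()

    if event["kind"] == "process" and exe in REMOTE_TOOLS:
        # A sanctioned tool installs under Program Files; a per-user copy in
        # AppData/Temp is the "bring your own remote tool" pattern.
        if USER_WRITABLE.search(image):
            findings.append("remote tool launched from user-writable path")
        if event["host"] not in SANCTIONED_RMM_HOSTS:
            findings.append("remote tool on host with no sanctioned remote support")

    if event["kind"] == "driver":
        # BYOVD: a kernel driver dropped outside the normal driver store, or
        # signed by a party the organisation does not expect to load drivers.
        if not DRIVER_DIR.match(image):
            findings.append("driver loaded from outside System32\\drivers")
        if event.get("signer") not in TRUSTED_DRIVER_SIGNERS:
            findings.append("driver signer not trusted; check vulnerable-driver blocklist")
    return findings


def scan(text):
    """Run every telemetry line through evaluate(); keep only events with findings."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        findings = evaluate(event)
        if findings:
            results.append((event["host"], event["image"], findings))
    return results


if __name__ == "__main__":
    for host, image, findings in scan(SAMPLE_TELEMETRY):
        print(host, image)
        for f in findings:
            print("  -", f)
```

On the constructed sample, the help desk's ScreenConnect client on IT-ADMIN-02 and the Microsoft-signed ndis.sys produce no findings, while the AnyDesk copy in a user's Temp folder on a workstation and the third-party driver loaded from the same folder each produce two. Pairing the two findings on the same host within minutes is exactly the sequence the post describes: a remote tool for persistence followed by a driver load aimed at the endpoint agent.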

Ransomware and extortion

Most of the time, Scattered Spider's attacks end with double extortion, combining financial pressure with the threatened release of stolen information to maximize impact:

  • Stealing personal information, customer records, and sensitive business files.
  • Encrypting and ransoming systems, locking them and demanding multimillion-dollar payouts.
  • Threatening public shaming, dark web leaks, and potential regulatory consequences if demands are not met.

The goal is clear: maximize financial gain while putting organizations in impossible, high-stakes situations.

Notable incidents

The damage the Scattered Spider group has caused has been severe:

  • MGM Resorts lost more than $100 million after an attack paralyzed its systems.
  • Caesars Entertainment allegedly paid $15 million to keep customer data from leaking.
  • In 2025, Qantas suffered a breach that exposed data from six million customers, disrupting flights and services.

And those are just the cases we know about.

Final Takeaway

Scattered Spider represents the new face of cyber crime: organized, technically proficient, and socially manipulative. Traditional security measures that focus only on prevention simply are not enough anymore.
To defend effectively, organizations should:

  • Adopt identity-first security models
    Use adaptive MFA and strong help desk level verification to make it harder for attackers to impersonate employees
  • Monitor continuously for unusual behavior
    Keep an eye on cloud and hybrid environments for anomalies that could indicate a breach
  • Harden IAM policies and privilege boundaries
    Limit pathways for attackers to escalate access or move laterally
  • Build resilience
    Prepare for the worst with rapid incident response, containment strategies, and recovery planning

At BreachSimRange, we help organizations turn these lessons into action. Simulate real-world attacks like those used by Scattered Spider, test your defenses, and train your incident response. By practicing realistic scenarios, your team can stay one step ahead of advanced threats.

Get the full report

We have a document here with the notable info on the Scattered Spider group, created for the security group.
