
G1015 Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [3][7] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [7] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. [1][2][8] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [5]

Item Value
ID G1015
Associated Names Roasted 0ktapus, Octo Tempest, Storm-0875, UNC3944
Version 3.0
Created 05 July 2023
Last Modified 24 October 2025

Associated Group Descriptions

Name Description
Roasted 0ktapus [2]
Octo Tempest [6]
Storm-0875 [6]
UNC3944 [5][4]

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery Scattered Spider has identified vSphere administrator accounts. [4]
enterprise T1087.002 Domain Account Scattered Spider has enumerated legitimate domain accounts which are used in the targeted environment. [1][7][9][4]
enterprise T1087.003 Email Account During C0027, Scattered Spider accessed Azure AD to identify email addresses. [8]
enterprise T1087.004 Cloud Account During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and to identify privileged users, along with the email addresses and AD attributes. [8]
enterprise T1098 Account Manipulation Scattered Spider has added accounts to the ESX Admins group to grant them full admin rights in vSphere. [4]
enterprise T1098.001 Additional Cloud Credentials During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA. [8]
enterprise T1098.003 Additional Cloud Roles Scattered Spider has assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure. [7]
enterprise T1098.005 Device Registration During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims’ VPN. [8]
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Scattered Spider has registered domains to spoof legitimate corporate login portals. [10]
enterprise T1217 Browser Information Discovery Scattered Spider retrieves browser histories via infostealer malware such as Raccoon Stealer. [1]
enterprise T1580 Cloud Infrastructure Discovery Scattered Spider enumerates cloud environments including Amazon Web Services (AWS) S3 buckets to identify server and backup management infrastructure, resource access, databases and storage containers. [7][5][9]
enterprise T1538 Cloud Service Dashboard Scattered Spider abused AWS Systems Manager Inventory to identify targets on the compromised network prior to lateral movement. [1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Scattered Spider has used the PowerShell cmdlet Get-ADUser. [9]
enterprise T1059.004 Unix Shell Scattered Spider has used the command shell to upload and install the Teleport remote access tool to a compromised vCenter Server Appliance. [4]
enterprise T1136 Create Account Scattered Spider creates new user identities within the compromised organization. [1]
enterprise T1543 Create or Modify System Process -
enterprise T1543.002 Systemd Service Scattered Spider has run `SYSTEMD_UNIT_PATH="/lib/systemd/system/teleport.service"` to establish persistence for the Teleport remote access tool. [4]
enterprise T1555 Credentials from Password Stores -
enterprise T1555.005 Password Managers Scattered Spider has searched for credentials in password vaults and Privileged Access Management (PAM) solutions including HashiCorp Vault. [5][4]
enterprise T1486 Data Encrypted for Impact Scattered Spider has used BlackCat and DragonForce ransomware to encrypt files including on VMware ESXi servers. [1][7][9][4][10]
enterprise T1530 Data from Cloud Storage Scattered Spider enumerates data stored in cloud resources for collection and exfiltration purposes. [1]
enterprise T1213 Data from Information Repositories -
enterprise T1213.002 Sharepoint During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides. [8]
enterprise T1213.003 Code Repositories Scattered Spider enumerates data stored within victim code repositories, such as internal GitHub repositories. [1][7]
enterprise T1213.005 Messaging Applications Scattered Spider threat actors search the victim’s Slack and Microsoft Teams for conversations about the intrusion and incident response. [1]
enterprise T1074 Data Staged Scattered Spider stages data in a centralized database prior to exfiltration. [1]
enterprise T1006 Direct Volume Access Scattered Spider has created volume shadow copies of virtual domain controller disks to extract the NTDS.dit file. [7]
enterprise T1484 Domain or Tenant Policy Modification -
enterprise T1484.002 Trust Modification Scattered Spider adds a federated identity provider to the victim’s SSO tenant and activates automatic account linking. [1]
enterprise T1114 Email Collection Scattered Spider searched the victim’s Microsoft Exchange for emails about the intrusion and incident response. [1]
enterprise T1114.003 Email Forwarding Rule Scattered Spider has redirected emails notifying users of suspicious account activity. [9]
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts Scattered Spider has created matching fake social media profiles to support new accounts created in victim environments. [1]
enterprise T1041 Exfiltration Over C2 Channel Scattered Spider has exfiltrated data from compromised VMware vCenter servers through an established C2 channel using the Teleport remote access tool. [4]
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage Scattered Spider has exfiltrated victim data to the MEGA file sharing site, SnowFlake, and AWS S3 buckets. [1][7][9]
enterprise T1190 Exploit Public-Facing Application During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access. [8]
enterprise T1068 Exploitation for Privilege Escalation Scattered Spider has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys). [2]
enterprise T1133 External Remote Services Scattered Spider has leveraged legitimate remote management tools to maintain persistent access. [2]
enterprise T1083 File and Directory Discovery Scattered Spider enumerates a target organization for files and directories of interest, including source code, user provisioning, MFA device registration, network diagrams, and shared credentials in documents or spreadsheets. [1][7][5][9][4]
enterprise T1657 Financial Theft Scattered Spider has deployed ransomware on compromised hosts and threatened to leak stolen data for financial gain. [1][11][9]
enterprise T1589 Gather Victim Identity Information Scattered Spider has used information from previous data breaches to identify employee names to be used in social engineering. [4]
enterprise T1589.001 Credentials During C0027, Scattered Spider sent phishing messages via SMS to steal credentials. [8]
enterprise T1564 Hide Artifacts -
enterprise T1564.008 Email Hiding Rules Scattered Spider creates inbound rules on the compromised email accounts of security personnel to automatically delete emails from vendor security products. [7]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Scattered Spider has uninstalled and disabled security tools. [5]
enterprise T1656 Impersonation Scattered Spider utilized social engineering to compel IT help desk personnel to reset passwords and MFA tokens. [1][7] Scattered Spider has also used Microsoft Teams to pose as internal IT support or help desk personnel. [5]
enterprise T1070 Indicator Removal -
enterprise T1070.008 Clear Mailbox Data Scattered Spider has manually deleted emails notifying users of suspicious account activity. [9]
enterprise T1105 Ingress Tool Transfer Scattered Spider has downloaded the Teleport remote access tool to compromised VMware vCenter Servers. [4]
enterprise T1490 Inhibit System Recovery Scattered Spider has stopped the Volume Shadow Copy service on compromised hosts. [5]
enterprise T1556 Modify Authentication Process -
enterprise T1556.006 Multi-Factor Authentication After compromising user accounts, Scattered Spider registers their own MFA tokens. [1]
enterprise T1556.009 Conditional Access Policies Scattered Spider has added additional trusted locations to Azure AD conditional access policies. [7]
enterprise T1578 Modify Cloud Compute Infrastructure -
enterprise T1578.002 Create Cloud Instance Scattered Spider has created Amazon EC2 instances within the victim’s environment. [1]
enterprise T1621 Multi-Factor Authentication Request Generation Scattered Spider has used multifactor authentication (MFA) fatigue by sending repeated MFA authentication requests to targets. [2][10]
enterprise T1046 Network Service Discovery During C0027, Scattered Spider used RustScan to scan for open ports on targeted ESXi appliances. [8]
enterprise T1588 Obtain Capabilities -
enterprise T1588.001 Malware Scattered Spider has obtained malware to use at multiple stages of operations including information stealers, remote access tools, and ransomware. [5][10]
enterprise T1588.002 Tool Scattered Spider has obtained tools for use throughout the attack lifecycle to include remote access software, protocol tunneling and proxy tools, exploitation frameworks, and reconnaissance tools. [5][9][10][1]
enterprise T1003 OS Credential Dumping -
enterprise T1003.003 NTDS Scattered Spider has extracted the NTDS.dit file by creating volume shadow copies of virtual domain controller disks. [7][9][4]
enterprise T1003.006 DCSync During C0027, Scattered Spider performed domain replication. [8]
enterprise T1069 Permission Groups Discovery Scattered Spider has enumerated the vSphere Admins and ESX Admins groups in targeted environments. [4]
enterprise T1069.002 Domain Groups Scattered Spider has enumerated Active Directory security groups including through the use of ADExplorer, ADRecon.ps1, and Get-ADUser. [9][4]
enterprise T1069.003 Cloud Groups During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and their Active Directory attributes. [8]
enterprise T1566 Phishing -
enterprise T1566.004 Spearphishing Voice During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system. [8]
enterprise T1598 Phishing for Information Scattered Spider has used a combination of credential phishing and social engineering to capture one-time-password (OTP) codes. [2]
enterprise T1598.001 Spearphishing Service During C0027, Scattered Spider sent Telegram messages impersonating IT personnel to harvest credentials. [8]
enterprise T1598.003 Spearphishing Link Scattered Spider has used domains mirroring corporate login portals to socially engineer victims into providing credentials. [10]
enterprise T1598.004 Spearphishing Voice Scattered Spider has used help desk voice-based phishing and also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits. [7][9][4]
enterprise T1572 Protocol Tunneling Scattered Spider has installed protocol-tunneling tools on VMware vCenter and adversary-controlled VMs, including Teleport.sh, Chisel (configured to communicate with trycloudflare[.]com subdomains), MobaXterm, ngrok, Pinggy, and Teleport. [9][1]
enterprise T1090 Proxy Scattered Spider has used proxy networks to hamper detection and has installed legitimate proxy tools on VMware vCenter and adversary-controlled VMs. [9][1]
enterprise T1219 Remote Access Tools -
enterprise T1219.002 Remote Desktop Software In addition to directing victims to run remote software, Scattered Spider members themselves also deploy RMM software including TeamViewer, AnyDesk, LogMeIn, ngrok, and ConnectWise to establish persistence on the compromised network. [1][11][5][9][10]
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Scattered Spider has used RDP to enable lateral movement. [5]
enterprise T1021.004 SSH Scattered Spider has used SSH to move laterally in victim environments and to access the vSphere vCenter Server GUI. [5][4]
enterprise T1021.007 Cloud Services Scattered Spider has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes. [1]
enterprise T1018 Remote System Discovery Scattered Spider can enumerate remote systems, such as VMware vCenter infrastructure. [1]
enterprise T1539 Steal Web Session Cookie Scattered Spider retrieves browser cookies via Raccoon Stealer. [1]
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Scattered Spider has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC. [2]
enterprise T1082 System Information Discovery Scattered Spider has executed scripts to identify the underlying operating system to ensure it uses the correct installation package for malicious payloads. [4]
enterprise T1016 System Network Configuration Discovery Scattered Spider has used network reconnaissance commands for discovery including ping and nltest. [5]
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files Scattered Spider searches for credential storage documentation on a compromised host. [1][5][9]
enterprise T1552.004 Private Keys Scattered Spider enumerates and exfiltrates code-signing certificates from a compromised host. [1]
enterprise T1204 User Execution Scattered Spider has impersonated organization IT and helpdesk staff to instruct victims to execute commercial remote access tools to gain initial access. [1]
enterprise T1078 Valid Accounts Scattered Spider has used compromised credentials for initial access. [5][4]
enterprise T1078.004 Cloud Accounts Scattered Spider has used compromised Microsoft Entra ID accounts to pivot in victim environments. [9]
enterprise T1102 Web Service During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee. [8]
enterprise T1047 Windows Management Instrumentation During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket. [8]
mobile T1660 Phishing Scattered Spider has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal. [7][5]
mobile T1451 SIM Card Swap Scattered Spider has used SIM swapping to bypass MFA and to maintain persistence on mobile carrier networks and SIM cards. [12][5][9][10]

Software

ID Name
References
Techniques (sub-technique: technique)

S1068 BlackCat
References: Scattered Spider has deployed BlackCat ransomware to victim environments for financial gain. [1][7][5][10]
Techniques: Bypass User Account Control: Abuse Elevation Control Mechanism; Access Token Manipulation; Domain Account: Account Discovery; Windows Command Shell: Command and Scripting Interpreter; Data Encrypted for Impact; Internal Defacement: Defacement; Disk Content Wipe: Disk Wipe; File and Directory Discovery; Windows File and Directory Permissions Modification: File and Directory Permissions Modification; Clear Windows Event Logs: Indicator Removal; Inhibit System Recovery; Lateral Tool Transfer; Local Storage Discovery; Modify Registry; Network Share Discovery; Domain Groups: Permission Groups Discovery; Remote System Discovery; Service Stop; System Information Discovery; System Owner/User Discovery; Windows Management Instrumentation

S0591 ConnectWise
References: Scattered Spider has used ConnectWise to maintain persistence. [5][10]
Techniques: PowerShell: Command and Scripting Interpreter; Screen Capture; Video Capture

S0357 Impacket
References: During C0027, Scattered Spider used Impacket for lateral movement. [8]
Techniques: LLMNR/NBT-NS Poisoning and SMB Relay: Adversary-in-the-Middle; Lateral Tool Transfer; Network Sniffing; NTDS: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSA Secrets: OS Credential Dumping; Kerberoasting: Steal or Forge Kerberos Tickets; Ccache Files: Steal or Forge Kerberos Tickets; Service Execution: System Services; Windows Management Instrumentation

S0349 LaZagne
References: Scattered Spider can obtain credential information using LaZagne. [7]
Techniques: Windows Credential Manager: Credentials from Password Stores; Credentials from Web Browsers: Credentials from Password Stores; Credentials from Password Stores; Keychain: Credentials from Password Stores; LSA Secrets: OS Credential Dumping; /etc/passwd and /etc/shadow: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Cached Domain Credentials: OS Credential Dumping; Proc Filesystem: OS Credential Dumping; Credentials In Files: Unsecured Credentials

S0002 Mimikatz
References: Scattered Spider has gathered credentials using Mimikatz. [1][7][5][10]
Techniques: SID-History Injection: Access Token Manipulation; Account Manipulation; Security Support Provider: Boot or Logon Autostart Execution; Credentials from Password Stores; Credentials from Web Browsers: Credentials from Password Stores; Windows Credential Manager: Credentials from Password Stores; DCSync: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSASS Memory: OS Credential Dumping; LSA Secrets: OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Golden Ticket: Steal or Forge Kerberos Tickets; Silver Ticket: Steal or Forge Kerberos Tickets; Private Keys: Unsecured Credentials; Pass the Hash: Use Alternate Authentication Material; Pass the Ticket: Use Alternate Authentication Material

S0508 ngrok
References: Scattered Spider has used ngrok to create secure tunnels to remote web servers. [1][9][10]
Techniques: Domain Generation Algorithms: Dynamic Resolution; Exfiltration Over Web Service; Protocol Tunneling; Proxy; Web Service

S1148 Raccoon Stealer
References: [10]
Techniques: Local Account: Account Discovery; Web Protocols: Application Layer Protocol; Archive Collected Data; Automated Collection; Automated Exfiltration; Credentials from Web Browsers: Credentials from Password Stores; Data from Information Repositories; Data from Local System; Deobfuscate/Decode Files or Information; Exfiltration Over C2 Channel; File and Directory Discovery; File Deletion: Indicator Removal; Ingress Tool Transfer; Encrypted/Encoded File: Obfuscated Files or Information; Dynamic API Resolution: Obfuscated Files or Information; Query Registry; Screen Capture; Software Discovery; Steal Web Session Cookie; Supply Chain Compromise; System Information Discovery; System Location Discovery; System Owner/User Discovery; System Time Discovery

S1040 Rclone
References: [5]
Techniques: Archive via Utility: Archive Collected Data; Data Transfer Size Limits; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol: Exfiltration Over Alternative Protocol; Exfiltration Over Unencrypted Non-C2 Protocol: Exfiltration Over Alternative Protocol; Exfiltration to Cloud Storage: Exfiltration Over Web Service; File and Directory Discovery

S0183 Tor
References: Scattered Spider has used Tor to communicate with targeted organizations. [1]
Techniques: Asymmetric Cryptography: Encrypted Channel; Multi-hop Proxy: Proxy

S0670 WarzoneRAT
References: Scattered Spider has utilized WarzoneRAT to remotely access a compromised system. [1][10]
Techniques: Bypass User Account Control: Abuse Elevation Control Mechanism; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; PowerShell: Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Credentials from Web Browsers: Credentials from Password Stores; Data from Local System; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; Component Object Model Hijacking: Event Triggered Execution; Exfiltration Over C2 Channel; File and Directory Discovery; Hide Artifacts; Hidden Window: Hide Artifacts; Disable or Modify Tools: Impair Defenses; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Native API; Non-Application Layer Protocol; Spearphishing Attachment: Phishing; Process Discovery; Process Injection; Proxy; Remote Desktop Protocol: Remote Services; VNC: Remote Services; Rootkit; System Information Discovery; Template Injection; Malicious File: User Execution; Video Capture

References


  1. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024. 

  2. CrowdStrike. (2023, January 10). SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023. 

  3. CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023. 

  4. Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Retrieved October 13, 2025. 

  5. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025. 

  6. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. 

  7. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024. 

  8. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023. 

  9. Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025. 

  10. Check Point Team. (2025, July 7). Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation. Retrieved October 13, 2025. 

  11. Trellix et al. (2023, August 17). Scattered Spider: The Modus Operandi. Retrieved March 18, 2024. 

  12. Mphasis. (2024, April 17). Scattered Spider conducts SIM swapping attacks. Retrieved February 3, 2025.