A recent update from the FBI, CISA, NCSC-UK, and allied cybersecurity agencies has revealed new techniques used by the threat actor known as Scattered Spider. The advisory, originally published in late 2023 and revised on July 29, 2025, outlines a series of campaigns that continue to exploit enterprises, especially those managing critical infrastructure, through a blend of social engineering, stealthy remote access, and data extortion.
Scattered Spider, also tracked under names like UNC3944, Octo Tempest, and Muddled Libra, is known for aggressive targeting of IT help desks and employees with elevated access privileges. The group’s operations are distinguished not by zero-day exploits, but by well-practiced human manipulation and abuse of legitimate IT tools to blend in.
Shifting Tactics, Persistent Threats
This year’s update highlights a strategic shift toward using DragonForce ransomware in tandem with traditional data theft operations. Once access is secured, often through phone-based impersonation or SIM swap attacks, the group proceeds to exfiltrate sensitive data and, in many cases, encrypt systems to hold the target hostage on both fronts.
In newer incidents, attackers leveraged remote access software like AnyDesk and tunneling tools like Teleport.sh, sidestepping common security detections. Data was funneled out of victim environments using services like MEGA and Amazon S3. In some cases, they even joined internal incident response calls by monitoring emails and chat platforms like Microsoft Teams and Slack.
A Refined Playbook for Access
Initial access still relies heavily on phishing, both traditional and voice-based (vishing). The attackers frequently register domains spoofing helpdesk or SSO portals (e.g., targetsname-sso[.]com, oktalogin-targetcompany[.]com) and impersonate internal IT staff to extract login credentials or push employees into installing remote access tools.
Social engineering tactics are evolving. Recent cases show attackers conducting multi-step calls to learn password reset procedures, then looping back with that knowledge to request MFA token transfers or account resets. This has proven especially effective against contracted helpdesk providers who may not be aware of the full threat context.
Credentials are also acquired through dark web marketplaces like Russia Market and through compromises of third-party vendors with downstream access.
Living Off the Land
The group is adept at using “living off the land” techniques, relying on approved or common IT tools rather than malware. This includes RMM platforms like Tactical RMM and TeamViewer, and credential-stealing software such as Mimikatz and WarZone (AveMaria).
In cloud environments, Scattered Spider has been seen activating AWS Systems Manager Inventory to identify targets for lateral movement, then spinning up or taking over EC2 instances to move laterally or stage data.
They’ve also been probing for Snowflake access, running thousands of queries in short bursts, highlighting a new area of focus in their data theft operations.
Signs of Intrusion
Organizations should watch for several key indicators:
- Unusual use of remote access tools (especially AnyDesk, Ngrok, and Teleport.sh)
- Creation of new identities backed by fake social media accounts
- Exfiltration to cloud platforms like MEGA or S3 buckets
- MFA fatigue attempts and SIM swap reports from employees
- New domain registrations spoofing internal IT services
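As an added illustration (not part of the advisory or this post), the following Python script runs two of the indicators above over constructed sample telemetry: DNS lookups for domains that pair the organisation's name with SSO/helpdesk keywords, and process launches of the named remote access tools, then correlates them per host. The organisation name, its legitimate portal domains, the log format and the tool filenames are assumptions made for the example.

```python
import re

ORG = "targetcompany"  # target organisation name (constructed for this example)
LEGIT_DOMAINS = {"targetcompany.okta.com", "sso.targetcompany.com"}  # assumed
# Words the advisory says get combined with a target's name in spoofed domains.
SPOOF_TOKENS = ("sso", "okta", "helpdesk", "servicedesk", "login", "vpn")
# Remote access / tunnelling tools named as indicators (tsh is Teleport's client).
SUSPECT_TOOLS = {"anydesk.exe", "ngrok.exe", "tsh.exe", "teleport.exe"}

# Constructed sample telemetry: "<timestamp> <host> dns|process key=value".
LOG = """\
2025-07-30T08:01:12Z ws-114 dns query=targetcompany.okta.com
2025-07-30T08:02:40Z ws-114 dns query=oktalogin-targetcompany.com
2025-07-30T08:03:05Z ws-114 process image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2025-07-30T08:05:19Z srv-02 process image=C:\\Windows\\System32\\svchost.exe
2025-07-30T08:06:00Z ws-207 dns query=targetcompany-sso.com
2025-07-30T08:07:31Z ws-207 process image=C:\\Temp\\ngrok.exe
2025-07-30T08:09:44Z ws-301 dns query=targetcompany-helpdesk.net
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (dns|process) \w+=(.+)$")

def is_spoof_domain(domain: str) -> bool:
    """Flag a domain that pairs ORG with an SSO/helpdesk keyword but is not ours."""
    d = domain.lower().rstrip(".")
    if d in LEGIT_DOMAINS or d.endswith("." + ORG + ".com"):
        return False
    return ORG in d and any(tok in d for tok in SPOOF_TOKENS)

def scan(log: str) -> list[tuple[str, str, str]]:
    """Return (host, alert_kind, detail) for each indicator found in the log."""
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, host, kind, value = m.groups()
        if kind == "dns" and is_spoof_domain(value):
            alerts.append((host, "lookalike-domain", value))
        elif kind == "process":
            exe = value.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if exe in SUSPECT_TOOLS:
                alerts.append((host, "remote-access-tool", exe))
    return alerts

def hosts_with_both(alerts) -> set[str]:
    """Hosts showing the full pattern: lookalike portal lookup AND a remote tool."""
    kinds = {}
    for host, kind, _ in alerts:
        kinds.setdefault(host, set()).add(kind)
    return {h for h, k in kinds.items() if {"lookalike-domain", "remote-access-tool"} <= k}
```

Hosts returned by hosts_with_both are the ones where a spoofed-portal lookup and a remote access tool launch coincide, which is the behavioural chain (credential phish followed by a pushed remote tool) worth escalating first.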
It’s not just the tools that matter; it’s the behavior. Scattered Spider frequently impersonates employees or IT support, gains access through small lapses in protocol, then pivots rapidly to high-value systems.
Recommendations for Defenders
Security teams should review and implement several practices immediately:
- Deploy phishing-resistant MFA using FIDO2/WebAuthn or PKI-based methods. Avoid SMS or app-based MFA alone.
- Harden remote access protocols. Audit all RMM tools in use and block unauthorized installations. Use application allowlisting to block unapproved portable executables from running.
- Monitor helpdesk interactions. Establish protocols for verifying identity during password resets or MFA changes—especially across departments.
- Segment internal networks. Limit access between systems to prevent lateral movement and deploy EDR tools to flag unusual behaviors.
- Keep backups offline and tested. Store encrypted, immutable backups in separate locations, and test restoration regularly.
Security teams should also routinely inspect their Microsoft Teams, Exchange, and Slack environments for signs of eavesdropping, particularly if a breach is suspected. In recent cases, attackers have joined remediation calls in real time to stay one step ahead of response efforts.
How Can Netizen Help?
Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service” offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time: https://www.netizen.net/contact
