0ktapus, also known as Scatter Swine, is a threat actor that first emerged in August 2022 and has been linked to smishing (SMS phishing) attacks against over 100 organizations, including Twilio and Cloudflare. The group's primary objective was to gain access to company mailing lists or customer-facing systems, with the aim of facilitating supply-chain attacks. The campaign was particularly successful, and its full scale may not be understood for some time. The initial strategy involved targeting telecommunications companies to gain access to potential targets' phone numbers.
The defining attack style of 0ktapus, termed Muddled Libra, came into focus in late 2022 with the release of the 0ktapus phishing kit. This kit provided a prebuilt hosting framework and bundled templates, making it an attractive tool for various cybercriminals. Palo Alto Networks Unit 42 theorized that the creators of the 0ktapus phishing kit might not possess the same advanced capabilities as Muddled Libra. While there are overlaps in tradecraft, no definitive connection between 0ktapus and UNC3944 has been established.
The 0ktapus phishing kit has seen widespread adoption among other threat actors, although using the kit alone does not necessarily classify a threat actor as what Unit 42 refers to as Muddled Libra. The e-crime group's attacks typically begin with smishing and the 0ktapus phishing kit to establish initial access, eventually leading to data theft and long-term persistence. Various aliases have been used to track this cluster of activity, including Roasted 0ktapus, Scattered Spider, and UNC3944.
Description last updated: 2023-10-11T01:33:47.075Z