Scattered Spider

Threat Actor Profile, updated 18 hours ago
Scattered Spider (also known as Octo Tempest, UNC3944, and 0ktapus) is a prominent cybercrime group. Its tactics for compromising targets include phishing for login credentials, searching SharePoint repositories for sensitive information, and exploiting infrastructure such as remote systems. Once inside a victim's network, the actors work to maintain persistence and exfiltrate data, which they then use for extortion. Over the past two years the group has been suspected of breaking into hundreds of organizations, including high-profile targets such as Twilio, LastPass, DoorDash, and Mailchimp.

Several arrests were made in connection with the group during 2024. In January, U.S. authorities apprehended Noah Michael Urban, a 19-year-old Florida resident suspected of membership in the group. More recently, Spanish police arrested a 22-year-old British national believed to be a key member, and UK law enforcement detained a 17-year-old from Walsall on suspicion of involvement. These individuals belong to a broader cybercriminal community known as "The Com," where hackers boast about thefts that typically begin with social engineering.

In the second quarter of 2024, Scattered Spider expanded its capabilities by adding RansomHub and Qilin ransomware to its arsenal, a sign of the group's adaptability and growing threat level. As the group continues to evolve and expand its operations, organizations should stay vigilant and adopt robust security measures to mitigate the risk.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so listed here are possible overlapping names and profiles you may also want to look at.
ID (votes): Profile Description

Octo Tempest (4 votes): Octo Tempest, also known as Scattered Spider, is a financially motivated threat actor known for launching extensive campaigns featuring adversary-in-the-middle (AiTM) techniques, social engineering, and SIM-swapping capabilities. This native English-speaking collective has evolved to become a signif

UNC3944 (4 votes): UNC3944, also known as Scattered Spider and 0ktapus, is a financially motivated threat actor that has been active since 2021. Initially targeting telecommunication firms and tech companies, the group has expanded its range to include hospitality, retail, media, and financial services sectors. The gr

Muddled Libra (4 votes): Muddled Libra is a notable threat actor known for its sophisticated use of cloud services, particularly Amazon Web Services (AWS) and Microsoft Azure, to execute cyberattacks. The group leverages legitimate cloud service provider (CSP) features to efficiently exfiltrate data. In AWS, Muddled Libra t

The Com (2 votes): "The Com" is a threat actor or cybercriminal community that has been involved in numerous high-profile cyberattacks, including recent attacks on Las Vegas resorts that severely impacted several prominent hotels and casinos. The community is largely composed of young hackers who are inducted into a l

Scatter Swine (2 votes): Scatter Swine, also known by multiple names such as 0ktapus, Scattered Spider, UNC3944, and Muddled Libra, is a threat actor group that has been active since early 2022. The group first came to light in August 2022 when they executed smishing attacks against over 100 organizations, including Twilio

Oktapus (2 votes): Oktapus, a threat actor also known as Scattered Spider, Scatter Swine, and Muddled Libra, has been identified as a significant cybersecurity risk due to its sophisticated phishing campaigns. The group first gained notoriety in 2022 when it launched the Oktapus phishing campaign, targeting employees

Tyler (1 vote): Tyler Buchanan, a 22-year-old from Dundee, Scotland, has been identified as the alleged leader of the Scattered Spider hacking group. This information was revealed by renowned journalist Brian Krebs, who cited sources familiar with the investigation. Known as "tylerb" in Telegram chat channels focus

Star Fraud (1 vote): Star Fraud, a threat actor subgroup within the larger entity known as the Com, has recently been implicated in significant cyber-attacks on two major entertainment corporations, Caesars Entertainment and MGM Resorts International. These attacks were high-profile extortion attempts that underscored t

0ktapus (1 vote): 0ktapus, also known as Scatter Swine, is a threat actor that first emerged in August 2022 and has been linked to smishing attacks against over 100 organizations, including Twilio and Cloudflare. The group's primary objective was to gain access to company mailing lists or customer-facing systems, wit

Scattered Swine (1 vote): None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware, Lateral Move..., Cybercrime, Extortion, Phishing, ESXi, Ransom, RaaS, Malware, Exploit, MGM, Encryption, Scams, SharePoint, Microsoft, Bitcoin, Credentials, Okta, FBI, AWS, Reconnaissance, Windows, Exploits, VPN, T1583.001, T1556.006, T1552.001, vCenter, T1018, T1648, T1074, T1530, CISA, RAT, Evasive, Locker, Data Leak, Federal, Cybercrimes, Coinbase, Outlook, Police, LOTL, T1606, T1213.002, T1114, Telegram, Mandiant, Azure, GBHackers, RMM, BreachForums, CrowdStrike, CyberScoop, Vulnerability, TechCrunch, Proxy, State Sponso..., Fraud, UK, Reddit, Encrypt, At, Scam, MITRE, T1567.002, T1486, T1566, Smishing
Associated Malware
ID (type; votes): Profile Description

Raccoon (Unspecified; 2 votes): Raccoon is a highly potent and cost-effective Malware-as-a-Service (MaaS) primarily sold on dark web forums, used extensively by Scattered Spider threat actors to pilfer sensitive data. As per the "eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2.0" report published on August 31, 20

Vidar Stealer (Unspecified; 1 vote): Vidar Stealer is a form of malware, a malicious software designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold dat

Karakurt (Unspecified; 1 vote): Karakurt is a notorious malware and data extortion group, previously affiliated with ITG23, known for its sophisticated tactics, techniques, and procedures (TTPs). The group's operations involve stealing sensitive data from compromised systems and demanding ransoms ranging from $25,000 to a staggeri

Rhysida Ransomware (Unspecified; 1 vote): Rhysida ransomware is a type of malicious software that has been causing significant disruptions worldwide. The malware, which infiltrates systems via suspicious downloads, emails, or websites, is designed to exploit and damage computers or devices. Once inside, it can steal personal information, di

Clop (Unspecified; 1 vote): Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o

Raccoon Stealer (Unspecified; 1 vote): Raccoon Stealer is a form of malware that was first identified in 2019. Developed by Russian-speaking coders and initially promoted on Russian-language hacking forums, the malicious software was designed to steal sensitive data from victims, including credit card information, email credentials, and

Redline (Unspecified; 1 vote): RedLine is a notorious malware, discovered in March 2020, designed to exploit computer systems and steal sensitive personal information such as login credentials, cryptocurrency wallets, and financial data. It exports this stolen data to its command-and-control infrastructure. The malware has been u

Vidar (Unspecified; 1 vote): Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,

Akira (Unspecified; 1 vote): Akira is a malicious software, or malware, specifically a type of ransomware known for its disruptive and damaging effects. First surfacing in late 2023, it has continued to wreak havoc on various entities, including corporations and industries. This ransomware infects systems through suspicious dow
Associated Threat Actors
ID (type; votes): Profile Description

Alphv (is related to; 7 votes): AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car

Ransomhub (Unspecified; 3 votes): RansomHub, a threat actor known for executing actions with malicious intent, has recently been linked to several high-profile cyber-attacks. The group is recognized for its ransomware attacks, which have resulted in significant data breaches at multiple companies. Christie, a prominent organization,

Noberus (Unspecified; 2 votes): Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating fr

Qilin (Unspecified; 2 votes): Qilin, a notable threat actor in the cybersecurity landscape, has been significantly active over the last two years, compromising more than 150 organizations across 25 countries and various industries. Originally evolving from the Agenda ransomware written in Go, Qilin has since transitioned to Rust

APT41 (Unspecified; 1 vote): APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4

Black Cat (Unspecified; 1 vote): Black Cat, also known as AlphV, is a prominent threat actor known for its malicious activities in the cybersecurity landscape. The group gained significant attention when it launched an attack on Change Healthcare, a subsidiary of Optum and UnitedHealth Group (UHG), in late February. This ransomware

Bianlian (Unspecified; 1 vote): BianLian is a threat actor that has been increasingly active in cybercrimes. The group is known for its malicious activities, including the execution of actions with harmful intent. In a series of recent events, BianLian has exploited vulnerabilities in JetBrains TeamCity, a continuous integration a

Cozy Bear (Unspecified; 1 vote): Cozy Bear, also known as APT29, is a threat actor linked to the Russian government that has been implicated in numerous cyber-espionage activities. The group's activities have been traced back to at least 2015, when they were identified as infiltrating the Democratic National Committee (DNC) network

Alphv Ransomware Group (Unspecified; 1 vote): The ALPHV ransomware group, also known as BlackCat, is a threat actor that has been responsible for a series of high-profile cyberattacks on various sectors. The group, which is believed to be connected to Russian organized crime, first gained notoriety when it claimed responsibility for the MGM Res

Blackcat/alphv/noberus (Unspecified; 1 vote): None

Rhysida (Unspecified; 1 vote): Rhysida, a threat actor known for executing malicious cyber activities, has been responsible for numerous ransomware attacks. The group has primarily targeted businesses and healthcare organizations, with notable instances including a disruptive attack on Ann & Robert H. Lurie Children's Hospital of

FIN7 (Unspecified; 1 vote): FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Associated Vulnerabilities
ID (type; votes): Profile Description

Ktapus (Unspecified; 1 vote): None
Source Document References
Information about the Scattered Spider threat actor was read from the document corpus listed below. This display is limited to 20 results.
Source (created at): Title

DARKReading (8 hours ago): Teenage Scattered Spider Suspect Arrested in Global Cybercrime Sting
Securityaffairs (18 hours ago): UK police arrested a 17-year-old linked to Scattered Spider gang
Securityaffairs (a day ago): Security Affairs Malware Newsletter - Round 3
Securityaffairs (2 days ago): Security Affairs Malware Newsletter - Round 3
Securityaffairs (6 days ago): Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal
DARKReading (6 days ago): Microsoft: Scattered Spider Widens Web With RansomHub & Qilin
InfoSecurity-magazine (8 days ago): Pharmacy Giant Rite Aid Hit By Ransomware
Securityaffairs (8 days ago): Security Affairs Malware Newsletter - Round 2
Trend Micro (11 days ago): An In-Depth Look at Crypto-Crime in 2023 Part 2
Securityaffairs (16 days ago): Security Affairs Malware Newsletter - Round 1
Securityaffairs (23 days ago): Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (a month ago): Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading (a month ago): CISO Corner: Critical Infrastructure Misinformation; France's Atos Bid
DARKReading (a month ago): Multifactor Authentication Is Not Enough to Protect Cloud Data
BankInfoSecurity (a month ago): Multifactor Authentication Bypass: Attackers Refine Tactics
DARKReading (a month ago): Scattered Spider Boss Cuffed in Spain Boarding a Flight to Italy
Securityaffairs (a month ago): Spanish police arrested an alleged member of the Scattered Spider group
DARKReading (a month ago): RansomHub Brings Scattered Spider Into Its RaaS Fold
InfoSecurity-magazine (a month ago): Scattered Spider Now Affiliated with RansomHub Following BlackCat Exit
Securityaffairs (2 months ago): RansomHub operation is a rebranded version of the Knight RaaS