Actions for Organizations to Take Today to Mitigate Malicious Cyber Activity

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Royal Canadian Mounted Police (RCMP), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK)—hereafter referred to as the authoring organizations—are releasing this joint Cybersecurity Advisory in response to recent activity by Scattered Spider threat actors against the commercial facilities sector, its subsectors, and other sectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as June 2025.


Note: Originally published Nov. 16, 2023, this advisory has been updated through several iterations:

Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.

Per trusted third parties, Scattered Spider threat actors typically engage in data theft for extortion and also use several ransomware variants, most recently deploying DragonForce ransomware alongside their usual TTPs. While some TTPs remain consistent, Scattered Spider threat actors often change TTPs to remain undetected.

The authoring organizations encourage critical infrastructure organizations and commercial facilities to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Scattered Spider malicious activity.

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for tables of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Scattered Spider (also known as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra) engages in data extortion and several other criminal activities. Scattered Spider threat actors use multiple social engineering techniques—including push bombing—and subscriber identity module (SIM) swap attacks to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). According to public reporting, Scattered Spider threat actors have:

The FBI observed Scattered Spider threat actors, after gaining access to networks, using publicly available, legitimate remote access tunneling tools. Table 1 details a list of legitimate tools Scattered Spider repurposed and used for their criminal activity.

Note: The use of these legitimate tools alone is not indicative of malicious activity. Users should review the Scattered Spider IOCs and TTPs discussed in this advisory to determine whether they have been compromised.

In addition to using legitimate tools, Scattered Spider also uses malware as part of its TTPs. See Table 2 for some of the malware used by Scattered Spider.

Scattered Spider threat actors historically evade detection on target networks by using living off the land (LOTL) techniques and allowlisted applications to navigate a targeted organization’s network, as well as frequently modifying their TTPs. For additional information on LOTL techniques, see the joint advisory, Identifying and Mitigating Living Off the Land Techniques.

Scattered Spider threat actors have observably exfiltrated data [TA0010] after gaining access and threatened to release it without deploying ransomware.

Recently, this includes exfiltration to multiple sites including MEGA[.]NZ and U.S.-based data centers such as Amazon S3 [T1567.002].

The FBI has identified that Scattered Spider threat actors may exfiltrate data from targeted organizations’ systems for extortion and then encrypt data on the system for ransom [T1486]. After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with targeted organizations via TOR, Tox, email, or encrypted applications.

Scattered Spider intrusions historically began with broad phishing [T1566] and smishing [T1660] attempts against a target using organization-specific crafted domains, such as the domains listed in Table 3 [T1583.001].

The targeted organization’s name is often appended with either a -helpdesk or a type of single sign-on (SSO) solution to add credibility. While Scattered Spider threat actors have not been observed using these techniques recently, the group continuously evolves its TTPs and these methods could be reused.
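The naming pattern described above (organization name combined with "helpdesk" or an SSO-solution name) lends itself to a simple detector over newly observed domains, for example from certificate transparency feeds or DNS telemetry. The following is an added example, not part of the advisory: the "helpdesk" and "sso" tokens come from the text, the SSO product names in `LOOKALIKE_TOKENS` and the sample domain list are constructed assumptions.

```python
import re

# Tokens appended to a target's name in the lookalike domains the advisory
# describes: "helpdesk" and "sso" are from the advisory; the SSO product
# names are assumed additions (constructed list, extend for your vendors).
LOOKALIKE_TOKENS = ("helpdesk", "help-desk", "sso", "okta", "onelogin", "duo")

def registrable_label(domain):
    """Return the label left of the TLD, accepting defanged input ('[.]').
    Assumption: single-label public suffixes only (no co.uk handling)."""
    host = domain.lower().strip().rstrip(".").replace("[.]", ".")
    host = re.sub(r"^https?://", "", host).split("/")[0]
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def lookalike_reason(domain, org):
    """Explain why `domain` looks like an org-name + token lookalike, else None."""
    org = org.lower()
    label = registrable_label(domain)
    if org not in label or label == org:
        return None                      # unrelated, or the org's own domain
    leftover = label.replace(org, "", 1).strip("-")
    parts = leftover.split("-")
    if leftover in LOOKALIKE_TOKENS or any(p in LOOKALIKE_TOKENS for p in parts):
        return f"'{org}' combined with '{leftover}'"
    return None

def flag_lookalikes(domains, org):
    """Map each suspicious domain to its reason; clean domains are omitted."""
    hits = {}
    for d in domains:
        reason = lookalike_reason(d, org)
        if reason:
            hits[d] = reason
    return hits

# Constructed sample: newly observed domains from CT logs or DNS telemetry.
OBSERVED = [
    "examplecorp.com",                 # legitimate
    "examplecorp-helpdesk.com",        # org + helpdesk
    "sso-examplecorp.net",             # sso + org
    "examplecorp-okta.com",            # org + SSO product (assumed token)
    "examplecorphelpdesk[.]com",       # no hyphen, defanged
    "help.examplecorp.com",            # legitimate subdomain
    "othercorp-sso.com",               # different organization
]

if __name__ == "__main__":
    for d, why in flag_lookalikes(OBSERVED, "examplecorp").items():
        print(f"{d}: {why}")
```

Matches are a triage signal, not proof of abuse; the registrant, certificate issuance time and any mail or web content behind the domain still need review.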

Scattered Spider threat actors currently use a variety of methods to gain initial access to a targeted organization’s network. In some instances, the threat actors purchase employee or contractor credentials on illicit marketplaces such as Russia Market [T1597.002]. In other cases, the threat actors compromise third-party services with access to the networks of several potential targeted organizations [T1199]. It is common for the threat actors to gather the personally identifiable information (PII) of users with elevated access to the organization’s network using online open-source information.

While Scattered Spider initially began their activity relying upon broad phishing campaigns, the threat actors are now employing more targeted and multilayered spearphishing and vishing operations. Scattered Spider searches business-to-business websites to gather information and ultimately determine the individual’s role in a target organization [T1594].

After identifying usernames, passwords, PII [T1589], and conducting SIM swaps, the threat actors then use layered social engineering techniques [T1656] which frequently occur over several calls [T1598.004]. The social engineering attempts are designed to first learn what steps are needed to conduct password resets from helpdesks. Once that information is identified, the threat actors continue to conduct phone calls to employees and help desks to gather password reset specific information of a targeted employee.

Finally, the threat actors conduct spearphishing calls to convince IT help desk personnel to reset passwords and/or transfer MFA tokens [T1078.002] [T1199] [T1566.004], at which point the threat actors perform account takeovers against the users in SSO environments. These social engineering attempts are enriched by access to personal information derived from social media [T1593.001], open-source information, commercial intelligence tools, and database leaks. Scattered Spider threat actor tactics and techniques also make it more difficult for network defenders to warn targeted organizations or to use threat hunting tools to proactively identify intrusions.

Scattered Spider threat actors then register their own MFA tokens [T1556.006] [T1606] and deploy remote monitoring and management (RMM) tools [T1219] after compromising a user’s account to establish persistence [TA0003]. Historically, the threat actors added a federated identity provider to the targeted organization’s SSO tenant and activated automatic account linking [T1484.002]. While the threat actors may still be using this tactic, it has not been identified as a current TTP.

The threat actors were then able to sign into any account by using a matching SSO account attribute. At this stage, Scattered Spider threat actors already controlled the identity provider and could choose an arbitrary value for this account attribute. This activity allowed the threat actors to perform privilege escalation [TA0004] and continue logging in even when passwords were changed [T1078]. Threat actors achieve elevated privileges by using internal communication tools to contact employees and by social engineering them.
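Two of the persistence steps described in the preceding two paragraphs (a new MFA factor registered shortly after a help-desk password reset, and a federated identity provider or automatic account linking added to the SSO tenant) can be surfaced from identity audit logs. The following detection is an added example, not the advisory's own content: the event names, field names and the sample events are constructed, vendor-neutral assumptions that need to be mapped onto your identity provider's actual schema.

```python
from datetime import datetime, timedelta

# Constructed, vendor-neutral identity audit events (not real product logs).
# Event and field names are assumptions; map your IdP's schema onto them.
EVENTS = [
    {"ts": "2025-06-02T13:02:10Z", "event": "helpdesk.password_reset", "user": "j.doe", "actor": "helpdesk-agent-7"},
    {"ts": "2025-06-02T13:19:44Z", "event": "mfa.factor_enrolled", "user": "j.doe", "actor": "j.doe"},
    {"ts": "2025-06-02T14:05:01Z", "event": "sso.identity_provider_added", "user": "-", "actor": "j.doe"},
    {"ts": "2025-06-03T09:00:00Z", "event": "helpdesk.password_reset", "user": "a.lee", "actor": "helpdesk-agent-2"},
    {"ts": "2025-06-03T17:30:00Z", "event": "mfa.factor_enrolled", "user": "a.lee", "actor": "a.lee"},
]

# A user who just received a help-desk reset rarely enrolls a new factor
# within minutes; the advisory's actor pattern does exactly that. Tune per org.
RESET_TO_ENROLL_WINDOW = timedelta(hours=1)
# Tenant-level trust changes are rare and should always have a change record.
TENANT_TRUST_EVENTS = {"sso.identity_provider_added", "sso.automatic_account_linking_enabled"}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect_persistence_setup(events):
    """Return (severity, principal, message) alerts for the two patterns."""
    alerts = []
    last_reset = {}                      # user -> time of most recent help-desk reset
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(e["ts"])
        if e["event"] == "helpdesk.password_reset":
            last_reset[e["user"]] = ts
        elif e["event"] == "mfa.factor_enrolled":
            reset_ts = last_reset.get(e["user"])
            if reset_ts is not None and ts - reset_ts <= RESET_TO_ENROLL_WINDOW:
                minutes = int((ts - reset_ts).total_seconds() // 60)
                alerts.append(("medium", e["user"],
                               f"new MFA factor {minutes} min after help-desk password reset"))
        if e["event"] in TENANT_TRUST_EVENTS:
            alerts.append(("high", e["actor"],
                           f"{e['event']}: tenant trust changed; confirm against change record"))
    return alerts

if __name__ == "__main__":
    for sev, who, msg in detect_persistence_setup(EVENTS):
        print(f"[{sev}] {who}: {msg}")
```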

Once persistence is established on a target network, Scattered Spider threat actors often perform discovery, specifically searching for SharePoint sites [T1213.002], credential storage documentation [T1552.001], VMware vCenter infrastructure [T1018], backups, and instructions for setting up/logging into Virtual Private Networks (VPNs) [TA0007]. The threat actors enumerate the targeted organization’s Active Directory (AD) and then perform discovery and exfiltration of the targeted organization’s code repositories [T1213.003], code-signing certificates [T1552.004], and source code [T1083] [TA0010]. Threat actors activate Amazon Web Services (AWS) Systems Manager Inventory [T1538] to discover targets for lateral movement [TA0007] [TA0008], then move to both preexisting [T1021.007] and actor-created [T1578.002] Amazon Elastic Compute Cloud (EC2) instances. In instances where the ultimate goal is data exfiltration, Scattered Spider threat actors use actor-installed extract, transform, and load (ETL) tools [T1648] to bring data from multiple data sources into a centralized database [T1074] [T1530].

In many instances, Scattered Spider threat actors search for a targeted organization’s Snowflake access to exfiltrate large volumes of data in a short time, often running thousands of queries immediately [T1567]. According to trusted third parties, where more recent incidents are concerned, Scattered Spider threat actors may have deployed DragonForce ransomware onto targeted organizations’ networks—thereby encrypting VMware Elastic Sky X integrated (ESXi) servers [T1486].

To determine if their activities have been detected and to maintain persistence within the compromised system, Scattered Spider threat actors often search a targeted organization’s Slack, Microsoft Teams, and Microsoft Exchange Online for emails [T1114] or conversations regarding the threat actors’ intrusion and any security response. The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and to proactively develop new avenues of intrusion in response to a targeted organization’s defenses.

This is sometimes achieved by creating new identities in the environment [T1136] and is often upheld with fake social media profiles [T1585.001] to backstop newly created identities. Scattered Spider threat actors consistently use proxy networks [T1090] and rotate machine names to further hamper detection and response.

See Table 4 to Table 17 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

The authoring agencies recommend organizations implement the mitigations below to improve their cybersecurity posture based on the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

Following speculation in the press about Scattered Spider targeting entities in the UK in May 2025, the NCSC released a blog post with recommended actions for organizations to take.

In addition, the authoring agencies recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques.

The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Your organization has no obligation to respond or provide information back to FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.

FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Scattered Spider threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI and CISA.

November 16, 2023: Initial version.
November 21, 2023: Updated password recommendation language on page 12.
July 29, 2025: Updated to reflect new co-sealers and TTPs.

This product is provided subject to this Notification and this Privacy & Use policy.
