Ongoing Campaign by SCATTERED SPIDER
4 July 2025
SCATTERED SPIDER is a financially-motivated eCrime adversary, targeting the insurance and retail industries. As of June 2025, the group has expanded its operations to the aviation sector.
Background
There have been reports of SCATTERED SPIDER, a financially-motivated eCrime adversary, targeting the insurance and retail industries. As of June 2025, the group has expanded its operations to the aviation sector. The group commonly targets multiple organisations within the same industry over a short period, though this pattern is not strictly followed.
Tactics, Techniques and Procedures (TTPs)
Social Engineering: SCATTERED SPIDER leverages vishing, posing as employees, to contact IT help desks. In almost all 2025 incidents observed, this tactic was employed to compromise Microsoft Entra ID, single sign-on (SSO), and virtual desktop infrastructure (VDI) accounts by providing correct answers to verification questions when requesting password or Multi-Factor Authentication (MFA) resets.
Account and Software-as-a-Service (SaaS) Exploitation: Following the compromise of Entra ID, SSO, and VDI accounts, the group gains access to integrated SaaS platforms. Their objective is to find data that facilitates lateral movement (e.g., network diagrams, VPN instructions, or stored credentials), supports extortion efforts, or can be monetised.
Living off the Land: The group is also known for utilising legitimate tools present within the system to carry out malicious activities. Some examples include:
Active Directory reconnaissance using tools like ADExplorer, ADRecon.ps1, and the Get-ADUser PowerShell cmdlet.
Obtaining VMware vCenter access to create unmanaged virtual machines and extract the AD database (ntds.dit) from connected domain controller disks.
Installing tunneling/proxy tools, which include Chisel (communicating with trycloudflare[.]com), MobaXterm, ngrok, Pinggy, Rsocx, and Teleport.
Use of mailbox operations run through PowerShell (HardDelete, SoftDelete, MoveToDeletedItems) and mail transport rules (Set-TransportRule) to delete or divert the emails that would alert a user to activity on their account. In one instance, emails meant for a compromised user were rerouted to an attacker-controlled googlemail[.]com address.
SCATTERED SPIDER uses the S3 Browser client to enumerate and access AWS S3 buckets; this activity is recorded in CloudTrail as ListBuckets and ListObjects events. The group then exfiltrates the data to attacker-controlled buckets.
How to Protect Your Organisation
Organisations are advised to adopt the following measures to strengthen their security posture and safeguard organisational data.
Make MFA mandatory for all users, especially those with administrative or sensitive data access.
Implement a robust Identity and Access Management (IAM) system to enforce role-based access control and the principle of least privilege.
Enable comprehensive logging and behavioural analytics.
Monitor for anomalous application usage, suspicious search terms, and unusual data access patterns.
Conduct regular audits of user accounts, permissions, and connected applications to identify and eliminate unnecessary or risky access.
Maintain isolated backups and develop response playbooks.
Educate employees on threats such as social engineering regularly through cybersecurity awareness training.
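The S3 enumeration described under Living off the Land, and the monitoring advice above, as an added detection example that is not part of this advisory or its cited source: it runs over constructed CloudTrail-shaped records and flags the S3 Browser user agent, a ListBuckets call followed by ListObjects across several buckets, and writes into buckets outside the organisation's inventory. The bucket names, principal ARNs and the exact user-agent substring are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
KNOWN_BUCKETS = {"corp-finance", "corp-hr", "corp-eng"}  # assumed bucket inventory
SUSPECT_AGENTS = ("s3 browser", "s3browser")  # assumed userAgent substrings
WINDOW = timedelta(minutes=10)  # ListObjects burst window after a ListBuckets
MIN_BUCKETS = 3                 # distinct buckets listed inside WINDOW
JDOE = "arn:aws:iam::111111111111:user/jdoe"        # constructed principals
SVC = "arn:aws:iam::111111111111:user/svc-backup"

def _ev(t, name, arn, agent, bucket=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": t, "eventName": name, "userAgent": agent,
            "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket} if bucket else None}

SAMPLE_EVENTS = [
    _ev("2025-06-20T09:00:00Z", "ListObjects", SVC, "aws-sdk-go/1.44", "corp-finance"),
    _ev("2025-06-20T09:00:05Z", "ListBuckets", JDOE, "S3 Browser/11.0"),
    _ev("2025-06-20T09:01:00Z", "ListObjects", JDOE, "S3 Browser/11.0", "corp-finance"),
    _ev("2025-06-20T09:02:00Z", "ListObjects", JDOE, "S3 Browser/11.0", "corp-hr"),
    _ev("2025-06-20T09:03:00Z", "ListObjects", JDOE, "S3 Browser/11.0", "corp-eng"),
    _ev("2025-06-20T09:05:00Z", "CopyObject", JDOE, "S3 Browser/11.0", "attacker-staging"),
]

def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
def _bucket(e):
    return (e.get("requestParameters") or {}).get("bucketName")

def detect(events):
    """Return (principal_arn, reason) findings for the three S3 behaviours."""
    findings, by_actor = [], defaultdict(list)
    for e in sorted(events, key=_ts):
        by_actor[e["userIdentity"]["arn"]].append(e)
    for arn, evs in by_actor.items():
        # 1. The GUI client named in the advisory shows up in the user agent.
        if any(a in e.get("userAgent", "").lower() for e in evs for a in SUSPECT_AGENTS):
            findings.append((arn, "S3 Browser user agent"))
        # 2. ListBuckets followed by ListObjects across many buckets = enumeration.
        for lb in (e for e in evs if e["eventName"] == "ListBuckets"):
            buckets = {_bucket(e) for e in evs if e["eventName"] == "ListObjects"
                       and _ts(lb) <= _ts(e) <= _ts(lb) + WINDOW} - {None}
            if len(buckets) >= MIN_BUCKETS:
                findings.append((arn, f"ListBuckets then ListObjects on {len(buckets)} buckets"))
                break
        # 3. Writes into a bucket outside the inventory: possible exfil staging.
        for e in evs:
            if e["eventName"] in ("PutObject", "CopyObject") and _bucket(e) not in KNOWN_BUCKETS:
                findings.append((arn, f"write to unknown bucket {_bucket(e)}"))
    return findings
```

CloudTrail records ListObjects, PutObject and CopyObject only when S3 data events are enabled for the buckets concerned; with management events alone, only ListBuckets is visible.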
References:
https://thehackernews.com/2025/06/fbi-warns-of-scattered-spiders.html