The US Cybersecurity and Infrastructure Security Agency (CISA) has released an updated advisory on the Scattered Spider ransomware group, warning of newly observed tactics and even more sophisticated attacks. The group is now targeting third-party IT vendors by impersonating company employees—stepping beyond its original playbook.

According to the July update, this is the third advisory on Scattered Spider since November 2023, and it reflects the group’s pivot to broader, stealthier social engineering strategies. Their recent victims include major retail brands, tech companies, and even airlines.

From fake IT staff to fake employees

Scattered Spider, also known as UNC3944, Octo Tempest, and Storm-0875, is notorious for social engineering. Previously, its members posed as IT help desk workers to extract credentials. Now, they’re pretending to be actual employees to manipulate outside IT service providers.

The gang’s new targets include Snowflake cloud accounts, Slack, Microsoft Teams, and Exchange. They use this access to gather intel and execute highly customized spear-phishing attacks.

CISA notes that Scattered Spider threat actors also infiltrate internal meetings using fake employee profiles and social media accounts. This lets them observe security responses in real time—and adapt.

Evolving tactics and new malware

The latest advisory details a variety of methods used to bypass multi-factor authentication (MFA), including:

  • Push bombing (MFA fatigue): Overwhelming users with authentication prompts until they accept.
  • SIM swapping: Hijacking a victim’s phone number to intercept OTP codes.
  • Remote access tools: Tricking users into installing remote desktop software for full system control.
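Push bombing leaves a recognisable trace in identity-provider logs: a burst of denied or expired push prompts for one account, often followed by a single approval when the user gives in. The following is an added example (not part of the CISA advisory or the article) of sliding-window detection logic over constructed sample log lines; the log format, field names, and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from any real system). Line format:
# "<ISO timestamp> user=<name> event=mfa_push result=<denied|timeout|approved>"
SAMPLE_LOG = """\
2025-07-30T02:14:05 user=alice event=mfa_push result=denied
2025-07-30T02:14:40 user=alice event=mfa_push result=denied
2025-07-30T02:15:12 user=alice event=mfa_push result=timeout
2025-07-30T02:15:50 user=alice event=mfa_push result=denied
2025-07-30T02:16:31 user=alice event=mfa_push result=timeout
2025-07-30T02:17:02 user=alice event=mfa_push result=denied
2025-07-30T02:18:10 user=alice event=mfa_push result=approved
2025-07-30T09:01:00 user=bob event=mfa_push result=denied
2025-07-30T09:30:00 user=bob event=mfa_push result=approved
2025-07-30T10:00:00 user=carol event=mfa_push result=approved
"""
FAILED = {"denied", "timeout"}  # prompts the user rejected or let expire

def parse_log(text):
    """Parse log lines into (timestamp, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or "event=mfa_push" not in parts:
            continue  # skip unrelated or malformed lines
        fields = dict(p.split("=", 1) for p in parts[1:])
        events.append((datetime.fromisoformat(parts[0]), fields["user"], fields["result"]))
    return sorted(events)

def find_push_bombing(events, min_failed=5, window=timedelta(minutes=10)):
    """Flag users with >= min_failed failed/unanswered prompts inside `window`.
    Returns {user: {"failed_prompts": n, "approved_after": bool}}; approved_after
    means an approval followed the burst within the window (likely compromise)."""
    recent = defaultdict(deque)  # user -> timestamps of recent failed prompts
    hits = {}
    for ts, user, result in events:
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures outside the sliding window
        if result in FAILED:
            q.append(ts)
            if len(q) >= min_failed:
                info = hits.setdefault(user, {"failed_prompts": 0, "approved_after": False})
                info["failed_prompts"] = max(info["failed_prompts"], len(q))
        elif result == "approved" and user in hits and q:
            hits[user]["approved_after"] = True
    return hits
```

In the sample, only alice is flagged (six failed prompts in under four minutes, then an approval); bob's single denial followed by a later approval is ordinary user behaviour and is left alone.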

Scattered Spider has also deployed new ransomware variants like DragonForce, combining data theft with encryption for double extortion attacks. Once inside, the group executes thousands of data queries and exfiltrates sensitive data within minutes.

High-profile attacks and massive costs

The group has been behind several headline-making breaches. In 2025, they reportedly hit major UK retailers including Marks & Spencer, Harrods, and Co-op—often by breaching their third-party IT provider, Tata Consultancy Services.

They also worked with the now-defunct ALPHV/BlackCat group in attacks on MGM Resorts and Caesars Palace in 2023.

Recent victims like Clorox and Hawaiian Airlines have suffered losses estimated at $400 million each. The gang is believed to focus on high-value English-speaking targets and is now expanding into Asia.

Arrests won’t stop the group

Authorities have arrested several young members of the group this year—including four in the UK and one in Spain, all aged between 17 and 22. Still, Mandiant warns that the group remains active and dangerous, now shifting its focus to US transportation infrastructure.

Conclusion

The Scattered Spider ransomware gang is constantly evolving—adopting new tactics, refining social engineering, and deploying fresh malware. Despite arrests, the group continues to pose a serious threat to global organizations. CISA urges businesses to enforce phishing-resistant MFA, monitor third-party access, and store data backups offline.

