
Scattered Spider: Tactics, Targets, and WRAVEN’s Ongoing Threat Intel Tracking

How is a small hacker crew pulling off multi-million dollar breaches, and how are our WMU students tracking them in real time?

🕷️ Who is Scattered Spider?

Scattered Spider (also tracked as UNC3944, Muddled Libra, and Octo Tempest) is a loosely organized crew of mostly young adults, some still teenagers, based in the U.S. and U.K. and active since around May 2022. Early on they did SIM swaps, MFA‑fatigue (push‑bombing) attacks, and SMS phishing for credentials. Since then they have moved into large‑scale social‑engineering intrusions that end in data theft and ransomware.

At WRAVEN, we actively track Scattered Spider and similar threat groups using our Threat Intelligence Dashboard at public.wraven.org. Our team monitors their infrastructure, phishing domains, tactics, and behavior patterns in real time. We break down their attacks across MITRE ATT&CK stages and flag indicators like suspicious subdomains, token-stealing scripts, and lateral movement attempts. Each alert is tagged with contextual info, like industry targeted or method used, so students and researchers can learn how real-world threat actors operate.

What they do

  • Social engineering to bypass MFA

    They call IT or help‑desk staff, impersonate employees, executives, or contractors, and ask for a password reset or for a new MFA device to be enrolled. Once the agent approves, the attacker holds a valid password and a registered MFA factor of their own, so having MFA turned on does not stop them.

  • Phishing with typosquat/Evilginx

    They run adversary‑in‑the‑middle phishing kits such as Evilginx behind look‑alike domains. The kit proxies the real login page, so the victim completes a genuine sign‑in, MFA prompt included, while the kit captures the password and the resulting session cookie. The attacker replays the cookie and never has to pass MFA themselves. Only phishing‑resistant factors (FIDO2/WebAuthn keys bound to the real origin) defeat this.

  • Targeting MSPs & third‑party vendors

    Rather than attacking one company at a time, they compromise IT vendors and managed service providers whose credentials reach many clients, turning one intrusion into a “one‑to‑many” foothold.

  • Ransomware and double extortion

    Once inside, they exfiltrate data, deploy ransomware (recently DragonForce; their 2023 casino intrusions used ALPHV/BlackCat), and threaten to leak the stolen data unless the victim pays, so restoring from backup alone does not end the extortion.

  • Advanced technical moves

    They go deep once they have access: loading malicious or vulnerable signed kernel drivers to kill EDR, dumping credentials, deleting backups and disabling recovery and security tools, and encrypting hypervisors such as VMware ESXi so every hosted VM goes down at once. Each step maps cleanly onto a MITRE ATT&CK tactic.

Recent move: aviation & airlines

In late June 2025, the FBI, along with firms such as Google’s Mandiant and Palo Alto Networks, flagged a new wave of attacks against the aviation sector: vishing calls to airline help desks and incidents at Hawaiian Airlines, WestJet, and then Qantas.

Qantas breach (July 2025)

Qantas confirmed that records of up to 6 million customers were accessed, but no credit card, financial, or passport details. The intrusion came through a third‑party platform used by one of its contact centres, not through Qantas’s core systems. The techniques were the group’s usual ones: impersonating staff over the phone, talking agents into granting access, and using that access to sidestep MFA.

What’s changed in 2025

  1. Domain tricks evolving

    They used to register hyphenated look‑alikes such as company‑helpdesk.com. Now they put the lure keyword in a subdomain of an attacker‑owned apex (helpdesk.company‑sso.com) or swap characters in the brand (c0mpanysso.com), which slips past simple hyphen‑based brand monitoring. About 81% of their domains mimic tech vendors (SSO, help‑desk, and VPN providers) rather than the end victim.

  2. New RAT and malware

    A new variant of Spectre RAT was spotted in their toolset, giving them persistent remote access to compromised hosts after the initial social‑engineering foothold.

  3. AI‑driven impersonation incoming

    The FBI warns they may soon use AI to imitate a target’s voice or writing style, making vishing calls and follow‑up messages more convincing and faster to build trust.

  4. They’re branching sectors

    Beyond casinos and retail, they’re going after finance, insurance, airlines, and MSPs.

Why they’re scary

  • Human‑focused tactics: they don’t rely only on technical exploits. They break trust.

  • Supply‑chain leverage: hitting one vendor impacts many of its clients.

  • Rapid strike and shutdown: quick ransomware deployment, with recovery systems wiped or disabled first.

  • Record of big payouts: MGM took roughly $100M in losses, and Caesars reportedly paid a $15M ransom.

How to stay safe

✔️ Protect help desks

Require strong identity verification before any password reset or MFA change: confirm several independent identifiers, call back on the number already on file (never one the caller supplies), and route resets for privileged accounts through a manager approval. Treat urgency and executive name‑dropping as a warning sign, not a reason to skip the checks.

✔️ Harden MFA

Replace push‑only MFA with number matching or, better, phishing‑resistant hardware keys (FIDO2/WebAuthn). Disable SMS, voice, and other legacy fallback methods, since an attacker who can’t use the strong factor will ask for the weak one.

✔️ Monitor domains

Watch for newly registered, short‑lived domains that combine your brand (or a character‑swapped version of it) with help‑desk, SSO, or VPN keywords, and check DNS query logs continuously for lookups of such names from inside your network.
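A small detector for the lure‑domain patterns described under “Domain tricks evolving” and in the monitoring advice above, run over DNS query logs. This is an added example written for this post, not code from WRAVEN’s dashboard; the brand name (acmecorp), the log lines, and the registration dates are all constructed, and the “registrable domain” helper is a naive last‑two‑labels split (use the Public Suffix List in production).

```python
"""Flag Scattered Spider-style lookalike domains in DNS query logs.

Added example: the defended brand, log lines and registration dates below are
constructed for illustration. In production, registration dates would come from
RDAP/WHOIS or passive DNS, and registrable() would use the Public Suffix List.
"""
from datetime import date

BRAND = "acmecorp"                  # hypothetical defended brand
OWNED_ZONES = ("acmecorp.com",)     # zones the organisation actually controls
LURE_WORDS = ("helpdesk", "servicedesk", "sso", "okta", "vpn", "login", "mfa", "portal")
# Digit substitutions seen in typo domains (c0mpany -> company), mapped back to letters
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
NEW_DOMAIN_DAYS = 30
TODAY = date(2025, 7, 1)

# Constructed sample DNS query log: "<timestamp> <client ip> <queried name>"
SAMPLE_LOG = """\
2025-07-01T09:12:03Z 10.1.4.22 sso.acmecorp.com
2025-07-01T09:13:10Z 10.1.4.22 helpdesk.acmecorp-sso.com
2025-07-01T09:14:55Z 10.1.7.8 acmec0rp-okta.com
2025-07-01T09:15:30Z 10.1.7.8 acmecorpsso.com
2025-07-01T09:20:00Z 10.1.9.3 www.google.com
2025-07-01T09:21:11Z 10.1.9.3 acmecorp.com.vpn-portal.net
"""

# Constructed registration dates keyed by registrable domain
REGISTERED = {
    "acmecorp-sso.com": date(2025, 6, 28),
    "acmec0rp-okta.com": date(2025, 6, 30),
    "acmecorpsso.com": date(2025, 6, 25),
    "vpn-portal.net": date(2024, 1, 10),
}


def registrable(qname):
    """Last two labels of the name (naive; no Public Suffix List handling)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def is_owned(qname):
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in OWNED_ZONES)


def classify(qname, today=TODAY):
    """Return the list of reasons a queried name looks like a lure (empty if clean)."""
    q = qname.lower().rstrip(".")
    if is_owned(q):
        return []
    normalized = q.translate(HOMOGLYPHS)
    # Only names that reference the brand (after undoing digit swaps) are interesting
    if BRAND not in normalized.replace("-", ""):
        return []
    reasons = []
    if normalized != q:
        reasons.append("homoglyph/typo of brand")
    labels = q.split(".")
    apex_label, sub_labels = labels[-2], labels[:-2]
    lures_in_apex = [w for w in LURE_WORDS if w in apex_label.translate(HOMOGLYPHS)]
    lures_in_sub = [w for w in LURE_WORDS if any(w in l for l in sub_labels)]
    if lures_in_apex and "-" in apex_label:
        reasons.append(f"hyphenated brand+lure domain ({','.join(lures_in_apex)})")
    elif lures_in_apex:
        reasons.append(f"brand+lure keyword ({','.join(lures_in_apex)})")
    if lures_in_sub:
        reasons.append(f"lure word as subdomain ({','.join(lures_in_sub)})")
    # Brand sitting left of someone else's apex: acmecorp.com.vpn-portal.net
    if BRAND in ".".join(sub_labels).translate(HOMOGLYPHS).replace("-", ""):
        reasons.append("brand used as subdomain of foreign apex")
    reg = REGISTERED.get(registrable(q))
    if reg is not None and (today - reg).days <= NEW_DOMAIN_DAYS:
        reasons.append(f"registered {(today - reg).days} days ago")
    return reasons


def scan(log_text, today=TODAY):
    """Map every flagged queried name in the log to its list of reasons."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue            # skip malformed lines rather than crash the scan
        _ts, _client, qname = parts
        reasons = classify(qname, today)
        if reasons:
            hits[qname] = reasons
    return hits


if __name__ == "__main__":
    for name, why in scan(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(why)}")
```

The brand check runs after digit‑to‑letter normalization, so acmec0rp‑okta.com is caught as both a typo and a hyphenated lure, while vpn‑portal.net with the brand stacked in front of it is flagged even though its apex is old. Registration age is reported as one reason among several rather than as a gate, because the group’s domains are often only hours old when first queried and an age lookup may lag.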

✔️ Segment networks

Restrict what MSP and vendor accounts can reach, and separate on‑prem from cloud resources (identity systems especially), so that one compromised vendor credential cannot pivot across the whole environment.

✔️ Detect suspicious activity

Log and alert on MFA device enrollments and resets, help‑desk‑initiated password changes, credential‑dumping tool execution, and kernel‑driver installs. Look for these events clustered in time or coming from locations and devices the user has never used before.
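One concrete detection for the help‑desk pattern above: correlate a reset performed by someone other than the account owner with a new MFA factor enrolled shortly afterwards from an IP the user has never used. This is an added example written for this post, not WRAVEN’s or any vendor’s detection content; the event schema, field names, user names, and IP addresses are constructed to illustrate the logic and would need mapping onto your identity provider’s real audit log format.

```python
"""Correlate help-desk resets with follow-on MFA enrollments in identity audit logs.

Added example. EVENTS_JSON is a constructed, vendor-neutral audit log; the event
type strings and fields are assumptions, not a real provider's schema.
"""
import json
from datetime import datetime, timedelta

# How soon after a help-desk reset a new factor enrollment is considered suspicious
WINDOW = timedelta(hours=1)
ENROLL = "user.mfa.factor.enroll"
RESET_TYPES = ("user.password.reset", "user.mfa.factor.reset")

# Constructed events (not in time order on purpose; detect() sorts them)
EVENTS_JSON = """[
 {"ts": "2025-07-01T13:02:00Z", "type": "user.password.reset",   "actor": "helpdesk-agent", "target": "j.doe",   "ip": "203.0.113.9"},
 {"ts": "2025-07-01T13:09:30Z", "type": "user.mfa.factor.enroll", "actor": "j.doe",          "target": "j.doe",   "ip": "198.51.100.77"},
 {"ts": "2025-07-01T13:10:05Z", "type": "user.session.start",     "actor": "j.doe",          "target": "j.doe",   "ip": "198.51.100.77"},
 {"ts": "2025-06-30T09:00:00Z", "type": "user.session.start",     "actor": "j.doe",          "target": "j.doe",   "ip": "192.0.2.10"},
 {"ts": "2025-07-01T08:00:00Z", "type": "user.session.start",     "actor": "a.smith",        "target": "a.smith", "ip": "192.0.2.40"},
 {"ts": "2025-07-01T14:00:00Z", "type": "user.mfa.factor.enroll", "actor": "a.smith",        "target": "a.smith", "ip": "192.0.2.40"},
 {"ts": "2025-07-01T15:00:00Z", "type": "user.password.reset",    "actor": "helpdesk-agent", "target": "b.lee",   "ip": "203.0.113.9"},
 {"ts": "2025-07-01T18:30:00Z", "type": "user.mfa.factor.enroll", "actor": "b.lee",          "target": "b.lee",   "ip": "192.0.2.55"}
]"""


def load_events(raw):
    """Parse the JSON log and return events sorted by timestamp."""
    events = json.loads(raw)
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return one alert per suspicious MFA enrollment.

    high:   a third party reset the account within WINDOW before the enrollment
    medium: the enrollment came from an IP never seen for that user
    """
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != ENROLL:
            continue
        user = ev["target"]
        prior = events[:i]                      # everything that happened before this event
        reasons = []
        resets = [p for p in prior
                  if p["type"] in RESET_TYPES and p["target"] == user
                  and p["actor"] != user and ev["ts"] - p["ts"] <= WINDOW]
        if resets:
            last = resets[-1]
            minutes = int((ev["ts"] - last["ts"]).total_seconds() // 60)
            reasons.append(f"help-desk reset by {last['actor']} {minutes} min before enrollment")
        # Only the user's own activity defines their "known" IPs; the agent's IP does not count
        seen_ips = {p["ip"] for p in prior if p["actor"] == user}
        if ev["ip"] not in seen_ips:
            reasons.append(f"enrollment from IP {ev['ip']} never seen for this user")
        if reasons:
            alerts.append({
                "user": user,
                "ts": ev["ts"].isoformat(),
                "severity": "high" if resets else "medium",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(load_events(EVENTS_JSON)):
        print(a["severity"].upper(), a["user"], a["ts"], "|", "; ".join(a["reasons"]))
```

In the sample data j.doe is the textbook case (reset by the help desk, new factor seven minutes later from an unfamiliar address) and gets a high‑severity alert; a.smith enrolls a factor from a known address with no reset and produces nothing; b.lee’s reset falls outside the one‑hour window, so only the new‑IP rule fires at medium severity, which is the kind of alert you would route to a quick help‑desk callback rather than a full response.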

✔️ Plan for incidents

Keep offline, immutable backups, test that you can actually restore from them, have an IR playbook ready that covers identity‑provider and hypervisor compromise, and run drills against it.

Scattered Spider has outgrown its teenage prank roots. They are skilled social engineers, technically capable, and fast. But every one of their intrusions still depends on winning a person’s trust, so protect that front line.

Stay sharp, protect your help desk, and keep an eye on those sneaky new domains before they hook your users.

A blog post by the Western Research Advisory for Vulnerabilities, Exploits, and Networks (WRAVEN), a Cybersecurity group at Western Michigan University (WMU).