Scattered Spider
G10155 reportsAnalyst assessment — key judgments
- Signature techniques: T1589.001 (Credentials), T1588.006 (Vulnerabilities), T1559 (Inter-Process Communication).
- Primary targeting: US, GB, KR.
- Resurgent after a quiet period: 3 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 2 new technique(s), 19 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 77% of 13 observed techniques (3 gap(s)).
- Assessment confidence: medium (62).
Activity & trend
Movement — last 30 days
Vulnerabilities in this actor's reporting · 1
- CVE-2026-22769KEV1 rpt
Overview
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. (Citation: MSTIC Octo Tempest Operations October 2023) Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: CrowdStrike Scattered Spider BYOVD January 2023) (Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. (Citation: Mandiant UNC3944 May 2025)
ATT&CK technique matrix
- T1589.001 · Credentialsconf 704
- T1588.006 · Vulnerabilitiesconf 602
- T1559 · Inter-Process Communicationconf 652
- T1556.006 · Multi-Factor Authenticationconf 652
- T1053.005 · Scheduled Taskconf 601
- T1590.005 · IP Addressesconf 601
- T1552.003 · Shell Historyconf 601
- T1078.003 · Local Accountsconf 601
- T1588.007 · Artificial Intelligenceconf 601
- T1584.008 · Network Devicesconf 601
- T1684 · Social Engineeringconf 601
- T1589.002 · Email Addressesconf 601
Threat catalogue · engineering roadmap
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
Relationships
Activity
| Title | Source | Severity | Collected |
|---|