THREATOPS Actor Dossier
LIVE ← Dashboard

Scattered Spider

G10155 reports
aliases · Scattered Spider · Roasted 0ktapus · Octo Tempest · Storm-0875 · UNC3944
Export dossier:
5
Reports
12
Techniques
8
Tactics
3
Countries
77%
Hunt coverage
5
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1589.001 (Credentials), T1588.006 (Vulnerabilities), T1559 (Inter-Process Communication).
  • Primary targeting: US, GB, KR.
  • Resurgent after a quiet period: 3 report(s) in last 30d vs 0 prior (+100%).
  • Recent movement: 2 new technique(s), 19 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 77% of 13 observed techniques (3 gap(s)).
  • Assessment confidence: medium (62).

Activity & trend

ResurgentLast 30d: 3 vs 0 prior (+100%)· first reported 2026-03-23 · last 2026-07-13
1
7d
3
30d
3
90d
5
All
0.2
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1589.002T1559.001
Dropped (90d+)
T1588.006T1053.005T1590.005T1552.003T1078.003T1588.007T1584.008T1684
Targeting gained
GBUS
New infrastructure
9f1f11a708d393e0a4109ae189bc64f1f3e312659896a6fcb9bb5ac1ec5297b4a65be3f647589adfafc8a00883a4ea07df2dc1d4ed02f8a23b35c945e60ab99da105ee27ee09ea64ed8eb46d8edc92ee853baab97b1f3b03c1ffa55797e87867f5fb7ce32915b3f8b703eb744fc54c81f4a9c67f38de5b216c33833af710e88f7f64fc98cc4d231df34e57f59eb970353c7d9de2dbd8dbecaa80795c135137d69921fdba41acb30b9d662d48b7b4fc0ac3d4b79fhttps://techcrunch.com/2026/06/23/klue-shttps://www.buzzsprout.com/2033817/episo

Vulnerabilities in this actor's reporting · 1

Overview

Analyst triage
Intelligence summary

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. (Citation: MSTIC Octo Tempest Operations October 2023) Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: CrowdStrike Scattered Spider BYOVD January 2023) (Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. (Citation: Mandiant UNC3944 May 2025)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected