Exploiting the Human Layer: Scattered Spider’s Identity-Centric Attack Chain (2022–2025)
The Adversary
Scattered Spider, also tracked as UNC3944, is a financially motivated adversary group. The group has been particularly active in targeting prominent companies in retail, financial services, insurance, and technology across North America and Europe.
Its operations are characterized by precision and a deep understanding of identity and access management systems, as well as corporate processes.
Having started as an Initial Access Broker (IAB) in mid to late 2022, the group expanded its operations to include data exfiltration, extortion and full-scale ransomware activity. This evolution marked a significant escalation in both impact and sophistication. While Scattered Spider initially served as a gateway for other ransomware groups, it has since matured into a threat actor capable of carrying out end-to-end attacks.
Throughout this evolution, the group has relied heavily on the same weakness to infiltrate corporate networks: human vulnerabilities exploited through sophisticated social engineering techniques. These include phishing, vishing and SIM-swapping methods designed to bypass multi-factor authentication and gain access to high-privilege accounts.
The table below provides a comprehensive overview of the sectors targeted by Scattered Spider from 2022 to 2025, along with their primary malicious activities, affected regions and notable victim organizations.
Q2 2025 marked a notable surge in the adversary's operations, specifically targeting the U.S. insurance sector. Recent observed activity remained consistent with previously seen tactics, techniques and procedures.
- Help desk deception
Leveraging their native English-speaking skills, the group deceived help desk and IT staff into resetting credentials and disabling or bypassing security measures, including MFA.
- Reconnaissance of SaaS platforms in search of valuable data
SaaS platforms often host sensitive data, including financial details and customer records, but operate outside traditional on-premises security perimeters. With valid access, Scattered Spider targeted these environments in search of low-hanging fruit.
- AD reconnaissance
Scattered Spider used a collection of publicly known tools and scripts to enumerate the victim's Active Directory environment. Tools such as ADRecon, SharpHound and ADExplorer are well known to AV and EDR vendors, yet adversaries continue to use them successfully.
- Ransomware deployment
Scattered Spider used DragonForce ransomware to encrypt VMware ESXi hosts as a final step of the intrusion.
The Surge of Identity Threats
Scattered Spider, among other adversaries, has leveraged the lack of robust security mechanisms and monitoring around identities to achieve its objectives. These attackers are shifting their methods to stay ahead, while traditional security teams are still focused on securing their organizations at the endpoint level.
The main challenges with identity threats are:
- Bypass of traditional security controls
Identity attacks leverage flaws or weaknesses in authentication flows, including the human layer. As these attacks are usually outside the scope of classic security mechanisms focused on the network and endpoint level, an attacker can bypass these defense layers to interact with company resources.
- Expansion of impact across cloud and hybrid environments
Modern enterprises rely on federated identity providers to manage access to their cloud services and SaaS platforms. A compromised identity gives an attacker broad access to enterprise platforms, making it high value for adversaries and multiplying the potential impact of an attack.
- Stealthy attacks
Once in possession of valid credentials, obtained either through phishing or from an IAB, an attacker can simply log in as a legitimate user would and blend in with normal user activity. Many organizations do not effectively log and monitor sign-in events and activity across their identity providers and cloud environments.
Defensive Recommendations
From leveraging compromised identities for initial access to abusing hypervisors to deploy at-scale ransomware, Scattered Spider's techniques can often be caught and disrupted earlier.
Here are our recommendations:
- Enforce phishing-resistant authentication
Use hardware-backed security methods, such as FIDO2 or PKI, or authenticator apps instead of SMS or push-based MFA, which can be vulnerable to SIM swapping and MFA fatigue.
- Adopt Zero Trust identity controls
Deploy risk-based policies, enforce continuous verification and implement least-privilege access to isolate and protect resources.
- Deploy identity threat protection
Set up Identity Threat Detection and Response and XDR tools to monitor for anomalous or malicious login patterns, unusual user activity and suspicious resource usage.
- Prioritize log collection
Having the right data is key to building a robust detection system. Adapt your log collection strategy according to the threat landscape to cover blind spots, such as systems unmanaged by EDR, including hypervisors.
- Implement multi-perspective detection rules
Build detections in your XDR by leveraging complementary data perspectives. For example, use endpoint telemetry and network logs to detect reconnaissance activity in your environment.
- Monitor for leaked credentials sold by IABs
Continuously monitor dark web marketplaces and threat intelligence sources for leaked or stolen credentials associated with your organization.
- Conduct regular security awareness training for IT staff
Regular training for help desk and IT staff keeps them up to date with social engineering techniques, such as vishing, and improves their ability to recognize and respond to suspicious requests.
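The two recommendations above on identity threat protection (anomalous login patterns) and multi-perspective detection (endpoint plus network telemetry for reconnaissance) can be expressed as concrete correlation rules. The script below is an added example written for this article, not code from the original post or from any vendor product. All event records are constructed sample data, and the field names (ts, user, type, actor, image, src_host, dst_port), the baseline of known IPs, and the process image names used for the recon tools are assumptions modelled loosely on typical identity-provider, EDR and firewall exports.

```python
"""
Two detection rules over constructed identity, endpoint and network telemetry.

Rule 1 (identity chain): a help-desk-initiated password reset, followed within a
short window by a new MFA method registration and a successful sign-in from an
IP never seen before for that user. This is the help-desk deception chain the
article describes, seen from the defender's log perspective.

Rule 2 (multi-perspective AD recon): a known AD reconnaissance tool process seen
on a host (endpoint telemetry) combined with a burst of LDAP connections from
that host to a domain controller (network log) shortly afterwards.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real incident); field names are assumptions.
IDENTITY_EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "jdoe", "type": "password_reset", "actor": "helpdesk_agent"},
    {"ts": "2025-06-01T09:04:00", "user": "jdoe", "type": "mfa_method_added", "method": "authenticator_app"},
    {"ts": "2025-06-01T09:10:00", "user": "jdoe", "type": "sign_in", "ip": "203.0.113.10", "result": "success"},
    {"ts": "2025-06-01T10:00:00", "user": "asmith", "type": "password_reset", "actor": "self_service"},
    {"ts": "2025-06-01T10:05:00", "user": "asmith", "type": "sign_in", "ip": "198.51.100.5", "result": "success"},
]
# Constructed baseline of IPs previously observed per user.
KNOWN_IPS = {"jdoe": {"198.51.100.20"}, "asmith": {"198.51.100.5"}}

ENDPOINT_EVENTS = [
    {"ts": "2025-06-01T11:00:00", "host": "WS-042", "type": "process_start", "image": "SharpHound.exe"},
    {"ts": "2025-06-01T11:30:00", "host": "WS-017", "type": "process_start", "image": "outlook.exe"},
]
NETWORK_EVENTS = [
    # 50 LDAP connections from WS-042 to the DC within one minute (constructed burst).
    *[{"ts": f"2025-06-01T11:01:{s:02d}", "src_host": "WS-042", "dst": "DC01", "dst_port": 389} for s in range(50)],
    {"ts": "2025-06-01T11:31:00", "src_host": "WS-017", "dst": "DC01", "dst_port": 389},
]

# Process image names for the tools named in the article; exact file names are assumptions.
RECON_TOOLS = {"sharphound.exe", "adrecon.ps1", "adexplorer.exe"}


def parse(ts):
    return datetime.fromisoformat(ts)


def detect_identity_takeover_chain(events, known_ips, window=timedelta(minutes=30)):
    """Return users for whom help-desk reset -> new MFA method -> sign-in from unknown IP
    all occur within `window`. Self-service resets are excluded to reduce noise."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["type"] != "password_reset" or e.get("actor") != "helpdesk_agent":
                continue
            t0 = parse(e["ts"])
            later = [x for x in evs[i + 1:] if parse(x["ts"]) - t0 <= window]
            mfa_added = any(x["type"] == "mfa_method_added" for x in later)
            new_ip_login = any(
                x["type"] == "sign_in" and x.get("result") == "success"
                and x.get("ip") not in known_ips.get(user, set())
                for x in later
            )
            if mfa_added and new_ip_login:
                hits.append(user)
                break  # one alert per user is enough
    return hits


def detect_ad_recon(endpoint_events, network_events, ldap_threshold=20, window=timedelta(minutes=5)):
    """Return hosts where a known recon tool started AND at least `ldap_threshold` LDAP
    connections to any destination followed within `window` (endpoint + network view)."""
    hits = []
    for e in endpoint_events:
        if e["type"] != "process_start" or e["image"].lower() not in RECON_TOOLS:
            continue
        t0 = parse(e["ts"])
        ldap = [
            n for n in network_events
            if n["src_host"] == e["host"] and n["dst_port"] == 389
            and 0 <= (parse(n["ts"]) - t0).total_seconds() <= window.total_seconds()
        ]
        if len(ldap) >= ldap_threshold:
            hits.append({"host": e["host"], "tool": e["image"], "ldap_connections": len(ldap)})
    return hits


if __name__ == "__main__":
    print("identity takeover chain:", detect_identity_takeover_chain(IDENTITY_EVENTS, KNOWN_IPS))
    print("AD recon (endpoint + network):", detect_ad_recon(ENDPOINT_EVENTS, NETWORK_EVENTS))
```

Rule 1 deliberately keys on the help-desk actor rather than on any reset, because the article's point is that the reset itself looks legitimate; it is the sequence (reset, new MFA factor, unfamiliar sign-in) that distinguishes the takeover. Rule 2 only fires when both perspectives agree, so a renamed binary that evades the process-name match still has to explain the LDAP burst, and a legitimate admin running an occasional query does not trip the threshold.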
References:
https://cloud.google.com/blog/topics/threat-intelligence/technical-analysis-vishing-threats
https://therecord.media/scattered-spider-targeting-insurance-sector-following-retail-attacks