Since April 2025, threat activity associated with the cybercriminal group Scattered Spider has increased significantly. Combining sophisticated social engineering techniques – including targeted phishing, voice phishing (vishing) and third-party compromise – the group has successfully compromised multiple high-profile organisations in the retail, insurance and transport sectors, with a focus on UK- and US-based entities.

The group's activity is increasing in tempo and expanding in reach across regions and sectors. On 10 July, four members were arrested for computer misuse and money laundering offences connected to the M&S hack in April. Members have been arrested previously, with limited impact on the group’s activities. The group will likely continue to pose a threat.

For cyber teams and stakeholders responsible for digital resilience, familiarisation with the group's tactics, techniques and procedures (TTPs) and the deployment of matching mitigation strategies are key.

Does your cyber team know the group's key tactics and techniques? Are all employees aware of the sophisticated social engineering tactics? Are your third-party organisations prepared? 

What is Scattered Spider?

Scattered Spider (also tracked under the names UNC3944, Octo Tempest and Muddled Libra) is a loose cybercriminal grouping, believed to consist primarily of young UK- and US-based operatives. The financially motivated group first emerged in 2022 and conducted its first high-profile compromises in 2023.

Scattered Spider remains a key threat actor within the cybercriminal landscape and has significantly ramped up its threat activity in recent months. The group’s operatives have consistently proven to be particularly skilled social engineers, gaining initial access that they then use proficiently to conduct data theft and system encryption. Their tactics include in-depth preparatory phases, targeted phishing and social engineering impersonation, and varied ransomware payloads.

Publicly reported Scattered Spider operations have caused significant operational disruption to victims, with recovery periods ranging from weeks to months, and estimated incident costs reaching up to GBP 300m. The group’s recent operational successes will likely motivate the group’s operatives to maintain threat activity levels in the short to medium term.

Although Scattered Spider has consistently focused its operations primarily on UK- and US-based entities, changes to its sector-based targeting rationale remain difficult to predict. The group continues to show a preference for focusing on a single sector at a time, pivoting quickly to a different industry once its objectives have been satisfied. The targeting of the aviation sector in July is a pivot from a focus on the insurance sector in June, which, in turn, was preceded by a focus on the retail sector in April and May.

Given the group's consistent preference for social engineering tactics, sectors dependent on public-facing call centres – such as casinos, airlines and retail – are more likely to be future targets.

Scattered Spider's typical toolkit:

• Legitimate remote-access tools, such as AnyDesk, TeamViewer and ScreenConnect
• Easily accessible tools like Raccoon Stealer, Vidar Stealer and the WarZone RAT to steal data
• DragonForce, ALPHV/BlackCat, Qilin and possibly Avaddon ransomware payloads for extortion purposes

Increased tempo

Since April 2025, Scattered Spider has been operating at a rapid pace. Compared to other highly active cybercriminal groups, Scattered Spider has conducted a substantial number of high-profile compromises in a relatively brief period. This is particularly noteworthy when considering the group is leveraging sophisticated social engineering and third-party compromise methods as part of its modus operandi.

This sudden spike from Scattered Spider comes after a quieter period following the arrest of five members in November 2024. The recent attacks display the group's sophistication as well as its increased intent.

What organisations should be doing now

Organisations across sectors, particularly in the UK and US, should familiarise themselves with Scattered Spider’s known tactics, techniques and procedures (TTPs) and ingest indicators of compromise (IoCs) for endpoint detection of malicious activity. Organisations should consider reviewing existing mitigations and controls against the TTPs outlined in this document to build a layered defence against the group.

Large brands in the retail, aviation, transport, insurance and financial services sectors in the countries mentioned above should consider red teaming a Scattered Spider attack simulation scenario, using the confirmed TTPs in this document mapped to the organisation’s critical assets. This could be followed by a crisis management exercise that draws on the outcomes of the Scattered Spider attack simulation.

Conducting general employee training on phishing techniques associated with Scattered Spider would also be valuable. Call centre and IT desk employees should be provided with specialised training on the threat of vishing scams and be advised to follow set procedures for credential resets and multi-factor authentication (MFA) access.
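One concrete way to turn the toolkit list above and the help-desk reset procedures into an endpoint detection, as an added illustration that is not part of the original advisory: flag launches of the named remote-access tools from hosts outside an IT allowlist, and raise severity when the same user received a help-desk credential or MFA reset shortly beforehand. The host names, user names, log format, allowlist and two-hour correlation window are all constructed assumptions for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Binary names of the remote-access tools named in the advisory (lower-cased for matching).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
APPROVED_HOSTS = {"it-support-01"}   # hypothetical: hosts where IT legitimately runs these tools
RESET_WINDOW = timedelta(hours=2)    # assumed window linking a help-desk reset to a later launch

# Constructed sample telemetry: JSON-lines process-creation events and help-desk reset events.
PROCESS_LOG = r"""
{"ts": "2025-07-01T09:05:00Z", "host": "it-support-01", "user": "it.admin", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"}
{"ts": "2025-07-01T10:12:00Z", "host": "ws-finance-17", "user": "j.doe", "image": "C:\\Users\\j.doe\\Downloads\\AnyDesk.exe"}
{"ts": "2025-07-01T10:20:00Z", "host": "ws-finance-17", "user": "j.doe", "image": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2025-07-01T14:00:00Z", "host": "ws-sales-03", "user": "a.smith", "image": "C:\\Users\\a.smith\\Downloads\\TeamViewer.exe"}
"""
RESET_LOG = r"""
{"ts": "2025-07-01T09:40:00Z", "user": "j.doe", "action": "mfa_reset", "by": "helpdesk"}
{"ts": "2025-06-30T08:00:00Z", "user": "a.smith", "action": "password_reset", "by": "helpdesk"}
"""

def parse_log(text):
    return [json.loads(line) for line in text.strip().splitlines()]

def ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def basename(image):
    # Normalise Windows or POSIX paths to a lower-cased file name.
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_alerts(process_log=PROCESS_LOG, reset_log=RESET_LOG):
    resets = parse_log(reset_log)
    alerts = []
    for ev in parse_log(process_log):
        tool = basename(ev["image"])
        if tool not in REMOTE_ACCESS_TOOLS or ev["host"] in APPROVED_HOSTS:
            continue
        # A help-desk reset for the same user shortly before the launch matches the
        # vishing-then-remote-access pattern and raises the alert severity.
        recent = [r for r in resets
                  if r["user"] == ev["user"] and timedelta(0) <= ts(ev) - ts(r) <= RESET_WINDOW]
        alerts.append({
            "host": ev["host"], "user": ev["user"], "tool": tool,
            "severity": "high" if recent else "medium",
            "reason": "remote-access tool launched outside approved hosts"
                      + (" after help-desk reset" if recent else ""),
        })
    return alerts

if __name__ == "__main__":
    for alert in find_alerts():
        print(alert)
```

In production the allowlist would come from the asset inventory and the reset events from the identity provider's audit log rather than inline strings.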

Organisations should consider sharing this information, and their own knowledge of the topic, with third-party organisations that have customer-facing responsibilities, in order to understand the proactive and preparatory activities those third parties have in place to mitigate a Scattered Spider attack.

Is your organisation prepared?

Cyber attacks are more frequent and impactful as organisations’ dependence on technology increases. Given the growing sophistication of threat actors and expanding regulatory scrutiny, will you be able to respond comprehensively when the worst-case scenario materialises? Find out how Control Risks can support your organisation
