Scattered Spider
Aliases: Roasted 0ktapus, Octo Tempest, Storm-0875
Scattered Spider is a native English-speaking cybercriminal group that has been active since at least 2022. The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, Scattered Spider expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors. During campaigns, Scattered Spider has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.
ATT&CK techniques
T1598: Phishing for Information
T1553.002: Code Signing
T1556.009: Conditional Access Policies
T1580: Cloud Infrastructure Discovery
T1003.003: NTDS
T1087.002: Domain Account
T1484.002: Trust Modification
T1564.008: Email Hiding Rules
T1539: Steal Web Session Cookie
T1552.004: Private Keys
T1538: Cloud Service Dashboard
T1486: Data Encrypted for Impact
T1133: External Remote Services
T1204: User Execution
T1556.006: Multi-Factor Authentication
T1083: File and Directory Discovery
T1219: Remote Access Software
T1657: Financial Theft
T1213.003: Code Repositories
T1098.003: Additional Cloud Roles
T1621: Multi-Factor Authentication Request Generation
T1213.005: Messaging Applications
T1068: Exploitation for Privilege Escalation
T1530: Data from Cloud Storage
T1217: Browser Information Discovery
T1006: Direct Volume Access
T1136: Create Account
T1018: Remote System Discovery
T1567.002: Exfiltration to Cloud Storage
T1598.004: Spearphishing Voice
T1074: Data Staged
T1021.007: Cloud Services
T1578.002: Create Cloud Instance
T1552.001: Credentials In Files
T1114: Email Collection
T1656: Impersonation