
Warnings Issued: Strategic Adjustments Detected in Scattered Spider

Warnings issued to sharing groups: Scattered Spider remains a significant danger

Vocal organizations call for heightened caution as the elusive Scattered Spider group adapts its methods


Scattered Spider Continues to Pose a Significant Threat

The cybercrime gang Scattered Spider, known for its English-speaking members primarily based in the United States and the United Kingdom, has shown resilience and adaptability following a series of recent arrests. Despite the arrest of four suspected members, the group remains active and evolving, as reported by various sources.

In the past few months, Scattered Spider has been observed collaborating with other cybercrime gangs, such as ShinyHunters and Lapsus$, forming a broader collective known as "The Com." The gang has also been found to use sophisticated social engineering tactics, including phishing, push bombing, and SIM swapping, and has increasingly targeted VMware ESXi servers with DragonForce ransomware.

Recent reports suggest that Scattered Spider is acting as an initial access broker for ShinyHunters, indicating operational collaboration within this network. The groups have synchronized their campaigns across multiple sectors, including retail, insurance, and aviation, from April through August 2025.

Evidence of a merging or close partnership between Scattered Spider and ShinyHunters has been observed, with shared tactics such as voice phishing ("vishing"), Salesforce product exploitation, use of Okta-themed phishing, and similar data exfiltration techniques.

The coalition of information-sharing groups, which represents various sectors including financial services, food and agriculture, information technology, healthcare, aviation, automotive, retail, maritime, and electricity, has urged its members to be diligent in continually monitoring their processes and identities to look for new exploits.

Scattered Spider's activities have extended to various industries, including retail, food and agriculture, airline, and possibly others. John Denning, the chief information security officer at the FS-ISAC, has stated that Scattered Spider presents a real threat and financial services firms must remain diligent.

The threat of Scattered Spider extends across borders and industries, and its historical activity indicates that its focus will shift as it identifies new organizations and sectors to exploit. In the past, the gang has taken a step back following high-profile arrests only to later resume activities, as was the case following the arrests of four suspected members.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) previously warned that Scattered Spider had developed an evolving set of tactics to conduct social-engineering attacks on its targets. To mitigate potential attacks, the coalition has urged its members to develop multichannel verification methods to ensure password resets or other requests are coming from a real employee.

Notable targets of Scattered Spider's attacks include British department store Marks & Spencer, Whole Foods distributor United Natural Foods, and Australian airline Qantas. The arrested members were allegedly involved in hacking three major British retailers.

In light of these developments, it is crucial for organizations to remain vigilant and proactive in their cybersecurity measures. The coalition of information-sharing groups continues to urge its members to stay informed and take additional steps to protect themselves from Scattered Spider and similar threat groups.


  1. The evolving nature of Scattered Spider's threats in the realm of cybersecurity necessitates a heightened focus on privacy in various industries, such as finance and technology, due to their sophisticated social engineering tactics and data exfiltration techniques.
  2. Given the coalition's warnings about Scattered Spider's ongoing activities in collaboration with groups like ShinyHunters, it's crucial for industries like IT and healthcare to prioritize cybersecurity measures, such as multichannel verification methods, to mitigate the risks of social-engineering attacks.
  3. In the wake of Scattered Spider's recent collaborations and attacks on companies across multiple sectors, cybersecurity professionals within the industry should stay informed of the latest threat intelligence, as indicated by the shared resources provided by the coalition.
