Scattered Spider is a financially motivated cybercriminal group targeting large enterprises using sophisticated social engineering and malware including ransomware like ALPHV/BlackCat and DragonForce. AttackIQ provides detailed emulation content and assessment templates to help organizations evaluate and improve their security posture against this persistent threat. #ScatteredSpider #ALPHVBlackCat #DragonForce
Key points
- Scattered Spider, active since mid-2022, targets large enterprises in telecommunications, technology, finance, and retail.
- The group uses advanced social engineering tactics, including IT staff impersonation, MFA fatigue, and SIM swap attacks.
- They deploy Remote Management Tools, LOLBins, Mimikatz, Impacket, stealers, RATs, and ransomware like ALPHV/BlackCat and DragonForce.
- Attribution includes the September 2023 MGM Resorts International breach and suspected attacks on Marks & Spencer, Co-Op, and Harrods.
- AttackIQ has developed emulation content and assessment templates for Scattered Spider's malware families and tools to aid defense validation.
- Assessment templates cover malware samples, scripts and tools, and techniques used by Scattered Spider to improve detection and response capabilities.
- AttackIQ's platform aligns with CTEM frameworks and supports MSSP partners for continuous security optimization against evolving threats.
MITRE Techniques
- [T1110] Brute Force – MFA fatigue attacks that flood a user with repeated multi-factor authentication prompts until one is approved.
- [T1486] Data Encrypted for Impact – Use of the ransomware families ALPHV/BlackCat and DragonForce to disrupt networks and cause financial damage.
- [T1218] Signed Binary Proxy Execution – Use of Living Off the Land Binaries (LOLBins) to evade detection and execute malicious code.
- [T1003] Credential Dumping – Use of Mimikatz and LaZagne to dump passwords and hashes from compromised hosts ("Dump Passwords using LaZagne: This scenario uses the open-source tool LaZagne to dump all possible credentials available on the host.").
- [T1071] Application Layer Protocol – Remote Access Trojans (RattyRAT, SpectreRAT, Sorrilus RAT) employed for command and control.
- [T1059] Command and Scripting Interpreter – Use of scripts and tools such as Impacket wmiexec.py and PowerShell scripts for lateral movement and execution.
- [T1086] PowerShell – The group uses PowerShell scripts and tools such as secretsdump.py and SecretServerSecretStealer for credential access.
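The MFA fatigue technique listed under T1110 leaves a recognisable pattern in identity-provider logs: a burst of denied or timed-out push prompts for one account, sometimes followed by an approval. The following detection heuristic is an added example written for this summary; it is not AttackIQ's emulation content, and the log line format, the ten-minute window and the four-prompt threshold are assumptions chosen for illustration. The sample log is constructed.

```python
"""Detect MFA push-fatigue bursts (MITRE T1110 as used by Scattered Spider).

Added example, not AttackIQ code. The log format below is an assumed fixed
layout: <ISO-8601 timestamp> <user> <mfa event> <source ip>. Event names
push_denied / push_timeout / push_approved are assumptions, not any vendor's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): alice receives five unapproved
# prompts in three minutes and then approves one; bob and carol look normal.
SAMPLE_LOG = """\
2025-05-29T08:00:01Z alice@corp.example push_denied 203.0.113.5
2025-05-29T08:00:40Z alice@corp.example push_denied 203.0.113.5
2025-05-29T08:01:15Z alice@corp.example push_timeout 203.0.113.5
2025-05-29T08:01:50Z alice@corp.example push_denied 203.0.113.5
2025-05-29T08:02:30Z alice@corp.example push_denied 203.0.113.5
2025-05-29T08:03:05Z alice@corp.example push_approved 203.0.113.5
2025-05-29T08:05:00Z bob@corp.example push_approved 198.51.100.7
2025-05-29T09:10:00Z carol@corp.example push_denied 192.0.2.9
2025-05-29T09:45:00Z carol@corp.example push_approved 192.0.2.9
"""

WINDOW = timedelta(minutes=10)  # assumed sliding window per user
THRESHOLD = 4                   # assumed: >= 4 unapproved prompts in the window
UNAPPROVED = ("push_denied", "push_timeout")


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, ip


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: finding} for accounts whose unapproved push prompts reach
    the threshold inside the window. A finding records the largest burst seen,
    the source IPs behind it, and whether an approval followed the burst, which
    is the case a responder should treat as a likely account compromise."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # user -> deque of (ts, ip) unapproved prompts
    findings = {}
    for ts, user, event, ip in events:
        q = recent[user]
        while q and ts - q[0][0] > window:  # drop prompts outside the window
            q.popleft()
        if event in UNAPPROVED:
            q.append((ts, ip))
            if len(q) >= threshold:
                f = findings.setdefault(
                    user, {"prompts": 0, "sources": set(), "approved_after_burst": False})
                f["prompts"] = max(f["prompts"], len(q))
                f["sources"].update(src for _, src in q)
        elif event == "push_approved" and user in findings and len(q) >= threshold:
            # Approval while a burst is still inside the window: highest severity.
            findings[user]["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, finding)
```

Only alice is flagged: five unapproved prompts from one source inside the window and an approval afterwards. Tuning the window and threshold to the organisation's own baseline of legitimate denied prompts is what keeps this from paging on every mistyped login; the approval-after-burst flag is the field worth routing straight to incident response.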
Indicators of Compromise
- [Malware Families] Ransomware and stealers associated with Scattered Spider – ALPHV/BlackCat, DragonForce, Lumma Stealer, Atomic Stealer, and Raccoon Stealer.
- [Remote Access Trojans] RAT samples linked to group activity – RattyRAT, SpectreRAT, and Sorrilus RAT.
- [Tools and Scripts] Utilities used for credential dumping and lateral movement – Mimikatz, LaZagne, Impacket wmiexec.py, secretsdump.py.
- [Attack Techniques] Tools for discovery and scanning – ADRecon, RustScan, TruffleHog, and AdvancedIPScanner.
Read more: https://www.attackiq.com/2025/05/29/emulating-scattered-spider/