Scattered Spider Attacks | Infrastructure and TTP Analysis
Background on Recent Scattered Spider Attacks
Throughout 2024 and 2025, Scattered Spider has been a prolific English-speaking cybercriminal threat group, part of a broader community of cybercriminals dubbed TheCom, short for The Community. In May 2024, at the cybercrime-focused Sleuthcon conference, the FBI warned that Scattered Spider and other members of TheCom were responsible for multiple high-profile, multi-million dollar breaches.
In 2023, MGM Resorts disclosed via its US Securities and Exchange Commission (SEC) filing that the overall cost of the ALPHV/BlackCat ransomware attack linked to Scattered Spider was $100 million USD. In mid-2025, Marks & Spencer said it expected to take an estimated £300 million hit following the DragonForce ransomware attack linked to Scattered Spider. Google’s security experts also assessed that Scattered Spider was responsible for the Co-op and Harrods attacks in mid-2025.
Where did the name “Scattered Spider” come from?
The name Scattered Spider was originally used by CrowdStrike and has been adopted by multiple other organizations such as the US Cybersecurity and Infrastructure Security Agency (CISA) and MITRE. Other cybersecurity companies have given them other names, such as UNC3944 by Google Mandiant, 0ktapus by Group-IB, Octo Tempest by Microsoft, Scatter Swine by Okta, and Muddled Libra by Palo Alto Networks.
What are Scattered Spider’s capabilities?
Scattered Spider is best known as an English-speaking affiliate of ransomware-as-a-service (RaaS) platforms run by Russian-speaking threat actors, including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce.
Their typical tactics, techniques, and procedures (TTPs) involve using social engineering tactics for initial access. This includes calling IT help desk technicians, posing as employees, and convincing them to reset a password or install a remote monitoring and management (RMM) tool to grant them access. Single sign-on (SSO)-themed SMS phishing campaigns and SIM swapping campaigns targeting enterprise account credentials have also been linked to Scattered Spider intrusions.
Once they have gained access, Scattered Spider tends to test access to all available SSO-integrated applications and aims to move laterally to virtualised environments such as VMware ESXi hypervisors or cloud-hosted virtual machines. Once privileged access has been acquired, Scattered Spider tends to exfiltrate sensitive corporate data and deploy ransomware generated from one of the several RaaS platforms they have access to.
Scattered Spider’s Adversary Infrastructure Profile
Scattered Spider style attacks remain a large focus for many of Team Cymru’s customers. To support threat detection programs, Team Cymru has analyzed open source intelligence (OSINT) reporting about Scattered Spider’s preferred choice of infrastructure to use for launching intrusions.
At a high level, Scattered Spider intrusions have typically leveraged the following types of infrastructure:
- Common consumer-level virtual private network (VPN) clients
- Connection tunneling web services
- Free file-sharing and paste site web services
- Large-scale residential proxy networks
- Infostealer malware exfiltration servers
- RMM tool web services
- SSO-themed domains for SMS phishing
The Challenges with Scattered Spider’s Infrastructure
One of the significant challenges from Scattered Spider is the sheer reuse and shared nature of the infrastructure they use. By utilizing legitimate, high-reputation services, they effectively hide in plain sight, making it untenable for defenders to block their indicators without disrupting normal business operations.
Unlike known malicious IPs, VPN exit nodes are used by millions of legitimate users. Defenders cannot easily create a block-list of these IPs without risking significant false positives, especially in a world of remote work where employees might use personal VPNs and rotating IPs.
Traffic to file-sharing services is also often legitimate: employees sharing large files with others. Since these sites use standard HTTPS, behavioral analytics are required to distinguish a malicious upload from a legitimate one.
To further blend in, Scattered Spider operators use residential proxy networks. These networks route attacker traffic through home internet connections (IoT devices, smart TVs, or home routers) belonging to individuals. If an organization blocks logins from outside the US, the attackers can simply use a proxy with a US-based residential IP. Plus, to security logs, the login appears to come from a standard domestic internet service provider (ISP), making it look like a typical remote employee.
The shared nature of VPN and proxy infrastructure creates a blended threat environment. When an alert triggers for an Ngrok tunnel, file-sharing service, or a login from an unknown residential IP, it is not immediately clear if it is a developer testing a site, an employee working from a hotel, or a Scattered Spider operative.
In the sections below, we have shared an explanation of the types of infrastructure used by Scattered Spider as well as Scout queries for Team Cymru customers to leverage in investigations and automation.
Common VPN Brands Used by Scattered Spider
Multiple cybersecurity teams (Coinbase, Cloudflare) have reported Scattered Spider operators using various VPN brands for connecting to remote servers and masking the origin IP addresses. Using Scout, it is possible to identify these brands of VPN exit nodes. Mullvad, NordVPN, and ExpressVPN are the most regularly observed.
Scout Query
tag = "mullvad,nordvpn,expressvpn"
Hunting Tip: Defenders can focus on SSO or VPN endpoints and look for successful authentications originating from IPs tagged as these consumer-grade VPN brands.
Connection Tunneling Tools Used by Scattered Spider
Connection proxy tools have been reportedly used by Scattered Spider operators according to cybersecurity vendor blogs (Google, Palo Alto Networks). This includes Ngrok, Teleport, and Pinggy.
Scout Query
pdns.domain = "*ngrok.io, jumia.teleport.sh, *.pinggy.click"
Hunting Tip: Search for outbound flows from your internal servers to these connection tunneling endpoints. If that IP is also associated with SSH or RDP traffic coming back into your network, you have potentially identified an active adversary-controlled tunnel.
Free File-Sharing Sites Reportedly Used by Scattered Spider
Online web services that enable operators to upload and download large files are regularly used for data exfiltration by Scattered Spider members according to multiple vendors (CrowdStrike, Canadian Government). Data stolen from applications, as well as dumped credentials, have been transmitted using these file-sharing and also text paste sites.
Scout Query
pdns.root = "file.io, paste.ee, gofile.io, storjshare.io, temp.sh, put.io, transfer.sh, shz.al, mega.nz" tag != "amazon"
Hunting Tip: Look for a sudden spike in outbound byte counts (exfiltration) to these services. Pivot on the storage IP. If it has a history of being a destination for multiple disparate organizations (visible via Team Cymru’s global netflow perspective), it could be a shared actor-controlled staging point.
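The two netflow hunts described in the tips above (the reverse-tunnel correlation for tunneling endpoints, and the outbound byte-count spike to file-sharing services) as working detection logic. This is an added example, not Team Cymru code or Scout syntax: the flow records and the IP-to-domain resolution table are constructed stand-ins for exported flow logs and for a passive DNS lookup of the tunnel and file-sharing hostnames listed on this page.

```python
"""
Netflow hunts for (1) adversary-controlled reverse tunnels and (2) exfiltration
spikes to file-sharing services.  Added example; the flow records and the pDNS
table below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

TUNNEL_DOMAINS = {"ngrok.io", "teleport.sh", "pinggy.click"}
FILESHARE_DOMAINS = {"file.io", "paste.ee", "gofile.io", "storjshare.io",
                     "temp.sh", "put.io", "transfer.sh", "shz.al", "mega.nz"}

# Constructed pDNS resolution table: remote IP -> root domain it resolved from.
PDNS = {
    "203.0.113.10": "ngrok.io",
    "203.0.113.20": "gofile.io",
    "198.51.100.5": "mega.nz",
}

# Constructed flow records: (day, src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    # An internal server reaches out to a tunnel provider edge...
    ("2025-06-01", "10.0.5.12", "203.0.113.10", 443, 8_000),
    # ...and the same remote IP later connects inbound to RDP on that server.
    ("2025-06-01", "203.0.113.10", "10.0.5.12", 3389, 1_200_000),
    # Normal daily uploads from a workstation to file-sharing services.
    ("2025-05-28", "10.0.9.3", "203.0.113.20", 443, 4_000_000),
    ("2025-05-29", "10.0.9.3", "203.0.113.20", 443, 3_500_000),
    ("2025-05-30", "10.0.9.3", "203.0.113.20", 443, 4_200_000),
    ("2025-05-31", "10.0.9.3", "198.51.100.5", 443, 3_900_000),
    # Spike day: roughly 120x the host's own baseline.
    ("2025-06-01", "10.0.9.3", "198.51.100.5", 443, 480_000_000),
]

INTERNAL_PREFIX = "10."          # assumption: internal space is 10.0.0.0/8
INTERACTIVE_PORTS = {22, 3389}   # SSH and RDP

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def root_domain(ip, pdns=PDNS):
    return pdns.get(ip)

def find_reverse_tunnels(flows, pdns=PDNS):
    """Internal hosts with an outbound flow to a tunnel provider where the same
    remote IP also originates inbound SSH/RDP into the network."""
    outbound = set()
    for _, src, dst, _, _ in flows:
        if is_internal(src) and root_domain(dst, pdns) in TUNNEL_DOMAINS:
            outbound.add((src, dst))
    hits = []
    for _, src, dst, port, _ in flows:
        if not is_internal(src) and is_internal(dst) and port in INTERACTIVE_PORTS:
            if (dst, src) in outbound:
                hits.append({"internal": dst, "tunnel_ip": src, "port": port,
                             "provider": root_domain(src, pdns)})
    return hits

def find_exfil_spikes(flows, pdns=PDNS, zscore=3.0, min_bytes=50_000_000):
    """Per internal host, sum daily bytes sent to file-sharing services and flag
    a day that is both an outlier against that host's own prior days and above
    an absolute floor (so a first-ever 1 KB upload is not a 'spike')."""
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, _, nbytes in flows:
        if is_internal(src) and root_domain(dst, pdns) in FILESHARE_DOMAINS:
            daily[src][day] += nbytes
    hits = []
    for host, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < 3:
                continue  # not enough baseline to judge
            mu, sigma = mean(history), pstdev(history)
            z = (per_day[day] - mu) / sigma if sigma else float("inf")
            if per_day[day] >= min_bytes and z >= zscore:
                hits.append({"host": host, "day": day, "bytes": per_day[day],
                             "baseline_mean": round(mu), "z": round(z, 1)})
    return hits

if __name__ == "__main__":
    print(find_reverse_tunnels(FLOWS))
    print(find_exfil_spikes(FLOWS))
```

The tunnel check deliberately requires both directions: outbound to the provider plus inbound interactive traffic from the same IP. Outbound alone is what a developer testing a webhook looks like; the pair is what an operator's RDP-over-Ngrok session looks like. The spike check baselines each host against itself rather than against a global threshold, because the file-sharing services in the query are shared and a fixed byte limit would either miss a low-volume host or drown in a design team's daily uploads.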
Residential Proxy Services used by Scattered Spider
To evade geo-IP restrictions and avoid “impossible travel” alerts in identity and access management (IAM) systems, Scattered Spider members have been known to use residential proxy services such as Luminati and OxyLabs, according to multiple vendors (Lumen, Palo Alto Networks).
Scout Query
tag = "luminati-proxy,oxylabs-proxy"
Hunting Tip: Similarly to VPN nodes, defenders can focus on SSO or VPN endpoints and look for successful authentications originating from IPs tagged as these residential proxy services.
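The hunting tip for consumer VPN exit nodes above and the one for residential proxies here are the same hunt with different tags, so one piece of detection logic serves both. The following is an added example, not Team Cymru code or an API: the JSON authentication events and the IP-to-tag table are constructed stand-ins for SSO logs and for the tag lookup an enrichment source such as Scout would return.

```python
"""
Hunt for successful SSO authentications from consumer VPN or residential
proxy exit nodes.  Added example; the log lines and the IP_TAGS table are
constructed for illustration.
"""
import json
from collections import defaultdict

# Tags this page associates with Scattered Spider anonymisation infrastructure.
VPN_TAGS = {"mullvad", "nordvpn", "expressvpn"}
PROXY_TAGS = {"luminati-proxy", "oxylabs-proxy"}
RISKY_TAGS = VPN_TAGS | PROXY_TAGS

# Constructed enrichment table (stand-in for a tag lookup API).
IP_TAGS = {
    "198.51.100.7": {"nordvpn", "vpn"},
    "203.0.113.45": {"oxylabs-proxy", "residential"},
    "192.0.2.10": {"corporate-router"},
}

# Constructed SSO events, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-06-01T08:02:11Z","user":"alice","src_ip":"192.0.2.10","result":"SUCCESS","app":"okta"}
{"ts":"2025-06-01T08:05:40Z","user":"bob","src_ip":"198.51.100.7","result":"SUCCESS","app":"okta"}
{"ts":"2025-06-01T08:06:02Z","user":"bob","src_ip":"198.51.100.7","result":"FAILURE","app":"vpn"}
{"ts":"2025-06-01T09:15:00Z","user":"carol","src_ip":"203.0.113.45","result":"SUCCESS","app":"okta"}
{"ts":"2025-06-01T09:20:13Z","user":"carol","src_ip":"203.0.113.45","result":"SUCCESS","app":"vmware-vcenter"}
"""

def enrich(ip, tag_table=IP_TAGS):
    """Return the set of infrastructure tags for an IP (empty if unknown)."""
    return set(tag_table.get(ip, ()))

def hunt_risky_logins(log_text, tag_table=IP_TAGS):
    """Return successful auth events whose source IP carries a VPN/proxy tag.

    Each hit records which tag category fired so an analyst can triage
    consumer VPN (plausibly a remote worker) separately from residential
    proxy (rarely a legitimate corporate egress path).
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["result"] != "SUCCESS":
            continue  # failures are noise here; we care about access that worked
        matched = enrich(ev["src_ip"], tag_table) & RISKY_TAGS
        if matched:
            category = "residential-proxy" if matched & PROXY_TAGS else "consumer-vpn"
            hits.append({"ts": ev["ts"], "user": ev["user"], "src_ip": ev["src_ip"],
                         "app": ev["app"], "tags": sorted(matched),
                         "category": category})
    return hits

def apps_per_user(hits):
    """Group hits by user.  One identity touching several SSO-integrated apps
    from a proxy is the 'test access to all available SSO-integrated
    applications' behaviour described earlier on this page."""
    out = defaultdict(set)
    for h in hits:
        out[h["user"]].add(h["app"])
    return {u: sorted(a) for u, a in out.items()}

if __name__ == "__main__":
    found = hunt_risky_logins(SAMPLE_LOG)
    for h in found:
        print(h)
    print(apps_per_user(found))
```

Filtering to successes first is deliberate: a failed login from a VPN is everyday noise, while a successful one from a residential proxy followed by access to a second application (here, vCenter, the path to the hypervisors the group targets) is the sequence worth paging on.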
Infostealer Malware Families used by Scattered Spider
Scattered Spider members are known for using valid stolen credentials to log in remotely to target accounts via VPNs and residential proxy services. These credentials and session cookies are often previously stolen from unmonitored devices by infostealer malware families, according to multiple reports (Microsoft, Palo Alto Networks, US CISA).
Scout Query
tag = "redline,raccoonstealer,lumma,warzone-rat,vidar,rhadamanthys,stealc"
Hunting Tip: Proactively block known infostealer controller servers. When a new controller is identified, retro-hunt historical telemetry for connections to it, since credential and cookie exfiltration from unmonitored devices is exactly what automated detection tends to have missed at the time.
RMM Tools used by Scattered Spider
Legitimate RMM tools such as AnyDesk and TeamViewer, among others, have been dual-used by Scattered Spider members to evade antivirus (AV) and endpoint detection and response (EDR). Because these tools ship as signed binaries and are also used for valid business operations, many endpoint security products will not block them when they are used maliciously (Palo Alto Networks, Google, US CISA).
Scout Query
tag = "rmm"
Hunting Tip: Internal IPs that are communicating with RMM provider servers that are not on a permitted software list should be flagged as suspicious.
Domain Registration Patterns used by Scattered Spider
Scattered Spider members have been known to gain initial access via SMS phishing campaigns mimicking SSO providers such as Okta, Cisco Duo, and PingID, among others. To mimic these services, similar-looking typosquatting domains are registered following a common naming pattern: “sso” or another SSO-related keyword combined with the target organisation’s brand name in the domain (Palo Alto Networks, Cloudflare, Coinbase, Google).
Other domain hosting patterns Scattered Spider operators are known for include using Njalla name servers, BitLaunch virtual private servers (VPS), and/or DigitalOcean VPS sub-leased via BitLaunch. The registrars and hosting providers used by Scattered Spider to create these domains do, however, rotate frequently.
Scout Queries
pdns.domain.regex = "^sso-|-sso.com|-okta.com|^okta-" pdns.nameserver = "*njalla*"
pdns.domain.regex = "^sso-|-sso.com|-okta.com|^okta-" pdns.asn = "399629"
pdns.domain.regex = "^sso-|-sso.com|-okta.com|^okta-" pdns.asn = "14061"
Hunting Tip: Focus on looking for typosquatting domains mentioning keywords related to your organization. This can be an early warning sign that Scattered Spider operators are intending to target your employees with waves of SMS phishing messages.
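The naming and hosting pattern behind the three queries above, as a brand-aware typosquat hunt that an analyst can run against their own passive DNS exports. This is an added example, not Team Cymru code or Scout query syntax. The pDNS records, the brand name “acme” and all hostnames are constructed; the two ASNs are simply the numbers the queries above filter on. Note one difference from the query regex: the dots in the pattern are escaped and the suffix alternatives anchored, because an unescaped `-sso.com` also matches `-ssoxcom`.

```python
"""
Hunt for SSO-themed typosquat domains targeting a brand, scored on naming
pattern plus the hosting context (Njalla name servers, listed ASNs).
Added example; RECORDS, the brand list and all hostnames are constructed.
"""
import re

# Keywords this page says are combined with the target's brand name.
SSO_KEYWORDS = ("sso", "okta", "duo", "ping", "login", "auth", "mfa")
# The ASNs the queries above filter on (assumption: used only as strings here).
SUSPECT_ASNS = {"399629", "14061"}

# Dots escaped and suffixes anchored: 'acme-sso.com' matches, 'acme-ssoxcom.net' does not.
SSO_PATTERN = re.compile(
    r"^(?:sso-|okta-)|(?:-sso|-okta)\.(?:com|net|org)$", re.IGNORECASE)

def normalise(domain):
    return domain.lower().rstrip(".")

def registrable_label(domain):
    """Second-level label, e.g. 'acme-sso' from 'acme-sso.com'.  Assumes a
    single-label public suffix; use a public-suffix-list library in production."""
    parts = normalise(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def score(record, brands):
    """Score one pDNS record; higher means more likely an SSO phishing domain.
    Returns (score, reasons) so the analyst sees why it fired."""
    domain = normalise(record["domain"])
    label = registrable_label(domain)
    reasons = []
    if SSO_PATTERN.search(domain):
        reasons.append("sso-pattern")
    elif any(k in label for k in SSO_KEYWORDS):
        reasons.append("sso-keyword")          # weaker: keyword anywhere in the label
    brand_hits = [b for b in brands if b in label]
    if brand_hits:
        reasons.append("brand:" + ",".join(brand_hits))
    if "njalla" in record.get("nameserver", "").lower():
        reasons.append("ns:njalla")
    if record.get("asn") in SUSPECT_ASNS:
        reasons.append("asn:" + record["asn"])
    return len(reasons), reasons

def hunt(records, brands, min_score=2):
    """Return records scoring at least min_score, highest score first.
    A lone pattern hit is not enough: 'weather-sso.org' is someone else's
    problem unless it also mentions our brand or sits on suspect hosting."""
    brands = [b.lower() for b in brands]
    out = []
    for r in records:
        s, why = score(r, brands)
        if s >= min_score:
            out.append({"domain": normalise(r["domain"]), "score": s, "reasons": why})
    return sorted(out, key=lambda x: -x["score"])

# Constructed pDNS-style records; every hostname here is invented.
RECORDS = [
    {"domain": "acme-sso.com", "nameserver": "1-you.njalla.no", "asn": "399629"},
    {"domain": "okta-acme.net", "nameserver": "ns1.example-dns.net", "asn": "14061"},
    {"domain": "acme-ssoxcom.net", "nameserver": "ns1.example-dns.net", "asn": "64500"},
    {"domain": "sso.acme.example", "nameserver": "ns.acme.example", "asn": "64496"},
    {"domain": "weather-sso.org", "nameserver": "ns1.example-dns.net", "asn": "64500"},
]

if __name__ == "__main__":
    for hit in hunt(RECORDS, brands=["acme"]):
        print(hit)
```

The organisation's own `sso.acme.example` scores only on the brand and is not reported, while `acme-ssoxcom.net` is still surfaced through the keyword fallback even though it escapes the strict pattern. Because the page notes that registrars and hosts rotate, the name-server and ASN checks are additive evidence rather than required conditions.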
How Team Cymru can Help
Pure Signal™ Scout: Real-Time Investigation & Context
Scout provides the tactical visibility needed during an active investigation to determine if a connection matches Scattered Spider’s infrastructure profile:
- Behavioral Tagging: Instantly look up IPs and domains during an incident to see if they are tagged with identifiers relevant to Scattered Spider infrastructure profile, such as tags for proxies, VPNs, RMM tools, file-sharing services, connection tunneling services, or paste sites.
- Log Enrichment: Integrate Scout via API to enrich your SIEM (such as Splunk, Microsoft Sentinel) or TIP (such as OpenCTI, ThreatQuotient, Cyware). This adds external threat intelligence context to your internal logs, revealing if a login came from a potential adversary-controlled proxy node.
- SOAR Automation: Use tags to trigger automated playbooks. For example, a SOAR rule could automatically block a connection to a host exfiltrating large amounts of data to an IP using an unvetted file-sharing service.
Pure Signal™ Insights Feed: Proactive, Bulk Intelligence
The Insights Feed moves you from reactive investigation to proactive blocking and alerting by delivering high-fidelity infrastructure data at scale.
- Global Fingerprinting: Ingest millions of daily IP and domain classifications derived from Team Cymru’s Pure Signal data ocean. We use advanced fingerprinting to identify Scattered Spider's preferred infrastructure before they are even used in a campaign.
- Tiered Risk Categories: Indicators are pre-classified into three distinct categories for easier prioritization:
- Malicious: Confirmed C2s, offensive security tools (OSTs), malware hosts, operational relay box (ORB) networks, and phishing kit hosts.
- Suspicious: Infrastructure exhibiting risky behaviours, such as scanning activity, behaving as an open resolver, belonging to a bulletproof host, or running a Tor exit node.
- General: Contextual data (VPNs, Proxies, CDNs, Cloud, IoT, Corporate Routers) which can be used to better understand the nature of the connection, reduce false positives, filter certain platforms, and verify legitimate traffic.
- Seamless Delivery via STIX/TAXII: The feed is delivered in CTI industry-standard STIX 2.1 format through a TAXII server. This allows for "set and forget" integration into your TIP or SIEM, enabling real-time blocking at the perimeter and can also be used for historical matches against your internal telemetry.
Conclusion
The shared nature of Scattered Spider’s infrastructure means that a single IP address is no longer a reliable indicator of intent. To a standard firewall, a login from a residential IP or a connection to a tunneling service looks like business as usual. Context is the only differentiator. Behavioral analytics moves the goalposts for the adversary by focusing not on what the infrastructure is, but how it is being used and who it truly belongs to. This is where Team Cymru transforms raw network noise into actionable intelligence.
Leveraging Team Cymru’s Pure Signal™ Scout to monitor infrastructure profiles is a powerful deterrent, but it is important to recognize that behavioral analytics is most effective when integrated into a defense-in-depth strategy. Scattered Spider operators are notoriously adaptive and often change their service providers and tooling, but stick to using these categories of infrastructure. As the Pyramid of Pain highlights, the hardest thing for an adversary to do is change their tactics, techniques, and procedures (TTPs) entirely.
While having visibility into VPN and proxy networks and various web services is an advantage for defenders, a truly resilient security program against Scattered Spider style attacks must combine these network insights with other core security pillars. This includes security awareness training, role-based access control (RBAC), system hardening, phishing-resistant multi-factor authentication (MFA), application allow-listing, endpoint behavioral analytics, continuous monitoring, and security automation.
Ultimately, the value of Team Cymru lies in its ability to provide external context that internal logs simply cannot see. By identifying the network activity of a seemingly benign IP, Pure Signal™ gives your team the head start needed to detect and prevent a potential intrusion before it escalates into a full-scale ransomware event.