In July 2025, activity related to the Scattered Spider cybercrime group remained front and center for defenders despite a slight lull following several arrests in the United Kingdom. Law enforcement agencies in the U.S., U.K., Canada, and Australia updated their joint advisory on July 29, noting that Scattered Spider has added the DragonForce ransomware to its arsenal and continues to refine social-engineering techniques such as phishing, push-bombing, and SIM-swap attacks to steal credentials and deploy remote-access tools (cisa.gov). Government partners warned that the group’s operators impersonate IT help-desk staff, tricking employees into password resets and multifactor authentication transfers, and then use legitimate remote-management tools like AnyDesk to maintain persistence (therecord.media).



Several private-sector reports published during the month described how Scattered Spider widened its target set from retail and insurance to aviation and cloud-service providers. CrowdStrike observed attacks on VMware vCenter environments in which the attackers created unmanaged virtual machines, attached domain-controller disks to dump Active Directory databases, and installed tunnelling tools such as Chisel, MobaXterm, ngrok, Pinggy, Rsocx, and Teleport to communicate with command-and-control servers (crowdstrike.com). ExtraHop’s mid-July report highlighted that the group relies heavily on typo-squatted domains impersonating corporate portals; domains such as “7-eleven-hr[.]com,” “citrix-okta[.]com” and “pfchangs-support[.]com” were among those identified (extrahop.com). Picus Security added that Scattered Spider repurposes abandoned company domains like “twitter-okta[.]com” and uses dynamic-DNS subdomains (e.g., “klv1[.]it[.]com”) to host its phishing kits (picussecurity.com).



Researchers cautioned that copycat actors are already adopting Scattered Spider’s playbook and that defenders should not become complacent. The Hacker News noted that, although Mandiant had not seen new intrusions directly attributable to the group since the arrests, other actors such as UNC6040 have mimicked its social-engineering tactics (thehackernews.com). Accordingly, security teams are advised to ingest known indicators into their SIEMs, monitor for suspicious domain resolution, and pay close attention to help-desk interactions and MFA reset requests. Monitoring for remote-access tools (AnyDesk, TeamViewer, ScreenConnect, Teleport) and ransomware families (DragonForce, ALPHV/BlackCat, RansomHub) is also crucial (rapid7.com, controlrisks.com).



July's findings underscore that although Scattered Spider may experience temporary setbacks, it poses a significant risk across various industries. In response, NetWitness’s FirstWatch team has proactively integrated previously identified indicators of compromise from Scattered Spider into its Threat Feed to strengthen defenses.



Domain-based IoCs

| IoC (Domain) | Source |
|---|---|
| 7elevenhr[.]com | ExtraHop (extrahop.com) |
| activecampiagn[.]net | ExtraHop (extrahop.com) |
| acwaapple[.]com | ExtraHop (extrahop.com) |
| bbtplus[.]com | ExtraHop (extrahop.com) |
| bellhr[.]com | ExtraHop (extrahop.com) |
| bestbuycdn[.]com | ExtraHop (extrahop.com) |
| birdsso[.]com | ExtraHop (extrahop.com) |
| citrixokta[.]com | ExtraHop (extrahop.com) |
| commonspiritcorpokta[.]com | ExtraHop (extrahop.com) |
| consensysokta[.]com | ExtraHop (extrahop.com) |
| corphubspot[.]com | ExtraHop (extrahop.com) |
| ctscomcast[.]com | ExtraHop (extrahop.com) |
| doordashsupport[.]com | ExtraHop (extrahop.com) |
| duelbitscdn[.]com | ExtraHop (extrahop.com) |
| freshworkshr[.]com | ExtraHop (extrahop.com) |
| geminisso[.]com | ExtraHop (extrahop.com) |
| guccicdn[.]com | ExtraHop (extrahop.com) |
| itbitokta[.]com | ExtraHop (extrahop.com) |
| iyft[.]net | ExtraHop (extrahop.com) |
| klaviyohr[.]com | ExtraHop (extrahop.com) |
| login.freshworkshr[.]com | ExtraHop (extrahop.com) |
| aplikacijeintercom[.]com | ExtraHop (extrahop.com) |
| morningstarokta[.]com | ExtraHop (extrahop.com) |
| mytsl[.]net | ExtraHop (extrahop.com) |
| oktaziffdavis[.]com | ExtraHop (extrahop.com) |
| pfchangssupport[.]com | ExtraHop (extrahop.com) |
| prntsrc[.]net | ExtraHop (extrahop.com) |
| pureokta[.]com | ExtraHop (extrahop.com) |
| signinnydig[.]com | ExtraHop (extrahop.com) |
| simpletextingcdn[.]com | ExtraHop (extrahop.com) |
| squarespacehr[.]com | ExtraHop (extrahop.com) |
| sytemstern[.]net | ExtraHop (extrahop.com) |
| ssoinstacart[.]com | ExtraHop (extrahop.com) |
| stsvodafone[.]com | ExtraHop (extrahop.com) |
| twitterokta[.]com | Picus Security (picussecurity.com) |
| xngryscaleox0d[.]com | ExtraHop (extrahop.com) |
| xsso[.]com | ExtraHop (extrahop.com) |
| klv1[.]it[.]com | Picus Security (picussecurity.com) |
| trycloudflare[.]com | CrowdStrike (crowdstrike.com) |
| googlemail[.]com | CrowdStrike (crowdstrike.com) |


Tool- and malware-based IoCs

| IoC (Tool/Malware) | Type | Source |
|---|---|---|
| AnyDesk, TeamViewer, ScreenConnect (ConnectWise), Splashtop | Legitimate remote-access tools repurposed for persistent access | CISA, Rapid7 & Control Risks (rapid7.com, controlrisks.com) |
| Teleport | Infrastructure-access tool installed on compromised servers for persistent C2 channels | Rapid7 & Rewterz (rapid7.com, rewterz.com) |
| FleetDeck | RMM platform abused for remote access | Rapid7 (rapid7.com) |
| Chisel (communicates with trycloudflare subdomains) | Protocol-tunnelling tool used inside VMware environments | CrowdStrike (crowdstrike.com) |
| MobaXterm, ngrok, Pinggy, Rsocx | Proxy/tunnelling tools used for C2 | CrowdStrike (crowdstrike.com) |
| S3 Browser | Tool used to enumerate and exfiltrate AWS S3 buckets | CrowdStrike (crowdstrike.com) |
| Evilginx / Evilginx2 phishing proxies | Adversary-in-the-middle kit capturing session cookies and MFA tokens | ExtraHop (extrahop.com) |
| Spectre RAT | Custom remote-access trojan (malware-as-a-service) with enhanced obfuscation | Picus Security (picussecurity.com) |
| DragonForce ransomware | Ransomware family linked to Scattered Spider | CISA & multiple articles (cisa.gov) |
| ALPHV/BlackCat, RansomHub, Qilin, Avaddon | Ransomware families associated with Scattered Spider or affiliates | Control Risks (controlrisks.com) |
| Ave Maria (Warzone RAT), Raccoon Stealer, Vidar Stealer, Ratty RAT | Data-stealing malware used in campaigns | The Hacker News (thehackernews.com) |
| STONESTOP/POORTRY | BYOVD toolset (malicious drivers) used to disable endpoint protection | Rapid7 (rapid7.com) |
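Most of the first half of this table is legitimate software, which is exactly why a plain “alert on AnyDesk” rule is noisy: the signal is a remote-access or tunnelling tool that the organisation has not sanctioned, or a sanctioned one being installed ad hoc from a user’s Downloads or Temp folder the way a help-desk impersonation victim would. The following added example (written for this post, not NetWitness code) triages constructed process-creation events against the tool families above. The executable names, the trusted install prefixes, the event field names and the choice of ScreenConnect as the sanctioned help-desk tool are all assumptions for the example and should be replaced with values from your own endpoint telemetry.

```python
# Tool families from the table above mapped to executable names. The table
# names tools, not binaries; these file names are assumptions for the example
# and should be checked against your own endpoint telemetry.
TOOL_SIGNATURES = {
    "AnyDesk": {"anydesk.exe"},
    "TeamViewer": {"teamviewer.exe", "tv_w32.exe", "tv_x64.exe"},
    "ScreenConnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "Teleport": {"teleport", "teleport.exe", "tsh", "tsh.exe"},
    "Chisel": {"chisel", "chisel.exe"},
    "ngrok": {"ngrok", "ngrok.exe"},
}

# Assumed install locations for sanctioned tools. A sanctioned tool running
# from a user-writable path (Downloads, Temp) looks like the ad-hoc install a
# help-desk impersonation victim is talked into performing.
TRUSTED_PREFIXES = (
    "c:/program files/",
    "c:/program files (x86)/",
    "/usr/local/bin/",
    "/opt/",
)


def normalise_path(image: str) -> str:
    """Lowercase and use forward slashes so Windows and Linux paths compare alike."""
    return image.replace("\\", "/").lower()


def classify_tool(image: str):
    """Return the tool family for an executable path, or None if the binary
    is not one of the remote-access/tunnelling tools we track."""
    name = normalise_path(image).rsplit("/", 1)[-1]
    for family, names in TOOL_SIGNATURES.items():
        if name in names:
            return family
    return None


def triage(event: dict, sanctioned: set):
    """Verdict for one process-creation event:
       None     - not a tracked tool
       'alert'  - tracked tool that the organisation has not sanctioned
       'review' - sanctioned tool running outside its expected install path
       'ok'     - sanctioned tool in its expected location"""
    family = classify_tool(event["image"])
    if family is None:
        return None
    if family not in sanctioned:
        verdict, reason = "alert", "unsanctioned remote-access or tunnelling tool"
    elif not normalise_path(event["image"]).startswith(TRUSTED_PREFIXES):
        verdict, reason = "review", "sanctioned tool running from a non-standard path"
    else:
        verdict, reason = "ok", "sanctioned tool in expected location"
    return {"host": event["host"], "user": event["user"], "tool": family,
            "image": event["image"], "verdict": verdict, "reason": reason}


def findings(events, sanctioned: set) -> list:
    """Return only the events that need analyst attention (alert or review)."""
    out = []
    for event in events:
        result = triage(event, sanctioned)
        if result and result["verdict"] != "ok":
            out.append(result)
    return out


# Constructed sample process-creation events (not real telemetry). The field
# names are this example's own, not any product's schema.
SAMPLE_EVENTS = [
    {"host": "ws-0412", "user": "jdoe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "ws-0412", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"host": "srv-vc01", "user": "svc_backup",
     "image": "/tmp/.x/chisel"},
    {"host": "ws-0199", "user": "asmith",
     "image": r"C:\Users\asmith\AppData\Local\Temp\ScreenConnect.WindowsClient.exe"},
    {"host": "ws-0200", "user": "bwhite",
     "image": r"C:\Windows\System32\notepad.exe"},
]

# Assumption for the example: the help desk's sanctioned tool is ScreenConnect.
SANCTIONED_TOOLS = {"ScreenConnect"}

if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS, SANCTIONED_TOOLS):
        print(f'{f["verdict"].upper():6} {f["host"]} {f["user"]} {f["tool"]}: {f["reason"]}')
```

On the constructed events this yields two alerts (AnyDesk from a Downloads folder, Chisel from /tmp on a vCenter host) and one review item (the sanctioned ScreenConnect client launched from a Temp directory), while the properly installed ScreenConnect service and notepad.exe produce nothing. Splitting “unsanctioned tool” from “sanctioned tool in the wrong place” keeps the rule useful in an environment that legitimately runs one of these products.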