Ymir Vigfusson
August 26, 2025
Scattered Spider is rewriting the cybercrime playbook. This group doesn't depend on malware or brute-force attacks; they exploit trust. Also known as UNC3944 or Muddled Libra, Scattered Spider places a strong emphasis on social engineering and identity manipulation.
Recent high-profile breaches against giants like MGM Resorts and Caesars Entertainment gave a glimpse into how Scattered Spider has been successful in their exploits. Both attacks resulted in significant business disruptions and substantial financial losses. Scattered Spider thrives on personal deception. They impersonate IT staff, exploit SIM-swap vulnerabilities, and bypass MFA protections with relentless persistence.
This article explains exactly how Scattered Spider executes these tactics. You'll see clearly why current defenses fail, and what security teams must change immediately.
Social engineering is the foundation of every Scattered Spider attack. They orchestrate targeted interactions, exploiting human trust instead of just technological flaws. Three key patterns have emerged for how they have behaved so far.
Phishing isn't new, but Scattered Spider elevates it with particular precision. They send customized, convincing emails or SMS messages (smishing) impersonating trusted internal sources. For example, posing as internal IT support, they warn users about urgent "security alerts." Employees believe they're resolving legitimate issues. One click or reply is enough for attackers to steal credentials.
Attackers also regularly use voice phishing (vishing) to exploit help-desk employees directly. These calls are expertly crafted, using internal jargon and authentic-sounding scenarios. Employees unwittingly hand over critical information, thinking they're helping legitimate coworkers.
MFA fatigue is another favored tactic. Attackers repeatedly trigger push notifications for authentication requests. Users, exhausted by constant alerts, eventually approve them without verifying the request's legitimacy.
Credential harvesting focuses on high-value targets, especially IT staff with elevated permissions. Attackers gain personal details through open-source intelligence, enabling highly targeted, believable interactions. Once credentials are compromised, they use SIM swapping to intercept MFA codes directly.
Rather than introducing detectable malware, Scattered Spider cleverly uses legitimate software and cloud-native tools. These tactics, called living-off-the-land (LOTL), make detection challenging and allow attackers persistent access.
Scattered Spider often leverages trusted remote access tools. Applications such as TeamViewer, ScreenConnect, Fleetdeck, and Tailscale become stealthy gateways into victim networks. These tools, widely used by legitimate IT departments, rarely trigger security alarms. Attackers maintain persistent, undetected network access through these trusted platforms.
Attackers exploit cloud-native environments extensively, especially AWS Systems Manager (SSM). SSM provides powerful administrative control. By compromising AWS identities, Scattered Spider executes commands and moves laterally, disguised as legitimate cloud operations. They also abuse OAuth, creating fraudulent federated identity providers within victim organizations to grant themselves unauthorized access.
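As an added illustration (not code from the article or from Keystrike), the following Python triages constructed CloudTrail-style records for the two behaviours just described: creation or change of a SAML or OIDC identity provider, and SSM command execution by a principal that is not one of the roles expected to run SSM unattended. The allow-list of automation roles and every record value are assumptions.

```python
import json

# Constructed CloudTrail-style records for illustration (not real telemetry);
# field names follow the CloudTrail schema, the values are made up.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2025-08-20T03:02:11Z","eventSource":"iam.amazonaws.com","eventName":"CreateSAMLProvider",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/helpdesk-admin"},"sourceIPAddress":"198.51.100.23"},
 {"eventTime":"2025-08-20T03:05:40Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand",
  "userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/AdminRole/helpdesk-admin"},"sourceIPAddress":"198.51.100.23"},
 {"eventTime":"2025-08-20T04:00:00Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand",
  "userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/scheduler"},"sourceIPAddress":"10.0.4.7"}
]""")

IDP_EVENTS = {"CreateSAMLProvider", "UpdateSAMLProvider", "CreateOpenIDConnectProvider"}
SSM_EXEC_EVENTS = {"SendCommand", "StartSession"}
AUTOMATION_ROLES = {"PatchAutomationRole"}  # assumption: roles expected to drive SSM unattended

def role_name(arn):
    """Return the role from an STS assumed-role ARN, or None for IAM users and other principals."""
    parts = arn.split(":")[-1].split("/")
    return parts[1] if parts[0] == "assumed-role" and len(parts) >= 2 else None

def triage(events):
    """Flag every federated IdP change, SSM execution by non-automation principals,
    and SSM execution from a source IP that earlier changed an IdP (the chained pattern)."""
    findings, idp_source_ips = [], set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name, ip, actor = ev["eventName"], ev["sourceIPAddress"], ev["userIdentity"]["arn"]
        if name in IDP_EVENTS:
            findings.append({"rule": "federated-idp-change", "actor": actor, "ip": ip, "time": ev["eventTime"]})
            idp_source_ips.add(ip)
        elif name in SSM_EXEC_EVENTS and role_name(actor) not in AUTOMATION_ROLES:
            rule = "ssm-exec-after-idp-change" if ip in idp_source_ips else "ssm-exec-non-automation"
            findings.append({"rule": rule, "actor": actor, "ip": ip, "time": ev["eventTime"]})
    return findings
```

Scheduled SSM activity from the automation role is left alone, while the IdP creation and the interactive SSM command from the same source address surface as a chained finding.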
Standard security tools, especially endpoint detection and response (EDR) systems, often fail to recognize LOTL tactics. Legitimate tools carrying out valid operations typically do not trigger alarms, and an occasional suspicious command may not be sufficient to raise a warning. As a result, network traffic from trusted sources can go unnoticed, giving attackers significant freedom to move and access systems before detection occurs.
The following table shows how Scattered Spider exploits legitimate tools.
After initial intrusion, attackers live off the land to maintain persistence and evade defensive measures. Scattered Spider's techniques include disabling endpoint defenses and security alerts, ensuring continued control of the network.
Scattered Spider employs BYOVD (Bring Your Own Vulnerable Driver) tactics to disable endpoint security tools. They exploit outdated, vulnerable drivers with kernel-level access. Once attackers introduce these compromised drivers, security agents become ineffective. Endpoint defenses no longer detect or block attackers’ ongoing operations, allowing Scattered Spider unlimited control within affected systems. If the system is fully updated, however, the BYOVD investment by the attacker is significant: the hacker needs to write or purchase an exploit (“0-day”) against an unpatched vulnerability and hope it works.
Attackers ensure persistent access by manipulating MFA systems. After compromising initial accounts, they register their own MFA devices. Victims’ passwords become irrelevant because attackers have legitimate MFA devices paired to their accounts.
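Two of the identity-log patterns described in this article, MFA push fatigue (repeated denied or unanswered pushes followed by an approval) and a new MFA device registered soon after a help-desk password reset, as an added detection example that is not code from the article or from Keystrike. The log format, event names, and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider log lines (not from the article): time, user, event[, detail]
SAMPLE_LOG = """\
2025-08-20T02:14:03Z alice push_timeout
2025-08-20T02:14:41Z alice push_denied
2025-08-20T02:15:10Z alice push_timeout
2025-08-20T02:15:52Z alice push_denied
2025-08-20T02:16:30Z alice push_approved
2025-08-20T09:00:00Z bob push_timeout
2025-08-20T09:01:00Z bob push_approved
2025-08-20T10:05:00Z carol helpdesk_password_reset
2025-08-20T10:21:00Z carol mfa_factor_enrolled sms:+1555
2025-08-21T15:00:00Z dave mfa_factor_enrolled fido
"""

def parse(log_text):
    """Turn the assumed line format into sorted (time, user, event, detail) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, *detail = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, " ".join(detail)))
    return sorted(events)

def push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Rule 1: an approval preceded by >= min_rejections denied/timed-out pushes inside the window."""
    by_user = defaultdict(list)
    for ts, user, event, _ in events:
        by_user[user].append((ts, event))
    hits = {}
    for user, evs in by_user.items():
        for i, (ts, event) in enumerate(evs):
            if event == "push_approved":
                rejected = sum(1 for t, e in evs[:i] if ts - t <= window and e in ("push_denied", "push_timeout"))
                if rejected >= min_rejections:
                    hits[user] = rejected
    return hits

def enrolment_after_reset(events, window=timedelta(hours=1)):
    """Rule 2: a new MFA factor enrolled shortly after a help-desk password reset for the same user."""
    last_reset, hits = {}, {}
    for ts, user, event, detail in events:
        if event == "helpdesk_password_reset":
            last_reset[user] = ts
        elif event == "mfa_factor_enrolled" and user in last_reset and ts - last_reset[user] <= window:
            hits[user] = detail
    return hits
```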
Federated identity manipulation enhances the persistence of attackers. Scattered Spider creates fraudulent federated identity providers that are connected to victim systems. This tactic allows attackers to authenticate themselves permanently, without needing stolen credentials. As a result, organizations often find it challenging to detect and halt these deeply embedded attacks.
Scattered Spider doesn’t just evade defenses; they actively monitor the victim security team's behavior. Attackers infiltrate internal communication channels like Slack or Microsoft Teams using stolen credentials. They quietly observe incident-response discussions, learning defenders' strategies and adapting quickly.
Scattered Spider stands apart from other cybercrime groups due to its blend of youth, speed, social engineering mastery, and technical expertise.
Unlike groups that rely solely on malware or brute-force attacks, Scattered Spider perfectly blends technical proficiency with sophisticated social engineering. They skillfully exploit human error and weaknesses in identity management systems simultaneously. This dual-threat capability makes traditional single-layer defenses inadequate.
Their membership primarily consists of younger, decentralized actors. This structure provides unmatched agility. Without strict hierarchies, attackers adapt swiftly to countermeasures deployed by security teams. Traditional cybersecurity response times are too slow against such adaptive threats.
Scattered Spider further escalates threats through strategic partnerships. Collaboration with ransomware gangs like ALPHV (BlackCat) adds encryption and data exfiltration capabilities to their operations. Such partnerships amplify attackers' potential financial gains and increase victim organizations’ urgency to pay ransoms.
Key Reasons Scattered Spider Evades Traditional Defenses:
A lot of focus in cybersecurity is on securing identity and authentication infrastructure and processes. However, Scattered Spider's tactics continue to succeed against them, revealing significant blind spots where identity-focused defenses fall short.
Identity-first security primarily protects usernames, passwords, and MFA tokens. However, Scattered Spider repeatedly bypasses these layers through carefully planned deception. By impersonating legitimate employees, attackers easily exploit trust and bypass verification.
Identity-based protections assume attackers cannot pass initial checks. Once inside, attackers appear as legitimate users. Because security tools rarely question authenticated sessions, Scattered Spider freely navigates networks unnoticed.
Multi-factor authentication remains a strong defense in theory. However, sophisticated attackers like Scattered Spider often render it ineffective. By registering their own MFA devices after compromising initial accounts, attackers make legitimate MFA irrelevant. Similarly, they intercept MFA tokens directly via SIM swapping.
This highlights a crucial flaw: MFA alone cannot fully protect organizations. Without additional verification methods, such as checking physical device inputs, attackers will bypass authentication easily.
Once a user is authenticated, their sessions typically undergo little to no further scrutiny. At most, they may be bound to the IP address or machine to which they were initially issued. Scattered Spider exploits this assumption of trust by hijacking authenticated sessions and moving laterally within the network without triggering any alerts. Organizations generally trust all actions performed by authenticated users, which enables attackers to maintain persistent access to the network indefinitely.
To enhance security, it is important to continuously verify user actions, even after the initial authentication. Current defenses fall short because they trust authentication implicitly and do not challenge sessions once they are validated.
Stopping Scattered Spider requires rethinking conventional cybersecurity practices. While each strategy below reduces specific attack methods, none fully stops every threat alone. Effective defense requires understanding these limitations and combining multiple layers, especially proactive input-level verification to secure against sophisticated attackers.
Phishing-resistant MFA methods (like FIDO/WebAuthn) reduce risk significantly. These methods don't rely solely on tokens delivered via text or push notifications. Instead, they use cryptographic verification tied to physical devices, dramatically reducing vulnerability to social engineering.
Remote Desktop Protocol (RDP) access also requires stringent controls. Organizations must:
These proactive steps deny attackers easy entry points into the network.
Network segmentation can limit attackers' lateral movement between critical and non-critical environments. However, advanced threats like Scattered Spider often bypass segmentation by waiting for legitimate VPN connections or "tailgating" authorized sessions. Segmentation alone is insufficient; continuous monitoring of authenticated sessions and verification of physical user actions are critical to truly limit lateral movement.
Application whitelisting further reduces risk. It explicitly defines authorized software, blocking unauthorized tools from execution. Legitimate remote tools frequently exploited by Scattered Spider, such as TeamViewer and ScreenConnect, become unusable without prior approval. This strategy drastically reduces attackers' operational capabilities.
To defeat advanced groups like Scattered Spider, organizations must verify every action, especially post-authentication. Traditional tools rarely challenge authenticated sessions, creating easy attacker pathways. New approaches must verify human input at the device level before accepting any session commands.
Keystrike enforces physical device validation as a more advanced compensating control. Every keystroke or mouse click undergoes cryptographic verification confirming that the command or activity originated from the HID (Human Interface Device). Attackers impersonating authenticated users fail because their input commands lack physical device validation.
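To make the input-verification idea concrete, here is an added illustration that is not Keystrike's code or protocol: an HMAC tag and a monotonic counter produced with a hypothetical device-bound key stand in for whatever attestation mechanism the product uses, and the session-side verifier drops any event that carries no valid tag or reuses a counter.

```python
import hmac
import hashlib
import struct

# Constructed demo key (assumption): in practice such a key would be bound to the input device's
# hardware so that software running under a hijacked session cannot read or use it.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"

def tag_event(key, counter, kind, payload):
    """Device side: MAC over (counter, kind, payload) so the server can attribute the event to this device."""
    msg = struct.pack(">Q", counter) + kind.encode() + b"\x00" + payload.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_event(key, counter, kind, payload):
    """Build an input event as the attested device would emit it."""
    return {"counter": counter, "kind": kind, "payload": payload,
            "tag": tag_event(key, counter, kind, payload)}

class InputVerifier:
    """Server side: admit an event only if its tag verifies and its counter is strictly increasing."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.rejected = []   # (reason, payload) for each discarded event

    def accept(self, event):
        expected = tag_event(self.key, event["counter"], event["kind"], event["payload"])
        if not hmac.compare_digest(expected, event["tag"]):
            self.rejected.append(("no-device-attestation", event["payload"]))
            return False
        if event["counter"] <= self.last_counter:
            self.rejected.append(("replay", event["payload"]))
            return False
        self.last_counter = event["counter"]
        return True

def demo():
    """Genuine keystrokes pass; software-injected input and a replayed capture are dropped."""
    verifier = InputVerifier(DEVICE_KEY)
    genuine = make_event(DEVICE_KEY, 1, "key", "hello")
    injected = {"counter": 2, "kind": "key", "payload": "scripted text", "tag": bytes(32)}
    replayed = dict(genuine)
    results = [verifier.accept(genuine), verifier.accept(injected), verifier.accept(replayed)]
    return results, [reason for reason, _ in verifier.rejected]
```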
Here are recommended defensive actions against Scattered Spider:
Cybercriminals, such as Scattered Spider, take advantage of weaknesses in trust, identity, and session security. Organizations must recognize that identity-based protections alone cannot adequately defend against sophisticated attackers. These attackers often hijack authenticated sessions without detection.
Organizations need to go beyond relying exclusively on passwords, MFA tokens, and implicit session trust. Implementing physical input verification adds a new, validated security layer. By verifying each keystroke or mouse action, organizations can ensure that only real, physically present users can execute commands. This straightforward change blocks session hijacking before it succeeds.
The future of cybersecurity relies on real-time validation of user sessions, not just the initial authentication. Attackers relentlessly exploit trust, so to counter threats like Scattered Spider, security measures must evolve from trusting identities to continuously verifying user actions.