ctipilot.ch

Scattered Spider

actor · actor:scattered-spider single-source

Decentralised, English-fluent cybercrime collective — not a single hierarchical group — responsible for over 100 network intrusions since 2022 using vishing/smishing SSO-lookalike phishing, SIM-swap and help-desk-impersonation initial access, and BlackCat/ALPHV or DragonForce ransomware deployment. Group-IB (2026-07-07) reframes it as a movement of independent 3-5-person subclusters unified by shared TTPs, casting its own '0ktapus' designation and Microsoft's Octo Tempest, Mandiant's UNC3944 and Palo Alto's Muddled Libra as overlapping subcluster labels rather than distinct groups.

Aliases: 0ktapus, Octo Tempest, UNC3944, Muddled Libra

Coverage timeline
6
first 2026-05-19 → last 2026-07-12
Peak priority
high
1 high · 5 notable
Sources cited
21
19 hosts
Sections touched
4
active-threats, weekly-incidents-recap, weekly-looking-ahead
Co-occurring entities
5
see Related entities below
ATT&CK techniques
12
pinned v19.1 · see below
2026-05-196 appearances2026-07-12

ATT&CK techniques

12 techniques observed across 4 entries — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-06-23/two-scattered-spider-members-plead-guilty-over-the-2024-tran · ATT&CK page ↗

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-12/weekly-w28-threat-actor-developments · ATT&CK page ↗

T1195.002Supply Chain Compromise: Compromise Software Supply Chain×1

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Evidence: 2026-05-19/grafana-labs-coinbasecartel-breach-victim-confirms-source-co · ATT&CK page ↗

T1566Phishing×1

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Evidence: 2026-06-23/two-scattered-spider-members-plead-guilty-over-the-2024-tran · ATT&CK page ↗

T1566.004Phishing: Spearphishing Voice×2

Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.

Evidence: 2026-07-12/weekly-w28-threat-actor-developments · 2026-07-10/helix-data-extortion-devicecode-vishing-sharepoint-exfil · ATT&CK page ↗

Persistence TA0003

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-06-23/two-scattered-spider-members-plead-guilty-over-the-2024-tran · ATT&CK page ↗

T1098.005Account Manipulation: Device Registration×1

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

Evidence: 2026-07-10/helix-data-extortion-devicecode-vishing-sharepoint-exfil · ATT&CK page ↗

Privilege Escalation TA0004

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-06-23/two-scattered-spider-members-plead-guilty-over-the-2024-tran · ATT&CK page ↗

T1098.005Account Manipulation: Device Registration×1

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

Evidence: 2026-07-10/helix-data-extortion-devicecode-vishing-sharepoint-exfil · ATT&CK page ↗

Stealth TA0005

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-06-23/two-scattered-spider-members-plead-guilty-over-the-2024-tran · ATT&CK page ↗

T1684.001Social Engineering: Impersonation×1

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.

Evidence: 2026-07-12/weekly-w28-threat-actor-developments · ATT&CK page ↗

Credential Access TA0006

T1528Steal Application Access Token×1

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Evidence: 2026-07-10/helix-data-extortion-devicecode-vishing-sharepoint-exfil · ATT&CK page ↗

T1552.004Unsecured Credentials: Private Keys×1

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

Evidence: 2026-05-19/grafana-labs-coinbasecartel-breach-victim-confirms-source-co · ATT&CK page ↗

T1621Multi-Factor Authentication Request Generation×1

Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.

Evidence: 2026-06-23/two-scattered-spider-members-plead-guilty-over-the-2024-tran · ATT&CK page ↗

Collection TA0009

T1213.002Data from Information Repositories: Sharepoint×1

Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:

Evidence: 2026-07-10/helix-data-extortion-devicecode-vishing-sharepoint-exfil · ATT&CK page ↗

Exfiltration TA0010

T1567Exfiltration Over Web Service×1

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Evidence: 2026-05-19/grafana-labs-coinbasecartel-breach-victim-confirms-source-co · ATT&CK page ↗

Story timeline

  1. 2026-07-12Threat-actor developments this week: Group-IB reframes Scattered Spider as a decentralised collective, and China- and Iran-nexus edge/ORB tradecraft advances
    weekly-researchActor developments this week — Group-IB recasts Scattered Spider as a decentralised collective; China/Iran edge, ORB and C2 tradecraft advance
  2. 2026-07-10'Helix' data-extortion cluster pairs manager-impersonation vishing with device-code phishing and automated SharePoint exfiltration
    active-threatsReliaQuest: new 'Helix' extortion cluster (BlackFile/ShinyHunters lineage) vishes staff into device-code sign-ins, then bulk-loots SharePoint
  3. 2026-06-29Looking ahead — 2026-W26
    weekly-looking-ahead
  4. 2026-06-29Attribution and accountability: Jaguar Land Rover and Scattered Spider
    weekly-incidents-recap
  5. 2026-06-23Two Scattered Spider members plead guilty over the 2024 Transport for London intrusion
    active-threats
  6. 2026-05-19Grafana Labs CoinbaseCartel breach — victim confirms source-code-only theft, no customer data, ransom rejected
    active-threats

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

collaborates with

Where this entity is cited

  • active-threats3
  • weekly-incidents-recap1
  • weekly-looking-ahead1
  • weekly-research1

Source distribution

  • bleepingcomputer.com2 (10%)
  • securityweek.com2 (10%)
  • advisories.ncsc.nl1 (5%)
  • blog.talosintelligence.com1 (5%)
  • ca.news.yahoo.com1 (5%)
  • cisa.gov1 (5%)
  • cloud.google.com1 (5%)
  • edpb.europa.eu1 (5%)
  • other11 (52%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

All cited sources (21)

Entries about Scattered Spider (6)

2026-07-12 · view entry permalink →

NOTABLENATOB2

Threat-actor developments this week: Group-IB reframes Scattered Spider as a decentralised collective, and China- and Iran-nexus edge/ORB tradecraft advances

The week's actor reporting split between a model-changing reframing of a well-known financially-motivated collective and a set of state-nexus tradecraft advances.

Scattered Spider — a model change, not an incident. Group-IB argues the actor "cannot be considered or analyzed as a single organized 'group' with its own hierarchy or organigram [but is] more accurately described as a decentralised cybercrime collective" of independent subclusters, typically 3-5 people, unified by shared tradecraft and community learning rather than command structure, and states "we can consider 0ktapus as a subcluster of Scattered Spider" — explicitly mapping Microsoft's Octo Tempest, Mandiant's UNC3944 and Palo Alto's Muddled Libra as overlapping labels for subclusters of the same movement (Group-IB, 2026-07-07). The documented playbook is squarely relevant to the constituency's help desks: vishing/smishing with Okta/Microsoft/Citrix/Google SSO-lookalike pages staged minutes before a call, SIM-swaps via coercion or carrier-staff social engineering, and help-desk impersonation using OSINT from already-compromised systems, monetised through BlackCat/ALPHV and DragonForce ransomware. The practical consequence Group-IB draws: because resilience comes from decentralisation, individual arrests do not blunt the collective, so defenders should treat each attributed intrusion as one small ad-hoc crew rather than evidence of a persistent central adversary.

State-nexus edge and C2 tradecraft. Talos detailed China-nexus UAT-7810 expanding its operational relay-box (ORB) network with the LONGLEASH/DOGLEASH/JARLEASH suite (Cisco Talos, 2026-07-08); Proofpoint's UNK_MassTraction, a suspected China-aligned actor, exploited Roundcube webmail as an edge device (Proofpoint, 2026-07-09); and Check Point exposed Iran MOIS-linked Cavern Manticore's modular .NET command-and-control framework with layered anti-analysis (Check Point Research, 2026-07-09).

Why grouped here: these are actor-model and capability developments — the lens the weekly owns — rather than new operational incidents. Scattered Spider's decentralisation and the state actors' edge/ORB focus both change how a SOC should scope attribution and where to look (help-desk identity workflows; internet-facing webmail and edge appliances as relay infrastructure).

Scattered Spider cannot be considered or analyzed as a single organized 'group' with its own hierarchy or organigram. Instead, it can be more accurately described as a decentralised cybercrime collective.

we can consider 0ktapus as a subcluster of Scattered Spider

Group-IB

Builds on: 2026-07-08/talos-uat-7810-china-nexus-orb-network-longleash · 2026-07-09/unk-masstraction-roundcube-edge-exploitation · 2026-07-09/cavern-manticore-iran-mois-modular-net-c2-anti-analysis

research12 Jul 23:43Zsingle-sourceOpen finding ↗

2026-07-10 · view entry permalink →

HIGHNATOB2

'Helix' data-extortion cluster pairs manager-impersonation vishing with device-code phishing and automated SharePoint exfiltration

ReliaQuest's Threat Research team published (2026-07-08) a spotlight on Helix, a data-extortion cluster it assesses as a likely continuation of the now-fragmented BlackFile (UNC6671) operation and the broader ShinyHunters ecosystem — an assessment resting on a shared credential-harvesting-domain registrar (also used by the Scattered Spider/"The Com" community) and an exfiltration host four addresses away, on the same autonomous system, from a confirmed BlackFile address two months earlier (ReliaQuest, 2026-07-08). ReliaQuest is explicit that this is likely-ecosystem-continuation, not confirmed attribution — but "organizations already tracking those groups should treat Helix as an extension of the same data extortion campaigns."

The device-code-phishing-defeats-Conditional-Access primitive itself was covered earlier today in the Huntress Railway/LSHIY analysis (see references); Helix's contribution is the full extortion kill chain wrapped around it. Initial contact is voice phishing in which the operator impersonates the target's actual manager by name on a spoofed caller-ID and talks them through entering a device code into Chrome — the session token is captured without any password crossing the phone line, and the device-code flow bypasses Conditional Access (ReliaQuest, 2026-07-08; BleepingComputer, 2026-07-09). Persistence is deliberately minimal and hard to spot: the operator registers a new MFA Authenticator on the account, typically within minutes of sign-in, from the same residential proxy used for access — "the only persistence artifact is a legitimate MFA registration." Sign-in infrastructure is geo-matched to the target's real city to avoid impossible-travel alerts, rotating through 15+ residential IPs against a single mailbox. Collection is automated and identical across incidents — the operator issues contentclass:STS_Site and wildcard SharePoint searches to inventory reachable content, then bulk-downloads, using a python-requests user-agent from an IP reserved for exfiltration and never used for access. Dwell before mass exfil ranged from under an hour to over a week, a deliberate tuning to each environment's value and detectability. In at least one case the operator actively tested containment after the account was disabled, re-attempting MFA registration and a password reset.

Helix likely emerged from the “BlackFile” and “ShinyHunters” ecosystem. Groups fragment and rebrand, but the techniques and infrastructure persist across every iteration.

Device code phishing then sidesteps Conditional Access policies, and automated tools enumerate and mass-download SharePoint libraries before bulk exfiltration triggers an alert.

Disabling device code authentication is the single highest-impact action.

ReliaQuest 2026-07-08

Builds on: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns

threat10 Jul 12:53Zmulti-sourceOpen finding ↗

2026-06-29 · view entry permalink →

NOTABLE

Looking ahead — 2026-W26

A focused, justified list — items already in motion, not predictions.

  • ShinyHunters PeopleSoft notifications are still landing — expect more named European education and public-finance victims. GTIG has notified ~100 organisations (68% higher education) and NAIC is the fresh high-profile case; patch internet-reachable PeopleSoft and hunt /PSEMHUB/ and /PSIGW/HttpListeningConnector. (Google GTIG; daily 06-28)
  • FortiBleed is not a one-and-done credential reset — full AD domain takeover is now confirmed at a NATO-aligned contractor. Finish session termination and credential rotation, then hunt for post-compromise AD persistence (Kerberos abuse, DCSync, DFS-backup exfiltration) rather than assuming the reset closed it. (CISA; daily 06-24)
  • The Klue/Icarus extortion surface is multiplying after the "resolution" — a second group is now extorting ~195 listed organisations. Any firm with a Klue/Salesforce integration should expect renewed extortion contact regardless of Icarus's stated data deletion; complete OAuth-grant revocation and CRM-egress monitoring. (SecurityWeek; daily 06-27)
  • CRA Single Reporting Platform go-live is ~75 days out (11 September); ENISA's dry-run schedule is due now. In-scope manufacturers — including Swiss exporters to the EU — should register and wire the 24/72-hour reporting flow into their PSIRT process before the obligation binds. (ENISA SRP)
  • EDPB Article 33 harmonised breach-notification template consultation closes 5 August. Still open with no in-window change; multi-jurisdiction breach-response owners have a closing window to comment before the EDPB sets a mandatory-adoption timeline. (EDPB)
  • npm v12 will disable install scripts by default — the week's Miasma worm wave is the reminder to audit CI now. Miasma's postinstall-and-SessionStart-hook propagation is exactly the kill chain --ignore-scripts / npm v12 defaults neutralise; inventory pipelines and AI-coding-tool hook configs that rely on build scripts. (Socket; daily 06-27)
  • libssh2 CVE-2026-55200 has a public PoC and an upstream fix commit, but tagged releases lag across the binding ecosystem — track the embedded-dependency fix pipeline. Inventory appliances, tooling and language bindings that ship libssh2 and chase each vendor's release rather than assuming a single library bump closes it. (NCSC-NL; daily 06-28)
  • Scattered Spider TfL sentencing is set for 16 July. First UK court outcome on the campaign; the vishing/social-engineering TTP precedent is directly relevant to European transport and public-sector identity-desk hardening. (UK NCA; daily 06-23)
outlook29 Jun 00:21Zmulti-sourceOpen finding ↗

Earlier coverage (3)