The Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and international partners issued an updated advisory on July 29, 2025, highlighting the evolving tactics, techniques, and procedures (TTPs) of the cybercriminal group Scattered Spider. First identified in 2023, this group is notorious for targeting large enterprises and their contracted IT help desks, relying on social engineering rather than novel exploits to gain a foothold and exfiltrate sensitive data.
According to the advisory, Scattered Spider actors continue to impersonate company employees or IT/help desk staff, using social engineering methods such as phishing, push bombing (sending repeated MFA push notifications until a fatigued user approves one), and subscriber identity module (SIM) swap attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication (MFA). While some TTPs remain constant, the group is agile and frequently changes its TTPs to evade detection.
Recent Scattered Spider activity underscores the group’s continued focus on data theft for extortion, including, most recently, deploying DragonForce ransomware against VMware ESXi servers. Another recent TTP is abusing compromised access to victims’ Snowflake environments, where the actors rapidly execute thousands of queries to exfiltrate large volumes of data in a short amount of time, often staging the stolen data on multiple platforms such as MEGA[.]NZ and Amazon S3.
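The Snowflake pattern above (one identity issuing thousands of queries in minutes, then unloading the results to external storage) is detectable from query history alone. The following is an added example, not code from the advisory or from Snowflake: it models rows on the columns of the SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY view, flags per-user query bursts with a sliding window, and separately flags COPY INTO statements whose target is a cloud URL or stage (an unload) rather than a table (a load). The thresholds, the user names and the sample history are constructed assumptions.

```python
"""Detect bulk-query exfiltration patterns in Snowflake query history.

Added example, not from the advisory. Rows are modelled on the
SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY view (user_name, start_time,
query_text, rows_produced); the thresholds and the sample history below
are constructed assumptions, not figures from the advisory.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; baseline them against normal activity before use.
BURST_WINDOW = timedelta(minutes=10)
BURST_QUERIES = 500        # queries by one user inside BURST_WINDOW
BURST_ROWS = 1_000_000     # rows produced by one user inside BURST_WINDOW

# "COPY INTO <location> FROM ..." unloads data; a cloud URL or @stage as
# the target is where bulk data leaves the account. "COPY INTO <table>"
# (a load) does not match because its target is neither.
_UNLOAD = re.compile(r"\bCOPY\s+INTO\s+(?:'?(?:s3|azure|gcs)://|@)", re.I)


def is_unload_to_stage(query_text):
    """True for COPY INTO that targets an external URL or a stage."""
    return _UNLOAD.search(query_text) is not None


def find_bursts(history):
    """One alert per user whose query count or rows_produced within any
    BURST_WINDOW-long span crosses a threshold (sliding window)."""
    by_user = defaultdict(list)
    for row in history:
        by_user[row["user_name"]].append(row)

    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r["start_time"])
        start, rows_in_window = 0, 0
        for end, row in enumerate(rows):
            rows_in_window += row["rows_produced"]
            # Slide the window start forward until it spans <= BURST_WINDOW.
            while row["start_time"] - rows[start]["start_time"] > BURST_WINDOW:
                rows_in_window -= rows[start]["rows_produced"]
                start += 1
            count = end - start + 1
            if count >= BURST_QUERIES or rows_in_window >= BURST_ROWS:
                alerts.append({
                    "user_name": user,
                    "queries": count,
                    "rows_produced": rows_in_window,
                    "window_start": rows[start]["start_time"],
                    "window_end": row["start_time"],
                })
                break  # one alert per user is enough to trigger triage
    return alerts


def find_unloads(history):
    """Every query that unloads data to a URL or stage, with its user."""
    return [(r["user_name"], r["query_text"])
            for r in history if is_unload_to_stage(r["query_text"])]


def constructed_history():
    """Synthetic query history: one analyst working normally and one
    compromised service account running a scripted dump, then an unload."""
    base = datetime(2025, 7, 30, 2, 0, 0)
    history = []
    # Normal: 20 ad-hoc queries over an hour, 100 rows each.
    for i in range(20):
        history.append({"user_name": "jdoe",
                        "start_time": base + timedelta(minutes=3 * i),
                        "query_text": f"SELECT * FROM orders WHERE id = {i}",
                        "rows_produced": 100})
    # Suspicious: 600 scripted queries, two per second, then COPY INTO S3.
    for i in range(600):
        history.append({"user_name": "svc_analytics",
                        "start_time": base + timedelta(seconds=0.5 * i),
                        "query_text": f"SELECT * FROM customers WHERE id = {i}",
                        "rows_produced": 1})
    history.append({"user_name": "svc_analytics",
                    "start_time": base + timedelta(minutes=6),
                    "query_text": "COPY INTO 's3://example-bucket/dump/' "
                                  "FROM (SELECT * FROM customers) "
                                  "STORAGE_INTEGRATION = ext_int",
                    "rows_produced": 250000})
    # A legitimate load is not an unload and must not be flagged.
    history.append({"user_name": "jdoe",
                    "start_time": base + timedelta(minutes=70),
                    "query_text": "COPY INTO orders FROM @orders_stage",
                    "rows_produced": 0})
    return history


if __name__ == "__main__":
    hist = constructed_history()
    for a in find_bursts(hist):
        print("BURST", a)
    for user, q in find_unloads(hist):
        print("UNLOAD", user, q[:60])
```

In production the same two checks run as scheduled queries over QUERY_HISTORY (the view lags real time by up to a few hours) and are paired with a login-history check for the same user from an unfamiliar client or IP; the burst thresholds should be set from a per-account baseline, since a warehouse serving a BI tool can legitimately exceed the constructed numbers.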
To obscure their presence, the group also creates new identities within compromised environments, often backed by fake social media profiles. They monitor internal communications such as Slack and Microsoft Teams for evidence that defenders have noticed them, and rely on proxy networks and rotating machine names to avoid detection.
As threat activity is likely to persist, organizations—particularly those in critical infrastructure and commercial facilities sectors—are strongly urged to take immediate steps to strengthen their defenses. Key recommendations include:
- Implement phishing-resistant MFA, such as FIDO/WebAuthn or Public Key Infrastructure (PKI)-based authentication.
- Maintain offline, encrypted backups of data that are stored separately from the source systems and tested at least annually.
- Apply application controls to manage and control software execution.
- Enhance monitoring for unauthorized account use, and investigate sign-in attempts that have been flagged as suspicious instead of treating a completed MFA challenge as proof that the user was legitimate.
- Audit and restrict remote access tools to minimize exposure.
- Segment networks to limit lateral movement.
- Patch known vulnerabilities promptly to reduce exploitable entry points.
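The push-bombing technique named earlier and the monitoring recommendation above meet in the authentication log: a run of denied or timed-out MFA pushes followed by an approval is the signature of a fatigued user giving in. The following is an added example, not code from the advisory or from any identity vendor: it processes constructed sign-in events (field names and sample data are assumptions; Okta, Entra ID and Duo logs carry the same facts under their own field names) and raises a lower-severity alert when a user is being bombed and a higher-severity one when an approval follows the run.

```python
"""Flag MFA push bombing (push fatigue) in authentication logs.

Added example, not from the advisory. The event shape (timestamp, user,
event, source_ip) and the sample events are constructed; Okta, Entra ID
and Duo logs carry the same facts under vendor-specific field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # assumption: lookback for repeated pushes
MIN_FAILED_PUSHES = 3            # assumption: denials/timeouts before alerting
FAILED = {"push_denied", "push_timeout"}


def detect_push_bombing(events):
    """Return alerts in time order.

    "attempt": a user has received MIN_FAILED_PUSHES denied or timed-out
    pushes within WINDOW (the user is holding out so far).
    "likely_compromise": an approval followed such a run within WINDOW,
    which is the outcome push bombing is designed to produce.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["timestamp"])
        recent_failures = []
        for e in evs:
            # Keep only failures still inside the lookback window.
            recent_failures = [f for f in recent_failures
                               if e["timestamp"] - f["timestamp"] <= WINDOW]
            if e["event"] in FAILED:
                recent_failures.append(e)
                if len(recent_failures) == MIN_FAILED_PUSHES:
                    alerts.append(_alert(user, "attempt", recent_failures, e))
            elif e["event"] == "push_approved":
                if len(recent_failures) >= MIN_FAILED_PUSHES:
                    alerts.append(_alert(user, "likely_compromise",
                                         recent_failures, e))
                recent_failures = []   # an approval ends the run
    alerts.sort(key=lambda a: a["at"])
    return alerts


def _alert(user, severity, failures, last):
    return {
        "user": user,
        "severity": severity,
        "failed_pushes": len(failures),
        "at": last["timestamp"],
        # Source IPs of the pushes; an approval from a new IP is a signal too.
        "source_ips": sorted({f["source_ip"] for f in failures}
                             | {last["source_ip"]}),
    }


def constructed_events():
    """Synthetic log: alice is bombed and gives in, carol is bombed and
    holds out, bob fumbles one push and approves the next."""
    t = datetime(2025, 7, 30, 2, 10, 0)
    ip_attacker, ip_home = "203.0.113.10", "198.51.100.7"
    ev = []
    for i in range(5):
        ev.append({"timestamp": t + timedelta(minutes=i), "user": "alice",
                   "event": "push_timeout" if i % 2 else "push_denied",
                   "source_ip": ip_attacker})
    ev.append({"timestamp": t + timedelta(minutes=7), "user": "alice",
               "event": "push_approved", "source_ip": ip_attacker})
    for i in range(4):
        ev.append({"timestamp": t + timedelta(minutes=i), "user": "carol",
                   "event": "push_denied", "source_ip": ip_attacker})
    ev.append({"timestamp": t, "user": "bob",
               "event": "push_timeout", "source_ip": ip_home})
    ev.append({"timestamp": t + timedelta(minutes=1), "user": "bob",
               "event": "push_approved", "source_ip": ip_home})
    return ev


if __name__ == "__main__":
    for a in detect_push_bombing(constructed_events()):
        print(a["severity"], a["user"], a["failed_pushes"], a["source_ips"])
```

The "attempt" alert is the one worth acting on: by the time "likely_compromise" fires the session already exists, so the response is to revoke it and reset the factor. Phishing-resistant MFA (FIDO/WebAuthn, as recommended above) removes the push prompt entirely, which is why it is the first item on the list rather than better push-fatigue detection.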
As Scattered Spider continues to evolve, organizations must remain vigilant and proactive. The advisory serves as a critical reminder that robust cybersecurity hygiene and layered defenses are essential to mitigating the risk posed by this sophisticated threat group.