Joint international advisory warns of evolving social engineering tactics and new DragonForce ransomware deployment targeting commercial facilities
A collaboration of international cybersecurity agencies issued an urgent updated advisory on July 29, 2025, highlighting the escalating threat posed by the Scattered Spider cybercriminal group, which has intensified attacks against critical infrastructure and commercial facilities sectors with increasingly sophisticated tactics and new ransomware variants.
The joint advisory, released by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Royal Canadian Mounted Police (RCMP), Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK), provides comprehensive tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as June 2025.
Scattered Spider, also known as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra, has significantly evolved since the advisory was originally published in November 2023.
The group, which primarily consists of native English speakers believed to operate from the United States, the United Kingdom, and Canada, has become one of the most sophisticated social engineering operations targeting large enterprises.
“Scattered Spider threat actors typically engage in data theft for extortion and also use several ransomware variants, most recently deploying DragonForce ransomware alongside their usual TTPs,” the advisory states. “While some TTPs remain consistent, Scattered Spider threat actors often change TTPs to remain undetected.”

The group’s hallmark remains its sophisticated social engineering capabilities, which have become increasingly refined. Unlike traditional cybercriminals who pose as IT helpdesk staff to target employees, Scattered Spider has now reversed this approach, impersonating employees to convince third-party IT and helpdesk personnel to provide sensitive information, reset passwords, and transfer multi-factor authentication (MFA) tokens to attacker-controlled devices.
| Domains Used by Scattered Spider | Purpose |
|---|---|
| targetsname-sso[.]com | Phishing for SSO credentials |
| targetsname-servicedesk[.]com | Phishing/scamming as IT or helpdesk |
| targetsname-okta[.]com | Credential harvesting targeting Okta SSO |
| targetsname-cms[.]com (new) | Recent phishing/spearphishing campaigns |
| targetsname-helpdesk[.]com (new) | IT/helpdesk impersonation |
| oktalogin-targetcompany[.]com (new) | Phishing for Okta/SSO credentials |
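The naming patterns in the table lend themselves to a simple detection rule. The script below is an added example, not code from the advisory or from this article: it takes a list of organisation names to protect (the names `acmecorp` and `acme` are constructed for illustration) and flags newly observed domains that follow the `<name>-sso`, `<name>-servicedesk`, `<name>-okta`, `<name>-cms`, `<name>-helpdesk` or `oktalogin-<name>` shapes listed above. The sample domain feed is constructed as well; in practice it would come from passive DNS, certificate transparency or proxy logs.

```python
from typing import Dict, List, Optional

# Organisation names to watch for (constructed for this example; substitute your own brand names).
PROTECTED_NAMES = ["acmecorp", "acme"]

# Label patterns taken from the advisory's domain table: <name>-<suffix> and <prefix>-<name>.
SUFFIX_PURPOSE = {
    "sso": "phishing for SSO credentials",
    "servicedesk": "IT/helpdesk impersonation",
    "okta": "credential harvesting targeting Okta SSO",
    "cms": "phishing/spearphishing campaign",
    "helpdesk": "IT/helpdesk impersonation",
}
PREFIX_PURPOSE = {"oktalogin": "phishing for Okta/SSO credentials"}

# Constructed sample of newly seen domains, as they might appear in passive DNS or proxy logs.
SAMPLE_DOMAINS = [
    "acmecorp-sso.com",
    "login.acmecorp-helpdesk.com",
    "oktalogin-acmecorp.com",
    "acmecorp.com",
    "news.example.org",
    "acme-cms.net",
]


def defang(domain: str) -> str:
    """Write the domain with [.] so it is not clickable in a report."""
    return domain.replace(".", "[.]")


def classify_domain(domain: str, names: List[str] = PROTECTED_NAMES) -> Optional[Dict[str, str]]:
    """Return a hit record if any label of the domain matches a lookalike pattern, else None."""
    labels = domain.lower().strip(".").split(".")
    # Skip the TLD label; the lookalike may be the registrable label or a subdomain label.
    for label in labels[:-1]:
        for name in names:
            for suffix, purpose in SUFFIX_PURPOSE.items():
                if label == f"{name}-{suffix}":
                    return {"domain": defang(domain), "name": name,
                            "pattern": f"<name>-{suffix}", "purpose": purpose}
            for prefix, purpose in PREFIX_PURPOSE.items():
                if label == f"{prefix}-{name}":
                    return {"domain": defang(domain), "name": name,
                            "pattern": f"{prefix}-<name>", "purpose": purpose}
    return None


def find_lookalikes(domains: List[str], names: List[str] = PROTECTED_NAMES) -> List[Dict[str, str]]:
    """Run classify_domain over a feed of domains and collect the hits."""
    return [hit for hit in (classify_domain(d, names) for d in domains) if hit]


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_DOMAINS):
        print(f"{hit['domain']}: matches {hit['pattern']} ({hit['purpose']})")
```

The matcher is deliberately exact on the label rather than fuzzy, so it produces few false positives and can run unattended against a daily feed; a fuzzier check (edit distance, homoglyphs) would be a separate layer on top.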
The group employs multiple attack vectors, including “push bombing” (overwhelming users with MFA notifications until they approve access), subscriber identity module (SIM) swap attacks to hijack phone numbers, and elaborate vishing campaigns enriched with personal information gathered from social media, open-source intelligence, and commercial intelligence tools.
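Push bombing leaves a recognisable trace in MFA logs: a burst of prompts for one user, usually denied or timed out, sometimes followed by an approval. The following detector is an added example, not code from the advisory or the article. It uses a constructed, simplified key=value log format (not any vendor's real schema) and assumed tuning values (five prompts in ten minutes); it keeps a sliding window of prompts per user, raises a `push_burst` alert when the window crosses the threshold, and raises a separate `approved_after_burst` alert when an approval lands during the burst, which is the event an analyst most wants to see.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed MFA push log lines in a simplified key=value format (not a real vendor's schema).
SAMPLE_MFA_LOG = [
    "2025-07-29T08:00:01Z user=alice result=denied ip=203.0.113.10",
    "2025-07-29T08:00:09Z user=alice result=denied ip=203.0.113.10",
    "2025-07-29T08:00:17Z user=alice result=denied ip=203.0.113.10",
    "2025-07-29T08:00:26Z user=alice result=timeout ip=203.0.113.10",
    "2025-07-29T08:00:38Z user=alice result=denied ip=203.0.113.10",
    "2025-07-29T08:00:50Z user=alice result=denied ip=203.0.113.10",
    "2025-07-29T08:01:10Z user=alice result=approved ip=203.0.113.10",
    "2025-07-29T09:00:00Z user=bob result=denied ip=198.51.100.7",
    "2025-07-29T09:05:00Z user=bob result=approved ip=198.51.100.7",
    "2025-07-29T09:30:00Z user=carol result=approved ip=198.51.100.9",
]

PUSH_THRESHOLD = 5               # prompts within the window before it counts as a burst (assumed tuning)
PUSH_WINDOW = timedelta(minutes=10)


def parse_event(line: str) -> Dict[str, object]:
    """Parse one constructed log line into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields: Dict[str, object] = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_push_bombing(lines: List[str], threshold: int = PUSH_THRESHOLD,
                        window: timedelta = PUSH_WINDOW) -> List[Dict[str, object]]:
    """Sliding window of push prompts per user.

    Every prompt counts, whatever its result, because the victim's denials and
    timeouts are the signal. A 'push_burst' alert fires once when the threshold is
    crossed; 'approved_after_burst' fires for each approval while the burst persists.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    in_burst = set()
    alerts: List[Dict[str, object]] = []
    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        q = recent[user]
        q.append(ts)
        # Drop prompts older than the window; q is never empty here.
        while ts - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            in_burst.discard(user)      # burst has aged out; allow a fresh alert later
            continue
        if user not in in_burst:
            in_burst.add(user)
            alerts.append({"kind": "push_burst", "user": user, "count": len(q), "ts": ts})
        if ev["result"] == "approved":
            alerts.append({"kind": "approved_after_burst", "user": user, "count": len(q), "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_MFA_LOG):
        print(f"{alert['ts'].isoformat()} {alert['kind']}: {alert['user']} ({alert['count']} prompts)")
```

On the constructed data the detector raises two alerts for alice and none for bob or carol. Number-matching or phishing-resistant MFA removes the approve-by-tapping path this detection watches for, so the rule is most useful during the transition period before those controls are fully rolled out.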
| Malware Used by Scattered Spider | Description / Function |
|---|---|
| AveMaria (WarZone) | Remote Access Trojan (RAT); enables remote access to victim systems |
| Raccoon Stealer | Stealer malware; targets credentials, cookies, browser history |
| VIDAR Stealer | Stealer malware; credentials, browser data, cookies |
| RattyRAT (new, as of July 2025) | Java-based RAT; persistent, stealthy internal reconnaissance |
| DragonForce ransomware (new) | Encrypts files/systems (including ESXi); data extortion |
ESXi Infrastructure Under Siege
Most concerning is Scattered Spider’s recent focus on VMware ESXi hypervisors, which serve as critical infrastructure for virtualized environments.
According to the advisory, the group has been observed encrypting VMware ESXi servers using DragonForce ransomware, a tactic that allows them to cripple entire virtual machine infrastructures with minimal effort.
The group’s attacks on ESXi environments follow a calculated pattern: initial access through social engineering, privilege escalation to gain administrative control, deployment of remote monitoring tools, and finally, ransomware execution that encrypts core directories and renders virtual machines inoperable.
Recent investigations reveal that Scattered Spider has expanded its targeting to include Snowflake cloud environments, where it can exfiltrate massive volumes of data quickly by running thousands of queries immediately upon access.
The group has also been observed infiltrating company communications platforms like Slack, Microsoft Teams, and Exchange Online to monitor security response efforts and even participate in incident response calls to understand how security teams hunt them.
To maintain persistence and evade detection, the group creates fictitious identities backed by fake social media profiles, uses proxy networks, and frequently rotates machine names. They have also been observed exfiltrating data to multiple locations, including MEGA.NZ and U.S.-based data centers such as Amazon S3.
The authoring agencies strongly recommend organizations implement phishing-resistant multifactor authentication, maintain offline backups stored separately from source systems, and deploy application controls to manage software execution. Organizations should also enhance monitoring for “risky logins” and unauthorized account misuse.
With Scattered Spider’s attacks causing hundreds of millions in damages and their tactics continuing to evolve, the updated advisory serves as a critical resource for organizations seeking to defend against one of today’s most sophisticated cybercriminal operations.
The post Global Authorities Shared IoCs and TTPs of Scattered Spider Behind Major ESXi Ransomware Attacks appeared first on Cyber Security News.