Threat Actor Profile
High APT
Description

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. (Citation: MSTIC Octo Tempest Operations October 2023)

Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and has used ransomware for financial gain. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: CrowdStrike Scattered Spider BYOVD January 2023) (Citation: Crowdstrike TELCO BPO Campaign December 2022)

Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. (Citation: Mandiant UNC3944 May 2025)

Confidence Score
90%
Known Aliases
Scattered Spider, Roasted 0ktapus, Octo Tempest, Storm-0875, UNC3944
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (64)
Collection
  T1074 - Data Staged
  T1114 - Email Collection
  T1114.003 - Email Forwarding Rule
  T1213.003 - Code Repositories
  T1213.005 - Messaging Applications
  T1530 - Data from Cloud Storage

Command and Control
  T1090 - Proxy
  T1105 - Ingress Tool Transfer
  T1219.002 - Remote Desktop Software
  T1572 - Protocol Tunneling

Credential Access
  T1003.003 - NTDS
  T1539 - Steal Web Session Cookie
  T1552.001 - Credentials In Files
  T1552.004 - Private Keys
  T1555.005 - Password Managers
  T1556.006 - Multi-Factor Authentication
  T1556.009 - Conditional Access Policies
  T1621 - Multi-Factor Authentication Request Gen…

Defense Evasion
  T1006 - Direct Volume Access
  T1070.008 - Clear Mailbox Data
  T1078 - Valid Accounts
  T1078.004 - Cloud Accounts
  T1484.002 - Trust Modification
  T1553.002 - Code Signing
  T1562.001 - Disable or Modify Tools
  T1564.008 - Email Hiding Rules
  T1578.002 - Create Cloud Instance
  T1656 - Impersonation

Discovery
  T1016 - System Network Configuration Discovery
  T1018 - Remote System Discovery
  T1069 - Permission Groups Discovery
  T1069.002 - Domain Groups
  T1082 - System Information Discovery
  T1083 - File and Directory Discovery
  T1087 - Account Discovery
  T1087.002 - Domain Account
  T1217 - Browser Information Discovery
  T1538 - Cloud Service Dashboard
  T1580 - Cloud Infrastructure Discovery

Execution
  T1059.001 - PowerShell
  T1059.004 - Unix Shell
  T1204 - User Execution

Exfiltration
  T1041 - Exfiltration Over C2 Channel
  T1567.002 - Exfiltration to Cloud Storage

Impact
  T1486 - Data Encrypted for Impact
  T1490 - Inhibit System Recovery
  T1657 - Financial Theft

Lateral Movement
  T1021.001 - Remote Desktop Protocol
  T1021.004 - SSH
  T1021.007 - Cloud Services

Persistence
  T1098 - Account Manipulation
  T1098.003 - Additional Cloud Roles
  T1133 - External Remote Services
  T1136 - Create Account
  T1543.002 - Systemd Service

Privilege Escalation
  T1068 - Exploitation for Privilege Escalation

Reconnaissance
  T1589 - Gather Victim Identity Information
  T1598 - Phishing for Information
  T1598.003 - Spearphishing Link
  T1598.004 - Spearphishing Voice

Resource Development
  T1583.001 - Domains
  T1585.001 - Social Media Accounts
  T1588.001 - Malware
  T1588.002 - Tool
STIX Data
{'aliases': ['Scattered Spider',
             'Roasted 0ktapus',
             'Octo Tempest',
             'Storm-0875',
             'UNC3944'],
 'created': '2023-07-05T17:54:54.789Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Scattered Spider](https://attack.mitre.org/groups/G1015) is '
                'a native English-speaking cybercriminal group active since at '
                'least 2022. (Citation: CrowdStrike Scattered Spider Profile) '
                '(Citation: MSTIC Octo Tempest Operations October 2023) The '
                'group initially targeted customer relationship management '
                '(CRM) providers, business process outsourcing (BPO) firms, '
                'and telecommunications and technology companies before '
                'expanding in 2023 to gaming, hospitality, retail, managed '
                'service provider (MSP), manufacturing, and financial sectors. '
                '(Citation: MSTIC Octo Tempest Operations October 2023)\n'
                '[Scattered Spider](https://attack.mitre.org/groups/G1015) '
                'relies heavily on social engineering, including impersonating '
                'IT and help-desk staff, to gain initial access, bypass '
                'multi-factor authentication (MFA), and compromise enterprise '
                'networks. The group has adapted its tooling to evade endpoint '
                'detection and response (EDR) defenses and used ransomware for '
                'financial gain. (Citation: CISA Scattered Spider Advisory '
                'November 2023) (Citation: CrowdStrike Scattered Spider BYOVD '
                'January 2023) (Citation: Crowdstrike TELCO BPO Campaign '
                'December 2022)\n'
                '[Scattered Spider](https://attack.mitre.org/groups/G1015) had '
                'expanded into hybrid cloud and identity environments, using '
                'help-desk impersonation and MFA bypass to obtain '
                'administrator access in Okta, AWS, and Office 365. (Citation: '
                'Mandiant UNC3944 May 2025)',
 'external_references': [{'external_id': 'G1015',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1015'},
                         {'description': '(Citation: CrowdStrike Scattered '
                                         'Spider BYOVD January 2023)',
                          'source_name': 'Roasted 0ktapus'},
                         {'description': '(Citation: Mandiant UNC3944 May '
                                         '2025)(Citation: Mandiant VMware '
                                         'vSphere JUL 2025)',
                          'source_name': 'UNC3944'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Octo Tempest'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Storm-0875'},
                         {'description': 'CISA. (2023, November 16). '
                                         'Cybersecurity Advisory: Scattered '
                                         'Spider (AA23-320A). Retrieved March '
                                         '18, 2024.',
                          'source_name': 'CISA Scattered Spider Advisory '
                                         'November 2023',
                          'url': 'https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a'},
                         {'description': 'CrowdStrike. (2023, January 10). '
                                         'SCATTERED SPIDER Exploits Windows '
                                         'Security Deficiencies with '
                                         'Bring-Your-Own-Vulnerable-Driver '
                                         'Tactic in Attempt to Bypass Endpoint '
                                         'Security. Retrieved July 5, 2023.',
                          'source_name': 'CrowdStrike Scattered Spider BYOVD '
                                         'January 2023',
                          'url': 'https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/'},
                         {'description': 'CrowdStrike. (n.d.). Scattered '
                                         'Spider. Retrieved July 5, 2023.',
                          'source_name': 'CrowdStrike Scattered Spider Profile',
                          'url': 'https://www.crowdstrike.com/adversaries/scattered-spider/'},
                         {'description': 'Mandiant Incident Response. (2025, '
                                         'July 23). From Help Desk to '
                                         'Hypervisor: Defending Your VMware '
                                         'vSphere Estate from UNC3944. '
                                         'Retrieved October 13, 2025.',
                          'source_name': 'Mandiant VMware vSphere JUL 2025',
                          'url': 'https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944'},
                         {'description': 'Mandiant Incident Response. (2025, '
                                         'May 6). Defending Against UNC3944: '
                                         'Cybercrime Hardening Guidance from '
                                         'the Frontlines. Retrieved October '
                                         '13, 2025.',
                          'source_name': 'Mandiant UNC3944 May 2025',
                          'url': 'https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Microsoft. (2023, October 25). Octo '
                                         'Tempest crosses boundaries to '
                                         'facilitate extortion, encryption, '
                                         'and destruction. Retrieved March 18, '
                                         '2024.',
                          'source_name': 'MSTIC Octo Tempest Operations '
                                         'October 2023',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/'},
                         {'description': 'Parisi, T. (2022, December 2). Not a '
                                         'SIMulation: CrowdStrike '
                                         'Investigations Reveal Intrusion '
                                         'Campaign Targeting Telco and BPO '
                                         'Companies. Retrieved June 30, 2023.',
                          'source_name': 'Crowdstrike TELCO BPO Campaign '
                                         'December 2022',
                          'url': 'https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/'}],
 'id': 'intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b',
 'modified': '2025-10-24T02:30:51.936Z',
 'name': 'Scattered Spider',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack', 'mobile-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '3.0'}