
Scattered Spider Exploits Evilginx and Social Engineering to Launch Attacks on Tech Firms


A new wave of cyberattacks attributed to the notorious hacking collective “Scattered Spider” (also known as UNC3944 and Octo Tempest) is targeting technology firms, managed service providers (MSPs), and IT contractors through a combination of advanced phishing frameworks and sophisticated social engineering.

Recent incidents in May 2025, including breaches at major UK retailers such as Marks & Spencer, Co-op, and Harrods, as well as parallel attacks on US retailers, have been linked to this threat actor, underscoring a coordinated and evolving campaign.

Technical Modus Operandi

Scattered Spider’s attack methodology centers on leveraging phishing frameworks like Evilginx, which enables adversaries to bypass multi-factor authentication (MFA) by capturing credentials and session cookies in real time.

The group’s infrastructure is characterized by the use of typosquatted domains and subdomain-based impersonation, with 81% of observed domains mimicking technology vendors and platforms such as Okta, VPNs, helpdesk portals, and single sign-on (SSO) systems.

According to a ReliaQuest report, these domains are tailored to deceive high-value targets, including system administrators and C-suite executives, into divulging sensitive credentials.

In parallel, Scattered Spider employs social engineering techniques such as vishing (voice phishing), where attackers impersonate executives or IT support staff to manipulate helpdesk employees into resetting passwords or registering new MFA devices.

Intelligence indicates that attackers conduct in-depth research using platforms like LinkedIn and ZoomInfo to build convincing profiles of their targets, enabling highly credible impersonation.

Targeting the Digital Supply Chain

A distinguishing feature of Scattered Spider’s operations is its strategic focus on MSPs and IT contractors.

[Figure: XSS user selling access to an MSP that manages at least 200 machines]

By compromising a single vendor with access to multiple client environments, the group amplifies its reach through a “one-to-many” attack vector.

For example, investigators have linked recent breaches to compromised accounts at Tata Consultancy Services (TCS), a global IT contractor with deep ties to both UK and US retailers.

This approach allows Scattered Spider to infiltrate client networks at scale, often deploying ransomware and leveraging double extortion tactics (encrypting data and threatening its release) to maximize ransom payments.

Analysis of over 600 domains associated with Scattered Spider between Q1 2022 and Q1 2025 reveals a preference for subdomain-based impersonation over older hyphenated domain formats, reflecting an ongoing adaptation to evade automated detection systems.

The group’s infrastructure is highly dynamic, with frequent changes in hosting providers and registrars, including Cloudflare, DigitalOcean, and NameSilo.

Scattered Spider’s effectiveness is further enhanced by partnerships with ransomware operators such as ALPHV, RansomHub, and DragonForce, as well as collaboration with Russian-aligned cybercriminals.

These alliances combine technical proficiency with cultural and linguistic fluency, enabling attackers to convincingly impersonate employees and leadership in Western organizations.

Recruitment efforts on underground forums prioritize native-level English speakers with minimal accents, who can operate during Western business hours and follow detailed social engineering scripts.

Given the group’s focus on exploiting human trust and supply chain relationships, organizations are advised to implement robust social engineering defenses, including regular employee training, stringent helpdesk verification protocols, and proactive monitoring of domain registrations for typosquatting and impersonation.
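The domain-monitoring advice above, together with the earlier observation that the group now favors subdomain-based impersonation over hyphenated domains, can be turned into a simple triage check over newly observed hostnames (for example from certificate transparency feeds). The following is an added example written for this article, not code from ReliaQuest or the original report; the keyword watchlist, the allowlist of owned domains and the sample hostnames are all constructed assumptions, and the naive two-label eTLD+1 split should be replaced by a public-suffix library in production.

```python
from typing import List, Tuple

# Constructed watchlist (assumption): the vendor and portal keywords the
# article reports Scattered Spider domains mimic.
BRAND_KEYWORDS = ("okta", "sso", "vpn", "helpdesk", "servicedesk")
# Constructed allowlist (assumption): domains the organisation actually owns.
OWNED_DOMAINS = {"example.com", "okta.com"}

def registered_domain(fqdn: str) -> str:
    """Naive eTLD+1: the last two labels. Assumption: no multi-label public
    suffixes such as .co.uk in the input."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def impersonation_style(fqdn: str) -> Tuple[str, List[str]]:
    """Classify a hostname as owned, subdomain, hyphenated, embedded or none.
    subdomain : keyword sits in a subdomain label (okta.corp-itsupport.net)
    hyphenated: keyword hyphenated into the registrable label (okta-corp.net)
    embedded  : keyword glued into the registrable label (examplevpn.com)"""
    fqdn = fqdn.lower().rstrip(".")
    if registered_domain(fqdn) in OWNED_DOMAINS:
        return "owned", []
    labels = fqdn.split(".")
    sub_labels, reg_label = labels[:-2], labels[-2]
    sub_hits = [k for k in BRAND_KEYWORDS if any(k in s for s in sub_labels)]
    reg_hits = [k for k in BRAND_KEYWORDS if k in reg_label]
    if sub_hits and not reg_hits:
        return "subdomain", sub_hits
    if reg_hits and "-" in reg_label:
        return "hyphenated", reg_hits
    if reg_hits:
        return "embedded", reg_hits
    return "none", []

# Constructed sample of newly observed hostnames; these are not real indicators.
SAMPLE_HOSTNAMES = [
    "okta.example.com",         # owned, no alert
    "okta.corp-itsupport.net",  # subdomain-based impersonation (newer style)
    "vpn.it-portal.org",        # subdomain-based impersonation (newer style)
    "okta-corp.net",            # hyphenated impersonation (older style)
    "examplevpn.com",           # keyword embedded in the registrable label
    "weather.news.org",         # unrelated
]

def triage(hostnames) -> List[Tuple[str, str, List[str]]]:
    """Return suspected impersonation hostnames, newest style first."""
    order = {"subdomain": 0, "hyphenated": 1, "embedded": 2}
    alerts = [(h, *impersonation_style(h)) for h in hostnames]
    alerts = [a for a in alerts if a[1] in order]
    return sorted(alerts, key=lambda a: order[a[1]])

if __name__ == "__main__":
    for host, style, hits in triage(SAMPLE_HOSTNAMES):
        print(f"{style:10} {host:26} matched={','.join(hits)}")
```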

Scattered Spider’s campaign demonstrates a persistent and adaptive threat to technology-driven sectors, with a clear emphasis on credential theft, ransomware deployment, and supply chain compromise.

As the group continues to refine its tactics, potentially incorporating deepfake AI voice technology for even more convincing impersonation, defenders must remain vigilant, leveraging actionable intelligence and resilient security measures to counter this evolving adversary.
