
SCATTERED SPIDER Hackers Target IT Support Teams to Bypass Multi-Factor Authentication


A sophisticated threat actor known as SCATTERED SPIDER has emerged at the forefront of a new wave of cyberattacks targeting major organizations across sectors such as hospitality, finance, telecommunications, and retail in the US and UK.

Unlike traditional ransomware groups that typically exploit software vulnerabilities, SCATTERED SPIDER is notable for its focus on manipulating human targets, particularly IT support personnel, to gain initial access and circumvent even robust multi-factor authentication (MFA) barriers.

Human-Centric Intrusions

Operating since at least 2022, SCATTERED SPIDER has become infamous for its highly targeted social engineering campaigns.

Using tactics such as voice phishing (vishing), SIM swapping, and impersonation, the group convincingly poses as employees or executives to deceive helpdesk staff into resetting MFA or providing account access.

According to the report, the group's fluent, unaccented English and understanding of Western business culture enable it to conduct real-time manipulation with alarming authenticity and success.

Beyond mere access, SCATTERED SPIDER has reportedly partnered with DragonForce, an increasingly popular ransomware-as-a-service (RaaS) platform.

This collaboration allows the group to focus its efforts on initial compromise and lateral movement, leaving the deployment of ransomware and data leak extortion to DragonForce’s automated toolkits.

DragonForce offers affiliates a comprehensive suite of tools: customizable encryption payloads, data exfiltration modules, dark web leak portals, and dashboards for ransomware deployment and payment tracking.

This division of labor exemplifies the professionalization and scalable nature of the modern ransomware economy.

The group’s attack sequence is methodical and fast. After meticulous reconnaissance, often using open-source intelligence (OSINT) to map employee structures and identify privileged accounts, SCATTERED SPIDER employs live social engineering to trick IT helpdesks.

They frequently request password or MFA resets, successfully bypassing technical controls designed to thwart automated attacks.

Once inside, they escalate privileges via legitimate administrative tools such as PowerShell and PsExec, targeting identity infrastructure like Active Directory or Okta to ensure unrestricted network access.

Partnership with DragonForce RaaS

Before deploying ransomware, the attackers exfiltrate sensitive data: personally identifiable information, business-critical documents, and operational details.

The aim is to maximize leverage during extortion by combining data theft with the threat of business disruption.

The DragonForce ransomware is then unleashed, rapidly encrypting systems and threatening public exposure of stolen data unless ransom demands are met.

Notable incidents attributed to SCATTERED SPIDER include the disruptive 2023 breach at MGM Resorts, where a simple but effective vishing attack on IT support led to widespread outages, and attacks on telecommunications and financial services that compromised identity management and customer data.

Security professionals highlight that SCATTERED SPIDER’s operational style blurs the boundaries between financially motivated cybercrime and advanced persistent threat (APT) tradecraft.

The group’s speed, technical agility, and psychological acumen significantly outpace conventional detection and response mechanisms.

Organizations relying solely on traditional security controls or generic MFA are particularly at risk, as the weakest link often remains the human element, specifically helpdesk and support workflows.

Experts recommend immediate hardening of IT support processes: enforcing high-assurance identity verification for all sensitive requests, training staff to recognize sophisticated social engineering, and using phishing-resistant MFA like hardware tokens.

Continuous monitoring for anomalous access patterns, privilege escalations, and lateral movement, especially within identity systems, is critical.
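One way to implement the identity-system monitoring recommended above, as an added example that is not part of the original article: it flags accounts where a helpdesk-initiated MFA reset is followed within an hour by enrollment of a factor from a previously unseen device or by a privilege grant. The event names, field names, one-hour window and sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records in a vendor-neutral schema (an assumption);
# map the event names to your identity provider's own log event types.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T08:55:00", "actor": "alice", "target": "alice", "event": "login", "device": "LAPTOP-A1"},
    {"ts": "2025-03-01T09:02:00", "actor": "helpdesk7", "target": "alice", "event": "mfa_reset", "device": None},
    {"ts": "2025-03-01T09:06:00", "actor": "alice", "target": "alice", "event": "mfa_enroll", "device": "PHONE-ZZ"},
    {"ts": "2025-03-01T09:20:00", "actor": "alice", "target": "alice", "event": "privilege_grant", "device": "PHONE-ZZ"},
    {"ts": "2025-03-01T10:00:00", "actor": "bob", "target": "bob", "event": "login", "device": "LAPTOP-B2"},
    {"ts": "2025-03-01T10:05:00", "actor": "helpdesk7", "target": "bob", "event": "mfa_reset", "device": None},
    {"ts": "2025-03-01T10:09:00", "actor": "bob", "target": "bob", "event": "mfa_enroll", "device": "LAPTOP-B2"},
]


def find_reset_chains(events, window=timedelta(hours=1)):
    """Correlate helpdesk MFA resets with risky follow-up activity on the same account."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort correctly as text
    known = {}   # account -> devices seen in logins outside any reset window
    resets = {}  # account -> (time of latest reset, helpdesk actor)
    alerts = {}  # account -> alert record
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user = e["target"]
        # A reset performed by someone other than the account owner opens a watch window.
        if e["event"] == "mfa_reset" and e["actor"] != user:
            resets[user] = (ts, e["actor"])
            continue
        reset = resets.get(user)
        in_window = reset is not None and ts - reset[0] <= window
        new_device = e.get("device") not in known.get(user, set())
        risky = e["event"] == "privilege_grant" or (e["event"] == "mfa_enroll" and new_device)
        if in_window and risky:
            alert = alerts.setdefault(
                user, {"account": user, "reset_by": reset[1], "signals": []})
            alert["signals"].append(e["event"])
        elif e["event"] == "login" and not in_window:
            # Only logins outside a watch window count as a trusted device baseline.
            known.setdefault(user, set()).add(e.get("device"))
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_reset_chains(SAMPLE_EVENTS):
        print(alert)
```

Re-enrollment on a device the account already used before the reset (the second account in the sample) is treated as routine and raises no alert.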

Additionally, organizations should map and secure their most sensitive data, implement robust incident response playbooks, and conduct regular crisis simulations that include human-centric attack scenarios.

SCATTERED SPIDER’s campaign is a stark reminder that modern cyber defense must prioritize both technical and social resilience.

As ransomware operations continue to evolve toward real-time, human-driven attacks, organizations must bridge the gap between technology, process, and staff awareness to effectively mitigate these persistent threats.
