Cybersecurity researchers at Silent Push have confirmed that the notorious Scattered Spider threat group continues to refine its attack methodologies, actively targeting major SaaS providers through 2025.
Notably, recent campaigns have targeted Klaviyo, HubSpot, and Pure Storage, three widely adopted platforms in marketing automation and cloud storage, demonstrating the group's ongoing focus on vendors whose services are critical to enterprise operations.
Evolving Threat Tactics and High-Profile Corporate
Scattered Spider, classified as UNC3944 and operating since at least 2022, has built a reputation for deploying advanced social engineering, phishing kits, and custom malware to breach corporate defenses.
The collective is known for its agility: Silent Push has tracked at least five distinct phishing kits attributed to the actor, some of them updated frequently, and has observed a marked migration away from legacy tooling toward new methods.
In early 2025, Scattered Spider began leveraging dynamic DNS services and "publicly rentable" subdomains, as in the case of klv1[.]it[.]com, a tenant subdomain under the it.com apex used to impersonate Klaviyo's SMS link shortener. Because the brand appears only as an abbreviation in a label under a third-party apex, hosts like this slip past security teams relying on basic regex-based brand monitoring of newly registered domains.
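The detection gap described above, as an added illustration that is not code from Silent Push or the original article: a plain brand regex run over the hostname never fires on klv1.it.com, whereas a matcher that first strips a known rentable apex and then tokenizes every attacker-controlled label does. The brand token list, the rentable-apex set (only it.com is taken from the report) and the lure-word list are assumptions for the example; the sample hostnames are taken from the IOC table on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Brand names and the abbreviated tokens an actor may substitute for them.
# Assumed mapping: "klv" is taken from the klv1.it.com case, the rest is
# illustrative and would come from the defender's own brand list.
BRAND_TOKENS: dict[str, tuple[str, ...]] = {
    "klaviyo": ("klaviyo", "klv"),
    "hubspot": ("hubspot",),
    "okta": ("okta",),
    "freshworks": ("freshworks",),
    "instacart": ("instacart",),
    "vodafone": ("vodafone",),
    "gemini": ("gemini",),
}

# Apex domains that rent or hand out subdomains to arbitrary tenants.
# it.com is the one named in the report; extend from your own dynamic-DNS intel.
RENTABLE_APEXES = {"it.com"}

# Words the actor pairs with a brand to make a lure look like an SSO portal,
# corporate host or CDN (all of these appear in the page's IOC table).
LURE_WORDS = {"sso", "okta", "login", "corp", "cdn", "hr", "sts"}

# The kind of check the report says is evaded: a brand regex against the
# whole hostname. It never matches the abbreviated tenant label "klv1".
NAIVE_BRAND_REGEX = re.compile(r"klaviyo|hubspot|okta", re.I)


@dataclass
class Verdict:
    domain: str
    brands: set[str] = field(default_factory=set)
    lure_words: set[str] = field(default_factory=set)
    tenant_label: str | None = None      # attacker-chosen label under a rentable apex
    hosted_on_rentable_apex: bool = False

    @property
    def suspicious(self) -> bool:
        return bool(self.brands)


def _labels(domain: str) -> list[str]:
    # Accept defanged "[.]" notation as used in the IOC table.
    return domain.lower().replace("[.]", ".").strip(".").split(".")


def _controlled_labels(labels: list[str]) -> tuple[list[str], bool]:
    """Return the labels the attacker actually chose.

    Simplification: the registrable domain is taken as the last two labels
    (use a public-suffix list in production to handle co.uk and similar).
    On a rentable apex the label left of the apex is the attacker's name,
    so only the labels to the left of the apex are inspected.
    """
    apex = ".".join(labels[-2:])
    if apex in RENTABLE_APEXES and len(labels) >= 3:
        return labels[:-2], True
    return labels, False


def naive_regex_flags(domain: str) -> bool:
    """The baseline check the report says the actor evades."""
    return NAIVE_BRAND_REGEX.search(domain.replace("[.]", ".")) is not None


def classify(domain: str) -> Verdict:
    labels = _labels(domain)
    controlled, rentable = _controlled_labels(labels)
    verdict = Verdict(domain, hosted_on_rentable_apex=rentable,
                      tenant_label=controlled[-1] if rentable else None)
    for label in controlled:
        # Split on hyphens, underscores and digits so "klv1" -> "klv" and
        # "corp-hubspot" -> {"corp", "hubspot"}.
        for tok in (t for t in re.split(r"[-_0-9]+", label) if t):
            if tok in LURE_WORDS:
                verdict.lure_words.add(tok)
            for brand, aliases in BRAND_TOKENS.items():
                if tok in aliases:
                    verdict.brands.add(brand)
    return verdict


if __name__ == "__main__":
    # Hostnames from the page's IOC table plus one benign control.
    for host in ("klv1[.]it[.]com", "corp-hubspot[.]com", "pure-okta[.]com",
                 "login.freshworks-hr[.]com", "sso-instacart[.]com", "example.com"):
        v = classify(host)
        print(f"{host:28} regex={naive_regex_flags(host)!s:5} "
              f"suspicious={v.suspicious!s:5} brands={sorted(v.brands)} "
              f"lures={sorted(v.lure_words)} rentable_tenant={v.tenant_label}")
```

The point of splitting on digits and hyphens is that the actor's naming is compositional (brand token plus a lure word plus an optional counter), so matching tokens rather than whole strings recovers the brand even when it is abbreviated or pushed into a subdomain label that a registrable-domain feed would never surface.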
Recent investigations have also uncovered a new version of the Spectre RAT (Remote Access Trojan) deployed by Scattered Spider.
The RAT, compiled for both 32- and 64-bit platforms, has expanded capabilities including enhanced system reconnaissance, persistent access, and a revamped, modular command set.
Analysis reveals the malware's use of obfuscated strings, XOR-based encoding, and a distinctive mutex-based persistence mechanism, coupled with a fallback communication protocol that uses a hardcoded decoy C2 server to bootstrap additional, dynamically resolved endpoints.
These capabilities illustrate the group’s rapid adoption of modern malware development practices, further complicating incident response and forensic attribution.
The infrastructure supporting these operations shows a distinct shift: after previously relying on hosting and domain providers such as Porkbun, Namecheap, and DigitalOcean, Scattered Spider has adopted privacy-centric registrars such as NiceNIC and hosting or fronting services including Virtuo, Njalla, and Cloudflare.
The adversary's preference for ephemeral infrastructure (short-lived domains with TLS certificates issued immediately after registration) remains unchanged, but the addition of dynamic DNS presents new tracking and mitigation challenges, since the registrable domain is no longer attacker-controlled.
According to the report, Silent Push analysts highlight that the threat is not limited to direct impersonation of high-profile enterprises.
Scattered Spider’s brand mimicry spans well beyond client organizations, encompassing software vendors and service providers integrated with target networks.
In 2025 attacks, brands like Audemars Piguet, Credit Karma, Twitter/X, T-Mobile, Nike, and News Corporation were referenced, often via cleverly obfuscated or indirect domain names not easily caught by simple monitoring strategies.
Malware delivery has also shifted, with clusters of domains posing as CDN or support resources to facilitate payload drops, a tactic seen in the May 2024 campaign involving domains such as bestbuy-cdn[.]com and gucci-cdn[.]com.
Open directories and public file shares were used to distribute Spectre RAT variants, further complicating efforts by defenders to maintain visibility and control over inbound threats.
Despite several arrests of Scattered Spider members, including the alleged leader in mid-2024 and multiple co-conspirators later that year, the collective has demonstrated resilience, quickly adapting to disruptions with new tooling and infrastructure.
With ongoing development of their phishing kits and RAT malware, and a focus on dynamic and evasive hosting, Scattered Spider remains a significant risk to organizations in financial, telecommunications, and cloud technology sectors.
Indicators of Compromise (IOCs)
| Domain / IOC | Target / Use Case | Hosting / Registrar | Last Seen |
|---|---|---|---|
| klv1[.]it[.]com | Klaviyo impersonation | it.com (dynamic DNS) | Feb 2025 |
| corp-hubspot[.]com | HubSpot phishing | NiceNIC | 2025 |
| pure-okta[.]com | Pure Storage phishing | NiceNIC | 2025 |
| twitter-okta[.]com | Twitter/X phishing | NiceNIC | Oct 2024 |
| bestbuy-cdn[.]com | Malware delivery | NiceNIC | May 2024 |
| freshworks-hr[.]com | HR SaaS phishing | Hosting Concepts | 2024 |
| okta-ziffdavis[.]com | Okta SSO phishing | Porkbun | 2024 |
| sso-instacart[.]com | Instacart phishing | NiceNIC | 2025 |
| sts-vodafone[.]com | Vodafone phishing | NiceNIC | 2025 |
| gemini-sso[.]com | Finance SSO phishing | Hosting Concepts | 2023-2025 |
| login.freshworks-hr[.]com | Login phishing | Hosting Concepts | 2024 |
| simpletexting-cdn[.]com | Malware CDN delivery | NiceNIC | May 2024 |