Scattered Spider cybercrime gang shifts from SIM-swapping to more advanced techniques

The notorious cybercrime group Scattered Spider has upgraded its arsenal, incorporating advanced social engineering and domain impersonation tactics, according to a recent report by cybersecurity firm ReliaQuest.

The collective, also known as UNC3944 or Octo Tempest, is believed to be behind recent cyber-attacks on major British retailers including Marks & Spencer and Harrods. According to ReliaQuest’s report, the group has evolved from a simple SIM-swapping operation into a “global threat” using sophisticated credential-harvesting campaigns.

Analysis of over 600 domains linked to the group between early 2022 and 2025 revealed that 81% of them impersonate major tech vendors, particularly targeting identity providers (like Okta), VPN services, and IT support systems. The fake domains are designed to harvest credentials from high-level employees, including system administrators and executives.
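The domain analysis described above (lookalike domains impersonating identity providers, VPN services and IT support portals) can be reproduced in miniature for a defender's own monitoring. The script below is an added example, not ReliaQuest's tooling or data: it scores a constructed list of domains against a small keyword lexicon for the three vendor categories the report names, undoes common digit-for-letter substitutions, and reports which lookalikes also carry a monitored organisation's name (the fictional "acme"). The lexicon, the `.example` domains and the field names are all assumptions.

```python
"""Triage a list of candidate domains for impersonation of the vendor
categories the report names (identity providers such as Okta, VPN services,
IT support) and for lookalikes that combine a monitored organisation's name
with those keywords. Added example; the domain list is constructed."""
from collections import Counter

# Keyword lexicon per category. Assumption: these tokens; extend with the
# vendors and internal portal names your organisation actually uses.
LEXICON = {
    "identity_provider": ("okta", "sso", "entra", "duo", "onelogin"),
    "vpn": ("vpn", "globalprotect", "anyconnect", "fortinet", "pulse"),
    "it_support": ("helpdesk", "servicedesk", "itsupport", "techsupport"),
}

# Digit-for-letter substitutions common in lookalike registrations (0kta).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lowercase, drop a trailing dot, undo simple digit substitutions and
    remove separators so 'help-desk' and 'helpdesk' compare equal."""
    norm = domain.lower().rstrip(".").translate(LEET)
    return norm.replace("-", "").replace("_", "").replace(".", "")


def classify(domain: str, org_tokens=()) -> dict:
    """Return the vendor categories a domain resembles and whether it also
    carries one of the monitored organisation's name tokens. Substring
    matching favours recall over precision; review hits by hand."""
    flat = normalize(domain)
    categories = [cat for cat, words in LEXICON.items()
                  if any(w in flat for w in words)]
    org_hit = any(t.lower() in flat for t in org_tokens)
    return {"domain": domain, "categories": categories, "org_match": org_hit}


def summarize(domains, org_tokens=()) -> dict:
    """Aggregate classify() over a domain list: how many resemble vendor
    impersonation (the report's 81% figure is this share), per-category
    counts, and which ones also name the organisation."""
    results = [classify(d, org_tokens) for d in domains]
    flagged = [r for r in results if r["categories"]]
    share = round(100 * len(flagged) / len(results)) if results else 0
    per_cat = Counter(c for r in flagged for c in r["categories"])
    return {
        "total": len(results),
        "flagged": len(flagged),
        "share_pct": share,
        "per_category": dict(per_cat),
        "org_targeted": [r["domain"] for r in flagged if r["org_match"]],
    }


# Constructed sample: reserved .example TLD, fictional organisation "acme".
SAMPLE_DOMAINS = [
    "acme-okta.example",             # identity provider + org name
    "sso-acme.example",              # identity provider + org name
    "vpn-acme-login.example",        # VPN + org name
    "acme-helpdesk.example",         # IT support + org name
    "0kta-verify.example",           # digit substitution for 'okta'
    "globalprotect-portal.example",  # VPN product, no org name
    "news.example",                  # benign
    "weather-today.example",         # benign
]

if __name__ == "__main__":
    report = summarize(SAMPLE_DOMAINS, org_tokens=("acme",))
    print(f"{report['flagged']}/{report['total']} domains ({report['share_pct']}%) "
          f"resemble vendor impersonation: {report['per_category']}")
    for d in report["org_targeted"]:
        print("  org-targeted:", d)
```

Fed with newly registered domains from a certificate-transparency or passive-DNS feed, the `org_targeted` list is the set worth pre-emptively blocking at the proxy and watching for in inbound mail links; the substring matching will produce false positives, which is the intended trade-off for a triage step that a human reviews.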

In the recent M&S breach, experts found that compromised credentials from IT outsourcing firm Tata Consultancy Services (TCS) were leveraged to gain unauthorized access. TCS also provides services to the Co-op, which was hit by a separate cyberattack, although a direct link has not been confirmed.

The gang uses a phishing tool called ‘Evilginx’ that is capable of bypassing multi-factor authentication (MFA). Originally created as a penetration-testing tool, Evilginx has been co-opted by cybercriminals to steal login credentials and session cookies, which lets them reuse an already-authenticated session without repeating the MFA step. Its latest version, Evilginx 3.0, released in April 2024, has been used in 60% of Scattered Spider’s phishing campaigns targeting tech vendors.
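Because a reverse-proxy phishing kit steals a session that has already passed MFA, the identity provider sees a valid login followed by the same session being used from the attacker's own client. The detection below is an added example, not part of the report or of any vendor's product: it runs over constructed identity-provider style events (field names are assumptions, not a real log schema) and flags a session whose later requests come from both a different IP address and a different browser fingerprint than the client that completed MFA.

```python
"""Flag a session that keeps being used from a different client than the one
that completed MFA: the trace left when a session cookie captured by a
reverse-proxy phishing kit such as Evilginx is replayed from the operator's
infrastructure. Added example over constructed, identity-provider style
events; field names are assumptions, not any vendor's log schema."""
from datetime import datetime

# Constructed sample (RFC 5737 documentation addresses, fictional users).
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "alice", "session": "S1",
     "event": "login.mfa_success", "ip": "203.0.113.10", "ua": "Chrome/125 Windows"},
    {"ts": "2025-06-01T09:02:00", "user": "alice", "session": "S1",
     "event": "app.access", "ip": "203.0.113.10", "ua": "Chrome/125 Windows"},
    # Same session, new IP and new browser fingerprint five minutes later.
    {"ts": "2025-06-01T09:05:00", "user": "alice", "session": "S1",
     "event": "app.access", "ip": "198.51.100.7", "ua": "Firefox/126 Linux"},
    {"ts": "2025-06-01T10:00:00", "user": "bob", "session": "S2",
     "event": "login.mfa_success", "ip": "203.0.113.44", "ua": "Safari/17 macOS"},
    # Bob's IP changes but the browser does not: roaming or NAT, not replay.
    {"ts": "2025-06-01T10:30:00", "user": "bob", "session": "S2",
     "event": "app.access", "ip": "203.0.113.45", "ua": "Safari/17 macOS"},
]


def detect_session_replay(events, max_minutes=None):
    """Bind each session to the (ip, ua) pair seen at MFA success, then alert
    on any later event in that session where BOTH differ. Requiring both
    avoids paging on ordinary IP churn; a user-agent change alone is a weaker
    signal. max_minutes optionally limits alerts to reuse soon after login,
    when a freshly stolen cookie is most likely to be replayed."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    binding = {}  # session id -> (ip, ua, login_time)
    alerts = []
    for e in ordered:
        key = e["session"]
        when = datetime.fromisoformat(e["ts"])
        if e["event"] == "login.mfa_success":
            binding[key] = (e["ip"], e["ua"], when)
            continue
        if key not in binding:
            continue  # session predates the log window; cannot judge it
        ip, ua, login_at = binding[key]
        if e["ip"] != ip and e["ua"] != ua:
            minutes = (when - login_at).total_seconds() / 60
            if max_minutes is None or minutes <= max_minutes:
                alerts.append({"user": e["user"], "session": key,
                               "login_client": (ip, ua),
                               "reuse_client": (e["ip"], e["ua"]),
                               "minutes_since_login": minutes})
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_EVENTS):
        print(f"{a['user']} session {a['session']} reused from {a['reuse_client']} "
              f"{a['minutes_since_login']:.0f} min after MFA at {a['login_client']}")
```

The response to an alert is to revoke the session at the identity provider and force re-authentication, since the stolen cookie stays valid until then; binding sessions to the client (device-bound tokens, phishing-resistant authenticators such as FIDO2) removes the replay opportunity altogether rather than detecting it after the fact.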

Additionally, ReliaQuest found increasing collaboration between Scattered Spider and ransomware-as-a-service (RaaS) groups such as DragonForce and BlackCat/ALPHV, with the partners targeting managed service providers (MSPs) in order to exploit an MSP’s access to multiple clients in a single attack.
