The notorious cybercrime group Scattered Spider has upgraded its arsenal, incorporating advanced social engineering and domain impersonation tactics, according to a recent report by cybersecurity firm ReliaQuest.
The collective, also known as UNC3944 or Octo Tempest, is believed to be behind recent cyber-attacks on major British retailers including Marks & Spencer and Harrods. According to ReliaQuest’s report, the group has evolved from a simple SIM-swapping operation into a “global threat” using sophisticated credential-harvesting campaigns.
Analysis of over 600 domains linked to the group between early 2022 and 2025 revealed that 81% of them impersonate major tech vendors, particularly targeting identity providers (like Okta), VPN services, and IT support systems. The fake domains are designed to harvest credentials from high-level employees, including system administrators and executives.
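The finding that most of these domains imitate identity providers, VPN vendors and IT-support portals lends itself to a simple triage check defenders can run over newly observed domains (certificate-transparency feeds, DNS resolver logs, proxy logs). The script below is an added example written for this article; it is not part of ReliaQuest's report or tooling. The vendor list, lure words, homoglyph map and sample domains are constructed assumptions, meant to be replaced with the identity, VPN and help-desk brands your own organization actually uses.

```python
"""Triage domains for impersonation of identity, VPN and IT-support vendors.

Added example, not from the ReliaQuest report. All lists and sample domains are
constructed for illustration and should be tuned to your own environment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable

# Brands that credential-harvesting domains commonly imitate (assumed list).
VENDORS = {
    "okta": "identity provider",
    "duo": "identity provider",
    "pingidentity": "identity provider",
    "globalprotect": "vpn",
    "anyconnect": "vpn",
    "fortinet": "vpn",
    "servicenow": "it support",
    "zendesk": "it support",
}
# Words that turn a brand name into a plausible login or support portal.
LURES = {"sso", "login", "signin", "auth", "mfa", "vpn", "support",
         "helpdesk", "servicedesk", "verify", "portal", "it"}
# Digit-for-letter substitutions seen in look-alike registrations (assumed map).
HOMOGLYPHS = str.maketrans("01345", "oleas")


@dataclass
class Verdict:
    domain: str
    score: int
    category: str | None
    reasons: list[str] = field(default_factory=list)
    flagged: bool = False


def registrable_labels(domain: str) -> list[str]:
    """Labels left of the public suffix (naive: drops the TLD, and a 'co'/'com'/
    'org'/'net'/'ac' second-level label under a two-letter country TLD)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "com", "org", "net", "ac"}:
        return labels[:-2]
    return labels[:-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(domain: str, extra_brands: Iterable[str] = (), allowlist: Iterable[str] = ()) -> Verdict:
    """Score a domain: +2 exact brand, +2 embedded brand, +3 one-edit typosquat,
    +1 per lure word. Flagged at 3 or more, so a brand alone is not flagged."""
    d = domain.lower().strip(".")
    if d in {a.lower() for a in allowlist}:
        return Verdict(d, 0, None, ["allowlisted"], False)
    brands = dict(VENDORS)
    brands.update({b.lower(): "own organization" for b in extra_brands})
    score, category, reasons = 0, None, []
    for label in registrable_labels(d):
        for raw in (t for t in re.split(r"[-_]+", label) if t):
            tok = raw.translate(HOMOGLYPHS)
            if tok in brands:
                score += 2
                category = category or brands[tok]
                reasons.append(f"brand '{tok}'" + (f" (homoglyph of '{raw}')" if tok != raw else ""))
                continue
            if tok in LURES:
                score += 1
                reasons.append(f"lure '{tok}'")
                continue
            for brand, cat in brands.items():
                if len(brand) < 4:
                    continue  # short names give too many fuzzy false positives
                if brand in tok:
                    score, category = score + 2, category or cat
                    reasons.append(f"brand '{brand}' embedded in '{raw}'")
                    break
                if edit_distance(tok, brand) == 1:
                    score, category = score + 3, category or cat
                    reasons.append(f"'{raw}' is one edit from '{brand}'")
                    break
    return Verdict(d, score, category, reasons, score >= 3)


if __name__ == "__main__":
    # Constructed sample domains; none are real observations.
    for sample in ("okta-sso-verify.com", "login-0kta.net", "oktta-login.com",
                   "globalprotect-portal.com", "acme-helpdesk-support.co.uk",
                   "okta.com", "weather-report.org"):
        v = triage(sample, extra_brands=("acme",), allowlist=("okta.com",))
        print(f"{v.domain:32} flagged={v.flagged!s:5} score={v.score} {v.category or '-'}: {v.reasons}")
```

The scoring is deliberately coarse: a brand name on its own is not flagged (vendors register such names legitimately), and fuzzy matching is limited to names of four characters or more because three-letter brands like "duo" are one edit away from too many ordinary words. In practice you would feed the verdicts into a registration-watch or proxy-block workflow and pass `extra_brands` with your own organization's name, since help-desk lures often target the victim company rather than a vendor.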
In the recent M&S breach, experts found that compromised credentials from IT outsourcing firm Tata Consultancy Services (TCS) were leveraged to gain unauthorized access. TCS also provides services to the Co-op, which was hit by a separate cyber-attack, although a direct link has not been confirmed.
The gang uses a phishing tool called ‘Evilginx’ capable of bypassing multifactor authentication (MFA). Originally created for ethical hacking, Evilginx has been co-opted by cybercriminals to steal login credentials and session cookies. Its latest version, Evilginx 3.0, released in April 2024, has been used in 60% of Scattered Spider’s phishing campaigns targeting tech vendors.
Additionally, ReliaQuest found increasing collaboration between Scattered Spider and ransomware-as-a-service (RaaS) groups such as DragonForce and BlackCat/ALPHV, with the partners targeting managed service providers (MSPs) to exploit their access to multiple clients in a single attack.