Scattered Spider targets data storage systems via IT help desk impersonation

The notorious cybercriminal group known as Scattered Spider is intensifying its operations by targeting enterprise data storage systems after gaining initial access through impersonation of IT help desks, according to an updated advisory issued by cybersecurity agencies in the US, UK, Canada, and Australia.

The joint advisory was updated with the latest data from FBI-led investigations as recent as June 2025, indicating the group’s evolving techniques and expanding scope. Scattered Spider, also tracked as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra, has recently been linked to aggressive campaigns against large companies in the retail, insurance, and airline industries.

The attackers have attempted to locate and access victims’ Snowflake instances; Snowflake is a cloud-based data warehousing platform that holds massive volumes of sensitive corporate data. While Snowflake itself remains secure, the advisory emphasized that customers are responsible for securing their own credentials.

Scattered Spider threat actors employ various social engineering tactics, such as push bombing and SIM swap attacks, to gain unauthorized access to systems. They often impersonate company IT or helpdesk staff through phone calls or SMS to trick employees into revealing credentials, installing remote access tools, or bypassing multi-factor authentication (MFA). The group’s methods include convincing targets to share one-time passwords (OTPs) and guiding them to install commercial remote access software, enabling the attackers to infiltrate networks and systems.

Once inside, the group reportedly uses remote access software such as AnyDesk to sidestep security alerts. The threat actor uses malware to maintain persistence, conduct internal reconnaissance, and ultimately exfiltrate valuable data. In several cases, Scattered Spider was observed deploying the DragonForce ransomware.

“The FBI has identified that Scattered Spider threat actors may exfiltrate data from targeted organization’s systems for extortion and then encrypt data on the system for ransom. After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with targeted organizations via TOR, Tox, email, or encrypted applications,” the advisory noted.

Scattered Spider uses a variety of methods to gain initial access to a targeted organization’s network, including employee or contractor credentials purchased on underground marketplaces such as Russia Market, or the compromise of third-party services that have access to the networks of several potential target organizations.

The advisory follows the arrest of four individuals earlier this month in the UK suspected of being linked to recent Scattered Spider intrusions into major retail chains.
