Socially Savvy Scattered Spider Traps Cloud Admins in Web

The dangerous ransomware group is targeting financial and insurance sectors using smishing and vishing against IT service desk administrators, cybersecurity teams, and other employees with top-level privileges.

One of the worlds most dangerous ransomware groups has been applying its hallmark savvy social engineering to targeted, sophisticated phishing attacks against
financial and insurance companies
, aiming to steal high-level permissions to cloud-based environments to ultimately deliver ransomware.
Scattered Spider has been using SMS and voice phishing — or smishing and vishing, respectively — attacks to target target high-privileged accounts, such as those of IT service desk administrators and cybersecurity teams. Attackers use the stolen credentials to compromise cloud-based services and ultimately gain access to victim environments for ransomware attacks, according to researchers at EclecticIQ.
Scattered Spider frequently uses phone-based social engineering techniques … to deceive and manipulate targets, mainly targeting IT service desks and identity administrators, EclecticIQ Threat Intelligence Analyst Arda Büyükkaya wrote
in a recent analysis
. The actor often impersonates employees to gain trust and access, manipulate MFA settings, and direct victims to fake login portals.
The attacks are so well-crafted that they often prompt unsuspecting identity administrators in charge of cloud infrastructures to enter credentials for VMware Workspace ONE, an application management and identity access policy platform, so attackers can gain unauthorized access even to accounts protected by multifactor authentication (MFA), Büyükkaya said.
Other ways Scattered Spider gains persistent access to cloud enviroments is to purchase stolen credentials, execute SIM swaps, and use cloud-native tools. In fact, the threat group is leveraging legitimate features of cloud infrastructure to carry out its nefarious activities, making their operations increasingly difficult to detect and counter, Büyükkaya noted.
The cybercriminal group abuses legitimate cloud tools such as Azure’s Special Administration Console and Data Factory to remotely execute commands, transfer data, and maintain persistence while avoiding detection, he wrote.
The attacks observed by EclecticIQ targeted cloud-based services like Microsoft Entra ID and Amazon Web Services Elastic Computer Cloud, as well
software as a service (SaaS) platforms
such as Okta, ServiceNow, Zendesk, and VMware Workspace ONE by deploying phishing pages that closely mimic single sign-on (SSO) portals, Büyükkaya wrote. These pages are delivered via socially engineered attacks that appear highly convincing — so much so that they even can fool cloud security engineers.
Scattered Spider, known also by Octo Tempest, made a significant name for itself in the ransomware game rather quickly. The group arrived on the scene in 2022 armed with sophisticated social-engineering techniques, an aptitude for understanding the psychology of Western business minds, and a command of native English — all of which it used as part of its heavy artillery. The group soon became infamous for the massive
ransomware attacks on Caesars Palace and MGM Entertainment
about a year later.
Scattered Spider teamed with BlackCat/Alphv ransomware early on but became a ransomware-as-a-service (RaaS) affilitate of
RansomHub and Qilin
earlier this year, after BlackCat/Alphv unceremoniously
went dark in March
, leaving affiliates in the lurch.
Of late, Scattered Spider has had global law enforcement, including the FBI, hot on its trail, and
UK officials recently arrested
a 17-year-old from the town of Walsall, UK, in July for his connection to the group.
The attacks outlined by EclecticIQ are the result of analysis conducted between 2023 and the second quarter of 2024, so its as yet unclear how active Scattered Spider has been since that arrest. However, the research sheds new light on the complex web of attacks the group is capable of spinning to leverage identity compromise to target cloud environments successfully, the researchers noted.
EclecticIQ developed a specific framework outlining the ransomware deployment life cycle to help defenders thwart attacks by detailing the techniques used by the threat actor to infiltrate, persist, and execute ransomware within cloud environments. The accessibility of the cloud makes it a prime target for financially motivated criminals and has been the secret to success for Scattered Spider and other ransomware actors, according to Büyükkaya.
The company made a sweeping set of recommendations for organizations in terms of prevention, detection, and incident response that relate to but are not limited to: secure authentication; monitoring and alerts; hypervisor cloud resource security; firewall and network security; and other key and varied aspects that comprise an enterprise cloud environment.
Other recommendations made specifically focused on Scattered Spiders tendency to use phishing as its key method for initial access, advising organizations to regularly monitor for
typosquatting domains
. This includes their own organization’s legitimate domains, especially those targeting their own cloud environments.
Proactively secure these domains to prevent phishing attacks and social engineering tactics, Büyükkaya advised.
Dont miss the latest
Dark Reading Confidential podcast
, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs.

Listen now!

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Socially Savvy Scattered Spider Traps Cloud Admins in Web