G1015: Scattered Spider
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [1] [2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. [3] [4] [5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [6]
Analyst context for executives and security teams
Scattered Spider matters because MITRE describes a financially motivated group that turns people, identity workflows, and remote administration into paths into enterprise networks. The supplied ATT&CK description emphasizes help-desk and IT impersonation, MFA bypass, administrator access in Okta, AWS, and Office 365, EDR evasion, and ransomware use. For leaders, this is less a single malware problem than a test of identity governance, help-desk controls, cloud administration, SOC visibility, and incident response speed.
Executive priority
Prioritize this as an identity-led intrusion and resilience scenario. Executives should ask whether help-desk identity proofing, MFA reset/enrollment approvals, privileged access controls, cloud admin logging, and ransomware response plans would hold up under social engineering. Sectors named by MITRE include CRM providers, BPO, telecommunications, technology, gaming, hospitality, retail, MSP, manufacturing, and financial organizations, so third-party and service-provider exposure should also be reviewed where relevant.
Technical view
ATT&CK provides no official detection text for this group, so validation should be relationship-driven. The mapped behavior includes credential access against AD/NTDS and the use of Mimikatz and LaZagne; remote access via RDP, SSH, cloud services, ConnectWise, ngrok, and Tor; PowerShell and Unix shell execution; discovery of systems and permission groups; exfiltration over C2; mailbox-data clearing; exploitation for privilege escalation; and ransomware-related tooling such as BlackCat. SOC teams should test whether identity, endpoint, cloud, mail, network, and remote-administration telemetry can be correlated from a suspicious help-desk/MFA event through privilege escalation, lateral movement, and exfiltration.
Likely telemetry
- Help-desk tickets, MFA reset/enrollment records, identity-proofing approvals, and administrative support workflow logs
- Identity provider authentication logs, MFA challenge outcomes, privileged role changes, and Okta-related administrator activity where applicable
- AWS and Office 365 audit logs, including cloud service logins, administrative actions, mailbox activity, and suspicious export/delete behavior
- Endpoint process, script, driver, and security-control tampering telemetry, especially PowerShell, Unix shell, credential dumping, and vulnerable-driver indicators
- Active Directory domain controller logs, NTDS access indicators, group membership discovery, and privileged account use
Detection direction
- Do not rely on malware signatures alone; validate detections that connect social engineering outcomes to identity changes, new sessions, privilege escalation, and remote access.
- Tune for high-risk help-desk events: MFA resets, device re-enrollment, password resets, account recovery, new admin assignments, and access from unusual networks or support contexts.
- Correlate cloud and on-premises identity activity because ATT&CK notes administrator access in Okta, AWS, and Office 365 and relationships include cloud-services lateral movement.
- Hunt for credential-access and AD targeting patterns, including Mimikatz/LaZagne use, NTDS access, domain group discovery, and unusual domain-controller interaction.
- Validate visibility for legitimate tools used in suspicious ways, including ConnectWise, ngrok, Tor, Rclone, RDP, and SSH; false positives will be common unless baselined by user, host, destination, and business purpose.
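The first two detection points above describe a correlation rather than a signature: a help-desk outcome (MFA reset, password reset, enrollment, recovery) followed within a short window by a new factor, a privileged role assignment, or a session from an unfamiliar network. The script below is an added illustration of that correlation written for this page; it is not Glexia or MITRE code, and the event schema, action names, window and weights are assumptions chosen for the example. The sample events are constructed.

```python
"""Correlate help-desk identity events with follow-on identity changes.

Constructed example: the events, field names and weights below are assumptions
chosen for illustration, not a schema from any product or from ATT&CK.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)   # how long after a help-desk event we keep correlating (assumed)
ALERT_THRESHOLD = 3           # minimum weighted score before a finding is raised (assumed)


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "helpdesk", "idp" or "cloud" (normalised upstream; assumed)
    user: str
    action: str   # normalised action name (assumed)
    detail: str = ""


# Help-desk outcomes that an impersonator is trying to obtain.
HELPDESK_TRIGGERS = {"mfa_reset", "password_reset", "device_enrollment", "account_recovery"}

# Weighted follow-on signals observed after such an outcome.
FOLLOW_ON_WEIGHTS = {
    "mfa_enrolled": 2,               # a new factor registered on the account
    "role_assigned": 3,              # new privileged role in the IdP or a cloud console
    "session_unknown_network": 1,    # sign-in from a network not baselined for this user
}


def classify(e: Event):
    """Map a raw event to a weighted follow-on label, or None if it is noise."""
    if e.action == "login" and "network=unknown" in e.detail:
        return "session_unknown_network"
    if e.action in FOLLOW_ON_WEIGHTS:
        return e.action
    return None


@dataclass
class Finding:
    user: str
    trigger: Event
    score: int
    reasons: list = field(default_factory=list)


def correlate(events):
    """Group events per user, then score what happens within WINDOW of each trigger."""
    by_user = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for i, trig in enumerate(evs):
            if trig.source != "helpdesk" or trig.action not in HELPDESK_TRIGGERS:
                continue
            score, reasons = 0, []
            for f in evs[i + 1:]:
                if f.ts - trig.ts > WINDOW:
                    break          # events are sorted, so nothing later can qualify
                label = classify(f)
                if label:
                    score += FOLLOW_ON_WEIGHTS[label]
                    reasons.append(f"{f.ts:%H:%M} {f.source} {label} {f.detail}".strip())
            if score >= ALERT_THRESHOLD:
                findings.append(Finding(user, trig, score, reasons))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Event(datetime(2025, 1, 10, 9, 2), "helpdesk", "alice", "mfa_reset", "ticket=HD-100 proof=callback"),
    Event(datetime(2025, 1, 10, 9, 20), "idp", "alice", "mfa_enrolled", "device=new-phone"),
    Event(datetime(2025, 1, 10, 9, 31), "idp", "alice", "login", "network=unknown-asn"),
    Event(datetime(2025, 1, 10, 10, 5), "cloud", "alice", "role_assigned", "role=GlobalAdministrator"),
    Event(datetime(2025, 1, 10, 11, 0), "helpdesk", "bob", "password_reset", "ticket=HD-101 proof=in-person"),
    Event(datetime(2025, 1, 10, 11, 30), "idp", "bob", "login", "network=corp-office"),
    Event(datetime(2025, 1, 11, 8, 0), "idp", "carol", "login", "network=unknown-asn"),
]

if __name__ == "__main__":
    for fnd in correlate(SAMPLE_EVENTS):
        print(f"{fnd.user}: score={fnd.score} trigger={fnd.trigger.action} {fnd.trigger.detail}")
        for r in fnd.reasons:
            print("   ", r)
```

Run against the constructed events, only alice produces a finding (reset, new factor, unknown-network session and a privileged role inside the window); bob's reset followed by a sign-in from the corporate network scores nothing, and carol's unfamiliar-network login has no help-desk trigger to attach to. The weights are the tuning knob: a role assignment alone crosses the threshold because that is the outcome the group is after, while a single unfamiliar-network login does not.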
Mitigation priorities
- Strengthen help-desk and IT support identity-proofing before account recovery, MFA reset, device enrollment, or privileged access changes are approved.
- Reduce standing privilege across identity providers, cloud consoles, Office 365, AD, and remote administration tools; require strong approval and logging for administrative actions.
- Harden MFA processes against social engineering by controlling enrollment, reset, and recovery paths, not only user login prompts.
- Restrict and monitor remote administration, tunneling, and file synchronization tools; maintain an allowlist or documented business justification where feasible.
- Protect credential stores and domain controllers, limit access to NTDS-related artifacts, and monitor privileged group membership changes.
Analyst notes and limits
This take is based on ATT&CK v19.1 object G1015 and its supplied relationships. The object names multiple aliases: Scattered Spider, Roasted 0ktapus, Octo Tempest, Storm-0875, and UNC3944. Relationship context includes campaign C0027 targeting telecommunications and BPO companies in 2022 and a broad set of tools and techniques spanning identity, endpoint, cloud, remote access, discovery, credential access, exfiltration, and ransomware-related activity.
MITRE does not provide an official detection section or explicit platform list for the intrusion-set object itself. Platform and telemetry guidance here is inferred only from the supplied technique/software relationships and official description. Local control validation, sector exposure, and evidence of activity require environment-specific logs and incident data.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1598 | Phishing for Information | Scattered Spider has used a combination of credential phishing and social engineering to capture one-time-password (OTP) codes. (Citation: CrowdStrike Scattered Spider BYOVD January 2023) |
| Enterprise | T1685 | Disable or Modify Tools | Scattered Spider has uninstalled and disabled security tools. (Citation: Mandiant UNC3944 May 2025) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Scattered Spider has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC. (Citation: CrowdStrike Scattered Spider BYOVD January 2023) |
| Enterprise | T1556.009 | Conditional Access Policies Sub-technique | Scattered Spider has added additional trusted locations to Azure AD conditional access policies. (Citation: MSTIC Octo Tempest Operations October 2023) |
| Enterprise | T1580 | Cloud Infrastructure Discovery | Scattered Spider enumerates cloud environments including Amazon Web Services (AWS) S3 buckets to identify server and backup management infrastructure, resource access, databases and storage containers. (Citation: MSTIC Octo Tempest Operations October 2023) (Citation: Mandiant UNC3944 May 2025) (Citation: CrowdStrike Scattered Spider JUL 2025) |
| Enterprise | T1105 | Ingress Tool Transfer | Scattered Spider has downloaded the Teleport remote access tool to compromised VMware vCenter Servers. (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1114.003 | Email Forwarding Rule Sub-technique | Scattered Spider has redirected emails notifying users of suspicious account activity. (Citation: CrowdStrike Scattered Spider JUL 2025) |
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | Scattered Spider has used domains mirroring corporate login portals to socially engineer victims into providing credentials. (Citation: Check Point Scattered Spider JUL 2025) |
| Enterprise | T1078 | Valid Accounts | Scattered Spider has used compromised credentials for initial access. (Citation: Mandiant UNC3944 May 2025) (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1003.003 | NTDS Sub-technique | Scattered Spider has extracted the `NTDS.dit` file by creating volume shadow copies of virtual domain controller disks. (Citation: MSTIC Octo Tempest Operations October 2023) (Citation: CrowdStrike Scattered Spider JUL 2025) (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Scattered Spider has exfiltrated data from compromised VMware vCenter servers through an established C2 channel using the Teleport remote access tool. (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1087.002 | Domain Account Sub-technique | Scattered Spider has enumerated legitimate domain accounts which are used in the targeted environment. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: MSTIC Octo Tempest Operations October 2023) (Citation: CrowdStrike Scattered Spider JUL 2025) (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1484.002 | Trust Modification Sub-technique | Scattered Spider adds a federated identity provider to the victim's SSO tenant and activates automatic account linking. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1087 | Account Discovery | Scattered Spider has identified vSphere administrator accounts. (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1564.008 | Email Hiding Rules Sub-technique | Scattered Spider creates inbound rules on the compromised email accounts of security personnel to automatically delete emails from vendor security products. (Citation: MSTIC Octo Tempest Operations October 2023) |
| Enterprise | T1585.001 | Social Media Accounts Sub-technique | Scattered Spider has created matching fake social media profiles to support new accounts created in victim environments. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1539 | Steal Web Session Cookie | Scattered Spider retrieves browser cookies via Raccoon Stealer. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1588.002 | Tool Sub-technique | Scattered Spider has obtained tools for use throughout the attack lifecycle to include remote access software, protocol tunneling and proxy tools, exploitation frameworks, and reconnaissance tools. (Citation: Mandiant UNC3944 May 2025) (Citation: CrowdStrike Scattered Spider JUL 2025) (Citation: Check Point Scattered Spider JUL 2025) (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1552.004 | Private Keys Sub-technique | Scattered Spider enumerates and exfiltrates code-signing certificates from a compromised host. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1589 | Gather Victim Identity Information | Scattered Spider has used information from previous data breaches to identify employee names to be used in social engineering. (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1538 | Cloud Service Dashboard | Scattered Spider abused AWS Systems Manager Inventory to identify targets on the compromised network prior to lateral movement. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1486 | Data Encrypted for Impact | Scattered Spider has used BlackCat and DragonForce ransomware to encrypt files including on VMware ESXi servers. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: MSTIC Octo Tempest Operations October 2023) (Citation: CrowdStrike Scattered Spider JUL 2025) (Citation: Mandiant VMware vSphere JUL 2025) (Citation: Check Point Scattered Spider JUL 2025) |
| Enterprise | T1059.004 | Unix Shell Sub-technique | Scattered Spider has used the command shell to upload and install the Teleport remote access tool to a compromised vCenter Server Appliance. (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1133 | External Remote Services | Scattered Spider has leveraged legitimate remote management tools to maintain persistent access. (Citation: CrowdStrike Scattered Spider BYOVD January 2023) |
| Enterprise | T1021.004 | SSH Sub-technique | Scattered Spider has used SSH to move laterally in victim environments and to access the vSphere vCenter Server GUI. (Citation: Mandiant UNC3944 May 2025) (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1204 | User Execution | Scattered Spider has impersonated organization IT and helpdesk staff to instruct victims to execute commercial remote access tools to gain initial access. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1556.006 | Multi-Factor Authentication Sub-technique | After compromising user accounts, Scattered Spider registers their own MFA tokens. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1684.001 | Impersonation Sub-technique | Scattered Spider utilized social engineering to compel IT help desk personnel to reset passwords and MFA tokens. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: MSTIC Octo Tempest Operations October 2023) Scattered Spider has also used Microsoft Teams to pose as internal IT support or help desk personnel. (Citation: Mandiant UNC3944 May 2025) |
| Enterprise | T1583.001 | Domains Sub-technique | Scattered Spider has registered domains to spoof legitimate corporate login portals. (Citation: Check Point Scattered Spider JUL 2025) |
| Enterprise | T1016 | System Network Configuration Discovery | Scattered Spider has used network reconnaissance commands for discovery including `ping` and `nltest`. (Citation: Mandiant UNC3944 May 2025) |
| Enterprise | T1083 | File and Directory Discovery | Scattered Spider enumerates a target organization for files and directories of interest, including source code, user provisioning, MFA device registration, network diagrams, and shared credentials in documents or spreadsheets. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: MSTIC Octo Tempest Operations October 2023) (Citation: Mandiant UNC3944 May 2025) (Citation: CrowdStrike Scattered Spider JUL 2025) (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1543.002 | Systemd Service Sub-technique | Scattered Spider has run `SYSTEMD_UNIT_PATH="/lib/systemd/system/teleport.service` to establish persistence for the Teleport remote access tool. (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1219.002 | Remote Desktop Software Sub-technique | In addition to directing victims to run remote software, Scattered Spider members themselves also deploy RMM software including TeamViewer, AnyDesk, LogMeIn, ngrok, and ConnectWise to establish persistence on the compromised network. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: Trellix Scattered Spider MO August 2023) (Citation: Mandiant UNC3944 May 2025) (Citation: CrowdStrike Scattered Spider JUL 2025) (Citation: Check Point Scattered Spider JUL 2025) |
| Enterprise | T1657 | Financial Theft | Scattered Spider has deployed ransomware on compromised hosts and threatened to leak stolen data for financial gain. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: Trellix Scattered Spider MO August 2023) (Citation: CrowdStrike Scattered Spider JUL 2025) |
| Enterprise | T1213.003 | Code Repositories Sub-technique | Scattered Spider enumerates data stored within victim code repositories, such as internal GitHub repositories. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: MSTIC Octo Tempest Operations October 2023) |
| Enterprise | T1098.003 | Additional Cloud Roles Sub-technique | Scattered Spider has assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure. (Citation: MSTIC Octo Tempest Operations October 2023) |
| Enterprise | T1069 | Permission Groups Discovery | Scattered Spider has enumerated the vSphere Admins and ESX Admins groups in targeted environments. (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1621 | Multi-Factor Authentication Request Generation | Scattered Spider has used multifactor authentication (MFA) fatigue by sending repeated MFA authentication requests to targets. (Citation: CrowdStrike Scattered Spider BYOVD January 2023) (Citation: Check Point Scattered Spider JUL 2025) |
| Enterprise | T1082 | System Information Discovery | Scattered Spider has executed scripts to identify the underlying operating system to ensure it uses the correct installation package for malicious payloads. (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Scattered Spider has used RDP to enable lateral movement. (Citation: Mandiant UNC3944 May 2025) |
| Enterprise | T1098 | Account Manipulation | Scattered Spider has added accounts to the ESX Admins group to grant them full admin rights in vSphere. (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1213.005 | Messaging Applications Sub-technique | Scattered Spider threat actors search the victim's Slack and Microsoft Teams for conversations about the intrusion and incident response. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Scattered Spider has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys). (Citation: CrowdStrike Scattered Spider BYOVD January 2023) |
| Enterprise | T1090 | Proxy | Scattered Spider has used proxy networks to hamper detection and has installed legitimate proxy tools on VMware vCenter and adversary-controlled VMs. (Citation: CrowdStrike Scattered Spider JUL 2025) (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1530 | Data from Cloud Storage | Scattered Spider enumerates data stored in cloud resources for collection and exfiltration purposes. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1217 | Browser Information Discovery | Scattered Spider retrieves browser histories via infostealer malware such as Raccoon Stealer. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1006 | Direct Volume Access | Scattered Spider has created volume shadow copies of virtual domain controller disks to extract the `NTDS.dit` file. (Citation: MSTIC Octo Tempest Operations October 2023) |
| Enterprise | T1136 | Create Account | Scattered Spider creates new user identities within the compromised organization. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1490 | Inhibit System Recovery | Scattered Spider has stopped the Volume Shadow Copy service on compromised hosts. (Citation: Mandiant UNC3944 May 2025) |
| Enterprise | T1018 | Remote System Discovery | Scattered Spider can enumerate remote systems, such as VMware vCenter infrastructure. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | Scattered Spider has enumerated Active Directory security groups including through the use of ADExplorer, ADRecon.ps1, and Get-ADUser. (Citation: CrowdStrike Scattered Spider JUL 2025) (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Scattered Spider has used the PowerShell cmdlet Get-ADUser. (Citation: CrowdStrike Scattered Spider JUL 2025) |
| Enterprise | T1555.005 | Password Managers Sub-technique | Scattered Spider has searched for credentials in password vaults and Privileged Access Management (PAM) solutions including HashiCorp Vault. (Citation: Mandiant UNC3944 May 2025) (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | Scattered Spider has exfiltrated victim data to the MEGA file sharing site, SnowFlake, and AWS S3 buckets. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: MSTIC Octo Tempest Operations October 2023) (Citation: CrowdStrike Scattered Spider JUL 2025) |
| Enterprise | T1598.004 | Spearphishing Voice Sub-technique | Scattered Spider has used help desk voice-based phishing and also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits. (Citation: MSTIC Octo Tempest Operations October 2023) (Citation: CrowdStrike Scattered Spider JUL 2025) (Citation: Mandiant VMware vSphere JUL 2025) |
| Enterprise | T1074 | Data Staged | Scattered Spider stages data in a centralized database prior to exfiltration. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | Scattered Spider has used compromised Microsoft Entra ID accounts to pivot in victim environments. (Citation: CrowdStrike Scattered Spider JUL 2025) |
| Enterprise | T1070.008 | Clear Mailbox Data Sub-technique | Scattered Spider has manually deleted emails notifying users of suspicious account activity. (Citation: CrowdStrike Scattered Spider JUL 2025) |
| Enterprise | T1021.007 | Cloud Services Sub-technique | Scattered Spider has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1572 | Protocol Tunneling | Scattered Spider has installed protocol-tunneling tools on VMware vCenter and adversary-controlled VMs, including Teleport.sh, Chisel (configured to communicate with trycloudflare[.]com subdomains), MobaXterm, ngrok, Pinggy, and Teleport. (Citation: CrowdStrike Scattered Spider JUL 2025) (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1578.002 | Create Cloud Instance Sub-technique | Scattered Spider has created Amazon EC2 instances within the victim's environment. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | Scattered Spider searches for credential storage documentation on a compromised host. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: Mandiant UNC3944 May 2025) (Citation: CrowdStrike Scattered Spider JUL 2025) |
| Enterprise | T1114 | Email Collection | Scattered Spider searched the victim's Microsoft Exchange for emails about the intrusion and incident response. (Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1588.001 | Malware Sub-technique | Scattered Spider has obtained malware to use at multiple stages of operations including information stealers, remote access tools, and ransomware. (Citation: Mandiant UNC3944 May 2025) (Citation: Check Point Scattered Spider JUL 2025) |
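Three rows in the table concern the victim's own mailboxes: inbox rules that auto-delete vendor security emails (T1564.008), rules that redirect account-activity notifications (T1114.003), and manual deletion of those notifications (T1070.008). The common defensive check is to audit inbox-rule creation events for rules that delete or divert mail whose sender or subject looks like a security notification. The script below is an added example of that audit written for this page; it is not MITRE or Glexia code. The records are constructed and only loosely shaped like Exchange Online audit entries for `New-InboxRule`; the field names, the tenant domain `example.test` and the keyword list are assumptions for illustration.

```python
"""Audit mailbox inbox-rule events for rules that hide or divert security notifications.

Constructed example: the records below are shaped loosely like Exchange Online
audit entries for New-InboxRule, but the field names, tenant domain and terms
are assumptions for illustration, not a product schema or an ATT&CK detection.
"""
import json

INTERNAL_DOMAIN = "example.test"      # constructed tenant domain (assumed)
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")
DIVERT_ACTIONS = ("DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FORWARD_ACTIONS = DIVERT_ACTIONS[1:]
FILTER_FIELDS = ("From", "SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
# Words that security-product and account-activity notifications tend to carry (assumed list).
SECURITY_TERMS = ("security", "alert", "suspicious", "sign-in", "unusual", "mfa", "edr")


def params_of(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def assess_rule(raw_json):
    """Return a finding dict for a risky rule, or None for benign or irrelevant records."""
    record = json.loads(raw_json)
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = params_of(record)
    actions = [a for a in DIVERT_ACTIONS if p.get(a, "").lower() not in ("", "false")]
    if not actions:
        return None                      # rule neither deletes nor diverts mail
    filters = " ".join(p.get(f, "") for f in FILTER_FIELDS).lower()
    term_hits = [t for t in SECURITY_TERMS if t in filters]
    external = [a for a in FORWARD_ACTIONS
                if a in actions and not p[a].lower().endswith("@" + INTERNAL_DOMAIN)]
    reasons = []
    if "DeleteMessage" in actions:
        reasons.append("rule deletes matching messages")
    if external:
        reasons.append("rule forwards mail outside " + INTERNAL_DOMAIN)
    if term_hits:
        reasons.append("filter targets security/account notifications: " + ", ".join(term_hits))
    if len(p.get("Name", "").strip(". ")) == 0:
        reasons.append("rule name is empty or punctuation only")
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "client_ip": record.get("ClientIP"),
        "actions": actions,
        "term_hits": term_hits,
        "external_forward": external,
        "severity": "high" if (term_hits or external) else "medium",
        "reasons": reasons,
    }


def audit(records):
    """Assess every record and keep only the findings."""
    return [f for f in (assess_rule(r) for r in records) if f]


# Constructed audit records (not real log data).
SAMPLE_RECORDS = [
    json.dumps({
        "CreationTime": "2025-01-10T09:40:00", "Operation": "New-InboxRule",
        "UserId": "secops@example.test", "ClientIP": "203.0.113.10",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectOrBodyContainsWords", "Value": "suspicious sign-in;security alert"},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
    json.dumps({
        "CreationTime": "2025-01-10T10:02:00", "Operation": "New-InboxRule",
        "UserId": "alice@example.test", "ClientIP": "203.0.113.10",
        "Parameters": [
            {"Name": "Name", "Value": "sync"},
            {"Name": "From", "Value": "noreply@vendor-edr.example.test"},
            {"Name": "ForwardTo", "Value": "personal-mailbox@example.org"},
        ],
    }),
    json.dumps({
        "CreationTime": "2025-01-10T11:15:00", "Operation": "New-InboxRule",
        "UserId": "bob@example.test", "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@example.test"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    }),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['time']} {f['user']} from {f['client_ip']}: " + "; ".join(f["reasons"]))
```

On the constructed records the first two rules are flagged high: one silently deletes messages about suspicious sign-ins and security alerts under a one-character rule name, the other forwards a security vendor's mail to an address outside the tenant. The newsletter rule is dropped before any keyword matching because it neither deletes nor diverts. In production the keyword list and the external-domain check are the two pieces that need local tuning; the client IP is kept in the finding so it can be joined to the identity correlation described in the detection section.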
Groups, software, and campaigns
S0670: WarzoneRAT
WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[1][2]
S1040: Rclone
S0349: LaZagne
S0183: Tor
Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [1]
S0002: Mimikatz
S1148: Raccoon Stealer
Raccoon Stealer is an information stealer malware family active since at least 2019 as a malware-as-a-service offering sold in underground forums. Raccoon Stealer has experienced two periods of activity across two variants, from 2019 to March 2022, then resurfacing in a revised version in June 2022.[1][2]
S0508: ngrok
S1068: BlackCat
BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[1][2][3]
S0591: ConnectWise
ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[1][2]
C0027: C0027
C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | cc4c91bf47cc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CrowdStrike Scattered Spider Profile. CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.
[2] MSTIC Octo Tempest Operations October 2023. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
[3] CISA Scattered Spider Advisory November 2023. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
[4] CrowdStrike Scattered Spider BYOVD January 2023. CrowdStrike. (2023, January 10). SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023.
[5] Crowdstrike TELCO BPO Campaign December 2022. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
[6] Mandiant UNC3944 May 2025. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.
[7] Mandiant VMware vSphere JUL 2025. Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Retrieved October 13, 2025.
[8] Microsoft Threat Actor Naming July 2023. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[9] Octo Tempest (Citation: Microsoft Threat Actor Naming July 2023)
[10] Roasted 0ktapus (Citation: CrowdStrike Scattered Spider BYOVD January 2023)
[11] Storm-0875 (Citation: Microsoft Threat Actor Naming July 2023)
[12] UNC3944 (Citation: Mandiant UNC3944 May 2025) (Citation: Mandiant VMware vSphere JUL 2025)
[13] mitre-attack G1015
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.