Scattered Spider weaves web of social-engineered destruction | CyberScoop<\/title> <meta name=\"description\" content=\"The cybercrime ring has infiltrated more than 100 businesses since 2022, including more than a dozen since it regrouped earlier this year.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/scattered-spider-social-engineering-cybercrime\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Scattered Spider weaves web of social-engineered destruction\"> <meta property=\"og:description\" content=\"The cybercrime ring has infiltrated more than 100 businesses since 2022, including more than a dozen since it regrouped earlier this year.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/scattered-spider-social-engineering-cybercrime\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-07-07T17:45:58+00:00\"> <meta property=\"article:modified_time\" content=\"2025-07-07T17:46:00+00:00\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-2.jpg\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1746040294g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1750115417g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1748220166g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/85081\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=85081\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fscattered-spider-social-engineering-cybercrime%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fscattered-spider-social-engineering-cybercrime%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-85081 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/scattered-spider-social-engineering-cybercrime\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.9180327868852\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.0036900369\">\n<div class=\"single-article__header-content\" readability=\"35.107416879795\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/scattered-spider-social-engineering-cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> The cybercrime ring has infiltrated more than 100 businesses since 2022, including more than a dozen since it regrouped earlier this year. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/85081\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Leucauge venusta, known as the orchard orbweaver spider, resting in the center of her web in Charleston, South Carolina.\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-2.jpg 5884w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-2.jpg?resize=1012,675 1012w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-2.jpg?resize=1264,843 1264w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> Leucauge venusta, known as the orchard orbweaver spider, resting in the center of her web in Charleston, South Carolina. (Daniela Duncan\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"124.87588152327\"><body readability=\"253.26300119095\"><\/p>\n<p>In an underworld fueled by infamy and money that leaves a trail of human misery in its wake, the unbound collective colloquially known as Scattered Spider deviates from many norms in cybercrime.<\/p>\n<p>The cunning threat group composed of young, native English-speaking people lacks cohesion, is rife with infighting and doesn\u2019t have a data leak site, which many financially motivated cybercriminals use to claim responsibility for alleged victims and ramp up pressure to pay extortion demands. <\/p>\n<p>Scattered Spider\u2019s preferred methods of intrusion \u2014 social engineering and phishing \u2014 makes it difficult for most threat hunters to attribute attacks to the collective with confidence. The cybercrime outfit doesn\u2019t leave the types of fingerprints behind that researchers typically track, and as a result there\u2019s considerable discrepancies and uncertainty across the industry with respect to what Scattered Spider is, how it determines targets and which companies it has attacked.<\/p>\n<p>As Scattered Spider has risen the ranks of cybercrime \u2014 most recently suspected of attacking Marks & Spencer in the United Kingdom, <a href=\"https:\/\/cyberscoop.com\/united-natural-foods-whole-foods-distributor-cyberattack\/\">United Natural Foods<\/a>, WestJet and <a href=\"https:\/\/cyberscoop.com\/scattered-spider-aviation-hawaiian-airlines-cyberattack\/\">Hawaiian Airlines<\/a> \u2014 researchers have been mapping clues about the organization and how it operates.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Following a brief hiatus starting last summer, Scattered Spider regrouped earlier this year and has hit dozens of companies in the retail, insurance and aviation industries. The group first gained notoriety for attacks on <a href=\"https:\/\/cyberscoop.com\/las-vegas-mgm-caesars-cyber-attack\/\">MGM Resorts and Caesars Entertainment<\/a> in 2023.<\/p>\n<p>Scattered Spider has infiltrated more than 100 businesses since 2022, hitting organizations in hospitality and gaming, manufacturing, technology and cloud services, telecommunications, retail, manufacturing, food production, insurance and financial services, media, apparel, business process outsourcing, health care, transportation and aviation, according to researchers.<\/p>\n<p>The group\u2019s total take on extortion demands exceeds $66 million, the cybersecurity firm Halcyon told CyberScoop, but it\u2019s likely collected much more. \u201cI\u2019ve had clients pay them eight figures,\u201d said Charles Carmakal, chief technology officer at Mandiant Consulting, which tracks the group as UNC3944.<\/p>\n<p>Scattered Spider doesn\u2019t always encrypt data or systems, but when it does the group has used multiple ransomware variants, including Akira, AlphV, Play, Qilin, RansomHub and most recently DragonForce, researchers said.<\/p>\n<p>Cynthia Kaiser, senior vice president of Halcyon\u2019s ransomware research center, describes Scattered Spider as a \u201cdecentralized but tightly aligned group\u201d with a clear division of roles and responsibilities. This includes a small band of two to four senior operators and leaders who function as project managers, coordinating with initial access brokers, ransomware affiliates and negotiators.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cMeanwhile, you have newcomers and junior affiliates, and they\u2019re conducting all those lower-tier operations to prove themselves, trying to test detection thresholds,\u201d said <a href=\"https:\/\/cyberscoop.com\/cynthia-kaiser-fbi-halcyon-ransomware\/\">Kaiser<\/a>, former deputy assistant director of the FBI\u2019s cyber policy, intelligence and engagement branch. <\/p>\n<p>Researchers wobble on the number of people involved with Scattered Spider because of this tiered structure. The inner circle is tight, followed by dozens of others and then a larger pool of people who filter in and out of the group to facilitate operations, incident response specialists told CyberScoop.<\/p>\n<p>Scattered Spider is an offshoot of <a href=\"https:\/\/cyberscoop.com\/the-com-subculture-infamy-crimes\/\">The Com<\/a>, a much larger grassroots network of more than 1,000 people responsible for a vast catalog of crimes, including social engineering, crypto theft, phishing, SIM swapping, extortion, sextortion, swatting, kidnapping and murder. <\/p>\n<p>While the volume and intensity of attacks linked to Scattered Spider following its resurgence might appear extraordinary, the group\u2019s tempo of activity was much higher in previous years, according to Carmakal. <\/p>\n<p>Many Scattered Spider victims have disclosed attacks over the years, but they were never formally attributed to the cybercrime collective. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cIt is notable again because we are paying more attention to this group,\u201d Carmakal said. \u201cNow we talk about them and people care about them because they\u2019ve seen the kinetic outcomes of their cyberattacks. That\u2019s the difference.\u201d<\/p>\n<h5 class=\"wp-block-heading\" id=\"h-social-engineering-the-help-desk\"><strong>Social engineering the help desk<\/strong><\/h5>\n<p>Another change involves the group\u2019s tactics. While Scattered Spider\u2019s early hits in 2022 and 2023 were the result of social-engineering attacks, the group transitioned to domain-based phishing through much of 2024 before activity went dormant last summer. The group\u2019s revival this year marks a throwback in tactics, as it has relied exclusively once again on social engineering as an initial access vector.<\/p>\n<p>\u201cCome March, when they basically abandoned all their phishing pages, they threw out all of the playbooks they\u2019ve been using and they went back to their very original playbooks,\u201d said Zach Edwards, threat researcher at Silent Push.<\/p>\n<p>Scattered Spider has mostly intruded companies\u2019 networks over the past few months by socially engineering help-desk employees. This includes requests for password resets, removing phone numbers from multifactor authentication solutions to enroll new devices, or adding a phone number to an account to issue a self-service password reset. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cOnce Scattered Spider calls the help desk and gets on the phone with them, there\u2019s a clock ticking, and the help desk has only so much time to close that ticket in order to hit their metrics,\u201d said Adam Meyers, senior video president of counter adversary operations at CrowdStrike. <\/p>\n<p>\u201cThey\u2019re taking advantage of the fact that these help desks validate the authenticity of the person simply by checking whatever the criteria is that they\u2019ve been given,\u201d he said.<\/p>\n<p>These callers have been very successful without much effort, according to Chris Yule, director of threat research at Sophos Counter Threat Unit. \u201cIn some cases, if not many cases, they are not getting very much pushback at all or any resistance they\u2019re having to overcome.\u201d<\/p>\n<p>There\u2019s a debate among threat researchers about the extent to which Scattered Spider is purposely targeting single industries before pivoting to new sectors, or merely going after help-desk outsourcing firms, which happen to have a lot of customers in a specific vertical.<\/p>\n<p>Researchers at Halcyon said recent attacks against U.K. retailers and U.S.-based insurance companies likely originated, at least in part, from <a href=\"https:\/\/www.halcyon.ai\/blog\/scattered-spider-and-other-criminal-compromise-of-outsourcing-providers-increases-victim-attacks\">Scattered Spider\u2019s compromise of business process outsourcing providers<\/a>. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Carmakal doesn\u2019t think Scattered Spider is methodically targeting outsourced IT help desks in particular and cautioned people against concluding that any particular help-desk provider is the source of a compromise.<\/p>\n<h5 class=\"wp-block-heading\" id=\"h-mandiant-defines-patterns-of-attribution\"><strong>Mandiant defines patterns of attribution<\/strong><\/h5>\n<p>Mandiant, which has provided incident response services to many Scattered Spider victims, has repeatedly offered early warnings of patterns of attacks in a given industry, including a shift to U.S.-based retailers, and more recently the <a href=\"https:\/\/cyberscoop.com\/scattered-spider-pivot-insurance-industry\/\">insurance industry<\/a> and North American airlines. Each of those ominous warnings were proven out days or weeks later as attack sprees came to light across those sectors.<\/p>\n<p>When Mandiant says Scattered Spider is targeting a specific sector, from an investigative perspective, the attacks follow the same attacker playbook. \u201cIt\u2019s how they\u2019re getting access to credentials. It\u2019s what they\u2019re doing immediately when they have credentials. It\u2019s how they\u2019re using credentials on domain controllers in a very unique way. It\u2019s the tooling that they\u2019re using. It\u2019s the re-use of the infrastructure,\u201d Carmakal said. <\/p>\n<p>\u201cThere\u2019s a lot of patterns that allow us to predict what they\u2019re going to do over the next few days and weeks, and those patterns and predictability could change at any point in time. They\u2019re a very capable group,\u201d he continued. \u201cI see patterns in the totality of the incident. It can\u2019t just be a pattern in the social engineering and the telephone call.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Scattered Spider isn\u2019t the only cybercrime ring using social engineering or attacking organizations in sectors known to be targeted by the group. Yet, Scattered Spider often gets unsubstantiated credit for activities beyond its purview.<\/p>\n<p>Other threat groups such as <a href=\"https:\/\/cyberscoop.com\/google-unc6040-salesforce-attacks\/\">UNC6040<\/a>, which is also affiliated with the Com, have attacked companies in the same sectors via social engineering. Google Threat Intelligence Group attributed at least 20 intrusions to UNC6040 as of last month. <\/p>\n<p>\u201cActivity involving a social engineering of the help desk might look and feel like Scattered Spider,\u201d but some industry observers are prematurely drawing attribution conclusions, Carmakal said.<\/p>\n<h5 class=\"wp-block-heading\" id=\"h-web-of-destruction-drifts-in-the-wind\"><strong>Web of destruction drifts in the wind<\/strong><\/h5>\n<p>Scattered Spider\u2019s web of destruction persists and continues to catch more victims because its techniques and specialization in targeting the cloud and identity works across all sectors. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThey\u2019re targeting the weakest link in the security chain, which is the human,\u201d Meyers said. \u201cThey\u2019re very fast and, once they gain access, you have oftentimes well under 48, even 24, hours to find them and eradicate them from your infrastructure before they\u2019re able to run an encryption. So, speed is a killer.<\/p>\n<p>\u201cUnless somebody takes them off the field, they\u2019re gonna keep doing what they\u2019re doing,\u201d he added. \u201cThere\u2019s no reason not to.\u201d<\/p>\n<p>Edwards noted that social engineering attacks have been successful since the dawn of the telephone. \u201cVoice as confirmation is a fabulous way to get around security, where if you know the little keyphrases to use \u2014 the slang, the lingo \u2014 it\u2019s voice of trust,\u201d he said.<\/p>\n<p>\u201cIf you call, you know the right things to say, you know what they\u2019re going to ask, and you have answers ready,\u201d Edwards added. \u201cIt\u2019s an incredibly effective way to basically gain trust from someone and then get them to do something they normally wouldn\u2019t do.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.25\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/scattered-spider-weaves-web-of-social-engineered-destruction-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/scattered-spider-social-engineering-cybercrime\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Scattered Spider weaves web of social-engineered destruction | CyberScoop Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[413,2350,282,78,3729,281,684,646,46,953,4534,2927,984,288,954],"tags":[415,2354,286,86,3731,285,689,650,54,958,4535,2928,986,294,959],"class_list":["post-7781","post","type-post","status-publish","format-standard","hentry","category-critical-infrastructure","category-crowdstrike","category-cybercrime","category-cybersecurity","category-google-threat-intelligence-group","category-hacking","category-halcyon","category-mandiant","category-ransomware","category-scattered-spider","category-silent-push","category-sophos","category-the-com","category-threats","category-unc3944","tag-critical-infrastructure","tag-crowdstrike","tag-cybercrime","tag-cybersecurity","tag-google-threat-intelligence-group","tag-hacking","tag-halcyon","tag-mandiant","tag-ransomware","tag-scattered-spider","tag-silent-push","tag-sophos","tag-the-com","tag-threats","tag-unc3944"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/critical-infrastructure\/\" rel=\"category tag\">critical infrastructure<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/crowdstrike\/\" rel=\"category tag\">CrowdStrike<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google-threat-intelligence-group\/\" rel=\"category tag\">Google Threat Intelligence Group<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/halcyon\/\" rel=\"category tag\">Halcyon<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mandiant\/\" rel=\"category tag\">Mandiant<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/scattered-spider\/\" rel=\"category tag\">Scattered Spider<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/silent-push\/\" rel=\"category tag\">Silent Push<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sophos\/\" rel=\"category tag\">Sophos<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/the-com\/\" rel=\"category tag\">The Com<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unc3944\/\" rel=\"category tag\">UNC3944<\/a>","tag_info":"UNC3944","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7781","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7781"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7781\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7781,"date":"2025-07-07T12:45:58","date_gmt":"2025-07-07T17:45:58","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=85081"},"modified":"2025-07-07T12:45:58","modified_gmt":"2025-07-07T17:45:58","slug":"scattered-spider-weaves-web-of-social-engineered-destruction","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/07\/07\/scattered-spider-weaves-web-of-social-engineered-destruction\/","title":{"rendered":"Scattered Spider weaves web of social-engineered destruction"},"content":{"rendered":"