White Paper

Threat Actor Report – Scattered Spider (UNC3944)

August 5, 2025
Omega Threat Intelligence

Infrastructure Tradecraft

Scattered Spider (UNC3944) demonstrates an exceptionally agile and deceptive infrastructure strategy that supports its broader social engineering operations. Unlike malware-centric threat actors, this group prioritizes infrastructure that facilitates identity deception, MFA manipulation, and short-lived credential phishing. Their domain choices and hosting behaviors reveal a highly tailored, iterative approach to targeting and evasion.

Keyword Analysis of Domain Infrastructure

Analysis of confirmed Scattered Spider campaigns reveals consistent use of key terms within attacker-registered domains. These terms are chosen to simulate internal IT resources and trusted access platforms. High-frequency keywords include:

"internal," "connect," "duo," "vpn," "helpdesk," "servicenow," "corp," "schedule," "okta," "servicedesk," "rsa," "info," "support," "mfa," "sso," "help," and "service."

These keywords are typically embedded into attacker-controlled infrastructure via:

  • Hyphenated impersonation domains, e.g. sso-company[.]com
  • Subdomain lookalikes, e.g. sso.c0mpany[.]com
  • Typosquatted combinations, e.g. c0mpanysso[.]com

These domains are leveraged in smishing and vishing campaigns where victims are socially engineered into interacting with credential harvesting portals. The infrastructure closely mimics enterprise SSO or helpdesk services, facilitating high-success phishing operations that bypass email-based filtering controls.

Infrastructure hosting trends

Preferred Autonomous System Numbers (ASNs)

Hosting for malicious infrastructure has been observed across the following ASNs, which appear repeatedly across different campaigns:

  • AS39287 (ABSTRACT, FI)
  • AS13335 (Cloudflare, Inc)
  • AS399486 (VIRTUO, CA)
  • AS14061 (DIGITALOCEAN-ASN, US)
  • AS20473 (AS-CHOOPA, US)

Registrar Preferences

Domain registrations are frequently traced to a handful of recurring registrars, indicating either convenience or specific features leveraged by the threat actor:

  • NiceNIC
  • Hosting Concepts B.V.
  • NameSilo, LLC
  • GoDaddy

These platforms offer easy onboarding, privacy protection, and (in some cases) fast provisioning of new domains, which aligns with the group's use of short-lived infrastructure.

Operational tempo and challenges

Scattered Spider frequently rotates infrastructure, with domains often active for less than seven days. This operational tempo underscores the group's use of agile campaigns and disposable infrastructure to avoid blacklisting and detection.

To maintain visibility into these campaigns, defenders should implement structured and automated hunting methodologies. While traditional IOCs such as IPs and hashes remain relevant, Scattered Spider's heavy reliance on rapid domain generation and impersonation tactics requires defenders to pivot toward behavioral patterns, keyword matching, and short-window detection logic. Defenders who rely solely on passive detection or threat feeds may miss the infrastructure before it disappears.
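The hunting approach described in this section and in the keyword analysis above can be turned into a triage score for newly seen domains. The following is an added example and not tooling from the original report: it applies the report's keyword list and the three naming patterns (hyphenated impersonation, subdomain lookalike, typosquatted combination) to domains from a feed such as certificate-transparency or newly-registered-domain data, then adds weight for the recurring ASNs and registrars and for domains younger than seven days. The feed format, the protected brand name "company", the homoglyph table and the scoring weights are all assumptions chosen for illustration.

```python
"""Triage newly observed domains for Scattered Spider-style impersonation.

Added example, not part of the original report. Keyword, ASN and registrar
lists are taken from the report; record format, brand name, homoglyph table
and weights are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Keywords observed in attacker-registered domains (from the report).
KEYWORDS = {
    "internal", "connect", "duo", "vpn", "helpdesk", "servicenow", "corp",
    "schedule", "okta", "servicedesk", "rsa", "info", "support", "mfa",
    "sso", "help", "service",
}
# ASNs and registrars the report lists as recurring across campaigns.
WATCH_ASNS = {39287, 13335, 399486, 14061, 20473}
WATCH_REGISTRARS = {"nicenic", "hosting concepts b.v.", "namesilo, llc", "godaddy"}
# Digit-for-letter substitutions commonly used in lookalikes (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


@dataclass
class DomainRecord:
    """One feed record; enrichment fields are optional (constructed format)."""
    domain: str
    asn: Optional[int] = None
    registrar: Optional[str] = None
    age_days: Optional[int] = None  # days since registration / first seen


def _labels(domain: str) -> list:
    """Lowercased labels with the public suffix dropped (naive: last label only)."""
    d = domain.lower().replace("[.]", ".").rstrip(".")
    return d.split(".")[:-1]


def _norm(label: str) -> str:
    return label.translate(HOMOGLYPHS)


def matched_keywords(domain: str) -> set:
    """Report keywords found in any label after homoglyph normalisation."""
    found = set()
    for label in _labels(domain):
        flat = re.sub(r"[-_]", "", _norm(label))
        found.update(k for k in KEYWORDS if k in flat)
    return found


def classify(domain: str, brand: str) -> Optional[str]:
    """Map a domain to one of the three naming patterns from the report, or None."""
    labels = _labels(domain)
    if not labels:
        return None
    brand = brand.lower()
    reg, subs = labels[-1], labels[:-1]       # registrable label, subdomain labels
    nreg = _norm(reg)
    kws = matched_keywords(domain)
    if "-" in reg and brand in nreg.split("-") and kws:
        return "hyphenated-impersonation"     # e.g. sso-company.com
    if subs and nreg == brand and reg != brand and any(_norm(s) in KEYWORDS for s in subs):
        return "subdomain-lookalike"          # e.g. sso.c0mpany.com
    flat = nreg.replace("-", "")
    if brand in flat and flat != brand and kws:
        return "typosquat-combination"        # e.g. c0mpanysso.com
    return None


def score(rec: DomainRecord, brand: str, own_apex: str) -> dict:
    """Combine naming, hosting, registrar and age signals into one triage score."""
    d = rec.domain.lower().replace("[.]", ".")
    if d == own_apex or d.endswith("." + own_apex):
        return {"domain": rec.domain, "score": 0, "pattern": None, "keywords": [], "reasons": ["own apex"]}
    kws = matched_keywords(rec.domain)
    pattern = classify(rec.domain, brand)
    s, reasons = 0, []
    if kws:
        s += min(len(kws), 3); reasons.append("keywords:" + ",".join(sorted(kws)))
    if pattern:
        s += 3; reasons.append("pattern:" + pattern)
    if rec.asn in WATCH_ASNS:
        s += 2; reasons.append(f"asn:AS{rec.asn}")
    if rec.registrar and rec.registrar.lower() in WATCH_REGISTRARS:
        s += 1; reasons.append("registrar:" + rec.registrar)
    if rec.age_days is not None and rec.age_days < 7:   # short-lived infrastructure
        s += 2; reasons.append(f"age:{rec.age_days}d")
    return {"domain": rec.domain, "score": s, "pattern": pattern, "keywords": sorted(kws), "reasons": reasons}


# Constructed sample feed; none of these are real indicators.
SAMPLE_FEED = [
    DomainRecord("sso-company[.]com", asn=13335, registrar="NameSilo, LLC", age_days=2),
    DomainRecord("sso.c0mpany[.]com", asn=14061, registrar="GoDaddy", age_days=1),
    DomainRecord("c0mpanysso[.]com", asn=None, registrar="NiceNIC", age_days=5),
    DomainRecord("docs.company.com", asn=16509, registrar="MarkMonitor Inc.", age_days=3000),
    DomainRecord("weather-service[.]net", asn=14061, registrar="GoDaddy", age_days=900),
]


def triage(feed, brand="company", own_apex="company.com", threshold=5) -> list:
    """Return scored records at or above the alerting threshold, in feed order."""
    return [r for r in (score(x, brand, own_apex) for x in feed) if r["score"] >= threshold]


if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(hit["score"], hit["domain"], hit["pattern"], hit["reasons"])
```

The threshold matters: a domain on a watched ASN and registrar with one incidental keyword (weather-service[.]net in the sample) scores below it, while any record matching one of the impersonation patterns against the protected brand and registered within the last week clears it. Feeding the scorer from a continuous source is what makes the short-window detection the report calls for possible.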

Recommendations

This section outlines specific mitigation strategies for defending against Scattered Spider (UNC3944) campaigns, with a focus on social engineering entry points, identity platform abuse, remote access software exploitation, and cloud-based persistence and exfiltration.

  1. Restrict Use of Remote Access and RMM Tools
    • Audit all systems for unauthorized installations of AnyDesk, TeamViewer, ScreenConnect, and other RMM software.
    • Remove unused or unapproved remote access tools from all endpoints.
    • Enforce application allowlisting to prevent execution of unauthorized RMM binaries.
    • Monitor EDR and SIEM logs for unexpected launches of remote access applications and lateral movement behavior.
  2. Enhance MFA Protections and Identity Security
    • Transition from push-based MFA to phishing-resistant methods such as FIDO2 security keys or hardware tokens.
    • Detect and alert on MFA fatigue scenarios, including multiple push requests in a short time.
    • Monitor for suspicious session persistence, such as unusual refresh token behavior or unexpected Okta/Microsoft Entra ID session creations.
    • Regularly audit administrative accounts and limit persistent elevated privileges.
  3. Harden Helpdesk and User Verification Workflows
    • Implement out-of-band verification procedures for all password resets and MFA changes initiated through helpdesk channels.
    • Train helpdesk staff to recognize social engineering tactics, including impersonation of employees and executives.
    • Require positive user verification through pre-established internal channels for sensitive account actions.
  4. Prevent Data Exfiltration Through Known Tactics
    • Block outbound SFTP traffic (TCP port 22) except where explicitly required and approved.
    • Monitor for the use of data transfer tools such as Rclone, WinSCP, and transfer.sh across endpoints.
    • Inspect DNS and firewall logs for communication with known exfiltration domains and infrastructure (e.g., 144.76.136.153, 2a01:4f8:200:1097::2).
    • Implement Data Loss Prevention (DLP) controls on critical servers and cloud storage services.
  5. Monitor for Known Adversary Infrastructure and Artifacts
    • Block or alert on communications to known Scattered Spider IP addresses listed in Appendix I.
    • Use IOC feeds to detect and alert on SHA256 hashes such as acadf15ec363fe3cc373091cbe879e64f935139363a8e8df18fd9e59317cc918 (insomnia.exe) and cce5e2ccb9836e780c6aa075ef8c0aeb8fec61f21bbef9e01bdee025d2892005 (IIatZ malware).
    • Inspect logs for use of the password string change.m31!!! as an indicator of compromise.
  6. Secure Cloud and SaaS Administrative Interfaces
    • Enable logging and alerting on anomalous behavior within identity providers (e.g., unexpected user creation, MFA method changes, login anomalies).
    • Apply least privilege principles to cloud admin roles and require just-in-time elevation for high-risk operations.
    • Monitor access to sensitive SaaS portals, especially from untrusted IP ranges or unexpected geographies.

Key Findings

  • Smishing and Social Engineering Entry Point: Scattered Spider frequently initiates attacks through SMS-based phishing (smishing), often impersonating internal IT personnel or identity management services. Messages trick victims into visiting credential-harvesting portals or calling fraudulent helpdesks. This human-centric vector bypasses traditional email security solutions and relies heavily on exploiting trust and urgency.
  • Helpdesk Impersonation and MFA Fatigue: The group impersonates legitimate helpdesk or IT support staff to convince users to approve MFA push notifications. In some cases, they directly call targets or use pretexting to reset credentials via internal support. This "push fatigue" technique exploits user behavior and support workflows rather than technical vulnerabilities.
  • SIM Swapping and Phone Number Hijacking: Scattered Spider has successfully executed SIM swap attacks to take control of victims' phone numbers. This enables them to intercept MFA codes or password reset messages, gaining access to sensitive enterprise accounts even when MFA is enabled.
  • Abuse of Identity Platforms: Once initial access is obtained, attackers exploit identity platforms such as Okta, Microsoft Entra ID (formerly Azure AD), and VPN services to escalate privileges and maintain access. They have been observed generating session tokens and impersonating users by hijacking legitimate sessions through stolen cookies or SSO bypass techniques.
  • Use of Legitimate Remote Access Tools: Scattered Spider leverages trusted remote management and remote desktop tools, such as AnyDesk, TeamViewer, and ScreenConnect, to establish persistent, hands-on-keyboard access. These tools are often whitelisted in enterprise environments and allow attackers to blend into normal IT activity.
  • Cloud and SaaS Exploitation: The group actively targets cloud-based admin portals and SaaS environments. They use legitimate admin functionality within these platforms (e.g., user provisioning, access role changes) to deepen control over the environment, often going undetected by standard endpoint monitoring.
  • Multi-Stage Reconnaissance and Exfiltration: Post-compromise activity includes lateral movement, enumeration of cloud assets, and exfiltration of sensitive data. File transfer utilities such as Rclone and WinSCP are used to move large volumes of data to attacker-controlled infrastructure. These tools are typically benign and evade common DLP and malware detection mechanisms.
  • Coordination with Ransomware Operators: Scattered Spider has been linked to data extortion campaigns in coordination with ALPHV/BlackCat ransomware. In some incidents, they gain access and exfiltrate data, while BlackCat handles encryption and ransom negotiations. This division of labor suggests affiliate-based cooperation within a broader cybercrime ecosystem.
  • Frequent Infrastructure Rotation and OPSEC: The threat actor demonstrates strong operational security. Domains used in smishing and phishing campaigns are often short-lived and registered with privacy protection. VPNs, residential proxy services, and encrypted communication channels obscure the source of attacks, making attribution and tracking more difficult.
  • Persistent Threat to High-Value Sectors: Scattered Spider prioritizes industries with access to valuable personal or financial data. Their targets often include telecommunications firms, managed service providers (MSPs), and cloud-first enterprises, especially those with decentralized IT helpdesk procedures and high employee counts. CISA and partner agencies have warned that the group's continued targeting of these sectors represents an elevated and persistent threat.
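Recommendation 2 above asks defenders to alert on MFA fatigue, meaning multiple push requests to one user in a short time, which is also the "push fatigue" behaviour described in the findings. The following added example (not code from the original report or any vendor) implements that rule as a sliding-window detector over identity provider log lines. The JSON field names, event names and the sample records are constructed assumptions rather than a real vendor schema; the window (300 s) and burst size (4 pushes) are starting points to tune per environment. It raises a medium alert when the burst threshold is reached and a high alert when an approval follows a window that already contained repeated pushes and at least one denial or timeout, the sequence a worn-down user typically produces.

```python
"""Sliding-window MFA push fatigue detector (added example, not from the report).

Field and event names below are assumptions modelled loosely on an identity
provider's system log; adapt parse_line() to the real schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: alice is pushed four times and finally approves,
# bob approves a single push, carol's two pushes are 20 minutes apart.
SAMPLE_LOG = """\
{"ts": "2025-08-05T09:00:01Z", "user": "alice", "event": "mfa.push.sent"}
{"ts": "2025-08-05T09:00:05Z", "user": "bob", "event": "mfa.push.sent"}
{"ts": "2025-08-05T09:00:15Z", "user": "bob", "event": "mfa.push.approved"}
{"ts": "2025-08-05T09:00:31Z", "user": "alice", "event": "mfa.push.denied"}
{"ts": "2025-08-05T09:01:00Z", "user": "alice", "event": "mfa.push.sent"}
{"ts": "2025-08-05T09:01:30Z", "user": "alice", "event": "mfa.push.timeout"}
{"ts": "2025-08-05T09:02:00Z", "user": "alice", "event": "mfa.push.sent"}
{"ts": "2025-08-05T09:02:20Z", "user": "alice", "event": "mfa.push.denied"}
{"ts": "2025-08-05T09:03:00Z", "user": "alice", "event": "mfa.push.sent"}
{"ts": "2025-08-05T09:03:15Z", "user": "alice", "event": "mfa.push.approved"}
{"ts": "2025-08-05T10:00:00Z", "user": "carol", "event": "mfa.push.sent"}
{"ts": "2025-08-05T10:00:40Z", "user": "carol", "event": "mfa.push.denied"}
{"ts": "2025-08-05T10:20:00Z", "user": "carol", "event": "mfa.push.sent"}
{"ts": "2025-08-05T10:20:10Z", "user": "carol", "event": "mfa.push.approved"}
{"ts": "2025-08-05T10:21:00Z", "user": "alice", "event": "user.session.start"}
"""

REJECTIONS = {"mfa.push.denied", "mfa.push.timeout"}


def parse_line(line: str) -> dict:
    """Parse one JSON log line and attach a timezone-aware datetime as 't'."""
    rec = json.loads(line)
    rec["t"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect_push_fatigue(lines, window_s: int = 300, burst: int = 4) -> list:
    """Return alerts for push bursts and for approvals that follow a burst.

    Records must be in time order. Only mfa.push.* events are considered;
    everything else is ignored so the detector can run over a mixed log.
    """
    history = defaultdict(deque)   # user -> deque of (time, event) inside the window
    alerts = []
    for rec in (parse_line(l) for l in lines if l.strip()):
        user, t, ev = rec["user"], rec["t"], rec["event"]
        if not ev.startswith("mfa.push."):
            continue
        h = history[user]
        while h and (t - h[0][0]).total_seconds() > window_s:   # drop expired events
            h.popleft()
        sends = sum(1 for _, e in h if e == "mfa.push.sent")
        rejected = any(e in REJECTIONS for _, e in h)
        if ev == "mfa.push.sent":
            sends += 1
            if sends == burst:   # fire once, when the threshold is first reached
                alerts.append({"user": user, "ts": rec["ts"], "rule": "push_burst",
                               "severity": "medium", "pushes": sends})
        elif ev == "mfa.push.approved" and sends >= burst - 1 and rejected:
            alerts.append({"user": user, "ts": rec["ts"], "rule": "approval_after_fatigue",
                           "severity": "high", "pushes": sends})
        h.append((t, ev))
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(a["severity"], a["rule"], a["user"], a["ts"], "pushes=%d" % a["pushes"])
```

The high-severity rule is the one worth routing to a responder: a burst alone may be a user fumbling a new phone, but an approval that follows repeated denials or timeouts within minutes is the outcome the attacker is working toward, and the session it creates is the one to review or revoke.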
