The FBI and its international partners have issued a newly updated cybersecurity advisory detailing the growing threat posed by Scattered Spider, a highly adaptive cybercriminal group known for targeting IT help desks and corporate infrastructure. The July 29th update adds new technical details about the group’s expanding toolkit, including the use of ransomware, SIM swaps, social engineering, and living-off-the-land techniques to compromise networks and extort victims.
Scattered Spider – also known as UNC3944, Oktapus, and Storm-0875, among other aliases – has evolved rapidly since first gaining notoriety for targeting telecom and technology firms. According to the FBI, the group now demonstrates a much broader range of attack methods, leveraging both stolen credentials and sophisticated impersonation tricks to gain initial access. Recent activity includes deployment of the DragonForce ransomware variant and use of malware such as RattyRAT and WarZone (also known as AveMaria) for persistent access and data theft.
A major security consideration in this advisory is the group’s increasing emphasis on social engineering. They’ve successfully impersonated IT staff and other employees to bypass multi-factor authentication, manipulate help desk procedures, and trick staff into installing legitimate remote access tools. The updated report notes that attackers often conduct multi-call phishing campaigns using personal information gleaned from business directories, social media, and data leaks to increase their credibility with targets.
In many cases, the Scattered Spider actors don’t stop at just gaining access – they stick around. The group has been observed joining internal incident response calls and monitoring Slack and Microsoft Teams channels to stay one step ahead of detection. Their tactics even include forging new user identities backed by fake social media profiles, allowing them to maintain long-term access.
From my perspective, this is yet another example of hackers evolving their methods to take advantage of weaknesses – both human and technical – in business operations and systems. The FBI's report makes it clear: organizations that treat cybersecurity training as a one-and-done checklist item are putting themselves at risk. Security awareness needs to be a continuous program, especially for frontline employees like help desk staff who are increasingly being targeted.
For organizations trying to keep up, the MITRE ATT&CK mapping included in the advisory offers a concrete framework for testing internal security controls against the specific techniques that Scattered Spider is using today.
You can view the full advisory on CISA’s website or download the updated July 2025 PDF.
[Image credit: OpenAI/DALL-E]