Cyber Web Spider Blog – News

Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims

Posted on September 17, 2025 By CWS

Sep 17, 2025 | Ravie Lakshmanan | Threat Intelligence / Cybercrime
Cybersecurity researchers have tied a recent round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going “dark.”
Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector. This is supported by an increase in lookalike domains potentially linked to the group that are geared towards the industry vertical, as well as a recently identified targeted intrusion against an unnamed U.S. banking organization.
“Scattered Spider gained initial access by socially engineering an executive’s account and resetting their password via Azure Active Directory Self-Service Password Management,” the company said.

“From there, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network.”
To achieve privilege escalation, the attackers reset a Veeam service account password, assigned Azure Global Administrator permissions, and relocated virtual machines to evade detection. There are also signs that Scattered Spider attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories.
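
A defender-side correlation for the sequence described above, as an added example that is not from ReliaQuest or the original article: it flags an account that grants a privileged role or resets a service-account password shortly after its own self-service password reset. The event schema, activity strings, account names, the `svc-` prefix and the 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit events (not a real log export). Field names
# and activity strings are assumptions modeled on identity audit logs.
EVENTS = [
    {"time": "2025-09-01T09:02:00", "activity": "Reset password (self-service)",
     "actor": "exec@example.com", "target": "exec@example.com"},
    {"time": "2025-09-01T09:40:00", "activity": "Add member to role",
     "actor": "exec@example.com", "target": "exec@example.com",
     "role": "Global Administrator"},
    {"time": "2025-09-01T10:05:00", "activity": "Reset user password",
     "actor": "exec@example.com", "target": "svc-veeam@example.com"},
    {"time": "2025-09-02T11:00:00", "activity": "Reset password (self-service)",
     "actor": "alice@example.com", "target": "alice@example.com"},
    {"time": "2025-09-05T08:00:00", "activity": "Add member to role",
     "actor": "admin@example.com", "target": "bob@example.com",
     "role": "Helpdesk Administrator"},
]

SSPR = "Reset password (self-service)"
PRIVILEGED_ROLES = {"Global Administrator"}
WINDOW = timedelta(hours=24)  # assumed correlation window

def is_sensitive(event):
    """Privileged role grant, or a reset of a service account (assumed svc- prefix)."""
    if event["activity"] == "Add member to role":
        return event.get("role") in PRIVILEGED_ROLES
    if event["activity"] == "Reset user password":
        return event["target"].startswith("svc-")
    return False

def correlate(events, window=WINDOW):
    """Return (actor, sspr_time, activity, target) for each sensitive action an
    account performs within `window` after its own self-service reset."""
    last_sspr, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["activity"] == SSPR:
            last_sspr[ev["target"]] = ts
            continue
        reset_at = last_sspr.get(ev["actor"])
        if reset_at and ts - reset_at <= window and is_sensitive(ev):
            findings.append((ev["actor"], reset_at.isoformat(),
                             ev["activity"], ev["target"]))
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```
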
Exit or Smokescreen?
The recent activity undercuts the group’s claims that they were ceasing operations alongside 14 other criminal groups, such as LAPSUS$. Scattered Spider is the moniker assigned to a loose-knit hacking collective that’s part of a broader online entity called The Com.
The group also shares a high degree of overlap with other cybercrime crews like ShinyHunters and LAPSUS$, so much so that the three clusters formed an overarching entity named “scattered LAPSUS$ hunters.”
One of these clusters, notably ShinyHunters, has also engaged in extortion efforts after exfiltrating sensitive data from victims’ Salesforce instances. In these cases, the activity took place months after the targets were compromised by another financially motivated hacking group tracked by Google-owned Mandiant as UNC6040.
The incident is a reminder not to be lulled into a false sense of security, ReliaQuest added, urging organizations to stay vigilant against the threat. As in the case of ransomware groups, there is no such thing as retirement, as it is very much possible for them to regroup or rebrand under a different alias in the future.

“The recent claim that Scattered Spider is retiring should be taken with a significant degree of skepticism,” Karl Sigler, security research manager of SpiderLabs Threat Intelligence at Trustwave, said. “Rather than a true disbanding, this announcement likely signals a strategic move to distance the group from increasing law enforcement pressure.”
Sigler also pointed out that the farewell letter should be seen as a strategic retreat, allowing the group to reassess its practices, refine its tradecraft, and evade ongoing efforts to put a lid on its activities, not to mention complicate attribution efforts by making it harder to tie future incidents to the same core actors.
“It’s plausible that something within the group’s operational infrastructure has been compromised. Whether through a breached system, an exposed communication channel, or the arrest of lower-tier affiliates, something has likely triggered the group to go dark, at least temporarily. Historically, when cybercriminal groups face heightened scrutiny or suffer internal disruption, they often ‘retire’ in name only, opting instead to pause, regroup, and eventually re-emerge under a new identity.”
