Scattered Spider Shifts to Aviation, Retail, and Transport in Latest Campaigns

Threat Group: Scattered Spider
Threat Type: Cybercrime Group (Focused on Cloud Environments, Ransomware)
Exploited Vulnerabilities: Azure Cross-Tenant Synchronization, Federated Identity Providers, Cloud Platforms
Malware Used: AlphV ransomware, Spectre RAT
Threat Score: 🔴 High (8.8/10) – Due to its sophisticated exploitation of cloud-based systems, privilege escalation methods, and use of advanced tools for lateral movement.
Last Threat Observation: 6 July 2025

Overview

Scattered Spider is a highly adaptive cybercriminal group known for targeting cloud environments, especially within the insurance, retail, and financial sectors. As of July 2025, the group has escalated its operations and expanded into the aviation industry, exploiting help desk processes, SSO environments, and third-party services to gain unauthorised access.

New developments show that the group used updated variants of the Spectre RAT and custom phishing kits, impersonating Okta and ServiceNow portals to harvest credentials and bypass MFA protections. Notably, Qantas Airways disclosed a breach affecting nearly six million customers linked to Scattered Spider's operations.

Despite multiple arrests in 2024, the group continues to evolve its tactics and expand into new verticals such as manufacturing and transport.

Key Details

Cloud Reconnaissance: The group targets SSO-enabled dashboards and Microsoft 365 to access platforms like CRMs, file shares, and document repositories.

Privilege Escalation: Exploits Azure Cross-Tenant Synchronization to traverse cloud tenants and abuses federated identity providers for persistent access.

Security Evasion: Scattered Spider disables Microsoft Defender, manipulates firewall settings, and reboots into Safe Mode to bypass endpoint protections.

Persistence Techniques: Includes social engineering, SIM swapping, and exploitation of help desk protocols to register malicious MFA tokens.

Remote Tools: Legitimate applications such as AnyDesk, TeamViewer, and Ngrok remain integral to their operations. Additionally, Spectre RAT variants now feature enhanced obfuscation.

Attack Vectors

• SSO Exploitation: Compromising Okta, Microsoft 365, and federated login systems.
• Custom Phishing Kits: Mimicking portals for Okta, ServiceNow, and Freshworks to gather credentials.
• Remote Access Tools: Leveraging AnyDesk, TeamViewer, MeshCentral, and RustDesk.
• Cloud Tunneling: Through Ngrok, MobaXterm, and Proxifier.
• Social Engineering: Targeting IT service desks to bypass MFA or reset passwords.

Updated Known Indicators of Compromise (IoCs)

(see our previous advisory from September 2024 for older IoCs)

IP Addresses (Defanged)

• 146[.]70[.]103[.]228

Domain Names (Defanged)

• asurion-idp[.]com
• freshworks-sso[.]net
• victimname-sso[.]com
• victimname-servicedesk[.]com
• victimname-okta[.]com
• okta-247[.]com
• login.okta-247[.]com
• servicenow-hrblock[.]com
• login.servicenow-hrblock[.]com
• freshworks-hr[.]com
• login.freshworks-hr[.]com
• pfchangs-support[.]com
• login.pfchangs-support[.]com
• expediagroup-servicenow[.]com

Mitigation and Prevention

• Help Desk Security: Implement and enforce strict caller verification and identity proofing procedures before resetting credentials or registering MFA devices.
• Cloud Monitoring: Continuously audit Azure AD, M365, and federated identity logs for suspicious activity tied to tenant synchronisation or unknown MFA devices.
• IoC Watchlists: Keep threat intel platforms and SIEM systems updated with the latest IPs, domains, and tools tied to Scattered Spider.
• Employee Awareness: Train staff across IT and customer service on how to detect and report phishing, vishing, and impersonation attempts.
• Vendor Risk Management: Perform security assessments on third-party platforms and customer support vendors, ensuring their environments are monitored and secured.

Conclusion

Scattered Spider continues to evolve as one of the most dangerous cybercrime groups targeting cloud infrastructure. Their ability to pivot between industries, adapt to security controls, and exploit human and technical vulnerabilities requires a proactive and layered defence approach. Monitoring for the latest IoCs, enforcing strong identity practices, and improving help desk security protocols are critical to defending against this ongoing threat.

Sources

• Bleeping Computer - Qantas discloses cyberattack amid Scattered Spider aviation breaches
• CrowdStrike – CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries
• ABC News - What we know about Scattered Spider, the hacker group targeting airlines
• Computer Weekly - Scattered Spider link to Qantas hack is likely, say experts
• Cybersec Sentinel (Our Previous Advisory) - The Scattered Spider Group Ramps Up Cloud Attacks