CISA and FBI Release Tactics, Techniques, and Procedures of the Scattered Spider Hacker Group

The joint Cybersecurity Advisory AA23-320A, collaboratively issued by agencies such as the FBI, CISA, RCMP, ASD’s ACSC, AFP, CCCS, and NCSC-UK, serves as a critical update on the Scattered Spider cybercriminal group.

Originally published in November 2023 and revised multiple times, most recently on July 29, 2025 this advisory highlights the group’s persistent and adaptive operations targeting large organizations in critical infrastructure, commercial facilities, and related sectors.

Scattered Spider, known by aliases including UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra, specializes in data extortion, ransomware deployment, and sophisticated social engineering tactics.

Overview of Scattered Spider Threat Actors

The 2025 updates emphasize new techniques, such as advanced impersonation to manipulate IT helpdesks for password resets and MFA transfers, alongside the use of malware like RattyRAT for stealthy reconnaissance and DragonForce ransomware for encrypting systems like VMware ESXi servers.

These evolutions allow the group to exfiltrate data ...