Scattered Spider Exploiting VMware vSphere


Hacking Tactics Linked to Retail, Airline Compromises

Akshaya Asokan (asokan_akshaya) • July 25, 2025

The loosely connected band of adolescent cybercriminals tracked as Scattered Spider has joined the VMware hypervisor hacking bandwagon, pivoting into virtual servers through corporate instances of Active Directory.

A rash of data theft and ransomware attacks by the group on the retail, airline and insurance sectors is rooted in a "living off the land approach" that differs from traditional Windows ransomware attacks in its speed and stealth, Google-owned threat intel firm Mandiant warned in a Wednesday blog post (see: Scattered Spider Suspected in Qantas Data Breach).

"Critical workloads can be powered off, ransomware can be deployed across the entire virtual environment and virtual machines containing sensitive data such as databases, domain controllers, or proprietary code can be cloned and exfiltrated ...


Copyright of this story solely belongs to bankinfosecurity.