Scattered Spider not dark after all: researchers see signs of life in new attacks

Published: 17 September 2025
Scattered Spider
Image by Cybernews.

Scattered Spider and a bunch of other hacking groups recently announced that they were closing up shop. However, it seems they haven’t actually ceased activity.

“Our objectives having been fulfilled, it is now time to say goodbye,” Scattered Spider wrote in a farewell letter addressed to the “World” last week, penned by the ransomware gang’s apparent “leader and representative.”

Scattered Spider Goodbye letter
ADVERTISEMENT

Scattered Spider made waves this spring by allegedly targeting British retail giants Marks & Spencer, Harrods, and Co-op. Along with Shiny Hunters, it has recently been linked to the Salesloft Drift/Salesforce hacking campaign, which targeted more than 700 companies worldwide this summer.

Naturally, the announcement that the group is ceasing operations was met with a collective sigh of relief in the world of retail. However, Scattered Spider’s story seems to be far from over.

That’s because, according to ReliaQuest, Scattered Spider seems to have shifted its focus to the financial sector only a few days after saying its goodbyes.

ReliaQuest researchers have tied a fresh round of cyberattacks targeting financial services to the group.

vilius justinasv jurgita Konstancija Gasaityte profile
Don’t miss our latest stories on Google News
Google News Follow us

Their observations are supported by an increase in lookalike domains potentially linked to Scattered Spider that are geared towards the industry vertical, as well as a recently identified targeted intrusion against an unnamed US banking organization.

“Scattered Spider gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management,” the company said in a new analysis.

“From there, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network.”

ADVERTISEMENT

Scattered Spider made waves this spring by allegedly targeting British retail giants Marks & Spencer, Harrods, and Co-op.

To achieve privilege escalation, the attackers reset a Veeam service account password, assigned Azure Global Administrator permissions, and relocated virtual machines to evade detection. There are also signs that Scattered Spider attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories.

Quite obviously, this recent activity undercuts the group’s claims that it was closing up shop alongside 14 other gangs, such as LAPSUS$.

“As threat groups rotate infrastructure, change aliases, and borrow from each other’s playbooks, focusing on behavioral patterns and proactive detection is essential,” ReliaQuest said.

Unlock more exclusive Cybernews content on YouTube

Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT