The notorious Scattered Spider group seems to have been rattled and its cybercriminal activity stalled following the arrest of four individuals linked to the group and suspected of orchestrating cyber-attacks.
The arrests took place in the UK on July 10, with the four individuals suspected of Computer Misuse Act offences relating to cyber-attacks on three British retailers in April 2025. They were later bailed pending further enquiries.
Since then, cybersecurity firm Mandiant, which tracks The Com-affiliated group as UNC3944, said it has not observed any new intrusions directly attributable to this specific threat actor.
The Com is a loosely organized online criminal network involving thousands of English-speaking individuals.
Commenting on the four individuals arrested, Charles Carmakal, CTO, Mandiant Consulting – Google Cloud, told Infosecurity, “They aren't the only members who are involved in Scattered Spider intrusions. But the arrests have spooked other members.”
Anthony Freed, director of research at ransomware prevention firm Halcyon, concurred that since the arrests Scattered Spider activity has “gone quiet.”
He noted that the last confirmed attack linked to UNC3944 hit in May 2025 when Darktrace observed the group’s hallmark social engineering tactics in action.
Since then, several airlines, including Hawaiian Airlines in late June and WestJet in mid-June, were targeted with some suspecting links to Scattered Spider due to familiar tradecraft. These events have not been definitively attributed to Scattered Spider.
“That said, the Scattered Spider threat has not diminished; it is likely they are being more cautious in light of the arrests,” Freed said.
Christiaan Beek, senior director, threat analytics at Rapid7, told Infosecurity that the firm’s researchers had observed some aggressive phishing email and social engineering campaigns in the past two weeks. However, Beek said it was too early to determine if these were linked to Scattered Spider.
Other Threat Actors Persist with Similar Tradecraft
Other groups, like ShinyHunters (UNC6040), also affiliated to The Com, employ the same type of social engineering tactics as Scattered Spider, such as targeting IT help desks to gain initial access.
“While one group may be temporarily dormant, others won't relent,” said Carmakal.
In June 2025, the Google Threat Intelligence Group (GTIG) highlighted ShinyHunters’ specialist vishing campaigns designed to compromise organizations' Salesforce instances for large-scale data theft and subsequent extortion.
In recent months, the group has demonstrated repeated success in impersonating IT support personnel in telephone-based social-engineering engagements.
It has been reported that the data breach that affected Qantas Airlines in June, which some cybersecurity professionals linked to Scattered Spider, is likely linked to ShinyHunters instead.
The outfit has also been linked to a data breach that impacted Allianz Life in July. The insurer revealed that the attackers exfiltrated sensitive data after gaining access to a third-party, cloud-based CRM system.
CISA Updates Scattered Spider Advisory
The US Cybersecurity and Infrastructure Security Agency (CISA) updated its advisory on Scattered Spider on July 29.
CISA and international partners said they had identified new tactics, techniques and procedures (TTPs) associated with the cybercriminal group.
These included more sophisticated social engineering techniques. While Scattered Spider initially began their activity relying on broad phishing campaigns, the threat actors are now employing more targeted and multilayered spearphishing and vishing operations.
One hallmark of their activity is targeting IT help desks via spearphishing calls which aim to convince personnel to reset passwords and/or transfer MFA tokens to an attacker-controlled device.
The update also highlighted new legitimate remote access tools that are abused by Scattered Spider, including Teleport.sh and AnyDesk.
Additional malware and ransomware variants have also been identified that have been used to exfiltrate data and encrypt target organizations’ systems. CISA confirmed the group deployed DragonForce ransomware alongside its usual TTPs.
Deployment of this ransomware encrypts a target organization’s VMware Elastic Sky X integrated (ESXi) servers.
Earlier in 2025, it is understood that DragonForce encryptors were used as part of a cyber-attack against UK retailer Marks & Spencer which disrupted the company’s operations and online retail arm.
CISA also identified RattyRAT as another malware used by the hackers. This is a Java-based remote access trojan used for persistent, stealthy access and initial reconnaissance.
CISA’s latest advisory recommends that organizations employ enhanced monitoring for unauthorized account misuse, and that they look for risky logins in environments where sign-in attempts have already been flagged as potentially compromised because of suspicious activity or unusual behavior.
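The help-desk reset and MFA-transfer chain described above is something an identity team can correlate directly from its own audit logs. The following is an added example, not code from the article, from CISA or from any of the vendors quoted: a small Python rule over constructed sample identity-audit events (the event and field names such as `password_reset`, `mfa_method_added`, `actor` and `country` are assumptions for this example and would need mapping onto whatever a real IdP emits). It flags a password reset performed by someone other than the account owner when, within a short window, a new MFA method is registered and/or a sign-in arrives from a country the account had never used before the reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-audit events (not real logs). Field names are
# assumptions for this example; map them onto whatever your IdP emits.
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T09:00:00", "user": "alice", "event": "signin",
     "actor": "alice", "ip": "203.0.113.10", "country": "GB"},
    {"ts": "2025-07-01T09:05:00", "user": "bob", "event": "signin",
     "actor": "bob", "ip": "198.51.100.7", "country": "GB"},
    {"ts": "2025-07-01T09:10:00", "user": "carol", "event": "signin",
     "actor": "carol", "ip": "198.51.100.9", "country": "GB"},
    # alice: self-service reset, no MFA change, usual location -> benign.
    {"ts": "2025-07-02T10:00:00", "user": "alice", "event": "password_reset",
     "actor": "alice", "ip": "203.0.113.10", "country": "GB"},
    {"ts": "2025-07-02T10:03:00", "user": "alice", "event": "signin",
     "actor": "alice", "ip": "203.0.113.10", "country": "GB"},
    # carol: help-desk reset followed by a sign-in from her usual country and
    # no new MFA method -> one indicator only, below the alert threshold.
    {"ts": "2025-07-03T11:00:00", "user": "carol", "event": "password_reset",
     "actor": "helpdesk-agent-3", "ip": "10.0.0.5", "country": "GB"},
    {"ts": "2025-07-03T11:20:00", "user": "carol", "event": "signin",
     "actor": "carol", "ip": "198.51.100.9", "country": "GB"},
    # bob: help-desk reset, new MFA method minutes later, then a sign-in from a
    # country never seen for this account -> the chain the advisory describes.
    {"ts": "2025-07-03T14:00:00", "user": "bob", "event": "password_reset",
     "actor": "helpdesk-agent-7", "ip": "10.0.0.5", "country": "GB"},
    {"ts": "2025-07-03T14:12:00", "user": "bob", "event": "mfa_method_added",
     "actor": "bob", "ip": "192.0.2.44", "country": "NL"},
    {"ts": "2025-07-03T14:15:00", "user": "bob", "event": "signin",
     "actor": "bob", "ip": "192.0.2.44", "country": "NL"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_helpdesk_takeover(events, window=timedelta(hours=1), min_indicators=2):
    """Correlate, per user, a password reset performed by someone other than the
    account owner with what follows inside `window`: a newly registered MFA
    method and/or a sign-in from a country the account had never used before
    the reset. Returns one alert dict per qualifying reset."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        known_countries = set()  # countries seen in sign-ins *before* each reset
        for i, e in enumerate(evs):
            if e["event"] == "signin":
                known_countries.add(e["country"])
                continue
            if e["event"] != "password_reset" or e["actor"] == user:
                continue  # self-service resets are out of scope for this rule
            t0 = _ts(e)
            follow = [x for x in evs[i + 1:] if _ts(x) - t0 <= window]
            indicators = ["helpdesk_reset"]
            if any(x["event"] == "mfa_method_added" for x in follow):
                indicators.append("mfa_method_added")
            if any(x["event"] == "signin" and x["country"] not in known_countries
                   for x in follow):
                indicators.append("signin_new_country")
            if len(indicators) >= min_indicators:
                alerts.append({"user": user, "reset_at": e["ts"],
                               "reset_by": e["actor"], "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample data, only `bob` is flagged: the self-service reset for `alice` is skipped outright, and `carol`'s help-desk reset on its own stays below the two-indicator threshold, which keeps routine help-desk work from paging anyone. The window and threshold are the tuning knobs; the country baseline is deliberately built only from sign-ins that precede the reset so that the attacker's own post-reset sign-in cannot whitelist its location.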