Over 500 Scattered Spider Phishing Domains Poised to Target Multiple Industries

July 8, 2025
Around 500 suspected Scattered Spider phishing domains have been identified, indicating the group is preparing to target a wider range of industries.

Check Point researchers found that some of these domains appear to target technology, retail and aviation, which have already been targeted by Scattered Spider in recent months.

However, others impersonate companies across a much broader set of industries, including manufacturing, medical technology, financial services and enterprise platforms.

These domains follow Scattered Spider’s known naming conventions, which the researchers said indicates the group is developing phishing infrastructure that is either in use or being prepared for future attacks.

“While not all domains are confirmed to be actively malicious, their alignment with known tactics, techniques and procedures (TTPs) strongly suggests targeting intent,” the researchers said.

The group’s cross-sector targeting demonstrates how it takes an opportunistic approach, adapting to high-value vulnerabilities rather than focusing on a specific vertical.

Advanced Social Engineering and Post-Compromise Tactics

Scattered Spider uses advanced social engineering techniques, such as targeted phishing and phone impersonation, to capture credentials of third-party IT providers.

This is designed to enable initial access to target organizations, utilizing typosquatted domains and phishing frameworks to bypass multifactor authentication (MFA).

The new Check Point research, published on July 7, highlighted a range of remote access tools used by Scattered Spider post-compromise to help maintain long-term access.

These include legitimate tools such as TeamViewer, ScreenConnect and Splashtop.

Others are solely used for malicious purposes, such as the credential dumping tool Mimikatz.

The group has been observed using common infostealer malware to exfiltrate data from victims, such as Raccoon Stealer and Vidar Stealer.

It also leverages ransomware-as-a-service (RaaS) infrastructure provided by groups such as DragonForce to launch ransomware attacks on targets.

Scattered Spider Linked to Retail and Airline Attacks

Scattered Spider was linked to a spate of ransomware attacks on high-profile retailers in late April and early May 2025, including Marks & Spencer (M&S), The Co-op and Harrods, resulting in major financial costs and operational disruption.

In June, the FBI warned that the hacking collective is actively targeting airlines with ransomware and data extortion attacks.

A number of major airlines have reported cyber incidents in recent weeks, including Canada’s WestJet Airlines, Hawaiian Airlines in the US, and Australia-based Qantas. The perpetrator of these attacks has not yet been identified.

Qantas revealed in an update on July 7 that it had been contacted by a “potential cybercriminal” in relation to the incident, which has resulted in a vast volume of customer data being breached.

How to Defend Against Scattered Spider Tactics

Check Point provided a range of recommendations for all organizations to defend against Scattered Spider attacks:

  • Continuously scan domain registrations and block suspicious ones matching Scattered Spider patterns
  • Conduct simulations and awareness training focused on MFA abuse and vishing
  • Deploy smart MFA solutions with behavioral anomaly detection
  • Ensure robust endpoint detection and response across the organization
  • Audit third-party service providers, particularly call centers, for access controls and security maturity
  • Require layered verification for password resets and MFA-related support requests
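
The first recommendation, scanning new domain registrations for brand impersonation, can be sketched as follows. This is an added example, not code from Check Point or the article; the keyword list, the brand name `examplecorp` and the sample feed are assumptions constructed for illustration, since the article does not list the naming patterns themselves.

```python
import re

# Assumed keyword list (not from the article): helpdesk/SSO-style labels
# of the kind used in brand-impersonation phishing domains.
KEYWORDS = {"sso", "okta", "helpdesk", "servicedesk", "vpn", "login", "support"}

# Constructed sample of newly registered domains (hypothetical brand).
SAMPLE_FEED = ["examplecorp-sso.com", "okta-examplecorp.net", "examp1ecorp.com",
               "sso.examplecorp.com", "gardening-support.org"]

def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquatted brand names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brands, legit=frozenset()):
    """Return (brand, reason) if the domain looks like impersonation, else None."""
    domain = domain.lower().rstrip(".")
    # Skip the organization's own domains and their subdomains.
    if any(domain == d or domain.endswith("." + d) for d in legit):
        return None
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    # Tokens from every label except the TLD, split on hyphens/underscores.
    tokens = [t for label in labels[:-1] for t in re.split(r"[-_]", label) if t]
    has_keyword = any(t in KEYWORDS for t in tokens)
    for brand in brands:
        for t in tokens:
            if t == brand and has_keyword:
                return (brand, "brand+keyword")
            # Near-miss spelling; the length guard limits noise on short brands.
            if t != brand and len(brand) >= 5 and edit_distance(t, brand) == 1:
                return (brand, "typosquat")
    return None

def scan(feed, brands, legit=frozenset()):
    """Map each suspicious domain in the feed to its (brand, reason) hit."""
    return {d: hit for d in feed if (hit := classify(d, brands, legit))}

if __name__ == "__main__":
    for dom, hit in scan(SAMPLE_FEED, ["examplecorp"], {"examplecorp.com"}).items():
        print(dom, hit)
```

Hits from such a scan are candidates for review and blocking, not confirmed malicious domains, which matches the researchers' caveat that not all identified domains are actively malicious.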