Sıla Özeren | 14 MIN READ

CREATED ON July 08, 2025

Tracking Scattered Spider Through Identity Attacks and Token Theft

Scattered Spider is a financially motivated threat actor group known for its aggressive social engineering, identity-focused intrusions, and highly adaptive phishing infrastructure. Active since 2022, the group has consistently targeted telecom, SaaS, cloud, and financial services by hijacking user identities and exploiting authentication flows. Scattered Spider leverages techniques such as SIM swapping, helpdesk impersonation, and adversary-in-the-middle (AiTM) phishing to obtain valid credentials and tokens, often bypassing MFA entirely.

In recent campaigns, they’ve expanded their toolset to include modular phishing kits, dynamic C2 infrastructure, and Spectre RAT, a custom malware used for persistent, fileless access and system-level reconnaissance.

In this blog, we analyze Scattered Spider’s evolving tradecraft, map their TTPs to the MITRE ATT&CK framework to help organizations validate exposure and strengthen identity-centric defenses.

Scattered Spider APT: Key Findings from Recent Campaigns

Aspect	Details
Timeline	Active since early 2022, with ongoing operations as of mid-2025
Targeted Industries	Telecommunications, financial services, software/SaaS, retail, cloud infrastructure, and identity providers
Initial Access Techniques	Social engineering (vishing, SIM-swapping, helpdesk fraud), AiTM phishing, OAuth session hijacking, identity abuse
Phishing Infrastructure	At least 5 custom phishing kits tracked; Evilginx-based proxies; dynamic DNS subdomain rental; short-lived brand-impersonating domains
Post-Access Toolset	Remote access tools (e.g., Spectre RAT, AnyDesk), LOLBins (e.g., nircmdc.exe, 7Zip), PowerShell stagers, web-based panels
Persistence & Evasion	Token replay, living-off-the-land, C2 domain rotation, cloud-based lateral movement, mutex-based malware instance control
Malware Used	Spectre RAT (custom), staged payloads (DLLs, encoded shellcode), modular downloaders
Command & Control	Web-based (HTTP), dynamic URI patterns (wber params), C2 list retrieval from embedded and runtime-loaded config files
Credential Access	OAuth & SSO token theft (T1528), session replay via browser automation, JWT manipulation
Ransomware Links	Associated with ALPHV/BlackCat, RansomHub, and others via affiliate programs (double extortion model in some operations)
Notable Behavior	Public domain repurposing (e.g., twitter-okta[.]com), multi-brand phishing templates, Rick Roll redirect for non-targets, rapid infra reuse

Inside Spectre RAT: Scattered Spider’s Tool for Covert Access and Data Theft

Spectre RAT is a sophisticated C++‑based Remote Access Trojan (RAT) first detected in September 2020 and offered as a Malware‑as‑a‑Service (MaaS) to cybercriminals. Its modular design encompasses three key components:

a core bot that facilitates remote command execution, payload management, file transfer, and persistence;
a stealer module that exfiltrates credentials, screenshots, keystrokes, clipboard information, and other sensitive data; and
a hidden‑application module that provides attackers with a concealed window or command shell on the compromised system.

To maintain stealth, Spectre RAT utilizes code obfuscation, malware crypters, mutex logic to prevent multiple instances, and even legitimate code‑signing certificates. Infection typically begins through phishing emails or malicious documents, often macro‑enabled Office files or VBS scripts, that trick users into execution, after which the malware establishes persistent access, steals sensitive data, and supports further operations such as lateral movement or credential dumping.

In early 2025, the notorious extortion group Scattered Spider (also known as UNC3944) incorporated an enhanced version of Spectre RAT into their campaigns, deploying updated obfuscation techniques, a sophisticated crypter, and issuing public tools like a string‑decoder and a C2 emulator to aid defenders. This notable evolution and professional distribution model make Spectre RAT a potent and ongoing threat to enterprise environments.

Initial Access (ATT&CK TA0001)

Spearphishing via Link (MITRE T1566.002)

Scattered Spider’s phishing ops are built around five modular phishing kits, refined across 2023–2025. Each kit targets identity providers (Okta, Duo, OneLogin), often embedding multiple brands per template.

Phishing Kits Overview

Kit #	Distinctive Traits	Usage Timeline	Infra/Tools
Kit #1	Polished Okta mimicry, “Powered by Okta” footer	2023–Feb 2025	Short-lived domains (<30min), SSL immediately issued
Kit #2	Simpler UI, no Okta branding	2024 mid	Evilginx2 redirects (Rick Roll), dashes in domains
Kit #3	Advanced mimicry with persistent hosting	Feb–Oct 2024, Feb 2025	Delayed content deployment
Kit #4	Minor code tweaks to Kit #3	Late 2024–early 2025	Njalla + Cloudflare infra
Kit #5	Multi-brand payloads, dev slip-ups in page triggers	Active in 2025	Dynamic DNS (e.g., klv1.it[.]com) + Cloudflare

Phishing kit URLs typically follow:

https://[brand-themed-domain]/index?id=[base64-string]

This structure:

Enables real-time session hijack via AiTM
Encodes tracking tokens for each target
Supports MFA bypass by capturing cookies in-transit

Discovery (ATT&CK TA0007)

As mentioned earlier, Scattered Spider uses Spectre RAT, a custom remote access trojan, to perform host profiling and environment-aware reconnaissance following initial access. Its discovery functions are triggered immediately upon execution to collect system context and support staging of subsequent operations.

System Information Discovery (MITRE T1082)

During initialization, Spectre RAT creates a local file named 733949 to store host-level reconnaissance data. This file contains both string and boolean values, delimited by *, and is later exfiltrated to the C2.

The data includes:

0: trxu → Beacon ID / static marker
1: USER → Username
2: COMP_NAME → Computer name
3: OS Name → Operating system version
4-6: true/false flags → Unspecified system states or environment checks
7-8: numeric values → Possibly used for internal scoring or mode flags
9-10: void → Placeholder fields (unimplemented logic)
11: false → Execution control (e.g., "wait for C2 signal")

This lightweight data structure enables the malware to perform early profiling of the infected system and remain idle until explicitly instructed by the attacker. The presence of unpopulated or hardcoded fields indicates the malware is modular and under active development.

File and Directory Discovery (MITRE T1083)

Spectre RAT performs silent directory discovery during initialization using built-in functions to avoid shell-based enumeration.

get_user_folder_paths()
get_install_path()
get_config_filename()

Collected paths include user profiles, install locations, and config file directories, which are later used for payload staging or exfiltration.

These values are stored in memory using a custom C++ structure (CXXStringStruct), optimized for both static and dynamic strings

struct CXXStringStruct {
char* ptr; // Pointer to string buffer
int* UN1; // Unknown field
int UN2;
const int sizeHdr; // Typically 0x0A or 0x0C
unsigned int length; // Actual string length
unsigned int max_length; // Allocated buffer size
};

For strings ≤10 characters, data is stored inline within the struct to avoid heap allocation and reduce noise.

Some of the discovered paths are written to config files (733949, 89CC88) and used by the C2 to determine where to execute or retrieve staged content.

This process supports stealthy reconnaissance, allowing the malware to locate usable directories while minimizing EDR visibility.

Process Discovery (MITRE T1057)

Spectre RAT performs process discovery using a C2-issued instruction, CMD 10, which prompts the malware to enumerate all active processes on the compromised host. This is triggered through an HTTP request containing the parameter wber=1, indicating a tasking operation from the command-and-control server.

Upon receiving this command, Spectre RAT likely uses Windows APIs such as:

CreateToolhelp32Snapshot()
Process32First()
Process32Next()

to iterate through the system’s running processes. These functions provide process names, IDs, and optionally memory usage or parent-child relationships.

The collected process list is then XOR-encoded and Base64-wrapped, consistent with other Spectre RAT telemetry, and sent back to the C2 server. This enables the operator to:

Identify running EDRs, AV agents, forensic tools, or sandbox processes
Detect virtualization or analysis environments based on process anomalies
Determine whether to follow up with evasive payloads or clean plugin modules
Chain further commands such as:
- CMD 9 – terminate specific processes
- CMD 14 – execute obfuscated shell commands via cmd.exe /c

This technique is executed entirely in-memory, avoiding command-line artifacts, and supports the broader goal of environment-aware post-exploitation. It provides attackers with near real-time telemetry to adapt their operations and maximize dwell time while avoiding detection.

Software Discovery (MITRE T1518)

Spectre RAT performs software discovery via CMD 15, a command-and-control instruction delivered through the malware’s custom HTTP-based C2 protocol (wber=1). When this command is received, the RAT executes the Sysinternals utility psinfo.exe on the infected system to collect detailed information about the host environment.

This includes:

Installed software packages
OS version and architecture
Logged-in users
System uptime and kernel build
Installed services or startup programs (depending on psinfo.exe switches)

Although current analysis and reports do not show the exact command string, it is highly likely that Spectre RAT spawns a hidden shell to execute something similar to:

psinfo.exe -h -s > %TEMP%\output.txt

and reads the contents for exfiltration. The collected output is likely encoded (XOR + Base64) and sent to the C2, consistent with the malware's other communication routines.

This discovery method enables Scattered Spider operators to:

Understand what endpoint defenses or management tools are present
Tailor plugin or payload delivery to avoid incompatibility or detection
Assess the target’s value and role (e.g., workstations vs. privileged servers)

Because Spectre RAT uses a trusted Microsoft utility (psinfo.exe) for this task, the activity blends in with legitimate administrative behavior and may evade command-line or process-based detection mechanisms, especially if telemetry is noisy or filtered.

In short, CMD 15 allows Spectre RAT to enrich its situational awareness using LOLBins (Living-Off-the-Land Binaries), supporting stealthy decision-making and environment-specific post-compromise operations.

Persistence (ATT&CK TA0003)

Registry Run Keys / Startup Folder (Inferred from Spectre RAT design) (MITRE T1547.001)

While registry interaction isn’t detailed in current analysis, Spectre RAT gathers install paths and config locations, and sets up persistence-related values (like mutexes and config file references), suggesting likely abuse of:

Registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
Startup folder drops
- Especially given its ability to retrieve and execute files via CMD 3 and reconfigure C2 via CMD 13 (see the ATT&CK TA0011 heading in this blog).

External Remote Services (MITRE T1133)

Scattered Spider frequently maintains access via cloud consoles (Okta, AWS, Salesforce) using replayed OAuth tokens and imported session cookies.

This behavior provides persistent access without needing local malware or implants, relying instead on identity-level persistence, especially when MFA isn’t re-enforced.

Defense Evasion (ATT&CK TA0005)

Obfuscated Files or Information (MITRE T1027)

Spectre RAT uses XOR encoding combined with Base64 to obfuscate command-and-control (C2) communications and configuration data.

This applies to:

C2 responses and command payloads
Debug logs sent via wber=34
Hardcoded and dynamically retrieved C2 URIs stored in files like 89CC88

This encoding approach evades signature-based detection and hinders basic content inspection.

Disable or Modify Tools: Security Software Discovery and Targeting (MITRE T1562.001)

Via CMD 10, Spectre RAT enumerates all running processes, allowing operators to identify and assess endpoint protection tools (e.g., EDRs, AVs).
Once detected, operators may use CMD 9 (terminate process) to selectively kill defenses, though the blog doesn't confirm actual termination behavior beyond support for the command.

Deobfuscate/Decode Files or Information (MITRE T1140)

The RAT includes routines to decode XOR+Base64-encoded data from memory, particularly C2 configurations and plugins.
This allows on-the-fly loading of malicious logic while keeping encoded blobs static on disk or in configs.

Masquerading (MITRE T1036)

Spectre RAT uses trusted filenames and benign services, such as psinfo.exe (via CMD 15) to collect system and software information.
This LOLBin usage allows reconnaissance and system profiling without raising alerts from behavioral or EDR-based detection systems.

Credential Access (ATT&CK TA0006)

Steal Application Access Token (MITRE T1528)

Following a successful AiTM phishing interaction, Scattered Spider exfiltrates both login credentials and critical authentication artifacts, including:

SSO session cookies
OAuth 2.0 bearer tokens
JWTs from Okta and other identity providers

Their phishing kits (particularly Kits #1, #3, and #5) act as transparent proxies, intercepting traffic in real time via Evilginx2 forks. Victims unknowingly authenticate to legitimate identity providers, while session tokens are silently relayed to attacker-controlled infrastructure.

Aspect	Details
Used Against	Microsoft 365, AWS Console, Okta Admin, HubSpot, Salesforce
Reentry Method	Token replay via Chromium automation (e.g., Playwright, Puppeteer) or import into hardened containers
Detection Difficulty	Tokens are valid → no login event → no MFA → low SIEM/log visibility
Persistence Window	From minutes to several days, depending on session TTL; follow-up phishing often used to extend access

Token Processing Workflow (Inferred from Kit #1/#3/#5)

Token Capture: Once valid credentials are passed, the phishing proxy captures the following.

# Authorization headers
# Session cookies (.AspNetCore.Cookies, auth_token, sid, etc.)
# ID tokens (JWTs) from IDPs such as Okta, Auth0, OneLogin

Storage: Tokens are logged server-side using PHP scripts (e.g., f⬛ckyo⬛.php from Kit #1) and sometimes bundled with:

# IP address
# Timestamp
# User agent string

These entries are likely pushed to attacker-accessible dashboards or exfiltrated via HTTP POST to dedicated collection domains.

Reuse: Tokens are injected directly into browser sessions using dev tools or headless frameworks.

document.cookie = "sid=eyJraWQiOi...; path=/; domain=.okta.com; Secure;";
window.location.href = "https://<target-service>";

This allows the attacker to fully bypass password prompts, MFA challenges, and device trust verifications.

Sustained Access: If refresh tokens are captured (in cases where PKCE is poorly implemented), sessions can be extended or renewed silently. Otherwise, session duration is maximized by avoiding sign-outs or policy triggers.

Command and Control (ATT&CK TA0011)

HTTP-Based Communication Protocol

Spectre RAT communicates with its C2 infrastructure using custom HTTP parameters, primarily through the wber URI field. Each value of wber represents a distinct phase of the malware's operation, enabling tasking, beaconing, and telemetry submission.

Data is frequently obfuscated using XOR and Base64, consistent with the RAT's broader stealth strategy.

wber Value	Functionality	Notes / Response
6	Initial beacon to C2	Returns “txru” if accepted
5	Silent ping (no data)	Likely keeps session alive
35 + kiqa	Download resource (filename Base64-encoded)	Sends back binary or plugin
36 + lhpg	Alternate resource download route	Used for plugin delivery
31	Retrieve bot identifier (GetXqls)	Returns Botnet ID or config ID
34 + lhpg	Send encoded debug logs	Logs are XOR + Base64 encoded
3 + dpna	Pingback with subcommand (e.g., dpna=5 → uninstall)	Used for bot control events
10	POST host data such as available drives (jkux= param)	Discovery-related telemetry
1	Request operational command from C2	Triggers command execution flow

wber=1: Operational Command Handler

When the RAT sends wber=1, it signals a tasking request, prompting the C2 to respond with an operational command and arguments.

Commands are tokenized using | and mapped by CMD number.

CMD	Description	Parameters
1	Download file from infected host	Filename
2	Upload file to host	`Type
3	Execute file from specified folder	`FolderType
5	Uninstall malware	File to remove
6	Trigger pingback	Internal callback switch
7	Retrieve infection/environment info	None
9	Terminate specific process	Process name
10	Enumerate and send running process list	None
12	Send malware debug logs	None
13	Add new C2 server to config	C2 address
14	Execute shell command via cmd.exe /c	`Num
15	Invoke psinfo.exe to gather recon data	None

Impact (ATT&CK TA0011)

Scattered Spider has been observed transitioning from credential-based access operations to manual ransomware deployment, particularly in campaigns linked to ALPHV (BlackCat) and RansomHub affiliates. While not every intrusion ends in encryption, phishing-based access often lays the groundwork for full-scale extortion.

Credential-to-Ransomware Workflow

Initial Access via Phishing or AiTM Kits

Successful phishing campaigns provide OAuth tokens, session cookies, and admin-level credentials, especially for identity providers like Okta or Duo.

Cloud Console Access

Using stolen credentials, operators log into:

Cloud management panels (e.g., AWS, Azure, Salesforce)
Backup interfaces and storage platforms

These are accessed through legitimate browser sessions, often using replayed tokens or imported cookies.

Privilege Escalation & Lateral Movement

VPN-themed and corp-prefixed infrastructure (e.g., vpn-, corp-) is used to blend into enterprise naming conventions.
Once internal access is obtained, they identify vSphere, Active Directory, or shared drives to escalate privileges and move laterally.

Manual Ransomware Deployment

After mapping the environment and verifying privileges, the operator deploys ransomware using:

vSphere consoles to encrypt virtualized environments
Remote scripting tools (e.g., PowerShell, PsExec) to distribute payloads internally
File shares or GPOs for broad propagation

Double Extortion Model

In some cases, data is exfiltrated before encryption, enabling extortion through both disruption and disclosure.

How Picus Helps Defend Against Scattered Spider APT Attacks?

The Picus Security Validation Platform helps organizations safely simulate the TTPs of threat actors like Scattered Spider, including AiTM phishing, OAuth token theft, LOLBin abuse, and modular RAT-based discovery. By emulating these behaviors through its continuously updated Threat Library, Picus enables security teams to identify blind spots across EDR, XDR, SIEM, and identity layers, before adversaries can exploit them.

The Picus Threat Library includes adversarial techniques observed in Scattered Spider campaigns, allowing defenders to continuously validate detection and prevention capabilities against real-world attack sequences. This helps organizations measure readiness, reduce identity-based exposure, and strengthen their ability to defend against targeted, post-authentication intrusions.

Threat ID	Threat Name	Attack Module
42054	Scattered Spider Threat Group Campaign Malware Threat	Network Infiltration
98798	Scattered Spider Threat Group Campaign Malware Email Threat	Email Infiltration