Scattered Spider is a financially motivated threat actor group known for its aggressive social engineering, identity-focused intrusions, and highly adaptive phishing infrastructure. Active since 2022, the group has consistently targeted telecom, SaaS, cloud, and financial services by hijacking user identities and exploiting authentication flows. Scattered Spider leverages techniques such as SIM swapping, helpdesk impersonation, and adversary-in-the-middle (AiTM) phishing to obtain valid credentials and tokens, often bypassing MFA entirely.
In recent campaigns, they’ve expanded their toolset to include modular phishing kits, dynamic C2 infrastructure, and Spectre RAT, a custom malware used for persistent, fileless access and system-level reconnaissance.
In this blog, we analyze Scattered Spider’s evolving tradecraft, map their TTPs to the MITRE ATT&CK framework to help organizations validate exposure and strengthen identity-centric defenses.
|
Aspect |
Details |
|
Timeline |
Active since early 2022, with ongoing operations as of mid-2025 |
|
Targeted Industries |
Telecommunications, financial services, software/SaaS, retail, cloud infrastructure, and identity providers |
|
Initial Access Techniques |
Social engineering (vishing, SIM-swapping, helpdesk fraud), AiTM phishing, OAuth session hijacking, identity abuse |
|
Phishing Infrastructure |
At least 5 custom phishing kits tracked; Evilginx-based proxies; dynamic DNS subdomain rental; short-lived brand-impersonating domains |
|
Post-Access Toolset |
Remote access tools (e.g., Spectre RAT, AnyDesk), LOLBins (e.g., nircmdc.exe, 7Zip), PowerShell stagers, web-based panels |
|
Persistence & Evasion |
Token replay, living-off-the-land, C2 domain rotation, cloud-based lateral movement, mutex-based malware instance control |
|
Malware Used |
Spectre RAT (custom), staged payloads (DLLs, encoded shellcode), modular downloaders |
|
Command & Control |
Web-based (HTTP), dynamic URI patterns (wber params), C2 list retrieval from embedded and runtime-loaded config files |
|
Credential Access |
OAuth & SSO token theft (T1528), session replay via browser automation, JWT manipulation |
|
Ransomware Links |
Associated with ALPHV/BlackCat, RansomHub, and others via affiliate programs (double extortion model in some operations) |
|
Notable Behavior |
Public domain repurposing (e.g., twitter-okta[.]com), multi-brand phishing templates, Rick Roll redirect for non-targets, rapid infra reuse |
Spectre RAT is a sophisticated C++‑based Remote Access Trojan (RAT) first detected in September 2020 and offered as a Malware‑as‑a‑Service (MaaS) to cybercriminals. Its modular design encompasses three key components:
To maintain stealth, Spectre RAT utilizes code obfuscation, malware crypters, mutex logic to prevent multiple instances, and even legitimate code‑signing certificates. Infection typically begins through phishing emails or malicious documents, often macro‑enabled Office files or VBS scripts, that trick users into execution, after which the malware establishes persistent access, steals sensitive data, and supports further operations such as lateral movement or credential dumping.
In early 2025, the notorious extortion group Scattered Spider (also known as UNC3944) incorporated an enhanced version of Spectre RAT into their campaigns, deploying updated obfuscation techniques, a sophisticated crypter, and issuing public tools like a string‑decoder and a C2 emulator to aid defenders. This notable evolution and professional distribution model make Spectre RAT a potent and ongoing threat to enterprise environments.
Scattered Spider’s phishing ops are built around five modular phishing kits, refined across 2023–2025. Each kit targets identity providers (Okta, Duo, OneLogin), often embedding multiple brands per template.
|
Kit # |
Distinctive Traits |
Usage Timeline |
Infra/Tools |
|
Kit #1 |
Polished Okta mimicry, “Powered by Okta” footer |
2023–Feb 2025 |
Short-lived domains (<30min), SSL immediately issued |
|
Kit #2 |
Simpler UI, no Okta branding |
2024 mid |
Evilginx2 redirects (Rick Roll), dashes in domains |
|
Kit #3 |
Advanced mimicry with persistent hosting |
Feb–Oct 2024, Feb 2025 |
Delayed content deployment |
|
Kit #4 |
Minor code tweaks to Kit #3 |
Late 2024–early 2025 |
Njalla + Cloudflare infra |
|
Kit #5 |
Multi-brand payloads, dev slip-ups in page triggers |
Active in 2025 |
Dynamic DNS (e.g., klv1.it[.]com) + Cloudflare |
Phishing kit URLs typically follow:
|
https://[brand-themed-domain]/index?id=[base64-string] |
This structure:
Enables real-time session hijack via AiTM
Encodes tracking tokens for each target
Supports MFA bypass by capturing cookies in-transit
As mentioned earlier, Scattered Spider uses Spectre RAT, a custom remote access trojan, to perform host profiling and environment-aware reconnaissance following initial access. Its discovery functions are triggered immediately upon execution to collect system context and support staging of subsequent operations.
During initialization, Spectre RAT creates a local file named 733949 to store host-level reconnaissance data. This file contains both string and boolean values, delimited by *, and is later exfiltrated to the C2.
The data includes:
|
0: trxu → Beacon ID / static marker |
This lightweight data structure enables the malware to perform early profiling of the infected system and remain idle until explicitly instructed by the attacker. The presence of unpopulated or hardcoded fields indicates the malware is modular and under active development.
Spectre RAT performs silent directory discovery during initialization using built-in functions to avoid shell-based enumeration.
|
get_user_folder_paths() |
Collected paths include user profiles, install locations, and config file directories, which are later used for payload staging or exfiltration.
These values are stored in memory using a custom C++ structure (CXXStringStruct), optimized for both static and dynamic strings
|
struct CXXStringStruct { |
For strings ≤10 characters, data is stored inline within the struct to avoid heap allocation and reduce noise.
Some of the discovered paths are written to config files (733949, 89CC88) and used by the C2 to determine where to execute or retrieve staged content.
This process supports stealthy reconnaissance, allowing the malware to locate usable directories while minimizing EDR visibility.
Spectre RAT performs process discovery using a C2-issued instruction, CMD 10, which prompts the malware to enumerate all active processes on the compromised host. This is triggered through an HTTP request containing the parameter wber=1, indicating a tasking operation from the command-and-control server.
Upon receiving this command, Spectre RAT likely uses Windows APIs such as:
|
CreateToolhelp32Snapshot() |
to iterate through the system’s running processes. These functions provide process names, IDs, and optionally memory usage or parent-child relationships.
The collected process list is then XOR-encoded and Base64-wrapped, consistent with other Spectre RAT telemetry, and sent back to the C2 server. This enables the operator to:
This technique is executed entirely in-memory, avoiding command-line artifacts, and supports the broader goal of environment-aware post-exploitation. It provides attackers with near real-time telemetry to adapt their operations and maximize dwell time while avoiding detection.
Spectre RAT performs software discovery via CMD 15, a command-and-control instruction delivered through the malware’s custom HTTP-based C2 protocol (wber=1). When this command is received, the RAT executes the Sysinternals utility psinfo.exe on the infected system to collect detailed information about the host environment.
This includes:
Although current analysis and reports do not show the exact command string, it is highly likely that Spectre RAT spawns a hidden shell to execute something similar to:
|
psinfo.exe -h -s > %TEMP%\output.txt |
and reads the contents for exfiltration. The collected output is likely encoded (XOR + Base64) and sent to the C2, consistent with the malware's other communication routines.
This discovery method enables Scattered Spider operators to:
Because Spectre RAT uses a trusted Microsoft utility (psinfo.exe) for this task, the activity blends in with legitimate administrative behavior and may evade command-line or process-based detection mechanisms, especially if telemetry is noisy or filtered.
In short, CMD 15 allows Spectre RAT to enrich its situational awareness using LOLBins (Living-Off-the-Land Binaries), supporting stealthy decision-making and environment-specific post-compromise operations.
While registry interaction isn’t detailed in current analysis, Spectre RAT gathers install paths and config locations, and sets up persistence-related values (like mutexes and config file references), suggesting likely abuse of:
Scattered Spider frequently maintains access via cloud consoles (Okta, AWS, Salesforce) using replayed OAuth tokens and imported session cookies.
This behavior provides persistent access without needing local malware or implants, relying instead on identity-level persistence, especially when MFA isn’t re-enforced.
Spectre RAT uses XOR encoding combined with Base64 to obfuscate command-and-control (C2) communications and configuration data.
This applies to:
This encoding approach evades signature-based detection and hinders basic content inspection.
Following a successful AiTM phishing interaction, Scattered Spider exfiltrates both login credentials and critical authentication artifacts, including:
Their phishing kits (particularly Kits #1, #3, and #5) act as transparent proxies, intercepting traffic in real time via Evilginx2 forks. Victims unknowingly authenticate to legitimate identity providers, while session tokens are silently relayed to attacker-controlled infrastructure.
|
Aspect |
Details |
|
Used Against |
Microsoft 365, AWS Console, Okta Admin, HubSpot, Salesforce |
|
Reentry Method |
Token replay via Chromium automation (e.g., Playwright, Puppeteer) or import into hardened containers |
|
Detection Difficulty |
Tokens are valid → no login event → no MFA → low SIEM/log visibility |
|
Persistence Window |
From minutes to several days, depending on session TTL; follow-up phishing often used to extend access |
Token Capture: Once valid credentials are passed, the phishing proxy captures the following.
|
# Authorization headers |
Storage: Tokens are logged server-side using PHP scripts (e.g., f⬛ckyo⬛.php from Kit #1) and sometimes bundled with:
|
# IP address |
These entries are likely pushed to attacker-accessible dashboards or exfiltrated via HTTP POST to dedicated collection domains.
Reuse: Tokens are injected directly into browser sessions using dev tools or headless frameworks.
|
document.cookie = "sid=eyJraWQiOi...; path=/; domain=.okta.com; Secure;"; |
This allows the attacker to fully bypass password prompts, MFA challenges, and device trust verifications.
Sustained Access: If refresh tokens are captured (in cases where PKCE is poorly implemented), sessions can be extended or renewed silently. Otherwise, session duration is maximized by avoiding sign-outs or policy triggers.
Spectre RAT communicates with its C2 infrastructure using custom HTTP parameters, primarily through the wber URI field. Each value of wber represents a distinct phase of the malware's operation, enabling tasking, beaconing, and telemetry submission.
Data is frequently obfuscated using XOR and Base64, consistent with the RAT's broader stealth strategy.
|
wber Value |
Functionality |
Notes / Response |
|
6 |
Initial beacon to C2 |
Returns “txru” if accepted |
|
5 |
Silent ping (no data) |
Likely keeps session alive |
|
35 + kiqa |
Download resource (filename Base64-encoded) |
Sends back binary or plugin |
|
36 + lhpg |
Alternate resource download route |
Used for plugin delivery |
|
31 |
Retrieve bot identifier (GetXqls) |
Returns Botnet ID or config ID |
|
34 + lhpg |
Send encoded debug logs |
Logs are XOR + Base64 encoded |
|
3 + dpna |
Pingback with subcommand (e.g., dpna=5 → uninstall) |
Used for bot control events |
|
10 |
POST host data such as available drives (jkux= param) |
Discovery-related telemetry |
|
1 |
Request operational command from C2 |
Triggers command execution flow |
When the RAT sends wber=1, it signals a tasking request, prompting the C2 to respond with an operational command and arguments.
Commands are tokenized using | and mapped by CMD number.
|
CMD |
Description |
Parameters |
|
1 |
Download file from infected host |
Filename |
|
2 |
Upload file to host |
`Type |
|
3 |
Execute file from specified folder |
`FolderType |
|
5 |
Uninstall malware |
File to remove |
|
6 |
Trigger pingback |
Internal callback switch |
|
7 |
Retrieve infection/environment info |
None |
|
9 |
Terminate specific process |
Process name |
|
10 |
Enumerate and send running process list |
None |
|
12 |
Send malware debug logs |
None |
|
13 |
Add new C2 server to config |
C2 address |
|
14 |
Execute shell command via cmd.exe /c |
`Num |
|
15 |
Invoke psinfo.exe to gather recon data |
None |
Scattered Spider has been observed transitioning from credential-based access operations to manual ransomware deployment, particularly in campaigns linked to ALPHV (BlackCat) and RansomHub affiliates. While not every intrusion ends in encryption, phishing-based access often lays the groundwork for full-scale extortion.
Successful phishing campaigns provide OAuth tokens, session cookies, and admin-level credentials, especially for identity providers like Okta or Duo.
Using stolen credentials, operators log into:
These are accessed through legitimate browser sessions, often using replayed tokens or imported cookies.
After mapping the environment and verifying privileges, the operator deploys ransomware using:
In some cases, data is exfiltrated before encryption, enabling extortion through both disruption and disclosure.
The Picus Security Validation Platform helps organizations safely simulate the TTPs of threat actors like Scattered Spider, including AiTM phishing, OAuth token theft, LOLBin abuse, and modular RAT-based discovery. By emulating these behaviors through its continuously updated Threat Library, Picus enables security teams to identify blind spots across EDR, XDR, SIEM, and identity layers, before adversaries can exploit them.
The Picus Threat Library includes adversarial techniques observed in Scattered Spider campaigns, allowing defenders to continuously validate detection and prevention capabilities against real-world attack sequences. This helps organizations measure readiness, reduce identity-based exposure, and strengthen their ability to defend against targeted, post-authentication intrusions.
|
Threat ID |
Threat Name |
Attack Module |
|
42054 |
Scattered Spider Threat Group Campaign Malware Threat |
|
|
98798 |
Scattered Spider Threat Group Campaign Malware Email Threat |