Despite law enforcement crackdowns, questions remain about the group’s resurgence, evolving phishing tactics, and ongoing risks to organizations.
Remember the saga involving the threat group Scattered Spider (UNC3944)?
The threat group gained notoriety by inflicting damage on major corporations and prominent Las Vegas casinos in 2023.
Known for their past association with BlackCat/ALPHV, Scatter Spider (SS in short) developed playbooks for highly successful, reproducible attacks, often using social engineering to gain access to identities. While many attackers use identity pathways, SS is notoriously slick at bypassing multi-factor authentication and infiltrating enterprises through cloud identities.
In a recent update, the Google Threat Intelligence Group (GTIG) had confirmed the threat group’s decline in activity after 2024 law enforcement actions against individuals allegedly associated with the group.
The GTIG warns that threat actors will often temporarily halt or significantly curtail operations after an arrest, possibly to reduce law enforcement attention, rebuild capabilities and/or partnerships, or shift to new tooling to evade detection. Also:
- UNC3944’s existing ties to a broader community of threat actors could potentially help them recover from law enforcement actions more quickly.
- Recent public reporting has suggested that threat actors used tactics consistent with SS to target a UK retail organization and deploy DragonForce ransomware.
- Subsequent reporting by BBC News indicates that actors associated with DragonForce had claimed responsibility for attempted attacks at multiple UK retailers. Notably, the operators of DragonForce ransomware recently claimed control of RansomHub, a ransomware-as-a-service threat that seemingly ceased operations in March 2025. SS was an affiliate of RansomHub in 2024, after the ALPHV (aka Blackcat) shut down.
Mitigating against possible SS resurrection
GTIG has not independently confirmed the involvement of SS or DragonForce groups in its own research because, according to its chief analyst, John Hultquist: “(Threat) actors pass in and out, and the associations aren’t extremely firm. That can make it hard to do attribution, and it can make it hard to completely put a stop to their activity. Historically these actors have gone after sectors in waves… and the trend in UK retail shouldn’t be ignored. There’s an opportunity for the sector to take proactive action, especially against the preferred tactics of these actors, like social engineering.”
Just in case, to harden against SS threats, organizations can follow standard best practices: enforce phishing-resistant multi-factor authentication; strictly control password resets and MFA registration; segregate privileged accounts; monitor endpoints and cloud for anomalies; restrict lateral movement; educate staff about social engineering threats; and ensure comprehensive security observability.
