Scattered Spider Leverages Technology Vendor Impersonation to Target Help Desks

Scattered Spider, a financially motivated cybercriminal group known for ransomware deployment and implicated in recent cyberattacks on UK retailers, has refined its tradecraft. A recent analysis by ReliaQuest shows that the group, which started out running simple SIM-swapping schemes, has grown into a global threat whose core strength is social engineering.

The analysis draws on a dataset of more than 600 domains linked to Scattered Spider (also tracked as UNC3944 or Octo Tempest), taken from community-shared indicators of compromise (IOCs) dated between Q1 2022 and Q1 2025, and correlates them with domain impersonation alerts raised by ReliaQuest's GreyMatter Digital Risk Protection (DRP) service over the preceding six months.

Impersonating Tech Vendors

One significant observation from the report is that over 81% of domains associated with Scattered Spider impersonate technology vendors. The lookalikes mimic single sign-on (SSO) portals, identity providers (IdPs) such as Okta, and virtual private network (VPN) gateways, because a login page for one of those services is the most natural place to ask a user for a password and an MFA code. The accounts being harvested are high-value ones, including system administrators, CFOs, COOs and CISOs.

Following the incidents at UK retailers, reporting indicated that Scattered Spider used compromised credentials belonging to Tata Consultancy Services (TCS), a large IT outsourcing firm, to gain entry. The Co-op, another UK retailer hit around the same time, has worked with TCS for more than ten years, though no link between TCS and the Co-op breach has been established.

These incidents underscore Scattered Spider's preference for going through IT vendors and third-party service providers rather than attacking the retailers directly. A compromised account at a trusted vendor such as TCS can carry the group into every client that vendor administers, multiplying the reach of a single foothold.

Use of Evilginx Phishing Framework

ReliaQuest also found that Scattered Spider pairs its social engineering with phishing campaigns built on typosquatted domains and the Evilginx framework to get past multifactor authentication (MFA). Evilginx, released in 2017 as a red-team tool and since adopted by criminals, is an adversary-in-the-middle reverse proxy: the phishing domain serves the real login page fetched from the genuine site, so the victim completes the full login including the MFA prompt, while the proxy records the password and the authenticated session cookie. Replaying that cookie gives the attacker a logged-in session without ever answering an MFA challenge. One-time codes and push approvals offer no protection against this; phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys do, because the credential is bound to the legitimate origin and will not sign for the lookalike domain.

Evilginx 3.0 is the current major version (the report dates it to April 2024). Separately, the report finds that 60% of Scattered Spider's phishing domains target technology organizations and vendors. It also describes members calling help desks and posing as employees to obtain password or MFA resets, a route into organizations in high-value sectors such as retail, technology and finance. The group favors companies that can pay large ransoms or that hold data which gives leverage in negotiations.
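The impersonation patterns described in the two sections above (vendor or org name combined with an SSO/VPN/helpdesk lure, and typosquats of vendor names such as Okta) can be triaged automatically from a feed of newly registered or newly certified domains. The script below is an added example written for this page, not ReliaQuest's tooling or part of its report. The vendor list, lure tokens, homoglyph map, the protected org name `examplecorp`, the allowlist and the sample domains are all constructed assumptions for illustration; the scoring weights are arbitrary and meant to be tuned.

```python
"""Lookalike-domain triage for vendor/SSO impersonation (added example).

Scores domains for the patterns attributed to Scattered Spider: a target
org name or a technology vendor combined with an authentication lure
(sso, vpn, helpdesk, ...), or a one-edit typosquat / homoglyph of a vendor
name. Standard library only. All lists below are constructed assumptions.
"""
import re

# Vendors whose login portals are commonly impersonated (assumption).
VENDORS = ["okta", "duo", "citrix", "cisco", "fortinet", "globalprotect", "microsoft"]
# Tokens that turn a brand into a credential-harvesting lure (assumption).
AUTH_TOKENS = {"sso", "login", "signin", "auth", "mfa", "vpn", "helpdesk",
               "servicedesk", "support", "portal", "idp", "verify", "reset"}
# ASCII homoglyph substitutions seen in typosquats (assumption).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}
# Domains the org and its vendors legitimately use (constructed allowlist).
ALLOWLIST = {"examplecorp.com", "okta.com", "duosecurity.com"}


def normalize(label: str) -> str:
    """Undo common homoglyph tricks so '0kta-verify' compares as 'okta-verify'."""
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character typosquats of vendor names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain: str, org: str, allowlist: set = ALLOWLIST):
    """Return (score, reasons) for one domain. Scoring weights are arbitrary."""
    parts = domain.lower().rstrip(".").split(".")
    # Registrable domain approximated as the last two labels. This ignores the
    # Public Suffix List (e.g. .co.uk); use a PSL-aware library in production.
    if len(parts) < 2 or ".".join(parts[-2:]) in allowlist:
        return 0, []
    raw = parts[-2]
    label = normalize(raw)
    tokens = [t for t in re.split(r"[-_]", label) if t]
    score, reasons = 0, []
    if org in label:
        score += 3
        reasons.append(f"contains org name '{org}'")
    for v in VENDORS:
        if v in label:
            score += 2
            reasons.append(f"contains vendor '{v}'")
            break
        # Only compare tokens of at least 4 chars so short words do not match.
        near = [t for t in tokens if len(t) >= 4 and levenshtein(t, v) == 1]
        if near:
            score += 3
            reasons.append(f"'{near[0]}' is one edit from '{v}'")
            break
    hits = sorted(AUTH_TOKENS & set(tokens))
    if hits:
        score += 2
        reasons.append(f"auth lure token(s) {hits}")
    if label != raw:
        score += 1
        reasons.append(f"homoglyphs normalized '{raw}' -> '{label}'")
    return score, reasons


def triage(domains, org: str, allowlist: set = ALLOWLIST, threshold: int = 4):
    """Return [(domain, score, reasons)] at or above threshold, highest first."""
    flagged = []
    for d in domains:
        score, reasons = score_domain(d, org, allowlist)
        if score >= threshold:
            flagged.append((d, score, reasons))
    return sorted(flagged, key=lambda item: -item[1])


# Constructed sample feed, e.g. what a DRP or CT-log watcher might surface.
SAMPLE_DOMAINS = [
    "examplecorp-sso.com",
    "login.okta-examplecorp.net",
    "oktta-login.com",
    "duo-mfa-examplecorp-helpdesk.com",
    "0kta-verify.com",
    "examplecorp.okta.com",   # legitimate Okta tenant, allowlisted
    "examplecorp.com",        # the org itself
    "weather-news.com",       # unrelated
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_DOMAINS, "examplecorp"):
        print(f"{score:2d}  {domain:36s} {'; '.join(reasons)}")
```

Run as-is it flags five of the eight sample domains and leaves the legitimate tenant, the org's own domain and the unrelated site alone. In practice the feed would come from certificate transparency logs or a DRP service, the registrable domain should be derived with a Public Suffix List, and the org's own SSO and VPN hostnames belong in the allowlist so that legitimate `org-sso` naming is not reported against itself.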

Collaboration with RaaS Groups

The investigation also found Scattered Spider working with ransomware-as-a-service (RaaS) groups, notably DragonForce, which allegedly supplied the ransomware used in the Marks & Spencer breach. Combined with the group's targeting of managed service providers (MSPs) and IT contractors, whose broad access lets one compromise reach many client networks, the partnership turns initial access into a full extortion operation.

Such alliances are not new; the group has previously worked with BlackCat/ALPHV and RansomHub. In discussions at Infosecurity Europe 2025, experts described the Scattered Spider and DragonForce arrangement as mutually beneficial, with DragonForce taking a percentage of each ransom.

Scattered Spider's evolution from SIM-swapping to sophisticated social engineering is reinforced by these partnerships with established ransomware operators, which give it not just infrastructure but also the ransomware payload and the apparatus for negotiating payment. Reports that the attackers emailed the Marks & Spencer CEO to boast about the breach and demand a ransom illustrate the end state of that model.