CrowdStrike recently observed SCATTERED SPIDER—a known eCrime group—broadening its scope beyond insurance and retail to now include the aviation industry. In Q2 2025, the group primarily targeted U.S. and U.K. insurance and retail companies, but June saw attacks on U.S.-based airlines using familiar tactics.
Key Tactics and Techniques (TTPs)
SCATTERED SPIDER relies heavily on voice phishing (vishing) to impersonate employees and trick IT help desks into resetting credentials, particularly for Microsoft Entra ID (Azure AD), SSO, and VDI accounts. Once inside, they pivot to SaaS apps, conduct Active Directory (AD) reconnaissance, exploit VMware infrastructure, and install tunneling tools like Chisel, ngrok, and Teleport. They also manipulate email transport rules to avoid detection and exfiltrate data from AWS S3 buckets using tools like S3 Browser.
Objectives and Threat Patterns
The group’s main goal is ransomware deployment—specifically targeting VMware ESXi environments. When stopped early, they pivot to data extortion. SCATTERED SPIDER often hits multiple organizations in the same industry within short periods but is opportunistic in nature.
Common attack vectors include:
Social engineering via IT help desks
SIM swapping and MFA bypass
Abuse of remote access tools (e.g., AnyDesk, TeamViewer)
Cloud lateral movement and identity abuse
Data exfiltration before ransomware execution
Primary targets:
VMware vCenter/ESXi
Cloud identity providers (Azure, AWS, Okta, etc.)
Privileged accounts and remote access systems
Backup infrastructure and IT help desks
Defensive Recommendations with CrowdStrike Falcon
CrowdStrike customers should activate key Falcon capabilities, including:
Falcon Next-Gen SIEM: Prioritize ingestion of vCenter, firewall, DNS, and identity logs.
Correlation Rule Templates (CRTs): Use predefined rules for detecting risky logins, MFA manipulation, and VM creation.
Falcon Shield: Integrate with SaaS and cloud platforms (e.g., Microsoft 365, Google Workspace) for advanced threat visibility.
Falcon Cloud Security: Register cloud tenants, deploy VMware Asset Inventory Collectors, and monitor for rogue VM creation.
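The correlation the post recommends (help-desk credential reset followed by MFA manipulation, plus new mail rules that hide notifications, as described under Key Tactics) can be prototyped in a few lines before it is turned into a SIEM rule. The following is an added example and is not CrowdStrike code or a Falcon Correlation Rule Template; the event field names (`action`, `actor`, `rule`) and the sample events are constructed for the example and do not reflect any product's log schema.

```python
"""
Added example (not CrowdStrike's code, not a Falcon CRT): a small correlation
check over constructed identity-audit events that flags two patterns described
in the post -- a help-desk password reset followed shortly by a new MFA method
registration, and a newly created mail transport rule that deletes or redirects
messages. Field names are assumptions for the example, not any product's schema.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Timestamps are UTC ISO-8601.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T13:02:00", "user": "alice", "action": "password_reset",
     "actor": "helpdesk"},
    {"ts": "2025-06-10T13:09:00", "user": "alice", "action": "mfa_method_added",
     "actor": "alice", "method": "authenticator_app"},
    {"ts": "2025-06-10T13:15:00", "user": "alice", "action": "transport_rule_created",
     "actor": "alice", "rule": {"delete": True, "keywords": ["security", "alert"]}},
    # Benign: reset and MFA enrolment are a day apart (normal onboarding cadence).
    {"ts": "2025-06-10T09:00:00", "user": "bob", "action": "password_reset",
     "actor": "helpdesk"},
    {"ts": "2025-06-11T09:30:00", "user": "bob", "action": "mfa_method_added",
     "actor": "bob", "method": "fido2"},
    # Benign: a rule that neither deletes nor redirects mail.
    {"ts": "2025-06-10T10:00:00", "user": "carol", "action": "transport_rule_created",
     "actor": "carol", "rule": {"delete": False, "redirect_to": None}},
]

# Tunable thresholds (assumed values for the example).
RESET_TO_MFA_WINDOW = timedelta(hours=1)
SUSPICIOUS_KEYWORDS = {"security", "alert", "phish", "password", "mfa"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_reset_then_mfa(events, window=RESET_TO_MFA_WINDOW):
    """Return (user, reset_ts, mfa_ts) for every MFA method registration that
    occurs within `window` after a help-desk initiated password reset for the
    same user. Events are sorted so the reset is always seen first."""
    last_reset = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "password_reset" and ev["actor"] == "helpdesk":
            last_reset[ev["user"]] = _parse(ev["ts"])
        elif ev["action"] == "mfa_method_added":
            reset_ts = last_reset.get(ev["user"])
            if reset_ts is not None:
                delta = _parse(ev["ts"]) - reset_ts
                if timedelta(0) <= delta <= window:
                    findings.append((ev["user"], reset_ts.isoformat(), ev["ts"]))
    return findings


def find_suspicious_transport_rules(events, keywords=SUSPICIOUS_KEYWORDS):
    """Flag newly created transport/inbox rules that delete or redirect mail,
    recording any security-related keywords the rule matches on."""
    findings = []
    for ev in events:
        if ev["action"] != "transport_rule_created":
            continue
        rule = ev["rule"]
        deletes = bool(rule.get("delete"))
        redirects = rule.get("redirect_to") is not None
        kw_hit = sorted({k.lower() for k in rule.get("keywords", [])} & keywords)
        if deletes or redirects:
            findings.append({"user": ev["user"], "ts": ev["ts"], "deletes": deletes,
                             "redirects": redirects, "keywords": kw_hit})
    return findings


def correlate(events):
    """Combine both checks into a per-user list of finding tags; a user with
    both tags is the pattern worth escalating first."""
    tags = {}
    for user, _, _ in find_reset_then_mfa(events):
        tags.setdefault(user, set()).add("reset_then_mfa")
    for f in find_suspicious_transport_rules(events):
        tags.setdefault(f["user"], set()).add("mail_rule")
    return {u: sorted(t) for u, t in tags.items()}


if __name__ == "__main__":
    for user, found in correlate(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(found)}")
```

The one-hour window and keyword list are starting points to tune against your own help-desk and onboarding baselines; the design choice is to keep each check independent so a single hit is a low-severity lead while a user matching both is escalated.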
Proactive Hardening Tips
Enforce phishing-resistant MFA (no SMS)
Tighten help desk verification protocols
Monitor for authentication anomalies and suspicious SaaS activity
Secure virtual infrastructure and apply least privilege in cloud
Train staff against social engineering
Maintain isolated, tested backups and response playbooks
Bottom Line: SCATTERED SPIDER continues to evolve its tactics and widen its target pool. Combining the CrowdStrike Falcon platform with fundamental security hardening is key to defending against this persistent and sophisticated threat group.
We hope you enjoyed this blog post. Stay tuned for more awareness posts like this. Stay safe!