Scattered Spider
Scattered Spider is a threat actor tracked in the Clankerusecase corpus. Attributed to US. Primary motivation: Criminal. We map 26 detection use cases to this actor across 91 MITRE ATT&CK techniques, and 4 threat-intel articles in the corpus cite the group. Active in our corpus from 2025-12-11 to 2026-06-12.
Severity: crit 2 · high 1 · med 1
Use cases: 26
Articles: 4
Techniques: 91
IOCs: 1
Known aliases
Scattered Spider, 0ktapus, UNC3944, Octo Tempest, Muddled Libra, Roasted 0ktapus, Storm-0875
Top techniques
All other tracked techniques
T1003 · OS Credential Dumping
T1003.001 · LSASS Memory
T1003.003 · NTDS
T1005 · Data from Local System
T1006 · Direct Volume Access
T1016 · System Network Configuration Discovery
T1018 · Remote System Discovery
T1021.001 · Remote Desktop Protocol
T1021.002 · SMB/Windows Admin Shares
T1021.004 · SSH
T1021.007 · Cloud Services
T1041 · Exfiltration Over C2 Channel
T1059.001 · PowerShell
T1059.004 · Unix Shell
T1059.005 · Visual Basic
T1068 · Exploitation for Privilege Escalation
T1069 · Permission Groups Discovery
T1069.002 · Domain Groups
T1070.004 · File Deletion
T1070.008 · Clear Mailbox Data
T1071 · Application Layer Protocol
T1071.001 · Web Protocols
T1071.004 · DNS
T1074 · Data Staged
T1078 · Valid Accounts
T1078.004 · Cloud Accounts
T1082 · System Information Discovery
T1083 · File and Directory Discovery
T1087 · Account Discovery
T1087.002 · Domain Account
T1090 · Proxy
T1098 · Account Manipulation
T1098.003 · Additional Cloud Roles
T1105 · Ingress Tool Transfer
T1114 · Email Collection
T1114.003 · Email Forwarding Rule
T1133 · External Remote Services
T1136 · Create Account
T1195.002 · Compromise Software Supply Chain
T1204 · User Execution
T1204.001 · Malicious Link
T1204.002 · Malicious File
T1204.004 · Malicious Copy and Paste
T1213.003 · Code Repositories
T1213.005 · Messaging Applications
T1217 · Browser Information Discovery
T1218 · System Binary Proxy Execution
T1219 · Remote Access Tools
T1219.002 · Remote Desktop Software
T1484.002 · Trust Modification
T1485 · Data Destruction
T1486 · Data Encrypted for Impact
T1490 · Inhibit System Recovery
T1498 · Network Denial of Service
T1530 · Data from Cloud Storage
T1538 · Cloud Service Dashboard
T1539 · Steal Web Session Cookie
T1543.002 · Systemd Service
T1552.001 · Credentials In Files
T1552.004 · Private Keys
T1553.002 · Code Signing
T1555.003 · Credentials from Web Browsers
T1555.005 · Password Managers
T1556.006 · Multi-Factor Authentication
T1556.009 · Conditional Access Policies
T1564.008 · Email Hiding Rules
T1566.001 · Spearphishing Attachment
T1566.003 · Spearphishing via Service
T1566.004 · Spearphishing Voice
T1567.002 · Exfiltration to Cloud Storage
T1569.002 · Service Execution
T1572 · Protocol Tunneling
T1578.002 · Create Cloud Instance
T1580 · Cloud Infrastructure Discovery
T1583.001 · Domains
T1583.003 · Virtual Private Server
T1585.001 · Social Media Accounts
T1588.001 · Malware
T1588.002 · Tool
T1589 · Gather Victim Identity Information
T1598 · Phishing for Information
T1598.003 · Spearphishing Link
T1598.004 · Spearphishing Voice
T1621 · Multi-Factor Authentication Request Generation
T1656 · Impersonation
T1657 · Financial Theft
T1684.001 · Impersonation
T1685 · Disable or Modify Tools
Detection use cases (26)
1. Scattered Spider (Octo Tempest / UNC3944) help-desk takeover — admin-driven MFA/credential reset followed by sign-in from new ASN within 4h
2. Scattered Spider RMM / tunnelling agent first-time execution on host (AnyDesk, ScreenConnect, Ngrok, Cloudflared, RustDesk, MeshAgent, Splas
3. Anti-forensic deletion/tampering of macOS Tahoe 26 App.MenuItem Biome stream
4. Non-forensic process bulk-reading the App.MenuItem Biome stream
5. Phishing-link click correlated to endpoint execution
6. Email attachment opened from external sender
7. Office app spawning script/LOLBin child process
8. Microsoft Teams external-tenant chat from unverified IT-helpdesk impersonator
9. RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard
10. Trusted vendor binary / installer launching unusual children
11. Article-specific behavioural hunt — Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered
12. External MS Teams chat invite from IT-impersonating unmanaged or federated tenant
13. MFA approval within minutes of inbound external Microsoft Teams chat
14. Activity involving ommicrosoft.com Cloaked-Ursa Teams typosquat
15. 1Password impossible-travel sign-in
16. Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min)
17. Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes
18. Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN
19. Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload)
20. Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request
21. Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit)
22. Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution
23. Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain
24. Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition
25. Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress
26. Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes
Threat-intel articles (4)
Tracked indicators
Domains (1)
ommicrosoft.com
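The actor-specific help-desk takeover use case listed above (admin-driven MFA/credential reset followed by a sign-in from a new ASN within 4h) is a time-window correlation between an IdP audit event and a sign-in event. The Python below is a worked example of that correlation added for this page; it is not the corpus's own detection content or any vendor's rule. The event schema, the operation names in RESET_OPS, the user and admin names and the ASNs (all in the private 64512–65534 range) are constructed for the example.

```python
"""Help-desk takeover correlation: an admin-driven password/MFA reset on a
user, followed within 4 hours by a successful sign-in for that user from an
ASN never seen in their earlier sign-ins.  Constructed example, not a
production rule; event schema and operation names are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

WINDOW = timedelta(hours=4)

# Assumed audit operation names for an MFA/credential reset. A real rule maps
# these onto the IdP's own audit-log operation names.
RESET_OPS = {"reset_password", "delete_mfa_method", "register_mfa_method"}


@dataclass(frozen=True)
class Event:
    time: datetime
    kind: str            # "audit" (IdP change on an account) or "signin"
    target: str          # the account the event concerns
    actor: str = ""      # who performed an audit operation; "" for sign-ins
    op: str = ""         # audit operation name, see RESET_OPS
    asn: int = 0         # origin ASN of a sign-in
    success: bool = True


def T(s: str) -> datetime:
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def known_asns(events: List[Event], user: str, before: datetime) -> Set[int]:
    """ASNs seen in the user's successful sign-ins that predate `before`."""
    return {e.asn for e in events
            if e.kind == "signin" and e.target == user and e.success
            and e.time < before}


def find_helpdesk_takeovers(events: List[Event],
                            window: timedelta = WINDOW) -> List[Dict]:
    events = sorted(events, key=lambda e: e.time)
    alerts: List[Dict] = []
    seen = set()  # (user, reset time, asn): one alert per new ASN per reset
    for reset in events:
        if reset.kind != "audit" or reset.op not in RESET_OPS:
            continue
        if reset.actor == reset.target:
            continue  # self-service reset is not the admin-driven pattern
        baseline = known_asns(events, reset.target, reset.time)
        for s in events:
            if s.kind != "signin" or s.target != reset.target or not s.success:
                continue
            if not (reset.time < s.time <= reset.time + window):
                continue
            if s.asn in baseline:
                continue  # sign-in from an ASN the user already used
            key = (reset.target, reset.time, s.asn)
            if key in seen:
                continue
            seen.add(key)
            alerts.append({
                "user": reset.target,
                "admin": reset.actor,
                "op": reset.op,
                "reset_at": reset.time,
                "signin_at": s.time,
                "new_asn": s.asn,
                "minutes_after_reset": (s.time - reset.time) / timedelta(minutes=1),
            })
    return alerts


# Constructed sample telemetry (user names, admin name and private-range ASNs
# are invented for this example).
EVENTS = [
    # alice: normal history from ASN 64512, then an admin reset and a
    # sign-in from a never-seen ASN 65 minutes later.
    Event(T("2026-03-01T09:00"), "signin", "alice", asn=64512),
    Event(T("2026-03-02T10:00"), "audit", "alice", actor="helpdesk-bob", op="reset_password"),
    Event(T("2026-03-02T10:20"), "signin", "alice", asn=64512),  # known ASN: no alert
    Event(T("2026-03-02T11:05"), "signin", "alice", asn=64513),  # new ASN: alert
    Event(T("2026-03-02T11:30"), "signin", "alice", asn=64513),  # same new ASN: deduplicated
    Event(T("2026-03-02T15:00"), "signin", "alice", asn=64514),  # 5h after reset: outside window
    # carol: self-service reset, so a new ASN afterwards is not this pattern.
    Event(T("2026-03-01T09:00"), "signin", "carol", asn=64512),
    Event(T("2026-03-02T12:00"), "audit", "carol", actor="carol", op="register_mfa_method"),
    Event(T("2026-03-02T12:10"), "signin", "carol", asn=64513),
    # dave: admin reset, but the new-ASN sign-in failed and the success came from a known ASN.
    Event(T("2026-03-01T09:00"), "signin", "dave", asn=64512),
    Event(T("2026-03-02T13:00"), "audit", "dave", actor="helpdesk-bob", op="delete_mfa_method"),
    Event(T("2026-03-02T13:05"), "signin", "dave", asn=64513, success=False),
    Event(T("2026-03-02T13:10"), "signin", "dave", asn=64512),
]


if __name__ == "__main__":
    for alert in find_helpdesk_takeovers(EVENTS):
        print(alert)
```

Running the block reports one alert, for alice, 65 minutes after helpdesk-bob's reset. The rule deliberately ignores self-service resets (the actor is the target), failed sign-ins, sign-ins from an ASN already present in the user's history, and sign-ins outside the window, and it collapses repeated sign-ins from the same new ASN into one alert. In practice the baseline would be built from a bounded lookback rather than the whole event set, and the reset operations would be the IdP's real audit operation names.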