Scattered Spider Uses Tech Vendor Impersonation to Target Helpdesks


Scattered Spider, the cybercrime collective believed to be behind recent retail hacks in the UK, including those targeting Marks & Spencer (M&S) and Harrods, has evolved its arsenal to incorporate more sophisticated tactics.

In a new report published on June 5, ReliaQuest said, “what started as a run-of-the-mill SIM-swapping crew has morphed into a global threat, armed with advanced social engineering skills and relentless ambition.”

The cybersecurity company analyzed a publicly sourced dataset comprising over 600 domains previously linked to Scattered Spider (also known as UNC3944, Octo Tempest) through community-shared indicators of compromise (IOCs) between the first quarter of 2022 and the first quarter of 2025.

It also compared the data with domain and subdomain impersonation alerts flagged by its GreyMatter Digital Risk Protection (DRP) service over the past six months.

Impersonating Tech Vendors

One of the main findings was that over eight in ten domains (81%) associated with Scattered Spider impersonate technology vendors.

These domains target services such as single sign-on (SSO), identity providers (IdPs) such as Okta, virtual private network (VPN) providers and IT support systems, to harvest credentials from high-value users including system administrators, CFOs, COOs and CISOs.
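As an added illustration (not code from ReliaQuest or its report), the following Python triage script flags candidate domains that fit the impersonation patterns described above: an organisation's name glued to an SSO, IdP, VPN or helpdesk token; a genuine hostname reused as a leading subdomain of a different registrable domain; and one-character typosquats of a genuine label. The service-token list, the fictional organisation "acme" and its sample domains are constructed assumptions, and the public-suffix handling is simplified.

```python
import re
from dataclasses import dataclass, field

# Service categories the report says these domains impersonate: SSO, IdPs
# (Okta), VPN providers and IT support. The token list itself is an assumption.
SERVICE_TOKENS = {
    "sso", "okta", "idp", "login", "signin", "auth", "mfa", "vpn",
    "helpdesk", "servicedesk", "itsupport", "support",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (a single-character typosquat scores 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label: 'acme-sso' for 'www.acme-sso.com'. Assumes a
    one-label public suffix; real tooling should consult the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


@dataclass
class Finding:
    domain: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess_domain(domain: str, org: str, legit_domains: list) -> Finding:
    """Score one candidate domain against an organisation's name and its
    genuine login/SSO hostnames."""
    dom = domain.lower().strip(".")
    finding = Finding(dom)
    legit = [d.lower() for d in legit_domains]

    # The genuine domain itself, or a real subdomain of it: nothing to flag.
    if any(dom == d or dom.endswith("." + d) for d in legit):
        return finding

    label = registrable_label(dom)
    tokens = [t for t in re.split(r"[-_]", label) if t]

    # 1. "<org>-sso.com", "<org>-helpdesk.net": org name glued to a service word.
    if org.lower() in tokens and any(t in SERVICE_TOKENS for t in tokens):
        finding.reasons.append("org name combined with SSO/IdP/VPN/helpdesk token")

    # 2. A genuine hostname reused as a leading subdomain of another registrable
    #    domain, e.g. "acme.okta.com.login-portal.net".
    if any(dom.startswith(d + ".") for d in legit):
        finding.reasons.append("legitimate hostname embedded as subdomain")

    # 3. One-character typosquat of a genuine second-level label ("0kta" vs "okta").
    for d in legit:
        if levenshtein(label, registrable_label(d)) == 1:
            finding.reasons.append(f"typosquat of {d}")
            break
    return finding


def triage(candidates: list, org: str, legit_domains: list) -> list:
    """Return only the suspicious findings, e.g. for a DRP alert or takedown queue."""
    return [f for f in (assess_domain(c, org, legit_domains) for c in candidates) if f.suspicious]


if __name__ == "__main__":
    # Constructed sample: fictional org "acme" and its genuine SSO/IdP hostnames.
    LEGIT = ["acme.com", "acme.okta.com", "vpn.acme.com"]
    SAMPLE = ["acme-sso.com", "acme-helpdesk.net", "0kta.com",
              "acme.okta.com.login-portal.net", "sso.acme.com", "acme.okta.com"]
    for f in triage(SAMPLE, "acme", LEGIT):
        print(f.domain, "->", "; ".join(f.reasons))
```

The edit-distance threshold of 1 is deliberately conservative; raising it catches more typosquats at the cost of false positives on short labels, so tune it against the organisation's own domain portfolio before wiring it into alerting.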

Following the recent cyber-attacks on UK retailers, investigators collaborating with M&S disclosed that Scattered Spider leveraged compromised credentials from Tata Consultancy Services (TCS), a major IT outsourcing firm, to infiltrate systems.

Additionally, The Co-op, another UK retailer that has recently been hit by a cyber-attack, maintained a partnership with TCS for over a decade. However, the exact connection between TCS and the Co-op breach remains uncertain at the time of writing.

“These incidents illustrate Scattered Spider’s strategic focus on targeting IT providers and third-party contractors as a means to infiltrate their clients’ networks, rather than attacking retail companies directly,” said the ReliaQuest report.

“By compromising trusted vendors like TCS, Scattered Spider gains access to multiple organizations through a single point of entry, amplifying its reach and enabling widespread attacks.”

Use of Evilginx Phishing Framework

Another key finding was that Scattered Spider relies heavily on social engineering to exploit human trust, combined with phishing campaigns that utilize typosquatted domains and phishing frameworks, such as Evilginx, to bypass multifactor authentication (MFA).

Evilginx is an adversary-in-the-middle (AitM) phishing framework released in 2017 by Kuba Gretzky, a security researcher and penetration tester. It was released as an open-source tool for ethical hacking and red teaming, but has since been abused by cybercriminals.

Rather than serving a fake login page, it reverse-proxies the genuine one from a look-alike domain: the victim types their password and MFA code into what is really the legitimate service, and the framework captures both the credentials and the session cookie issued once MFA succeeds. Replaying that cookie gives the attacker an authenticated session with no further MFA prompt, which is why push, SMS and TOTP second factors offer no protection here. Phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys are not bypassed this way, because the signed assertion is bound to the origin the browser is actually on, and the proxy's domain does not match.

Evilginx’s latest version, Evilginx 3.0, was launched in April 2024.
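To make the MFA-bypass mechanism concrete, the following Python simulation is an added example and is not code from Evilginx or from ReliaQuest. It models a toy identity provider protected by password plus TOTP, an Evilginx-style relay that captures the session cookie issued after a successful MFA login, and a WebAuthn relying party that rejects an assertion produced on the proxy's origin. The user "alice", the seeds, the origins `https://idp.example` and `https://idp-example-sso.com`, and the use of HMAC in place of the credential's ECDSA key pair are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), standard library only."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class IdP:
    """Toy identity provider: checks password + TOTP once, then issues a bearer session cookie."""

    def __init__(self):
        self.users = {}        # username -> (password, totp seed)
        self.sessions = set()  # currently valid cookies

    def login(self, user, password, code, now):
        pw, seed = self.users.get(user, (None, None))
        if pw is None or not hmac.compare_digest(pw, password) or code != totp(seed, now):
            return None
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def resource(self, cookie) -> bool:
        return cookie in self.sessions  # whoever holds the cookie is "authenticated"


class AitMProxy:
    """Evilginx-style reverse proxy on a look-alike domain: relays the genuine
    login upstream and keeps a copy of every credential and cookie it sees."""

    def __init__(self, upstream: IdP):
        self.upstream, self.captured = upstream, []

    def login(self, user, password, code, now):
        cookie = self.upstream.login(user, password, code, now)  # victim's MFA passes upstream
        if cookie:
            self.captured.append((user, password, cookie))
        return cookie  # victim is logged in and sees nothing unusual


def demo_totp_bypass() -> bool:
    """True if the attacker can reuse the relayed session without any MFA prompt."""
    idp = IdP()
    seed = b"constructed-totp-seed"
    idp.users["alice"] = ("hunter2", seed)
    proxy = AitMProxy(idp)
    now = 1_700_000_000
    proxy.login("alice", "hunter2", totp(seed, now), now)  # victim logs in via the phishing domain
    stolen_cookie = proxy.captured[0][2]
    return idp.resource(stolen_cookie)


# WebAuthn/FIDO2: the signed assertion carries the origin the browser is really on.
class WebAuthnRP:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.credentials = rp_id, origin, {}

    def verify(self, cred_id, client_data_json: bytes, auth_data: bytes, sig: bytes, challenge: str) -> bool:
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:  # origin binding: an assertion made on the proxy fails here
            return False
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():  # rpIdHash check
            return False
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        expected = hmac.new(self.credentials[cred_id], signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)  # HMAC stands in for the ECDSA public-key check


def authenticator_assert(key: bytes, rp_id: str, browser_origin: str, challenge: str):
    """Browser + authenticator side. The browser writes the page's real origin into
    clientDataJSON and the authenticator signs over it, so neither the user nor the
    proxy can swap the origin without breaking the signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig


def demo_webauthn(browser_origin: str) -> bool:
    """True only if the relying party accepts an assertion made on browser_origin."""
    rp = WebAuthnRP("idp.example", "https://idp.example")
    rp.credentials["cred-1"] = b"constructed-credential-key"
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"
    cd, ad, sig = authenticator_assert(rp.credentials["cred-1"], "idp.example", browser_origin, challenge)
    return rp.verify("cred-1", cd, ad, sig, challenge)  # proxy relays these bytes unchanged
```

Running `demo_totp_bypass()` returns True: the cookie the proxy copied is a fully authenticated session, and the IdP never re-prompts for the TOTP. `demo_webauthn("https://idp.example")` returns True while `demo_webauthn("https://idp-example-sso.com")` returns False, and if the proxy rewrites the origin string inside clientDataJSON the signature no longer verifies. In a real browser the failure comes even earlier, since the page on the proxy's domain is not allowed to request the legitimate rpId at all.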

ReliaQuest has found that 60% of Scattered Spider's Evilginx phishing domains targeted technology organizations and vendors.

“Often fluent in English, Scattered Spider’s members exploit help-desk systems and impersonate employees to breach organizations, targeting high-value industries like retail trade, technology and finance. It also focuses on organizations with substantial capital for ransom payments or valuable data to leverage in negotiations,” the ReliaQuest report reads.

Collaboration with RaaS Groups

Finally, ReliaQuest found that Scattered Spider and DragonForce, a ransomware-as-a-service (RaaS) group whose tools were allegedly used by Scattered Spider in the Marks & Spencer hack, are increasingly targeting managed service providers (MSPs) and IT contractors, exploiting their “one-to-many” access to breach multiple client networks through a single point of compromise.

Scattered Spider has utilized alliances with RaaS groups on several occasions in the past, including with BlackCat/ALPHV and RansomHub.

Speaking at Infosecurity Europe 2025, Sunil Patel, Information Security Officer at River Island, said Scattered Spider’s use of RaaS tools was “an easy way to make money for both parties,” in a “mutually beneficial” partnership that sees DragonForce take 20% of the ransom.

“Originally known for SIM-swapping attacks, [Scattered Spider] has evolved into running sophisticated social engineering campaigns. Through strategic alliances with major ransomware operators, [the group] gains access to infrastructure, ransomware deployment tools, and platforms for ransom negotiations,” concluded ReliaQuest.

Recently, BBC News reported that the hackers behind the M&S breach sent an abusive email to the retailer’s CEO, boasting about their attack and demanding a ransom payment.
