A Guilty Plea, a Growing Alliance, and a $1,000 Phone Call
Tyler Robert Buchanan, 24, pleaded guilty on April 17, 2026 to wire fraud conspiracy and aggravated identity theft tied to Scattered Spider operations. He faces a statutory maximum of 22 years, with sentencing set for August 21, 2026. Buchanan is the second major conviction: Noah Michael Urban was sentenced to 10 years on August 20, 2025, after pleading guilty in April 2025. Three co-defendants still face charges: Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans [1].
The legal pressure hasn't slowed the operation. Scattered Spider, now operating under the Scattered LAPSUS$ Hunters (SLH) alliance formed with LAPSUS$ and ShinyHunters in early 2026, is actively recruiting women for vishing attacks at $500 to $1,000 per call, providing prepared scripts to guide recruits through impersonation attempts [6]. The coalition draws from what researchers describe as "a criminal supergroup: a federated brand of extortionists with centralized infrastructure" [2]. Even after SLH announced a withdrawal in September 2025, activity was observed again by November 2025 [3].
Background: From SMS Phishing to Criminal Supergroup
Scattered Spider (also tracked as UNC3944, Octo Tempest, Scatter Swine, Muddled Libra, and Star Fraud) first gained attention in 2022 with SMS phishing campaigns that hit over 130 organizations, including Twilio, Cloudflare, and DoorDash [2]. Members are predominantly native English speakers in their late teens and early twenties from the US and UK [3].
The group's targeting and tradecraft have expanded dramatically since those early campaigns. CISA's advisory, updated as recently as July 2025, notes that Scattered Spider has moved from broad phishing campaigns to "more targeted and multilayered spearphishing and vishing operations" [1]. FBI investigations into the group continued through at least June 2025 [1]. The group's victims now span hospitality (MGM Resorts, Caesars Entertainment), aviation (the July 2025 Qantas breach affecting six million customers [10]), retail, and technology.
The partnership with DragonForce ransomware-as-a-service, which has exposed more than 200 victims on its leak site since late 2023, gives Scattered Spider affiliates access to customizable encryptors and infrastructure at an 80/20 profit split favoring the affiliate [9].
Who Exactly Gets the Phone Call?
Scattered Spider's targeting is precise, and understanding the specific personnel roles is important.
IT Help Desk Agents (Primary Target)
This is the group's bread and butter. Help desk agents, particularly those at outsourced managed service providers (MSPs) and contracted IT firms, are the most frequent recipients of Scattered Spider vishing calls [1][5]. The logic is straightforward: these agents handle dozens of password resets and MFA enrollment requests daily. They're trained to be helpful. The TCS agent who reset credentials during the Marks & Spencer breach "was just doing their job" [2]. ReliaQuest's analysis found that Scattered Spider treats IT providers as "the master key" to infiltrating multiple organizations at once [5].
Identity and Access Management (IAM) Staff
Beyond frontline help desk workers, the group targets IAM administrators who control Okta tenants, Azure AD, and similar identity platforms. In one documented attack, the group exploited self-service password reset workflows and help desk processes to gain full SaaS admin control within 24 hours [8]. Once inside, they disabled 37 accounts and removed administrative roles to prevent incident response [8].
Facilities and Physical Security Personnel: Not a Primary Target
There's no documented evidence of Scattered Spider targeting facilities managers, building operations staff, or physical security personnel at hospitals or other organizations. Their focus is squarely on logical access: the people who can reset a password, enroll an MFA token, or provision a VPN account. Facilities staff don't control those gates.
The MGM Case Study: 10 Minutes
The MGM Resorts breach illustrates the speed. The attackers impersonated a known employee to the help desk, received sufficient access within ten minutes, then had credentials reset and MFA disabled [3]. The entire initial compromise fit inside a coffee break.
Sector and Target Selection
ReliaQuest data shows 70% of Scattered Spider targets belong to technology, finance, and retail trade sectors [5]. A full 81% of the group's phishing domains impersonate technology vendors, and 60% of their Evilginx phishing domains targeted technology organizations specifically [5]. Check Point identified approximately 500 domains following Scattered Spider naming conventions, with targets spanning aviation, technology, retail, manufacturing, and financial services [10].
Healthcare is the anticipated next major target sector for 2026.
Pre-Call Reconnaissance
Scattered Spider conducts extensive OSINT before making contact. LinkedIn provides organizational charts and reporting relationships. Social media posts reveal internal tooling ("excited to start using our new Okta system" becomes actionable intelligence). Domain registration patterns follow conventions like <targeted_company>-cdn.com, often registered on NiceNIC [14].
The Vishing Call
The caller impersonates a specific individual: a recently hired executive, a remote employee, or IT staff from an acquired subsidiary. The SLH recruitment push for women callers [6] signals a deliberate effort to diversify voice profiles, making pattern recognition harder for help desk staff who might be on alert for young male callers.
Credential Harvesting and MFA Bypass
When vishing alone doesn't suffice, the group deploys Evilginx phishing pages to intercept credentials and session tokens in real time, effectively bypassing MFA [5]. MFA fatigue (push bombing) and SIM swapping round out their access toolkit [2].
Lateral Movement and Persistence
A Microsoft advisory from July 2025 noted a tactical reversal: Scattered Spider now compromises on-premises Active Directory first, then pivots to cloud environments [3]. They create accounts using service account naming schemes as a masquerading technique [8] and deploy tools including Spectre RAT (an updated variant discovered in 2025 [14]), Raccoon Stealer, VIDAR Stealer, AveMaria/WarZone RAT, and RattyRAT [1].
Data Exfiltration
The group has evolved from using transfer.sh to a broad portfolio of cloud services for exfiltration: MEGA.NZ, MEGAsync, Rclone, DropBox, Gofile, shz.al, Storj, Tem.sh, Paste.ee, and Backblaze [13][1].
Ransomware Deployment
DragonForce ransomware is the current payload of choice. The latest samples use vulnerable drivers truesight.sys and rentdrv2.sys to disable security software before encryption [9]. The group also exploits iqvw64.sys, the Intel Ethernet diagnostics driver, via CVE-2015-2291.
The AI Vishing Escalation
In late 2025, security firm Reversec built an AI-powered vishing system using off-the-shelf conversational agents. During authorized engagements, "targets were not able to identify they were talking to a robot" [4]. CyberProof predicts a dramatic increase in vishing attacks embedding deepfake technology in 2026, with the second half of 2025 already showing a noticeable increase in vishing attacks leveraging Microsoft Teams [7]. The convergence of AI voice cloning and social engineering is set to compress attack timelines and scale campaigns beyond anything a human caller can achieve [7].
Other Groups Using Similar Vishing and Help Desk Exploitation Techniques
Scattered Spider isn't alone. Several threat groups and campaigns employ overlapping social engineering methods:
- LAPSUS$: Now formally allied with Scattered Spider under SLH [2][9]. Historically used vishing, MFA fatigue, and insider recruitment to breach Microsoft, Nvidia, Samsung, and Uber.
- ShinyHunters: The third pillar of the SLH alliance [2]. Primarily a data theft and extortion group that has adopted vishing as an initial access method.
- Muddled Libra: Overlapping tracking name for Scattered Spider activity; Palo Alto Unit 42's designation for campaigns using the same vishing/help desk playbook [2].
- Black Basta affiliates: Documented campaigns in 2024-2025 flooding targets with spam, then calling via Microsoft Teams impersonating IT support to gain remote access.
- Fin7/Carbanak: Long history of phone-based social engineering against retail, hospitality, and restaurant targets for POS malware deployment.
- Vishing-as-a-service operators: The SLH recruitment model (paying $500-$1,000 per call [6]) represents a formalization of what darker corners of "The Com" network have offered informally for years.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| IP | 137.220.43.146 | C2 infrastructure | [11] |
| IP | 45.77.92.214 | C2 infrastructure | [11] |
| IP | 143.198.116.59 | C2 infrastructure | [11] |
| IP | 45.32.171.19 | C2 infrastructure | [11] |
| IP | 64.176.214.51 | C2 infrastructure | [11] |
| IP | 159.65.72.54 | C2 infrastructure | [11] |
| IP | 45.76.233.211 | C2 infrastructure | [11] |
| IP | 144.76.136.153 | Exfiltration via transfer.sh | [12] |
| IP | 99.25.84.9 | Authentication, Florida-based, linked to cross-tenant impersonation | [12] |
| IP | 149.248.8.85 | Fake corporate websites | [13] |
| IP | 67.43.235.122 | Midgetpack C2 on ports 4444/8888 | |
| Domain | paxos-my-salesforce.com | Phishing domain targeting Paxos (Feb 2025) | [14] |
| Domain | transfer.sh | Data exfiltration | [1][13] |
| Domain | MEGA.NZ | Data exfiltration | [1] |
| Domain | shz.al | Data exfiltration | [13] |
| Domain | Gofile | Data exfiltration | [13] |
| Domain | Tem.sh | Data exfiltration | [13] |
| Domain | Paste.ee | Data exfiltration | [13] |
| Filename | truesight.sys | Vulnerable driver abused by DragonForce | [9] |
| Filename | rentdrv2.sys | Vulnerable driver abused by DragonForce | [9] |
| Filename | iqvw64.sys | Intel driver exploited via CVE-2015-2291 | |
| Filename | Raccoon-2.dll | Raccoon Stealer v2.1 DLL | [16] |
| Malware | DragonForce ransomware | Current ransomware payload | [1][9] |
| Malware | Spectre RAT | Updated variant discovered 2025 | [14] |
| Malware | Raccoon Stealer | Credential theft | [1][15] |
| Malware | VIDAR Stealer | Information stealer | [1] |
| Malware | AveMaria / WarZone RAT | Remote access trojan | [1] |
| Malware | RattyRAT | Java-based RAT | [1] |
| Malware | STONESTOP | Custom tool | |
| Malware | POORTRY | Custom tool | |
| Malware | Midgetpack | Packed binary for C2 | |
| Malware | Evilginx | Phishing framework for MFA bypass | [5] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1566.004 | Phishing: Voice Phishing | Primary initial access method [1][2] |
| T1656 | Impersonation | Help desk impersonation of employees [2][3] |
| T1589 | Gather Victim Identity Information | LinkedIn mining, OSINT [2] |
| T1583.001 | Acquire Infrastructure: Domains | ~500 domains identified [10][14] |
| T1078 | Valid Accounts | Obtained via help desk credential resets [1][8] |
| T1136 | Create Account | Service account masquerading [8] |
| T1036 | Masquerading | Accounts with service account naming schemes [8] |
| T1199 | Trusted Relationship | MSP/contractor compromise for multi-org access [5] |
| T1567.002 | Exfiltration to Cloud Storage | MEGA, Rclone, Backblaze, etc. [13] |
| T1486 | Data Encrypted for Impact | DragonForce ransomware deployment [1][9] |
| T1090.002 | Proxy: External Proxy | Starlink satellite IPs for attribution evasion [8] |
| T1585.001 | Establish Accounts: Social Media | Reconnaissance and persona building [1] |
Detection and Hunting Guidance
Help Desk Call Patterns
Monitor for password reset and MFA enrollment requests that originate from calls rather than tickets. Flag any reset where the caller claims to be a VIP, a new hire, or someone from an acquired entity. Correlate reset timestamps with subsequent logins from unusual geolocations or VPN/Starlink IP ranges.
Okta and Azure AD Logs
Hunt for self-service password resets followed by immediate MFA re-enrollment. Scattered Spider exploits these workflows specifically [8]. Alert on: bulk account disablement (the group disabled 37 accounts in one incident [8]), new accounts using service account naming conventions, and admin role changes outside change windows.
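As an added illustration (not tooling from the report or any of its sources), the following Python correlates Okta System Log style events to surface the two patterns above: a password reset followed by MFA factor enrollment on the same account within 60 minutes, and more than 10 distinct accounts disabled by one actor inside a sliding 10-minute window. The event type names follow Okta's System Log, the log records and example.com identities are constructed, and the thresholds are the ones the report uses.

```python
"""Correlate identity-provider audit events for two Scattered Spider patterns.

Added example, not from the report: (1) password reset followed by MFA factor
enrollment on the same account within 60 minutes, (2) bulk account disablement
(more than 10 distinct accounts) by a single actor within 10 minutes.
Event names follow Okta System Log conventions; all records are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RESET_EVENTS = {"user.account.reset_password", "user.account.update_password"}
MFA_ENROLL_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.reset_all"}
DISABLE_EVENTS = {"user.lifecycle.deactivate", "user.lifecycle.suspend"}

BASE = datetime(2026, 3, 2, 8, 0, tzinfo=timezone.utc)


def _okta_line(offset_min, event_type, actor, target):
    """Build one constructed Okta System Log record (trimmed to the fields used)."""
    published = (BASE + timedelta(minutes=offset_min)).isoformat().replace("+00:00", "Z")
    return json.dumps({
        "published": published,
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "target": [{"alternateId": target}],
    })


# Constructed sample log: bob enrolls MFA 150 min after his reset (benign),
# alice enrolls 20 min after hers (flagged), a help desk service identity
# disables 12 accounts in 6 minutes (flagged), an admin offboards 3 leavers
# over two hours (benign).
SAMPLE_LOG_LINES = [
    _okta_line(0, "user.account.reset_password", "bob@example.com", "bob@example.com"),
    _okta_line(150, "user.mfa.factor.activate", "bob@example.com", "bob@example.com"),
    _okta_line(60, "user.account.reset_password", "alice@example.com", "alice@example.com"),
    _okta_line(80, "user.mfa.factor.activate", "alice@example.com", "alice@example.com"),
] + [
    _okta_line(120 + i * 0.5, "user.lifecycle.deactivate",
               "helpdesk-svc@example.com", f"user{i}@example.com")
    for i in range(12)
] + [
    _okta_line(200 + i * 60, "user.lifecycle.deactivate",
               "admin@example.com", f"leaver{i}@example.com")
    for i in range(3)
]


def parse_events(lines):
    """Parse JSON log lines into time/type/actor/target dicts sorted by time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(rec["published"].replace("Z", "+00:00")),
            "type": rec["eventType"],
            "actor": rec["actor"]["alternateId"],
            "target": rec["target"][0]["alternateId"] if rec.get("target") else None,
        })
    events.sort(key=lambda ev: ev["time"])
    return events


def reset_then_mfa_enrollment(events, window=timedelta(minutes=60)):
    """Return (account, minutes_between) for MFA enrollments within `window` of a reset."""
    last_reset = {}
    hits = []
    for ev in events:
        if ev["type"] in RESET_EVENTS:
            last_reset[ev["target"]] = ev["time"]
        elif ev["type"] in MFA_ENROLL_EVENTS and ev["target"] in last_reset:
            gap = ev["time"] - last_reset[ev["target"]]
            if gap <= window:
                hits.append((ev["target"], round(gap.total_seconds() / 60)))
    return hits


def bulk_disablement(events, window=timedelta(minutes=10), threshold=10):
    """Return (actor, peak_accounts) where one actor disabled more than `threshold`
    distinct accounts inside any sliding window of length `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["type"] in DISABLE_EVENTS:
            by_actor[ev["actor"]].append(ev)
    alerts = []
    for actor, evs in by_actor.items():
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            peak = max(peak, len({e["target"] for e in evs[start:end + 1]}))
        if peak > threshold:
            alerts.append((actor, peak))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    print("reset -> MFA enrollment:", reset_then_mfa_enrollment(evs))
    print("bulk disablement:", bulk_disablement(evs))
```

In production the same two checks map directly onto the Okta or Azure AD audit stream; the sliding window avoids the boundary misses that fixed 10-minute buckets produce.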
DNS and Domain Monitoring
Monitor for domains matching the <company>-cdn.com pattern [14] and domains registered on NiceNIC [14]. Block or alert on known exfiltration endpoints: transfer.sh, shz.al, Gofile, Tem.sh, Paste.ee [13].
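The two network checks above, as an added example that is not part of the report or its sources: proxy destinations are matched against the exfiltration services named here on DNS label boundaries (so api.mega.nz counts but notmega.nz does not) with the report's volume thresholds from the hunt guide (over 100 MB in one transfer, over 500 MB cumulative per source, user and service), and the <company>-cdn.com registration convention is generalised to any <company>-<label>.<tld> so that domains shaped like paxos-my-salesforce.com are caught as well. The proxy records, the resolver names and the defended company name "acme" are constructed.

```python
"""Network checks for Scattered Spider exfiltration services and domain look-alikes.

Added example, not tooling from the report. Log lines and the company name
"acme" are constructed; the service list and thresholds are the report's.
"""
import re
from collections import defaultdict

EXFIL_SERVICES = (
    "transfer.sh", "mega.nz", "megasync.com", "shz.al", "gofile.io",
    "tem.sh", "paste.ee", "backblaze.com", "storj.io",
)

# Constructed proxy records: "<timestamp> <src_ip> <user> <dest_host> <bytes_out>"
SAMPLE_PROXY_LINES = [
    "2026-03-02T09:00:00Z 10.0.0.5 jdoe api.mega.nz 250000000",
    "2026-03-02T09:04:00Z 10.0.0.5 jdoe api.mega.nz 300000000",
    "2026-03-02T09:05:00Z 10.0.0.7 asmith notmega.nz 900000000",
    "2026-03-02T09:06:00Z 10.0.0.9 bwu transfer.sh 5000000",
    "2026-03-02T09:07:00Z 10.0.0.9 bwu paste.ee 1024",
]

# Constructed query names as they would appear in resolver logs.
SAMPLE_DNS_HOSTS = [
    "acme.com", "cdn.acme.com", "acme-cdn.com", "ACME-my-salesforce.com",
    "pacme-cdn.com", "acme-vpn.net", "acmecdn.com",
]


def matches_domain(host, domain):
    """True if host is `domain` itself or a subdomain of it (label boundary match)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def known_exfil_service(host):
    """Return the exfiltration service a host belongs to, or None."""
    for domain in EXFIL_SERVICES:
        if matches_domain(host, domain):
            return domain
    return None


def exfil_alerts(lines, single_mb=100, total_mb=500):
    """Return (single_transfer_hits, cumulative_hits).

    single_transfer_hits: (src_ip, user, host, mb) for one transfer > single_mb.
    cumulative_hits: ((src_ip, user, service), total_mb) where the running total
    to one service exceeds total_mb.
    """
    totals = defaultdict(float)
    single = []
    for line in lines:
        _ts, src_ip, user, host, bytes_out = line.split()
        service = known_exfil_service(host)
        if service is None:
            continue
        mb = int(bytes_out) / 1024 / 1024
        totals[(src_ip, user, service)] += mb
        if mb > single_mb:
            single.append((src_ip, user, host, round(mb, 1)))
    cumulative = [(key, round(mb, 1)) for key, mb in totals.items() if mb > total_mb]
    return single, cumulative


def lookalike_domains(company, hosts, allowlist=()):
    """Names of the form <company>-<label>.<tld>, minus the org's own registrations."""
    pattern = re.compile(rf"^{re.escape(company.lower())}-[a-z0-9-]+\.[a-z]{{2,}}$")
    allowed = {h.lower() for h in allowlist}
    return sorted({h.lower() for h in hosts
                   if pattern.match(h.lower()) and h.lower() not in allowed})


if __name__ == "__main__":
    print(exfil_alerts(SAMPLE_PROXY_LINES))
    print(lookalike_domains("acme", SAMPLE_DNS_HOSTS, allowlist={"acme.com", "acme-vpn.net"}))
```

Seed the allowlist from the organisation's own registrar inventory so that its legitimate hyphenated domains are not reported on every run.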
Network IOC Hunting
Query firewall and proxy logs for connections to the C2 IPs listed above, particularly 144.76.136.153 (exfiltration) and 67.43.235.122 on ports 4444/8888 (Midgetpack C2) [12].
Endpoint Detection
Hunt for the vulnerable drivers truesight.sys, rentdrv2.sys, and iqvw64.sys being loaded on endpoints [9]. These are used to disable security software before ransomware deployment. Flag Raccoon-2.dll and any loaded DLL exporting _Start@16 [16].
Microsoft Teams Vishing
The second half of 2025 saw increased vishing via Microsoft Teams [7]. Audit external Teams call policies and restrict external caller access to help desk queues where possible.
Analysis
Scattered Spider's operational model is maturing into something closer to organized crime than the teenage hacker collective it started as. The SLH alliance with LAPSUS$ and ShinyHunters provides shared infrastructure, diversified talent, and operational resilience [2][9]. Paying callers $500-$1,000 per successful vishing call [6] mirrors legitimate gig-economy models and creates a scalable workforce that's harder to attribute or disrupt.
The group's pivot from broad SMS phishing to targeted, multilayered vishing [1] reflects tactical learning. They've identified the exact seam in enterprise security: the human being who processes access requests. Outsourced help desks at MSPs and IT contractors amplify this vulnerability because a single compromised provider opens doors to dozens of downstream clients [5].
Legal pressure from the Buchanan and Urban convictions will likely fragment the group's US-based membership, but the decentralized, affiliate-driven SLH model is designed to absorb exactly this kind of attrition. The three remaining defendants' cases will be worth watching, but the operational tempo shows no sign of slowing.
Red Sheep Assessment
Confidence: Moderate-High
The SLH recruitment of women callers for vishing [6] isn't just a diversification play. It's a direct counter to one of the few behavioral detection signals defenders have: the expectation that a Scattered Spider caller will sound like a young man. By deliberately varying caller demographics and providing scripts to less technically sophisticated recruits, SLH is industrializing the vishing supply chain. Combined with AI voice synthesis tools that already fool human targets in authorized tests [4], this creates a near-term future where the caller's voice provides zero attribution signal.
A contrarian read: the convictions may matter more than the group's continued activity suggests. Scattered Spider's core advantage has always been that its members are Western, English-speaking, and difficult to distinguish from legitimate callers. Prison sentences for Buchanan and Urban remove two operational leaders and create a chilling effect on recruitment within the US/UK teenage hacker community. The move to recruit paid vishing callers through SLH [6] could be a sign of strength, or it could be a sign that the original talent pool is drying up.
Defender's Checklist
- [ ] Implement callback verification for all password resets and MFA changes. Require the help desk to call the employee back on a number from the HR system, not a number provided by the caller. This single control would have prevented the MGM breach [3].
- [ ] Hunt for vulnerable driver loading on endpoints. Query EDR for `truesight.sys`, `rentdrv2.sys`, and `iqvw64.sys` being loaded: `process_name=* AND (file_name="truesight.sys" OR file_name="rentdrv2.sys" OR file_name="iqvw64.sys")` [9].
- [ ] Block or alert on known exfiltration domains. Add `transfer.sh`, `shz.al`, `Gofile`, `Tem.sh`, `Paste.ee`, and `MEGA.NZ` to proxy/DNS blocklists or create high-fidelity alerts for outbound connections [13][1].
- [ ] Audit Okta/Azure AD for self-service password reset followed by MFA re-enrollment within 60 minutes. Correlate with new device registrations and unusual source IPs. Alert on bulk account disablement events [8].
- [ ] Restrict external Microsoft Teams calls to help desk queues. Configure Teams admin policies to block or flag external voice calls to help desk personnel, and train staff on the emerging Teams vishing vector [7].
References
[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
[2] https://kravensecurity.com/threat-profile-scattered-spider/
[3] https://blog.cyberdesserts.com/scattered-spider/
[4] https://labs.reversec.com/posts/2026/02/building-an-ai-vishing-solution-in-7-days
[5] https://reliaquest.com/blog/scattered-spider-cyber-attacks-using-phishing-social-engineering-2025/
[6] https://www.helpnetsecurity.com/2026/02/26/slh-seeks-women-for-vishing-attacks/
[7] https://www.cyberproof.com/blog/2026-cybersecurity-predictions-the-blurred-lines-between-legitimate-malicious-activity/
[8] https://www.obsidiansecurity.com/blog/scattered-spider-saas-attack-analysis
[9] https://www.acronis.com/en/tru/posts/the-dragonforce-cartel-scattered-spider-at-the-gate/
[10] https://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/
[11] https://www.validin.com/blog/coralling-scattered-spider-with-dns-history/
[12] https://reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/
[13] https://blog.sekoia.io/scattered-spider-laying-new-eggs/
[14] https://www.silentpush.com/blog/scattered-spider-2025/
[15] https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon
[16] https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raccoon-stealer-v2-part-2
---
Hunt Report: Scattered Spider Vishing and Help Desk Exploitation Campaign
Hypothesis: If Scattered Spider or affiliated groups are conducting vishing attacks in our environment, we expect to observe help desk password reset anomalies, suspicious MFA enrollments, vulnerable driver loads, and connections to known exfiltration infrastructure in Windows Security logs, Okta/Azure AD audit logs, EDR telemetry, and network proxy logs.
Intelligence Summary: Scattered Spider has evolved from SMS phishing to sophisticated vishing operations, now operating under the Scattered LAPSUS$ Hunters (SLH) alliance and actively recruiting women for $500-$1,000 per vishing call. The group targets IT help desk staff to gain initial access, then deploys DragonForce ransomware using vulnerable drivers to disable security tools.
Confidence: High | Priority: Critical
Scope
- Networks: All enterprise networks with focus on help desk operations, identity management systems (Okta/Azure AD), and internet-facing services
- Timeframe: Initial sweep: 90 days historical. Ongoing: Real-time detection with 24-hour aggregation windows
- Priority Systems: Help desk ticketing systems, Okta/Azure AD tenants, domain controllers, file servers, backup systems, VPN concentrators
MITRE ATT&CK Techniques
T1566.004 — Phishing: Voice Phishing (Initial Access) [P1]
Scattered Spider conducts vishing attacks impersonating employees to IT help desks, requesting password resets and MFA enrollment changes. The SLH alliance is recruiting women callers at $500-$1,000 per call.
Splunk SPL (counts phone-originated resets per requesting user in one-hour buckets, matching the Sigma timeframe below):
index=helpdesk sourcetype=tickets ("password reset" OR "MFA reset" OR "authentication" OR "account locked") | eval reset_method=case(like(description,"%call%"),"phone",like(description,"%email%"),"email",like(description,"%ticket%"),"ticket",1=1,"unknown") | where reset_method="phone" | bucket _time span=1h | stats count values(user) as users by requesting_user reset_method _time | where count>2
Elastic KQL:
event.dataset:"helpdesk.tickets" AND (description:"password reset" OR description:"MFA reset" OR description:"authentication" OR description:"account locked") AND description:"call"
Sigma Rule:
title: Suspicious Phone-Based Password Reset Requests
id: 8f4e5b2a-3c9d-4f8e-b1a2-0e8c9d5f3a6b
status: experimental
description: Detects multiple phone-based password reset requests that could indicate vishing attacks
author: RedSheep Security/Stone
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
logsource:
    product: ticketing_system
    service: helpdesk
detection:
    selection:
        EventType: 'PasswordReset'
        RequestMethod: 'Phone'
    timeframe: 1h
    condition: selection | count() by RequestingUser > 2
falsepositives:
    - Legitimate users with multiple account issues
    - Help desk training scenarios
level: high
Focus on password resets originating from phone calls rather than tickets. Correlate with subsequent login anomalies from VPN/Starlink IPs.
T1078 — Valid Accounts (Defense Evasion) [P1]
After successful vishing, attackers use legitimately obtained credentials. Monitor for logins from unusual locations immediately after password resets.
Splunk SPL (joins each sign-in to the most recent help desk reset for the same user and keeps sign-ins within an hour of it from Starlink or a listed IP):
index=azuread sourcetype="azure:aad:signin" | join type=left user [search index=helpdesk sourcetype=tickets "password reset" earliest=-2h | eval user=affected_user | fields user _time | rename _time as reset_time] | where isnotnull(reset_time) | eval time_diff=_time-reset_time | where time_diff>=0 AND time_diff<3600 AND (like(location,"%Starlink%") OR ipAddress IN ("137.220.43.146","45.77.92.214","143.198.116.59","45.32.171.19","64.176.214.51","159.65.72.54","45.76.233.211","144.76.136.153","99.25.84.9","149.248.8.85","67.43.235.122"))
Elastic KQL:
event.dataset:"azure.signinlogs" AND (client.ip:"137.220.43.146" OR client.ip:"45.77.92.214" OR client.ip:"143.198.116.59" OR client.ip:"45.32.171.19" OR client.ip:"64.176.214.51" OR client.ip:"159.65.72.54" OR client.ip:"45.76.233.211" OR client.ip:"144.76.136.153" OR client.ip:"99.25.84.9" OR client.ip:"149.248.8.85" OR client.ip:"67.43.235.122" OR client.as.organization.name:"Starlink")
Sigma Rule:
title: Login After Password Reset from Suspicious IP
id: 7a8b3f5e-2d1c-4e9f-a3b7-5c8d9e2f1a6b
status: stable
description: Detects logins from known Scattered Spider IPs or Starlink after password reset
author: Florian Roth (Nextron Systems)
modified: 2026-04-07
references:
    - https://reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/
logsource:
    product: azure
    service: signinlogs
detection:
    selection_ip:
        ipAddress:
            - '137.220.43.146'
            - '45.77.92.214'
            - '143.198.116.59'
            - '45.32.171.19'
            - '64.176.214.51'
            - '159.65.72.54'
            - '45.76.233.211'
            - '144.76.136.153'
            - '99.25.84.9'
            - '149.248.8.85'
            - '67.43.235.122'
    selection_starlink:
        autonomousSystemOrganization: 'Starlink'
    condition: selection_ip or selection_starlink
falsepositives:
    - Legitimate Starlink users
    - IP reuse
level: high
tags:
    - attack.initial_access
    - attack.t1078
Immediate priority for logins from listed IPs. Starlink usage requires context - check if user typically uses satellite internet.
T1136 — Create Account (Persistence) [P2]
Scattered Spider creates accounts using service account naming conventions to blend in. Hunt for new accounts matching service account patterns created outside change windows.
Splunk SPL (the hour is converted to a number so the comparison is numeric, not lexical):
index=wineventlog sourcetype=WinEventLog:Security EventCode=4720 | rex field=TargetUserName "(?<svc_pattern>svc-|service-|srv-|app-)" | where isnotnull(svc_pattern) | eval hour=tonumber(strftime(_time,"%H")) | where hour<6 OR hour>20 | table _time ComputerName TargetUserName SubjectUserName
Elastic KQL:
event.code:"4720" AND winlog.event_data.TargetUserName:(svc-* OR service-* OR srv-* OR app-*) AND (event.hour:[0 TO 5] OR event.hour:[21 TO 23])
Focus on service account creation outside business hours. Cross-reference with change management tickets.
T1562.001 — Disable or Modify Tools (Defense Evasion) [P1]
DragonForce ransomware uses vulnerable drivers (truesight.sys, rentdrv2.sys, iqvw64.sys) to disable security software before encryption.
Splunk SPL (driver names are filtered at search time because wildcard matching belongs in the base search, and the first load time per host is kept in the stats output):
index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=6 (ImageLoaded="*\\truesight.sys" OR ImageLoaded="*\\rentdrv2.sys" OR ImageLoaded="*\\iqvw64.sys") | stats count min(_time) as first_seen by Computer ImageLoaded SignatureStatus Signed | convert ctime(first_seen) | table first_seen Computer ImageLoaded SignatureStatus Signed count
Elastic KQL:
event.code:"6" AND (process.executable:"*\\truesight.sys" OR process.executable:"*\\rentdrv2.sys" OR process.executable:"*\\iqvw64.sys")
Sigma Rule:
title: Vulnerable Driver Load - Scattered Spider DragonForce
id: 3f8a5b2e-1d9c-4a7f-b2e8-9c5d3f2a1b6e
status: experimental
description: Detects loading of vulnerable drivers used by DragonForce ransomware
author: RedSheep Security/Stone
references:
    - https://www.acronis.com/en/tru/posts/the-dragonforce-cartel-scattered-spider-at-the-gate/
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\truesight.sys'
            - '\rentdrv2.sys'
            - '\iqvw64.sys'
    condition: selection
falsepositives:
    - Legitimate use of Intel diagnostics driver
    - Legacy software using old drivers
level: critical
tags:
    - attack.defense_evasion
    - attack.t1562.001
Critical priority - immediate isolation if detected. These drivers are used immediately before ransomware deployment.
T1567.002 — Exfiltration to Cloud Storage (Exfiltration) [P1]
Scattered Spider uses multiple cloud services for data exfiltration including MEGA.NZ, transfer.sh, Gofile, shz.al, Tem.sh, and Paste.ee.
Splunk SPL:
index=proxy sourcetype=bluecoat | where dest_host IN ("transfer.sh", "mega.nz", "megasync.com", "shz.al", "gofile.io", "tem.sh", "paste.ee", "backblaze.com", "storj.io") | eval data_size_mb=round(bytes_out/1024/1024,2) | where data_size_mb > 100 | stats sum(data_size_mb) as total_mb by src_ip dest_host user | where total_mb > 500
Elastic KQL:
destination.domain:("transfer.sh" OR "mega.nz" OR "megasync.com" OR "shz.al" OR "gofile.io" OR "tem.sh" OR "paste.ee" OR "backblaze.com" OR "storj.io") AND network.bytes:[104857600 TO *]
Alert on large data transfers (>100MB) to these domains. Immediate investigation required for transfer.sh usage.
T1098 — Account Manipulation (Persistence) [P1]
Scattered Spider disabled 37 accounts in one incident and removes administrative roles to prevent incident response.
Splunk SPL:
index=azuread sourcetype="azure:aad:audit" (operationName="Disable account" OR operationName="Remove member from role") | bucket _time span=10m | stats count dc(targetResources{}.userPrincipalName) as unique_accounts by _time initiatedBy.user.userPrincipalName | where count>10 OR unique_accounts>10
Elastic KQL (KQL has no pipe or stats operators, so run this as a threshold rule grouped on user.name with a count above 10):
event.action:("Disable account" OR "Remove member from role")
Bulk account modifications indicate active compromise. 10+ changes in 10 minutes should trigger immediate response.
T1486 — Data Encrypted for Impact (Impact) [P1]
DragonForce ransomware deployment is the final stage of Scattered Spider attacks, using an 80/20 profit split RaaS model.
Splunk SPL:
index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 | where (TargetFilename LIKE "%.dragonforce" OR TargetFilename LIKE "%.locked" OR TargetFilename LIKE "%.encrypted") | bucket _time span=1m | stats dc(TargetFilename) as files_encrypted by _time Computer | where files_encrypted>100
Elastic KQL (run as a threshold rule grouped on host.name with a count above 100, since KQL cannot aggregate):
event.code:"11" AND file.name:(*.dragonforce OR *.locked OR *.encrypted)
Mass file encryption events. Immediate isolation and backup restoration procedures should be initiated.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| ip | 137.220.43.146 | Scattered Spider C2 infrastructure |
| ip | 45.77.92.214 | Scattered Spider C2 infrastructure |
| ip | 143.198.116.59 | Scattered Spider C2 infrastructure |
| ip | 45.32.171.19 | Scattered Spider C2 infrastructure |
| ip | 64.176.214.51 | Scattered Spider C2 infrastructure |
| ip | 159.65.72.54 | Scattered Spider C2 infrastructure |
| ip | 45.76.233.211 | Scattered Spider C2 infrastructure |
| ip | 144.76.136.153 | Exfiltration via transfer.sh |
| ip | 99.25.84.9 | Authentication from Florida, linked to cross-tenant impersonation |
| ip | 149.248.8.85 | Fake corporate websites hosting |
| ip | 67.43.235.122 | Midgetpack C2 on ports 4444/8888 |
| domain | paxos-my-salesforce.com | Phishing domain targeting Paxos (Feb 2025) |
| domain | transfer.sh | Primary data exfiltration service |
| domain | mega.nz | Data exfiltration service |
| domain | shz.al | Data exfiltration service |
| domain | gofile.io | Data exfiltration service |
| domain | tem.sh | Data exfiltration service |
| domain | paste.ee | Data exfiltration service |
| filename | truesight.sys | Vulnerable driver abused by DragonForce ransomware |
| filename | rentdrv2.sys | Vulnerable driver abused by DragonForce ransomware |
| filename | iqvw64.sys | Intel driver exploited via CVE-2015-2291 |
| filename | Raccoon-2.dll | Raccoon Stealer v2.1 DLL |
IOC Sweep Queries (Splunk):
index=* (src_ip="137.220.43.146" OR dest_ip="137.220.43.146" OR dest="137.220.43.146") | stats count by index sourcetype src_ip dest_ip dest_port
index=* (src_ip="45.77.92.214" OR dest_ip="45.77.92.214" OR dest="45.77.92.214") | stats count by index sourcetype src_ip dest_ip dest_port
index=* (src_ip="143.198.116.59" OR dest_ip="143.198.116.59" OR dest="143.198.116.59") | stats count by index sourcetype src_ip dest_ip dest_port
index=* (src_ip="45.32.171.19" OR dest_ip="45.32.171.19" OR dest="45.32.171.19") | stats count by index sourcetype src_ip dest_ip dest_port
index=* (src_ip="64.176.214.51" OR dest_ip="64.176.214.51" OR dest="64.176.214.51") | stats count by index sourcetype src_ip dest_ip dest_port
index=* (src_ip="159.65.72.54" OR dest_ip="159.65.72.54" OR dest="159.65.72.54") | stats count by index sourcetype src_ip dest_ip dest_port
index=* (src_ip="45.76.233.211" OR dest_ip="45.76.233.211" OR dest="45.76.233.211") | stats count by index sourcetype src_ip dest_ip dest_port
index=* (src_ip="144.76.136.153" OR dest_ip="144.76.136.153" OR dest="144.76.136.153") | stats count sum(bytes_out) as total_bytes by index sourcetype src_ip dest_ip
index=* (src_ip="99.25.84.9" OR dest_ip="99.25.84.9" OR dest="99.25.84.9") | stats count by index sourcetype src_ip dest_ip user
index=* (src_ip="149.248.8.85" OR dest_ip="149.248.8.85" OR dest="149.248.8.85") | stats count by index sourcetype src_ip dest_ip url
index=* (src_ip="67.43.235.122" OR dest_ip="67.43.235.122" OR dest="67.43.235.122") AND (dest_port=4444 OR dest_port=8888) | stats count by index sourcetype src_ip dest_ip dest_port
index=* (dest="paxos-my-salesforce.com" OR url="*paxos-my-salesforce.com*" OR query="paxos-my-salesforce.com") | stats count by index sourcetype src_ip
index=* (dest="transfer.sh" OR url="*transfer.sh*" OR query="transfer.sh") | stats sum(bytes_out) as total_bytes count by index sourcetype src_ip user
index=* (dest="mega.nz" OR dest="megasync.com" OR url="*mega.nz*") | stats sum(bytes_out) as total_bytes count by index sourcetype src_ip user
index=* (dest="shz.al" OR url="*shz.al*" OR query="shz.al") | stats sum(bytes_out) as total_bytes count by index sourcetype src_ip user
index=* (dest="gofile.io" OR url="*gofile.io*" OR query="gofile.io") | stats sum(bytes_out) as total_bytes count by index sourcetype src_ip user
index=* (dest="tem.sh" OR url="*tem.sh*" OR query="tem.sh") | stats sum(bytes_out) as total_bytes count by index sourcetype src_ip user
index=* (dest="paste.ee" OR url="*paste.ee*" OR query="paste.ee") | stats count by index sourcetype src_ip user
index=* (filename="truesight.sys" OR file_name="truesight.sys" OR ImageLoaded="*truesight.sys" OR file_path="*truesight.sys") | stats count by index sourcetype host ComputerName
index=* (filename="rentdrv2.sys" OR file_name="rentdrv2.sys" OR ImageLoaded="*rentdrv2.sys" OR file_path="*rentdrv2.sys") | stats count by index sourcetype host ComputerName
index=* (filename="iqvw64.sys" OR file_name="iqvw64.sys" OR ImageLoaded="*iqvw64.sys" OR file_path="*iqvw64.sys") | stats count by index sourcetype host ComputerName
index=* (filename="Raccoon-2.dll" OR file_name="Raccoon-2.dll" OR ImageLoaded="*Raccoon-2.dll" OR file_path="*Raccoon-2.dll") | stats count by index sourcetype host ComputerName
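The proxy-side logic behind the file-sharing searches above (transfer.sh, mega.nz, gofile.io, shz.al, tem.sh), run offline over constructed proxy log lines, as an added example that is not part of the original report. It goes one step beyond the `stats sum(bytes_out)` searches by adding the per-user volume-within-a-window threshold an analyst would apply next; the field names (user, dest, bytes_out) follow the searches, and the sample lines and thresholds are assumptions.

```python
# Added example, not from the original report: the proxy-log logic behind the file-sharing
# searches above, plus a volume-over-time threshold. Sample log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

EXFIL_DOMAINS = {"transfer.sh", "mega.nz", "megasync.com", "shz.al", "gofile.io", "tem.sh"}

# Constructed sample proxy events: "<timestamp> <user> <dest> <bytes_out>"
SAMPLE_PROXY_LOG = """\
2026-04-07T09:00:01Z alice mega.nz 52428800
2026-04-07T09:01:10Z alice mega.nz 73400320
2026-04-07T09:02:45Z alice api.mega.nz 94371840
2026-04-07T09:03:30Z bob example.com 2048
2026-04-07T10:15:00Z carol gofile.io 1024
2026-04-07T13:20:00Z carol gofile.io 1536
"""

def parse_line(line):
    ts, user, dest, bytes_out = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, dest.lower(), int(bytes_out)

def exfil_domain(dest):
    """Return the watched domain `dest` belongs to (the searches' url="*mega.nz*"
    wildcard, but without matching look-alikes such as notmega.nz), else None."""
    for d in EXFIL_DOMAINS:
        if dest == d or dest.endswith("." + d):
            return d
    return None

def find_exfil(log_text, byte_threshold=100 * 1024 * 1024, window=timedelta(minutes=5)):
    """Return {(user, domain): peak_bytes} for each user whose uploads to a watched
    domain exceed byte_threshold within any span of length `window`."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, dest, bytes_out = parse_line(line)
        domain = exfil_domain(dest)
        if domain:
            events[(user, domain)].append((ts, bytes_out))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        start, running = 0, 0
        for ts, b in evs:  # sliding window over the time-ordered events
            running += b
            while ts - evs[start][0] > window:  # age out events older than the window
                running -= evs[start][1]
                start += 1
            if running > byte_threshold:
                hits[key] = max(hits.get(key, 0), running)
    return hits
```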
YARA Rules
MALWARE_Win_Scattered_Spider_Vulnerable_Drivers — Detects vulnerable drivers used by Scattered Spider's DragonForce ransomware for defense evasion
rule MALWARE_Win_Scattered_Spider_Vulnerable_Drivers {
meta:
description = "Detects vulnerable drivers used by DragonForce ransomware - Scattered Spider"
author = "RedSheep Security/Stone"
date = "2026-04-07"
reference = "https://www.acronis.com/en/tru/posts/the-dragonforce-cartel-scattered-spider-at-the-gate/"
hash1 = "31f4cfb9b6ba2c3a3a0e8e3d8c8a7f9e5c8d9f2a" // example hash
strings:
$driver1 = "truesight.sys" ascii wide
$driver2 = "rentdrv2.sys" ascii wide
$driver3 = "iqvw64.sys" ascii wide
$pdb1 = "TrueSight" ascii
$pdb2 = "rentdrv" ascii
$sign1 = "Micro-Star International" ascii
$sign2 = "Intel Corporation" ascii
condition:
uint16(0) == 0x5a4d and
filesize < 500KB and
(any of ($driver*) or (any of ($pdb*) and any of ($sign*)))
}
MALWARE_Win_Raccoon_Stealer_v2 — Detects Raccoon Stealer v2.1 DLL used by Scattered Spider
rule MALWARE_Win_Raccoon_Stealer_v2 {
meta:
description = "Detects Raccoon Stealer v2 - Information stealer used by Scattered Spider"
author = "ditekSHen"
modified = "2026-04-07"
reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon"
strings:
$dll = "Raccoon-2.dll" ascii
$export = "_Start@16" ascii
$s1 = "wallet.dat" ascii
$s2 = "\\Local Storage\\leveldb" ascii
$s3 = "passwords.txt" ascii
$s4 = "autofill.txt" ascii
$s5 = "cookies.txt" ascii
$s6 = "User Data\\Default\\Login Data" ascii
$s7 = "\\files\\" ascii
$mutex = "8724643052" ascii
condition:
uint16(0) == 0x5a4d and
($dll or $export or $mutex or 4 of ($s*))
}
Suricata Rules
SID 2051234 — Scattered Spider C2 Infrastructure Detection
alert tcp $HOME_NET any -> [137.220.43.146,45.77.92.214,143.198.116.59,45.32.171.19,64.176.214.51,159.65.72.54,45.76.233.211] any (msg:"ET TROJAN Scattered Spider C2 Infrastructure Communication"; flow:to_server,established; threshold:type limit,track by_src,count 1,seconds 3600; classtype:trojan-activity; sid:2051234; rev:1;)
SID 2051235 — Scattered Spider Exfiltration to transfer.sh
alert http $HOME_NET any -> 144.76.136.153 any (msg:"ET TROJAN Scattered Spider Exfiltration to transfer.sh"; flow:to_server,established; content:"transfer.sh"; http_host; threshold:type threshold,track by_src,count 5,seconds 300; classtype:data-exfiltration; sid:2051235; rev:1;)
SID 2051236 — Midgetpack C2 on Non-Standard Ports
alert tcp $HOME_NET any -> 67.43.235.122 [4444,8888] (msg:"ET TROJAN Scattered Spider Midgetpack C2 Communication"; flow:to_server; flags:S; threshold:type limit,track by_src,count 1,seconds 3600; classtype:trojan-activity; sid:2051236; rev:1;)
SID 2051237 — Scattered Spider Data Exfiltration Domains
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Scattered Spider Data Exfiltration Domain Query"; dns.query; content:"transfer.sh"; nocase; endswith; threshold:type limit,track by_src,count 1,seconds 3600; classtype:trojan-activity; sid:2051237; rev:1;)
SID 2051238 — Scattered Spider MEGA Exfiltration
alert tls $HOME_NET any -> any 443 (msg:"ET TROJAN Scattered Spider MEGA.NZ Exfiltration"; tls.sni; content:"mega.nz"; endswith; threshold:type threshold,track by_src,count 10,seconds 300; classtype:data-exfiltration; sid:2051238; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Help Desk Ticketing System | T1566.004 | Must log password reset requests with method (phone/email/ticket) and requesting user details |
| Azure AD Sign-in Logs | T1078, T1566.004 | Enable detailed sign-in logging including IP addresses and user agents |
| Okta System Log | T1078, T1098, T1136 | Configure to capture all authentication events and administrative actions |
| Sysmon | T1562.001, T1486 | EventID 6 (Driver Load) and EventID 11 (File Create) are critical for ransomware detection |
| Windows Security Log | T1136, T1098 | EventID 4720 (Account Creation) and 4728/4729 (Group Membership Changes) |
| Proxy Logs | T1567.002 | Must capture full URLs and data transfer volumes for exfiltration detection |
| EDR Solution | T1562.001, T1486 | Required for detecting vulnerable driver loads and ransomware encryption behavior |
| DNS Query Logs | T1567.002 | Monitor queries to known exfiltration domains |
| Phone System CDRs | T1566.004 | Call detail records to correlate vishing attempts with password resets |
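The correlation the table asks for under T1566.004, tying help-desk reset tickets, phone-system CDRs and IdP sign-in logs together, as an added example that is not part of the original report. Record layouts, field names, the 15-minute call slack, 60-minute login window and 30-day IP history are all assumptions, and the sample records are constructed.

```python
# Added example, not part of the original report: correlating the three data sources the
# table ties to T1566.004 (help-desk tickets, phone CDRs, IdP sign-ins). Record layouts,
# field names and the sample records are all constructed for this illustration.
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Help-desk password resets: time, user, method, caller number as logged by the agent
TICKETS = [
    {"time": ts("2026-04-07 09:05"), "user": "jdoe", "method": "phone", "caller": "+15550100"},
    {"time": ts("2026-04-07 09:40"), "user": "asmith", "method": "ticket", "caller": None},
]
# Phone-system call detail records for the help-desk line
CDRS = [{"time": ts("2026-04-07 09:01"), "from": "+15550100", "to": "helpdesk", "dur_s": 420}]
# IdP sign-in events (Azure AD / Okta style): time, user, source IP, success
SIGNINS = [
    {"time": ts("2026-03-20 08:00"), "user": "jdoe", "ip": "10.1.2.3", "ok": True},
    {"time": ts("2026-04-07 09:18"), "user": "jdoe", "ip": "203.0.113.9", "ok": True},
    {"time": ts("2026-04-07 09:50"), "user": "asmith", "ip": "10.1.2.7", "ok": True},
]
KNOWN_NUMBERS = {"jdoe": "+15550111", "asmith": "+15550122"}  # phone numbers on file (HR)

def correlate(tickets, cdrs, signins, known_numbers, call_slack=timedelta(minutes=15),
              login_window=timedelta(minutes=60), history=timedelta(days=30)):
    """Flag phone-initiated resets that look like vishing: the caller is not the user's
    number on file, no CDR backs the ticket, or a sign-in from an IP the user never used
    in `history` follows within `login_window`. Returns [(user, reset_time, reasons)]."""
    findings = []
    for t in tickets:
        if t["method"] != "phone":
            continue
        reasons = []
        backed = any(c["to"] == "helpdesk" and c["from"] == t["caller"]
                     and abs(c["time"] - t["time"]) <= call_slack for c in cdrs)
        if not backed:
            reasons.append("no CDR matches the caller logged on the ticket")
        if t["caller"] != known_numbers.get(t["user"]):
            reasons.append("caller number differs from the number on file")
        prior_ips = {s["ip"] for s in signins if s["user"] == t["user"] and s["ok"]
                     and t["time"] - history <= s["time"] < t["time"]}
        for s in signins:
            if (s["user"] == t["user"] and s["ok"] and s["ip"] not in prior_ips
                    and t["time"] <= s["time"] <= t["time"] + login_window):
                reasons.append(f"post-reset sign-in from new IP {s['ip']}")
        if reasons:
            findings.append((t["user"], t["time"], reasons))
    return findings
```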
Sources
- CISA Advisory AA23-320A - Scattered Spider
- KrebsOnSecurity - Threat Profile: Scattered Spider
- Cyber Desserts Blog - Scattered Spider Analysis
- Reversec Labs - Building an AI Vishing Solution in 7 Days
- ReliaQuest - Scattered Spider Cyber Attacks Using Phishing Social Engineering 2025
- Help Net Security - SLH Seeks Women for Vishing Attacks
- CyberProof - 2026 Cybersecurity Predictions
- Obsidian Security - Scattered Spider SaaS Attack Analysis
- Acronis - The DragonForce Cartel: Scattered Spider at the Gate
- Check Point - Exposing Scattered Spider: New Indicators Highlight Growing Threat
- Validin - Corralling Scattered Spider with DNS History
- ReliaQuest - Scattered Spider Attack Analysis Account Compromise
- Sekoia Blog - Scattered Spider Laying New Eggs
- Silent Push - Scattered Spider 2025
- Malpedia - Raccoon Stealer
- eSentire - Raccoon Stealer v2 Analysis Part 2