
Summary

InfraShield explores a mid-2025 investigation by Mandiant/Google Threat Intelligence Group into a sophisticated attack campaign attributed to the Scattered Spider threat actor, also known as UNC3944, which targeted critical North American infrastructure sectors including aviation, transportation, and retail.

The attackers leveraged advanced social engineering tactics to compromise privileged Active Directory accounts, which they then used to access VMware vSphere environments and deploy ransomware from the hypervisor level—an evasive and devastating technique. The report outlines a five-phase attack chain, culminating in the destruction of backups and the encryption of virtual machines, effectively crippling victim operations.

Scattered Spider’s affiliation with Russian ransomware groups and its persistent evolution present an escalating threat, prompting urgent recommendations from U.S. and international cybersecurity agencies for enhanced security measures, including phishing-resistant MFA and offline backups. Critical infrastructure operators must remain particularly vigilant against this evolving threat.


A July report authored by the Mandiant/Google Threat Intelligence Group (GTIG) revealed findings from a mid-year (2025) investigation into a malicious campaign targeting North American critical infrastructure sectors, attributed to the notorious Scattered Spider adversary cluster.

The attack chain detailed in the GTIG report titled “From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944” describes highly sophisticated and stealthy methods for system takeover. Broadly, these tactics, techniques, and procedures (TTPs) consist of socially engineering (SE) privileged Active Directory (AD) credentials and using those “keys to the kingdom” as a pivot point to hijack VMware’s control planes and hypervisor hosts to deploy ransomware across all virtualized infrastructure—to devastating effect.

The specific Scattered Spider campaign investigated by GTIG focused on attacks targeting the retail, airline, and insurance sectors. Notably, the latter two verticals are classified as critical infrastructure by the Cybersecurity and Infrastructure Security Agency (Transportation Systems and Financial Services).

According to the GTIG report, “Following public alerts from the Federal Bureau of Investigation (FBI), the group's targeting became clear. GTIG observed that the group was suspected of turning its ransomware and extortion operations to the U.S. retail sector. The campaign soon broadened further, with airline and transportation organizations in North America having also become targets.”

Threat Actor Background

Also known as “UNC3944,” "0ktapus," and "Octo Tempest," Scattered Spider is a moniker initially coined by CrowdStrike in 2022. While the cluster, which primarily consists of English speakers, is frequently portrayed in the media as an organized gang, Scattered Spider and its other naming conventions can be more accurately described as threat actor (TA) attributions.

In fact, this TA cluster is a loosely knit collective that often gets lumped together based on overlapping tactics, techniques, and procedures (TTPs) observed in various malicious campaigns—often where social engineering attacks against IT help desk staff serve as the initial access vector. Scattered Spider has also been known to incorporate SIM swapping attacks into their employee impersonation campaigns to better deceive IT help desk personnel.

Regardless, the group shot to global infamy when it partnered with the elite, now-defunct Russian ransomware-as-a-service (RaaS) syndicate ALPHV/Blackcat to conduct two high-ticket ransomware attacks that brought operations at two Las Vegas resorts to a standstill in the summer of 2023. These attacks marked a milestone in global cybercrime: it was the first time a Russia-nexus RaaS syndicate had accepted an English-speaking affiliate group into its ranks.

Generally speaking, this decentralized cohort of teen and twenty-something cybercrime savants emerged from the nebulous Com online-harm ecosystem. Numerous affiliates have links to the notorious Lap$us cybercriminal collective, which is no longer active in its original form, as its most prominent members have been arrested and prosecuted.

For that matter, nearly a dozen members associated with the Scattered Spider TA cluster have been arrested over the last 18 months, according to The Hacker News, with the latest being four teen and twenty-something suspects in the UK.

The National Crime Agency arrested the quartet in July on suspicion of conducting the DragonForce ransomware attack that disrupted operations at British retail giant Marks & Spencer this past April. Nevertheless, Scattered Spider attack campaigns remain a critical threat, according to GTIG.

[Image: DragonForce Ransomware Cartel RaaS Invites New Affiliates. Source: RAMP]

Five-Phase Attack Chain

The GTIG report notes that Scattered Spider’s “core tactics have remained consistent and do not rely on software exploits. Instead, they use a proven playbook centered on phone calls to an IT help desk.” Furthermore, the threat actors are “aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs,” according to GTIG.

Additionally, GTIG notes that the group’s “precise, campaign-driven operations” are laser focused on seizing their target’s “most critical systems and data.” Operationalizing a living-off-the-land (LoTL) strategy, where threat actors weaponize a victim’s pre-existing enterprise IT tool set to escalate attacks, these threat actors have perfected SE tradecraft, lateral movement, and privilege escalation. Specifically, they harness fraudulently obtained AD access as a launching point for sweeping network compromise.

After using SE to compromise privileged users’ accounts, these threat actors “manipulate trusted administrative systems and use their control of Active Directory as a launchpad to pivot to the VMware vSphere environment, thus providing an avenue to exfiltrate data and deploy ransomware directly from the hypervisor.”

vSphere is a virtualization platform that provides the infrastructure for running and managing virtual machines (VMs). One of the most important products within vSphere’s suite of offerings is the ESXi hypervisor. The hypervisor is a foundational software layer that runs directly on physical servers and allows them to host multiple VMs. It provides isolation between VMs and manages their access to physical resources like CPU, memory, and storage.

Compromising vSphere and deploying ransomware from the hypervisor is a highly effective “kill-shot” method because it “generates few traditional indicators of compromise (IoCs) and bypasses security tools like endpoint detection and response (EDR), which often have limited or no visibility into the ESXi hypervisor and vCenter Server Appliance (VCSA),” according to the GTIG report.

Additionally, the GTIG report emphasizes that “root access on the ESXi shell is the highest level privilege in a virtual environment. By encrypting at the hypervisor level, they bypass all in-guest security and compromise servers with a single action.”

GTIG noted that Scattered Spider’s attack web spins across “five distinct phases, moving methodically from a low-level foothold to complete hypervisor control.” These phases include the following:

  1. Initial Compromise, Recon, and Escalation
  2. The Pivot to vCenter — The Control Plane Compromise
  3. The Hypervisor Heist — Offline Credential Theft and Exfiltration
  4. Backup Sabotage — Removing the Safety Net
  5. Encryption — Ransomware from the Hypervisor


The GTIG report goes through each phase of Scattered Spider’s attack chain in granular detail. But for our purposes, we will extract the most interesting aspect of each phase highlighted by GTIG.

  • Initial Compromise: GTIG notes that Scattered Spider targets IT help desk representatives by “using readily available personal information from previous data breaches and employing persuasive or intimidating” SE techniques to “convince an agent to reset the employee's Active Directory password.” In some cases, Scattered Spider has even been known to threaten victim personnel with physical violence. Recently, anti-ransomware firm Halcyon noted that Scattered Spider has even resorted to co-opting corporate insiders through bribes and other methods to gain initial access.
  • vCenter Pivot: Once the threat actors have taken over a privileged AD account, GTIG notes they use that sweeping access to “log into the vSphere vCenter Server GUI. From there, they leverage their vCenter Admin rights to gain what amounts to "virtual physical access" to the VCSA itself. They open a remote console, reboot the appliance, and edit the GRUB bootloader to start with a root shell (init=/bin/bash), giving them passwordless root access. They then change the root password to enable SSH access upon reboot. To maintain their foothold, they upload and execute teleport, a legitimate open source remote access tool, to create a persistent and encrypted reverse shell (C2 channel) that bypasses most firewall egress rules.”

    These tactics indicate a prodigious understanding of inherent weaknesses in virtualization infrastructure and mastery of LoTL tradecraft.
  • Hypervisor Heist: After seizing root access to vCenter, the threat actors take over the ESXi hypervisor hosts. From vCenter, writes GTIG, Scattered Spider “enables SSH on the ESXi hosts and reset their root passwords. They then execute an offline attack by identifying a Domain Controller VM, powering it off, and detaching its virtual disk (.vmdk). This disk is then attached as a secondary drive to a forgotten or "orphaned" VM they control. From this unmonitored machine, they copy the NTDS.dit Active Directory database. The process is then reversed, and the DC is powered back on as if nothing happened.”

    These tactics highlight the difficulty in monitoring malicious network traffic routed over ESXi protocols, with an emphasis on the SSH protocol. SSH delivers the highest-privilege, least-monitored, and most versatile access possible. This helps Scattered Spider avoid detection and maximize the impact of their attacks on virtual environments. As such, defenders should consider locking down and monitoring SSH access on ESXi hosts, restricting direct console/root access and centralizing logging/alerting to spot malicious use.
  • Backup Sabotage: This TTP is particularly damaging. “Leveraging their full control over Active Directory,” writes GTIG, Scattered Spider “targets the backup infrastructure (e.g., a virtualized backup server). They either reuse the compromised Domain Admin credentials to log in via RDP or, more stealthily, add a user they control to the "Veeam Administrators" security group in AD. Once in, they delete all backup jobs, snapshots, and repositories.” This method leaves an organization helpless against Scattered Spider’s ransomware demands.

    GTIG notes that this tactic works due to organizations’ reluctance to implement “administrative tiering (where the same powerful accounts manage both virtualization and backups) and insufficient monitoring of changes to critical AD security groups.”
  • Encryption — Ransomware from the Hypervisor: “With the target blinded and their safety net gone, the final stage commences,” notes GTIG. According to GTIG, Scattered Spider “uses their SSH access to the ESXi hosts to push their custom ransomware binary via SCP/SFTP into a writable directory like /tmp. They then execute a script that uses the native ESXi command-line tool, vim-cmd, to forcibly power off every VM on the host. Finally, they launch the ransomware binary (often with nohup to ensure it continues after they log out), which scans the datastores and encrypts all VM files (.vmdk, .vmx, etc.).”
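Two of the detection opportunities raised above (monitoring membership changes to critical AD security groups such as "Veeam Administrators", and alerting when SSH is switched on for an ESXi host) can be turned into simple log-matching rules. The script below is an added example, not code from the GTIG report or from InfraShield; the log lines are constructed and simplified, and the list of sensitive groups is an assumption to be replaced with your own.

```python
"""Detection sketch for two Scattered Spider TTPs described in the GTIG report:
(1) a member being added to a sensitive AD group (backup sabotage preparation),
(2) the SSH service being started on an ESXi host (hypervisor heist preparation).
All log lines here are constructed samples in a simplified key=value form."""
import re
from dataclasses import dataclass

# Groups whose membership changes should page an analyst (assumed list; adjust).
SENSITIVE_GROUPS = {"Veeam Administrators", "Domain Admins", "ESX Admins"}

# Constructed Windows Security events. 4728 = member added to a global security
# group, 4732 = member added to a local security group.
AD_EVENTS = [
    "EventID=4728 Subject=CORP\\svc-helpdesk Member=CORP\\jdoe Group=Marketing",
    "EventID=4728 Subject=CORP\\admin-t0 Member=CORP\\ops-temp Group=Veeam Administrators",
    "EventID=4732 Subject=CORP\\admin-t0 Member=CORP\\ops-temp Group=Remote Desktop Users",
]

# Constructed, simplified hostd-style lines. TSM-SSH is the ESXi SSH service name.
ESXI_EVENTS = [
    "esx01 hostd: [sub=Hostsvc] Service TSM-SSH started by user vpxuser",
    "esx02 hostd: [sub=Hostsvc] Service ntpd started by user vpxuser",
]

@dataclass
class Alert:
    source: str   # "AD" or the ESXi host name
    ttp: str      # which phase of the attack chain the event maps to
    detail: str

AD_RE = re.compile(r"EventID=(\d+) Subject=(\S+) Member=(\S+) Group=(.+)$")
SSH_RE = re.compile(r"^(\S+) hostd: .*Service TSM-SSH (?:started|enabled) by user (\S+)")

def ad_group_alerts(lines):
    """Flag member-add events whose target group is in SENSITIVE_GROUPS."""
    alerts = []
    for line in lines:
        m = AD_RE.match(line)
        if m and m.group(1) in {"4728", "4732"} and m.group(4) in SENSITIVE_GROUPS:
            alerts.append(Alert("AD", "backup-sabotage",
                                f"{m.group(2)} added {m.group(3)} to {m.group(4)}"))
    return alerts

def esxi_ssh_alerts(lines):
    """Flag any ESXi host on which the SSH service was started or enabled."""
    alerts = []
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            alerts.append(Alert(m.group(1), "hypervisor-heist", f"SSH enabled by {m.group(2)}"))
    return alerts
```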

Critical Infrastructure Operators Must Remain Vigilant

For a comprehensive index of recommended mitigations to protect against the TTPs discussed in this blog, please refer to the GTIG report. On a more generalized mitigations note, the FBI, CISA, and six international partners released a joint Cybersecurity Advisory on July 29, 2025 in response to recent activity by Scattered Spider that highlighted several steps organizations can take to protect themselves.

The authoring agencies highlighted the following three mitigations to help guard against the Scattered Spider threat:

  • Maintain offline backups of data that are stored separately from the source systems and tested regularly.
  • Enable and enforce phishing-resistant multifactor authentication (MFA).
  • Implement application controls to manage and control software execution.

The authoring organizations “encourage critical infrastructure organizations,” in particular, to “implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Scattered Spider malicious activity.” While there are no indications that Scattered Spider has managed to pivot from IT environments into more critical operational technology (OT) systems, the group’s targeting of aviation and transport organizations, together with its expanding partnerships with Russia-nexus RaaS syndicates like DragonForce and Qilin, is nothing short of alarming.

In an increasingly fractured geopolitical landscape, Scattered Spider’s recent attack campaign significantly elevates the risk of a highly destructive attack targeting the aviation industry. The threat against Western aviation is further amplified by so-called pro-Ukrainian hacktivist attacks that crippled operations at Aeroflot, the largest Russian airline, in July.

Concerned about your IT and OT security postures in the face of Scattered Spider's escalating attacks? InfraShield helps aviation and critical infrastructure operators build resilience—learn more.
