Scattered Spider's Newest Targets: Transportation and Airlines
Briefly

In mid-2025, Google Threat Intelligence Group discovered an aggressive cyber campaign attributed to the threat group UNC3944, affecting the retail, airline, and insurance sectors. The group relies on advanced social engineering tactics rather than software exploits, using phone calls to IT help desks to gain access. Experts emphasize the need for security teams to be proactive against social engineering attacks and highlight the group's living-off-the-land strategy, which involves manipulating trusted administrative systems after compromising user accounts. This approach enables the group to exfiltrate data and deploy ransomware effectively without triggering traditional security defenses.
The advanced sophistication Scattered Spider exhibits should have security teams on alert. Social engineering attacks can be prevented with proper training and a challenge process that validates callers are who they claim to be. Because the group operates with valid credentials and built-in tools, it is difficult for security teams to discern whether they have been compromised.
Their strategy is rooted in a 'living-off-the-land' (LoTL) approach. After using social engineering to compromise one or more user accounts, they manipulate trusted administrative systems and use their control of Active Directory as a launchpad to pivot into the VMware vSphere environment, which gives them a path to exfiltrate data and deploy ransomware directly from the hypervisor.
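Because the pivot relies on legitimate credentials and built-in administration tools, one defensive signal is the timing: an account that is added to a privileged AD group and then reaches the vCenter management plane within hours deserves review, whereas a long-standing administrator's logon does not. The correlation below is an added example, not code from the article or from any vendor; the normalised event format, the group name vSphere-Admins and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article). The format is an assumption:
# AD group additions and vCenter logons already parsed into dicts with ISO-8601 times.
EVENTS = [
    {"ts": "2025-06-10T09:02:11", "src": "ad", "action": "group_add",
     "user": "svc_backup", "group": "vSphere-Admins", "actor": "helpdesk3"},
    {"ts": "2025-06-10T09:15:40", "src": "vcenter", "action": "login",
     "user": "svc_backup", "ip": "10.8.4.77"},
    {"ts": "2025-06-03T14:00:00", "src": "ad", "action": "group_add",
     "user": "vadmin1", "group": "vSphere-Admins", "actor": "it_admin"},
    {"ts": "2025-06-10T10:00:00", "src": "vcenter", "action": "login",
     "user": "vadmin1", "ip": "10.8.4.10"},
]

# Assumed: the AD group that maps to the vCenter Administrator role in this environment.
PRIVILEGED_GROUPS = {"vSphere-Admins"}
WINDOW = timedelta(hours=24)


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_fresh_privilege_logins(events, window=WINDOW, groups=PRIVILEGED_GROUPS):
    """Return one tuple (user, grant_ts, login_ts, actor, ip) for every vCenter login
    made by an account that was added to a privileged AD group less than `window`
    earlier. The actor who granted the membership is kept so the help-desk ticket
    or call behind the change can be checked."""
    grants = {}
    for e in events:
        if e["src"] == "ad" and e["action"] == "group_add" and e["group"] in groups:
            grants.setdefault(e["user"], []).append((parse_ts(e["ts"]), e["actor"]))
    alerts = []
    for e in events:
        if e["src"] != "vcenter" or e["action"] != "login":
            continue
        login_ts = parse_ts(e["ts"])
        for grant_ts, actor in grants.get(e["user"], []):
            # Only a grant that precedes the login and falls inside the window counts.
            if timedelta(0) <= login_ts - grant_ts <= window:
                alerts.append((e["user"], grant_ts, login_ts, actor, e["ip"]))
    return alerts


if __name__ == "__main__":
    for user, granted, logged_in, actor, ip in find_fresh_privilege_logins(EVENTS):
        print(f"REVIEW: {user} elevated by {actor} at {granted}, "
              f"logged into vCenter from {ip} at {logged_in}")
```

On the sample data only svc_backup is flagged: the membership added by helpdesk3 is followed thirteen minutes later by a hypervisor logon, while vadmin1 was elevated a week earlier.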
Read at Securitymagazine