Summary
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Royal Canadian Mounted Police (RCMP), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK)—hereafter referred to as the authoring organizations—are releasing this joint Cybersecurity Advisory in response to recent activity by Scattered Spider threat actors
against the commercial facilities sectors, subsectors, and other sectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as June 2025.
Note: Originally published Nov. 16, 2023, this advisory has been updated through several iterations:
▪ Nov. 16, 2023: Initial version.
▪ Nov. 21, 2023: Updated password recommendation language on page 12
July 29, 2025: U.S. and international federal organizations identified new TTPs associated with the Scattered Spider cybercriminal group. In addition to new TTPs that include more sophisticated social engineering techniques, the advisory describes additional malware and ransomware variants used to exfiltrate data and encrypt targeted organizations’ systems. Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.
*Update July 29, 2025:
Per trusted third parties, Scattered Spider threat actors typically engage in data theft for extortion and also use several ransomware variants, most recently deploying DragonForce ransomware alongside their usual TTPs. While some TTPs remain consistent, Scattered Spider threat actors often change TTPs to remain undetected.