Despite several arrests last year, Scattered Spider’s social engineering attacks are continuing into 2025 as the cybercrime collective targets high-profile organizations and adds another phishing kit to its arsenal along with a new version of Spectre RAT malware.
Plus, in welcome news to anyone who isn’t a Rick Astley fan, it appears the miscreants have given up on Rickrolling their victims, at least as of February, according to threat detection firm Silent Push.
In addition to publishing details about all five unique Scattered Spider phishing kits in research published today, the threat hunters shared their analysis of the new malware, which the attackers use to gain persistent access to compromised systems and steal sensitive data. Silent Push also made available code for a Spectre RAT string decoder and command and control (C2) emulator that defenders can use in their efforts to squash the eight-legged menace.
After a series of high-profile heists in 2022 (Twilio/Okta) and 2023 (MGM Resorts and Caesars Entertainment), as well as a possible connection to the Snowflake intrusions in 2024, Scattered Spider saw at least seven of its members arrested last year. This included a 22-year-old Brit believed to be the gang’s kingpin, and a 20-year-old American who pleaded guilty to his roles in SIM swapping and other crimes, and now faces five decades behind bars.
Five of the young men were charged by US prosecutors in November 2024, and after that the attacks seemed to slow down.
But despite the law enforcement crackdown, these pests didn’t simply disappear into the shadows. Their social engineering attacks have continued well into 2025, according to Silent Push.
The crew has reportedly updated its phishing kits at least four times through 2024, with the most recent 2025 version including additional content changes and being hosted on Cloudflare.
This newest one appears to have been used to target a wide range of companies, including Nike, T-Mobile, Tinder, Louis Vuitton, Instacart, and Pure Storage, we’re told.
“In 2025, Silent Push has also seen Scattered Spider targeting Pure Storage, a competitor to Snowflake, so it appears cloud storage solutions remain one of the group’s priority targets,” the researchers wrote.
Don’t take the bait
In these attacks, the criminals target major organizations and their employees by creating web domains that impersonate well-known brands as well as software vendors used by the organizations that Scattered Spider wants to compromise.
They typically start with an SMS phish used to obtain login credentials and MFA tokens from the target companies’ employees. Then, the miscreants use that illicit access to steal sensitive data, encrypt victims’ files, and blackmail organizations into paying ransom demands.
The three earliest kits, seen as far back as September 2023 and as recently as February 2025, primarily impersonate Okta login pages for targeted organizations. Plus, the analysts note that across all three “we regularly saw redirects to the YouTube video for Rick Astley, aka the ‘Rick Roll meme’.”
This is, of course, a favorite trick among pre-teens and teenagers: they send a link purporting to be something unrelated to Rick Astley, but when the recipient clicks on it, they get a music video or image of Astley singing “Never Gonna Give You Up.”
Apparently criminals like Rickrolling, too. Evilginx, a man-in-the-middle attack framework used for phishing login credentials and session tokens, “features this type of redirect as an option for hiding malicious payloads,” according to Silent Push.
The good news for would-be victims and/or Rick Astley fans: “Right now, it appears their legacy phishing kits are being deprecated,” the researchers wrote.
In January, a threat intel researcher who goes by Lontz on social media posted about finding a new Scattered Spider phishing domain, this one integrating different brands into the same website, and that led Silent Push to build an infrastructure fingerprint for the group’s Phishing Kit #5.
The domain shared by Lontz, okta-louisvuitton[.]com, oddly enough targeted T-Mobile, Tinder, and Nike.
However, the Silent Push team was able to replicate Lontz’s work to confirm that the same phishing kit could be triggered against other domains to target organizations including Morningstar (Morningstar-okta[.]com), HubSpot (corp-hubspot[.]com), Pure Storage (pure-okta[.]com), New York Digital Investment Group (signin-nydig[.]com), Instacart (sso-instacart[.]com), and Vodafone (sts-vodafone[.]com).
In February, one of the security shop’s Scattered Spider “fingerprints” – this is the digital representation of the group’s behaviour and/or internet infrastructure, which Silent Push then uses to block the threat – picked up a new phishing domain targeting marketing company Klaviyo: klv1[.]it[.]com
This particular Scattered Spider host is registered on a subdomain of it[.]com, a service that allows public subdomain registrations. Using a publicly rentable subdomain is new for the criminal group, and the researchers warn that it may make tracking the group more difficult. At the time Silent Push wrote its report, klv1[.]it[.]com had only five detections in VirusTotal.
“If Scattered Spider keeps using dynamic DNS vendors (organizations that provide publicly rentable subdomains), it will be important for all targeted organizations to alert or block requests for the associated domains and all related DNS vendor subdomains,” the threat hunters wrote.
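The alerting the researchers recommend can be prototyped with a small matcher over DNS resolver logs. The following Python script is an added example written for this article, not code from Silent Push or from the report: it loads the defanged domains quoted above as exact indicators, treats any name under the rentable it[.]com zone as worth an alert, and adds a looser heuristic for second-level labels that look like a login portal (okta, sso, signin, sts, corp). The BIND-style query log lines, the example-corp.com tenant allowlist, and the cdn.it.com name are constructed for the demonstration; the heuristic is meant for alerting and analyst review, not for automatic blocking, since legitimate names can carry the same labels.

```python
"""Match DNS query logs against Scattered Spider phishing indicators.

Added example; not Silent Push's or The Register's code. The watchlist
entries are the defanged domains named in the report; the log lines,
the allowlist and the extra it.com name are constructed for this demo.
"""
import re
from typing import List, Optional, Tuple

# Defanged indicators quoted in the report (refanged at load time).
REPORTED_DOMAINS = [
    "okta-louisvuitton[.]com",
    "Morningstar-okta[.]com",
    "corp-hubspot[.]com",
    "pure-okta[.]com",
    "signin-nydig[.]com",
    "sso-instacart[.]com",
    "sts-vodafone[.]com",
    "klv1[.]it[.]com",
]

# Publicly rentable subdomain zones. it[.]com is named in the report; a
# defender would extend this list (assumption: maintained locally).
RENTABLE_ZONES = ["it[.]com"]

# Zones where login-portal labels are expected. Constructed allowlist; a
# real deployment would hold the organisation's own tenant domains.
LEGIT_ZONES = ["okta.com", "example-corp.com"]

# Login-portal words seen in the reported domains, matched only at the
# start/end of the label or beside a hyphen, to limit false positives.
LOGIN_LABELS = re.compile(r"(^|-)(okta|sso|signin|sts|corp)(-|$)", re.I)

# BIND-style query log format (constructed for this example).
QUERY_RE = re.compile(r"query: (\S+) IN ")


def refang(domain: str) -> str:
    """Turn a defanged 'a[.]b' indicator into a comparable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def in_zone(host: str, zone: str) -> bool:
    """True if host equals zone or is a subdomain of it."""
    host, zone = refang(host), refang(zone)
    return host == zone or host.endswith("." + zone)


def classify(host: str) -> Optional[str]:
    """Return an alert category for a queried name, or None if benign."""
    h = refang(host)
    if any(in_zone(h, d) for d in REPORTED_DOMAINS):
        return "known-indicator"
    if any(in_zone(h, z) for z in RENTABLE_ZONES):
        return "rentable-subdomain"
    if any(in_zone(h, z) for z in LEGIT_ZONES):
        return None
    # Heuristic: second-level label that reads like a login portal.
    labels = h.split(".")
    if len(labels) >= 2 and LOGIN_LABELS.search(labels[-2]):
        return "lookalike-login-label"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Extract queried names from resolver log lines and classify them."""
    alerts = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = refang(m.group(1))
        verdict = classify(name)
        if verdict:
            alerts.append((name, verdict))
    return alerts


# Constructed sample resolver log for the demonstration.
SAMPLE_LOG = """\
client 10.20.0.15#53122: query: okta-louisvuitton.com IN A + (10.20.0.2)
client 10.20.0.15#53123: query: www.example-corp.com IN A + (10.20.0.2)
client 10.20.0.31#41001: query: klv1.it.com IN A + (10.20.0.2)
client 10.20.0.31#41002: query: cdn.it.com IN A + (10.20.0.2)
client 10.20.0.44#60210: query: sso-example-corp.com IN A + (10.20.0.2)
client 10.20.0.44#60211: query: example-corp.okta.com IN A + (10.20.0.2)
""".splitlines()


if __name__ == "__main__":
    for name, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:24} {name}")
```

The three tiers deliberately differ in confidence: an exact indicator hit or any query into the rentable zone is high-signal and is what the researchers suggest alerting or blocking on, while the label heuristic exists to surface the next kit rotation before an indicator for it is published and should feed a review queue rather than a block list.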
Also, in May 2024, the analysts spotted Scattered Spider registering domains using this pattern.
The miscreants mistakenly attached some of these domains to an open directory, which gave the threat hunters access to the directory and led to the discovery of a malicious file. It turned out to be an updated version of Spectre RAT, a stealthy and flexible tool for maintaining access to compromised companies:
Silent Push’s analysis includes a Spectre RAT string decoder and a test C2 server for Spectre RAT to facilitate captive bot testing; the company has published code for both. ®