Scattered Spider faces disruption after quick rise to infamy
The Scattered Spider group first emerged in 2022 and is best known for conducting a supply chain attack against cloud communications platform Twilio in 2022 and a ransomware attack against MGM International and Caesars Entertainment in 2023.

The group launches a high volume of sophisticated social-engineering campaigns targeting well-known brands, mostly in the United States, and deploys phishing kits impersonating employee log-in pages in attempts to gain access to corporate environments. The gang also targets software providers, such as cloud storage services, used by its target companies, according to Silent Push.

In the past, Scattered Spider was an affiliate of the now-defunct ALPHV/BlackCat ransomware-as-a-service (RaaS) group, and more recently it has been observed using Qilin and RansomHub ransomware.

Scattered Spider faced a number of setbacks in 2024, namely the arrests of seven suspected members, including its alleged leader Tyler Buchanan, aka “tylerb.” The group’s activity appeared to slow down during this time, according to Silent Push. However, its activity has persisted into 2025.
Latest Scattered Spider phishing TTPs, IoCs uncovered
Silent Push used the digital fingerprints of four previous phishing kits leveraged by Scattered Spider to track the group’s activity and the infrastructure it uses to conduct its social-engineering attacks.

Most of these past phishing kits impersonated Okta log-in pages for targeted companies, such as Apple, Klaviyo, DoorDash, Comcast and dozens more. The phishing pages combined Okta and target-company branding to entice employees of the target companies to enter their credentials.

The latest phishing kit, discovered by a threat intel researcher known as Lontz in January 2025, appears to include several different brands on the same website, which Silent Push noted may be “a development mistake.” The discovery of this latest phishing template, which also impersonates an Okta login page, revealed the group’s most recent targets, including HubSpot, Morningstar, New York Digital Investment Group, Instacart, Vodafone and cloud storage provider Pure Storage.

Silent Push also found that Scattered Spider began using dynamic domain name system (DNS) services this year, particularly the “it[.]com” service, which allows the threat actor to rent subdomains of it[.]com. These services make malicious domains harder to track because they leave no domain registration fingerprints; organizations should therefore consider blocking all domains provided by these dynamic DNS services.

Another notable recent development in Scattered Spider’s activity was the registration of a domain that was previously and legitimately owned by Twitter, now known as X. Silent Push tracked the registration records of the domain twitter-okta[.]com and found it was owned by Twitter beginning on Aug. 22, but changed hands on Oct. 6, 2024, and was traced back to Scattered Spider through the fingerprint of one of their phishing kits.

Scattered Spider’s squatting of the twitter-okta[.]com domain demonstrates the group’s aggressive acquisition of brand impersonation domains, with Silent Push noting the group often registers many domains at a time targeting a particular company for its social engineering.
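As an added example (not part of the Silent Push report or this article), the detection logic below flags resolver queries for the two domain patterns just described: hostnames rented under the it[.]com dynamic DNS service, and brand-plus-Okta look-alike domains such as twitter-okta[.]com registered outside Okta's own zones. The log format, the brand watch list and the list of legitimate Okta zones are constructed assumptions, and the registrable-domain check approximates the Public Suffix List.

```python
"""Flag resolver queries matching the Scattered Spider domain patterns above: hostnames
rented under it.com dynamic DNS, and <brand>-okta look-alikes (cf. twitter-okta[.]com)."""
import re

DYNAMIC_DNS_ZONES = {"it.com"}                                      # named in the report
MONITORED_BRANDS = {"twitter", "hubspot", "instacart", "vodafone"}  # constructed watch list
LEGIT_OKTA_ZONES = {"okta.com", "oktacdn.com", "oktapreview.com", "okta-emea.com"}
# Constructed resolver log format: "<iso-time> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def registrable_label(name):
    """Label left of the TLD. Approximation: assumes single-label public suffixes
    such as .com; a real deployment should consult the Public Suffix List."""
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else name

def classify(qname):
    """Return why a hostname is suspicious, or None if it matches no tracked pattern."""
    name = qname.lower().rstrip(".")
    for zone in DYNAMIC_DNS_ZONES:             # rule 1: anything rented under it.com
        if name.endswith("." + zone):
            return f"dynamic-dns subdomain of {zone}"
    if any(name == z or name.endswith("." + z) for z in LEGIT_OKTA_ZONES):
        return None                            # e.g. twitter.okta.com is a genuine tenant
    label = registrable_label(name)            # okta.twitter.com stays the brand's own domain
    if "okta" in label:                        # rule 2: Okta name in the registered label
        brands = ",".join(sorted(b for b in MONITORED_BRANDS if b in label))
        return f"okta look-alike impersonating {brands or 'unlisted brand'}"
    return None

def scan_log(lines):
    """Return (qname, client, reason) for every log line whose query is flagged."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            _ts, client, qname, _qtype = m.groups()
            reason = classify(qname)
            if reason:
                findings.append((qname.lower().rstrip("."), client, reason))
    return findings

# Constructed sample log: one genuine Okta tenant, one brand look-alike, one it.com rental
SAMPLE_LOG = """\
2025-01-14T09:12:03Z 10.0.4.21 twitter.okta.com. A
2025-01-14T09:12:09Z 10.0.4.21 twitter-okta.com. A
2025-01-14T09:13:44Z 10.0.7.8 sso-hubspot.it.com. A
2025-01-14T09:14:01Z 10.0.7.8 hubspot.com. A
2025-01-14T09:15:30Z 10.0.9.2 login-okta-vpn.com A""".splitlines()
```

Running `scan_log(SAMPLE_LOG)` flags the second, third and fifth queries and leaves the genuine tenant hostname and the brand's own domain alone.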
New SpectreRAT added to Scattered Spider toolkit
Silent Push was able to obtain a malware sample from one of Scattered Spider’s suspected impersonation domains, registered with NiceNIC, which is the group’s preferred registrar as of 2025.

This sample revealed a new version of the Spectre RAT remote access trojan, which includes updated obfuscation features and a sophisticated crypter, according to Silent Push. Obtaining this sample allowed Silent Push to provide resources for defenders to use against Scattered Spider and Spectre RAT infections.

The RAT is designed to prevent multiple instances from running at once by creating a mutex that the malware checks for before running. This mutex could be used as a “malware vaccine” for Spectre RAT to prevent a new infection from succeeding, Silent Push noted.

The Silent Push team was also able to leverage information from the Spectre RAT sample to develop string decoder and C2 emulator code that cyber defenders can use to better analyze and understand the malware. These tools were made publicly available for free via GitHub.

“This allows researchers to simulate real-world scenarios and analyze how the malware responds to various operational commands, thereby deepening our understanding of its functionality,” Silent Push researchers wrote.