According to a joint cybersecurity advisory published on July 29, 2025 by the FBI, CISA, and allied agencies from Canada, the UK, and Australia, threat actor Scattered Spider has resumed operations in mid-2025 following a brief break due to law enforcement actions. The threat group, also known as UNC3944, Octo Tempest, and 0ktapus, has reportedly adopted new tactics to compromise cloud environments and virtualization platforms.
The advisory notes that Scattered Spider threat actors were active as recently as June 2025, targeting commercial facilities and critical infrastructure sectors. Their methods continue to rely on social engineering, including impersonation of employees during help desk interactions to reset passwords and enroll attacker-controlled multi-factor authentication (MFA) devices.
Recent campaigns have focused on compromising VMware ESXi hypervisors and vSphere environments. Google’s Threat Intelligence Group (GTIG) reports that attackers gained access to vCenter Server Appliances (VCSA), enabled SSH access, and deployed remote access tools such as Teleport to maintain persistence. These intrusions allowed the group to exfiltrate Active Directory databases and deploy ransomware directly from the hypervisor layer.
The ransomware variant most recently attributed to Scattered Spider is DragonForce, which was deployed during attacks on UK and US retailers in April and May 2025.
Analyst insight
Government agencies recommend that organizations implement phishing-resistant MFA, such as FIDO or PKI-based methods, to defend against Scattered Spider’s use of push bombing and SIM swapping attacks. Restricting help desk procedures for credential resets is critical because attackers increasingly exploit these workflows through social engineering, impersonating employees to gain unauthorized access. Monitoring for anomalous behavior in privileged accounts is equally important, as these accounts have elevated access to sensitive systems and data.
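One way to turn the help-desk recommendation above into a detection: correlate a help-desk-initiated password reset with an MFA device enrollment on the same account shortly afterwards, the sequence the advisory attributes to Scattered Spider. This is an added example, not code from the advisory or any vendor; the event schema and the audit records are constructed for illustration and do not match any particular identity provider's native log format.

```python
"""Flag accounts where a third-party (help desk) password reset is followed by
a new MFA enrollment within a short window."""
from datetime import datetime, timedelta

# Constructed identity-provider audit events (not real telemetry).
# "actor" is who performed the action; a reset where actor != user models a
# help-desk-initiated reset rather than a self-service one.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:02:11Z", "user": "alice", "action": "password_reset", "actor": "helpdesk"},
    {"ts": "2025-06-10T09:15:40Z", "user": "alice", "action": "mfa_enroll", "actor": "alice", "factor": "push-app"},
    {"ts": "2025-06-10T11:00:00Z", "user": "bob", "action": "password_reset", "actor": "helpdesk"},
    {"ts": "2025-06-12T08:30:00Z", "user": "bob", "action": "mfa_enroll", "actor": "bob", "factor": "push-app"},
    {"ts": "2025-06-11T14:20:05Z", "user": "carol", "action": "mfa_enroll", "actor": "carol", "factor": "fido2"},
    {"ts": "2025-06-11T15:00:00Z", "user": "dave", "action": "password_reset", "actor": "dave"},
    {"ts": "2025-06-11T15:05:00Z", "user": "dave", "action": "mfa_enroll", "actor": "dave", "factor": "push-app"},
]


def parse_ts(raw):
    """Parse the constructed ISO-8601 UTC timestamp format used above."""
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, window=timedelta(hours=1)):
    """Return one finding per MFA enrollment that follows a help-desk reset of
    the same account within `window`. Self-service resets (actor == user) are
    ignored; only the help-desk workflow the advisory describes is correlated.
    Events are processed in time order, so a reset always precedes the
    enrollment it is matched with."""
    last_helpdesk_reset = {}  # user -> (datetime, raw timestamp)
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        t = parse_ts(ev["ts"])
        if ev["action"] == "password_reset" and ev["actor"] != ev["user"]:
            last_helpdesk_reset[ev["user"]] = (t, ev["ts"])
        elif ev["action"] == "mfa_enroll":
            reset = last_helpdesk_reset.get(ev["user"])
            if reset and t - reset[0] <= window:
                findings.append({
                    "user": ev["user"],
                    "reset_ts": reset[1],
                    "enroll_ts": ev["ts"],
                    "factor": ev.get("factor", "unknown"),
                    "minutes_between": round((t - reset[0]).total_seconds() / 60, 1),
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['factor']} enrolled {f['minutes_between']} min after help-desk reset")
```

On the sample data only alice is flagged: bob's enrollment falls outside the window, carol had no reset, and dave's reset was self-service.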
Enforcing application controls helps prevent unauthorized or malicious software from executing within the environment. By allowing only approved applications to run, organizations can block ransomware payloads and remote access tools commonly used by threat actors. Application control also generates audit logs that support early detection of suspicious activity, contributing to a layered defense strategy.
Finally, maintaining offline, regularly tested backups is essential because ransomware actors like Scattered Spider often attempt to encrypt or delete network-connected backups to maximize leverage during extortion attempts. Regular testing ensures that these backups are functional and complete, minimizing downtime during restoration.