Scattered Spider Attacking UK Retail Organizations in Supply Chain Attack

A sophisticated threat actor group known as Scattered Spider has expanded its targeting to UK retail organizations, leveraging advanced supply chain attack methodologies to compromise high-value targets.

The financially motivated group, operating since May 2022, has evolved from primarily targeting telecommunications and business process outsourcing (BPO) sectors to focusing on high-leverage industries including critical infrastructure and UK retail chains.

These attacks represent a significant escalation in both scope and impact, occurring during peak retail seasons to maximize financial leverage.


Initially emerging as a specialist in social engineering tactics, Scattered Spider (also tracked as Roasting Oktapus and Scatter Swine) has demonstrated remarkable adaptability in its operational methodology.

The group has integrated cloud exploitation techniques with sophisticated social engineering, including SMS phishing, SIM swapping, and exploiting Multi-Factor Authentication (MFA) fatigue.

Their primary initial access vector involves gathering employee mobile numbers from commercially available data aggregation services, followed by targeted phishing campaigns that impersonate IT personnel to extract credentials or gain remote access.

Cyberint researchers identified a concerning pattern in mid-2023 when Scattered Spider became affiliated with the BlackCat (ALPHV) ransomware operation, initiating the deployment of ransomware payloads on both Windows and Linux systems, with particular focus on VMware ESXi servers.

This evolution indicates the group has likely embedded itself within Russian-speaking ransomware-as-a-service (RaaS) networks, though they avoid targeting organizations within the Commonwealth of Independent States (CIS).

The attacks follow a multi-stage approach that begins with initial access via phishing, transitions to establishing persistence through legitimate remote management tools, and culminates in data exfiltration and potential ransomware deployment.

While Scattered Spider has not publicly claimed responsibility for the UK retail intrusions, their distinctive initial access tactics and exploitation techniques align closely with their known behavioral patterns, making their involvement highly probable.

The evidence suggests Scattered Spider is functioning as an access broker or collaborator within the DragonForce affiliate model, reflecting a broader shift in the ransomware ecosystem where specialized actors collaborate without co-branding, often using white-labeled infrastructure to obscure attribution.

Security Bypass and Persistence Mechanisms

At the core of Scattered Spider’s technical capability is their sophisticated use of malicious drivers to disable security software.

Their primary tool, POORTRY, is designed to terminate Endpoint Detection and Response (EDR) processes on Windows systems.

The driver exploits CVE-2015-2291, a vulnerability in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys), allowing local users to execute arbitrary code with kernel privileges through crafted IOCTL calls (0x80862013, 0x8086200B, 0x8086200F, or 0x80862007).

To avoid detection, attackers sign the POORTRY driver with a Microsoft Windows Hardware Compatibility Authenticode signature.

Working in conjunction with POORTRY is STONESTOP, a Windows userland utility that functions both as a loader and installer for POORTRY. This tool orchestrates the driver's actions: it writes the malicious driver to the host, loads it, and directs it to terminate security processes.

These tools create a sophisticated kernel-level attack that allows Scattered Spider to operate with minimal detection while maintaining persistent access to compromised retail systems.
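Because both the abused Intel driver and POORTRY carry legitimate Authenticode signatures, a defender cannot rely on "signed" as a clean bill of health. The following Python is an added example (not code from the article or the named tools) that triages Sysmon DriverLoad (Event ID 6) style records: it flags the driver the article names (iqvw64.sys), loads from outside the standard driver directory, and unsigned loads. The field names mirror Sysmon's; the sample records and the "non-standard path" heuristic are assumptions constructed for the example.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD-style activity."""
import re
from dataclasses import dataclass

# Driver the article names as abused via CVE-2015-2291. A real deployment would
# extend this set from its own vulnerable-driver blocklist (assumption).
KNOWN_VULNERABLE_DRIVERS = {"iqvw64.sys"}

# Kernel drivers normally live under System32\drivers; a load from a user-writable
# location is suspicious regardless of signature (assumed heuristic).
NORMAL_DRIVER_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.I)


@dataclass
class Finding:
    image: str
    reason: str


def assess_driver_load(event: dict) -> list[Finding]:
    """event mirrors Sysmon Event ID 6 fields: ImageLoaded, Signed, Signature."""
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    findings = []
    if name in KNOWN_VULNERABLE_DRIVERS:
        findings.append(Finding(image, "known-vulnerable driver loaded"))
    if not NORMAL_DRIVER_DIR.match(image):
        findings.append(Finding(image, "driver loaded from non-standard path"))
    # Signed == "true" is deliberately NOT treated as exonerating: both the Intel
    # driver and POORTRY are validly signed, so only the unsigned case is flagged.
    if event.get("Signed", "").lower() == "false":
        findings.append(Finding(image, "unsigned driver"))
    return findings


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true",
     "Signature": "Microsoft Windows"},
    {"ImageLoaded": r"C:\Users\Public\iqvw64.sys", "Signed": "true",
     "Signature": "Intel Corporation"},
]


def scan(events: list[dict]) -> dict[str, list[Finding]]:
    """Map each loaded image to the findings raised for it (empty list = clean)."""
    return {e["ImageLoaded"]: assess_driver_load(e) for e in events}


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"ALERT {f.image}: {f.reason}")
```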


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.