Scattered Spider Employs Sophisticated Attacks to Steal Login Credentials & MFA Tokens

Scattered Spider, a criminal hacking collective active since at least 2022, continues to run increasingly sophisticated social engineering attacks aimed at stealing login credentials and multifactor authentication (MFA) tokens.

The group, also known as UNC3944, Star Fraud, Octo Tempest, Scatter Swine, or Muddled Libra, has been linked to several high-profile security breaches, including the Twilio incident in August 2022 and the MGM breach in September 2023.

Operating as part of a larger hacking collective known as “The Community” or “The Comm,” Scattered Spider has developed a reputation for conducting meticulous research on their targets before launching attacks.


Their sophisticated phishing campaigns typically impersonate trusted entities, using carefully crafted domains that mimic legitimate corporate resources.

Scattered Spider host was registered on a subdomain of it[.]com (Source – Silent Push)

The group has targeted numerous sectors including financial, retail, entertainment, telecommunications, cloud storage platforms, and software providers.

Silent Push researchers have identified five distinct Scattered Spider phishing kits in use since at least 2023, several of which have gone through multiple iterations and updates.

These kits create convincing replicas of corporate login portals, particularly focusing on Okta authentication pages, to harvest credentials and MFA tokens.

Despite the arrests of at least seven members in 2024, including an alleged leader, the group’s operations continue to evolve in 2025.

Recent findings from Silent Push analysts reveal a significant development: Scattered Spider has acquired a domain (twitter-okta.com) previously owned by Twitter/X.

The domain was most likely registered by Twitter as a brand-protection measure and has changed hands several times: it was first registered through Porkbun in June 2022, was under Twitter's control (via brand protection vendor CSC) by August 2022, and was acquired by Scattered Spider in October 2024 through NiceNIC, the group's current registrar of choice.

In early 2025, Silent Push researchers found that Scattered Spider's arsenal now includes a new version of Spectre RAT, a remote access trojan that gives the operators persistent access to compromised systems.

The malware marks a step up in the group's technical capabilities beyond its established social engineering tradecraft.

Spectre RAT: Technical Analysis

The Spectre RAT variant used by Scattered Spider includes persistence and stealth mechanisms. On startup the malware creates a mutex named "DF7AB1137F" and exits if that mutex already exists, so only one instance runs per host.

This mechanism can also serve as a vaccine: a defender who creates a mutex with that name in advance blocks further Spectre RAT infections on the same system, and the fixed name is itself a useful hunting artifact when enumerating named objects on suspect hosts.

The RAT's command-and-control protocol runs over HTTP, with different URI parameters selecting different functions.

The primary channel uses a parameter named "wber" whose numeric value selects the operation:-

wber value      | Purpose                | Server ACK response
6               | Beacon packet          | "txru" or fail
5               | Ping back (no data)    | (none)
35 (with kiqa)  | Download resource      | "void" or base64-encoded data

Commands sent to the implant are tokenized on the "|" character, with a numeric identifier selecting the operation and the remainder carrying its parameters (sub-fields separated by "*"):-

CMD number | Parameter (tokenized by '|') | Description
1          | Filename                     | Download a file from the infected machine
2          | Type*http payload            | Upload a file to the infected machine
3          | FolderPath*filename          | Execute an executable at the given folder path
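The two tables above describe enough of the protocol to write a small detection and parsing aid. The following Python is an added example written for this page, not Silent Push's tooling or the malware's own code. It assumes the "wber" and "kiqa" parameters travel in the URL query string (the analysis does not state whether the implant uses GET or POST), that commands arrive as "<number>|<parameter>" with "*" separating sub-fields, and that Windows paths are used on the victim; the proxy log lines are constructed, not real traffic.

```python
import base64
import binascii
import re
from pathlib import PureWindowsPath
from urllib.parse import parse_qs, urlsplit

# "wber" values from the analysis, mapped to the operation they select.
WBER_OPERATIONS = {
    "6": "beacon",
    "5": "ping_back",
    "35": "download_resource",  # assumed to carry the resource name in "kiqa"
}

# Constructed proxy log lines for the example (source, method, URL, status).
SAMPLE_PROXY_LOG = """\
10.0.4.17 GET http://klv1.it.com/?wber=6 200
10.0.4.17 GET http://klv1.it.com/?wber=5 200
10.0.4.17 GET http://klv1.it.com/?wber=35&kiqa=update.bin 200
10.0.4.23 GET https://www.example.com/search?q=wber 200
10.0.4.31 GET https://cdn.example.net/assets/app.js 200
"""

LOG_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def classify_request(url):
    """Return the Spectre RAT operation implied by a request URL, or None."""
    qs = parse_qs(urlsplit(url).query)
    wber = qs.get("wber")
    if not wber:
        return None
    op = WBER_OPERATIONS.get(wber[0])
    if op is None:
        return None  # unknown value: not one of the documented operations
    if op == "download_resource":
        return {"op": op, "resource": qs.get("kiqa", [None])[0]}
    return {"op": op}


def scan_proxy_log(text):
    """Flag log lines whose URL matches the documented wber operations."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["url"])
        if verdict:
            hits.append({"src": m["src"], "host": urlsplit(m["url"]).hostname, **verdict})
    return hits


def parse_ack(op, body):
    """Interpret the server's ACK for an operation, mirroring the ACK column.

    An invalid beacon response is tagged with the "100 10010" code the
    malware itself logs for that condition.
    """
    if op == "beacon":
        return {"ok": True} if body == "txru" else {"ok": False, "error": "100 10010"}
    if op == "download_resource":
        if body == "void":
            return {"ok": True, "data": None}
        try:
            return {"ok": True, "data": base64.b64decode(body, validate=True)}
        except (binascii.Error, ValueError):
            return {"ok": False, "error": "bad base64"}
    return {"ok": True}  # ping back carries no data


def parse_command(raw):
    """Parse an operator command of the form '<cmd>|<parameter>'."""
    cmd, _, param = raw.partition("|")
    if cmd == "1":
        return {"cmd": 1, "action": "exfiltrate_file", "path": param}
    if cmd == "2":
        kind, _, payload = param.partition("*")
        return {"cmd": 2, "action": "drop_file", "type": kind, "payload": payload}
    if cmd == "3":
        folder, _, name = param.partition("*")
        return {"cmd": 3, "action": "execute", "path": str(PureWindowsPath(folder, name))}
    raise ValueError(f"unknown command: {raw!r}")


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(parse_command("3|C:\\Users\\Public*svc.exe"))
```

A bare "wber" parameter is a weak signal on its own; in practice the hits should be joined with the domain feed (for example the it[.]com subdomains noted in the article) before they page anyone.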

The malware includes a debug logging system that records errors with specific codes, such as "100 10010" for an invalid beacon response and "100 10002" for an installation-path problem.

These fixed strings indicate where a deployment failed and, for defenders, are good candidates for detection signatures alongside the mutex name and the URI parameters above.

VirusTotal results for klv1[.]it[.]com (Source – Silent Push)

To counter this threat, Silent Push publishes Indicators of Future Attack (IOFA) feeds that track Scattered Spider infrastructure, including recently observed domains such as klv1[.]it[.]com, which targets Klaviyo, and others impersonating corporate services.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.