Scattered Spider’s Newest Targets: Transportation and Airlines

Google Threat Intelligence Group (GTIG) discovered a “sophisticated and aggressive cyber campaign” in mid-2025, targeting retail, airline, and insurance sectors. According to the findings, this campaign was the work of UNC3944, a threat group overlapping with public reporting of groups such as 0ktapus, Octo Tempest, and Scattered Spider.
The group's tradecraft does not depend on software exploits. Instead, its operators phone IT help desks and use creative, sophisticated social engineering to talk their way into account access.
Thomas Richards, Infrastructure Security Practice Director at Black Duck, explains, “The advanced sophistication Scattered Spider exhibits should have security teams on alert. Social engineering attacks can be prevented with proper training and a challenge process to validate that the caller is who they say they are. With valid credentials and built-in tools in use, it is difficult for security teams to discern whether they are compromised or not.”
These threat actors are not opportunistic; they run precise operations against an organization’s most critical data and systems.
GTIG states, “Their strategy is rooted in a ‘living-off-the-land’ (LoTL) approach. After using social engineering to compromise one or more user accounts, they manipulate trusted administrative systems and use their control of Active Directory as a launchpad to pivot to the VMware vSphere environment, thus providing an avenue to exfiltrate data and deploy ransomware directly from the hypervisor. This method is highly effective as it generates few traditional indicators of compromise (IoCs) and bypasses security tools like endpoint detection and response (EDR), which often have limited or no visibility into the ESXi hypervisor and vCenter Server Appliance (VCSA).”
Below, security leaders weigh in on Scattered Spider's movements.
Security Leaders Weigh In
Shane Barney, Chief Information Security Officer at Keeper Security:
Scattered Spider is evolving its tactics with a deliberate focus on VMware ESXi hypervisors, the backbone of many organizations’ digital environments. This shift targets the critical systems that support business operations in sectors such as retail, transportation and aviation. The group gains access through social engineering, impersonating IT staff and using existing admin tools to move laterally within networks. Their ultimate goal is to reach key systems, extract sensitive data and disrupt recovery by deleting backups and deploying ransomware.
Stopping these attacks requires more than just patching or threat detection. A zero trust architecture is critical to limit lateral movement and enforce identity verification at every step. A robust Privileged Access Management (PAM) solution can further block access to sensitive systems like vCenter. Since the initial breach depends heavily on social engineering, organizations need to train employees, especially IT and help desk staff, to recognize and respond to impersonation attempts.
This activity is a reminder that even well-protected organizations can be targeted by persistent, well-resourced groups. Staying ahead means strengthening identity security, limiting privileged access and preparing teams to respond to modern, multi-phased attacks.
Jason Soroko, Senior Fellow at Sectigo:
Scattered Spider has shown that the weakest link in a modern hybrid cloud is still the human who answers the help desk phone. By taking advantage of corporate familiarity rituals such as identity verification questions and extension dialing trees, the group sidesteps agent-based defense layered within virtual machines and walks straight into the hypervisor. Once a trusted vSphere account is reset for them, they move laterally with built-in utilities, turning the supposed advantage of virtualization into a liability because the same management plane that simplifies operations also centralizes risk. Their campaign’s focus on retail, airline, and transportation firms suggests a deliberate search for businesses whose customer experience depends on constant uptime, increasing the likelihood that ransom payments feel cheaper than prolonged outages.
An unsettling aspect of their playbook is its deliberate erasure of forensic breadcrumbs. Disk-swap extraction of the Active Directory database happens while the domain controller is powered off, which starves logging agents of visibility. Snapshot pruning and backup job deletion eliminate the last line of easy recovery. Even high-assurance secrets vaults become stepping stones once a privileged identity is hijacked. The lesson is that hypervisor management networks must adopt the same out-of-band verification rigor traditionally reserved for wire transfers, and that backups must be vaulted beyond the reach of vSphere credentials. Until organizations treat social engineering resistance and privileged identity isolation as availability controls rather than mere compliance tasks, threat groups like Scattered Spider will keep turning ordinary IT conveniences into precision-guided weapons.
Ms. Nivedita Murthy, Senior Staff Consultant at Black Duck:
Organizations are experiencing a rise in spear phishing attacks targeting their help desk teams, which often hold significant access to internal systems. If not properly secured, these teams can become a vulnerability, allowing attackers to use social engineering tactics to gain credentials and initiate an attack. People are typically the weakest link within an organization. To mitigate this risk, organizations should train their help desk teams to identify potential threats and implement robust security measures, including configuring SIEM systems to detect unusual activity that may not be covered by EDR tools.
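The GTIG description of the pivot (Active Directory account, then vCenter, then a domain controller's disk pulled from the hypervisor) and the point above about SIEM rules covering what EDR cannot see both come down to one question: what does that chain look like in the management-plane audit trail, and how do you correlate it? The script below is an added example written for this page; it is not code from the article, GTIG, Black Duck, or any vendor quoted here. The event type names follow vCenter's vim.event naming (VmPoweredOffEvent, VmReconfiguredEvent, PermissionAddedEvent, TaskEvent), but the pipe-delimited line layout, the sample lines, the tier-0 VM list, and the two-hour window are all constructed assumptions; map `parse_line` onto the fields your SIEM already extracts from vCenter syslog.

```python
"""Correlate vCenter-style audit events into the AD -> vSphere pivot chain.

Added example, not code from the article or any quoted vendor. Event type
names mirror vCenter's vim.event classes; the line format, sample lines,
TIER0_VMS and WINDOW are assumptions for this demo, not a real export.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TIER0_VMS = {"DC01", "DC02"}           # assumption: names of the domain controller VMs
WINDOW = timedelta(hours=2)            # assumption: max gap between power-off and disk reattach
PRUNE_TASKS = {"VirtualMachine.removeSnapshot", "VirtualMachine.removeAllSnapshots"}

# Constructed sample log (not real data). One operator walks the chain the
# GTIG quote describes: gets Administrator on vCenter, powers off a DC,
# attaches the DC's VMDK to another VM (offline NTDS.dit copy), prunes
# snapshots. A second admin does routine work that must not alert.
SAMPLE_LOG = """\
2025-06-12T02:03:10Z|UserLoginSessionEvent|CORP\\helpdesk.tmp|10.20.30.5|-|login
2025-06-12T02:05:41Z|PermissionAddedEvent|CORP\\helpdesk.tmp|-|Datacenter-01|role=Administrator principal=CORP\\helpdesk.tmp
2025-06-12T02:09:02Z|VmPoweredOffEvent|CORP\\helpdesk.tmp|-|DC01|-
2025-06-12T02:11:37Z|VmReconfiguredEvent|CORP\\helpdesk.tmp|-|JUMP-WIN01|disk_added=[datastore1] DC01/DC01.vmdk
2025-06-12T02:40:12Z|TaskEvent|CORP\\helpdesk.tmp|-|DC01|descriptionId=VirtualMachine.removeAllSnapshots
2025-06-12T08:15:00Z|VmPoweredOffEvent|CORP\\vmadmin|-|BUILD-07|-
2025-06-12T08:16:00Z|VmPoweredOnEvent|CORP\\vmadmin|-|BUILD-07|-
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    src: str
    target: str
    detail: str


def parse_line(line: str) -> Event:
    """Split one constructed line: ts|event_type|user|src_ip|target_object|detail."""
    ts, kind, user, src, target, detail = line.rstrip("\n").split("|", 5)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, user, src, target, detail)


def classify(ev: Event):
    """Map one event to a stage of the pivot, or None if it is routine."""
    if ev.kind == "PermissionAddedEvent" and "role=Administrator" in ev.detail:
        return "admin_grant"
    if ev.kind == "VmPoweredOffEvent" and ev.target in TIER0_VMS:
        return "dc_powered_off"
    if ev.kind == "VmReconfiguredEvent":
        # A tier-0 VM's disk attached to a *different* VM is the disk-swap tell.
        m = re.search(r"disk_added=\[[^\]]+\] ([^/]+)/", ev.detail)
        if m and m.group(1) in TIER0_VMS and m.group(1) != ev.target:
            return "dc_disk_attached_elsewhere"
    if ev.kind == "TaskEvent":
        m = re.search(r"descriptionId=(\S+)", ev.detail)
        if m and m.group(1) in PRUNE_TASKS:
            return "snapshot_prune"
    return None


def correlate(lines):
    """Group staged events per user and alert when a DC power-off is followed
    within WINDOW by its disk being attached to another VM. Admin grant or
    snapshot pruning by the same user in the sequence raises severity."""
    staged = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        stage = classify(ev)
        if stage:
            staged[ev.user].append((ev.ts, stage, ev.target))

    alerts = []
    for user, evs in staged.items():
        evs.sort()
        stages = {s for _, s, _ in evs}
        offs = [t for t, s, _ in evs if s == "dc_powered_off"]
        swaps = [t for t, s, _ in evs if s == "dc_disk_attached_elsewhere"]
        if not (offs and swaps):
            continue
        if any(timedelta(0) <= sw - off <= WINDOW for off in offs for sw in swaps):
            severity = "critical" if {"admin_grant", "snapshot_prune"} & stages else "high"
            alerts.append({
                "user": user,
                "severity": severity,
                "stages": sorted(stages),
                "first_seen": evs[0][0].isoformat(),
                "last_seen": evs[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The rule keys on the order and proximity of two events that are individually unremarkable (an admin powering off a VM, an admin editing a VM's disks) rather than on any malware signature, which is the only kind of logic that works when the actor is using valid credentials and vCenter's own tooling. The same shape carries over to ESXi host syslog (SSH enablement, datastore browsing) once you have those feeds in the SIEM.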
Rom Carmel, Co-Founder and CEO at Apono:
Scattered Spider isn’t just back; they’ve leveled up. This crew is now directly targeting VMware ESXi hypervisors, bypassing endpoint defenses and striking at the infrastructure layer. Their latest campaigns against North American retail, airline, and transportation sectors show a shift from account compromise to hypervisor control, using stolen credentials and relentless social engineering.
They’re not relying on zero-days, so what makes this more dangerous?
- No malware required for initial access
- Living-off-the-land persistence that blends into legitimate admin activity
- Backup destruction and root access to hypervisors ensuring no easy recovery
This isn’t smash-and-grab. It’s campaign-style cyber sabotage, with ransomware as the final blow.
Here’s where Zero Standing Privilege changes the game. Had these environments enforced Just-in-Time access, attackers wouldn’t find persistent admin credentials to abuse. And with Just-Enough-Access, even compromised accounts would be limited in scope, making lateral movement far harder. Tight, time-bound access windows and approval workflows help prevent the kind of deep, infrastructure-level compromise Scattered Spider is pulling off.