This group, whose aggressive campaigns began in May 2022, had previously centered its efforts on telecommunications and business process outsourcing (BPO) sectors but is now exploiting the complex, vendor-rich environments of retail, especially during high-activity seasons.
While direct attribution remains circumstantial, the technical hallmarks of recent intrusions, including cloud exploitation and advanced social engineering, precisely match Scattered Spider’s established playbook.
Typically, the group’s initial access is followed by ransomware deployment and extortion, perpetrated by affiliates such as DragonForce or the ALPHV/BlackCat operation.
This separation of duties (between initial access brokers, ransomware developers, and extortionists) mirrors a trend in the broader ransomware ecosystem, where criminal groups collaborate using “white-label” infrastructure without overt co-branding.
The threat to UK retail organizations is amplified by their reliance on third-party vendors and the high staff turnover typical of peak sales periods.
Scattered Spider exploits this environment through persistent, stealthy operations that leverage weak points in both human and technical defenses.
Scattered Spider’s attack cycle begins with the collection of target employee details, often acquired via commercial data aggregation services or from underground forums.
The group then initiates elaborate phishing, including SMS-based (smishing), Telegram messaging, and direct voice calls (vishing), to harvest credentials and multi-factor authentication (MFA) tokens.
According to the Cyberint report, these operations are often enhanced by impersonation of IT support staff and the deployment of commercial remote management tools such as AnyDesk and ConnectWise Control, enabling covert, long-term access.
Phishing tactics are complemented by technical exploits, such as SIM swapping, MFA fatigue attacks, and the exploitation of vulnerabilities in widely used cloud and identity platforms.
In previous incidents, the attackers have used malicious, signed kernel drivers (notably POORTRY and STONESTOP) to disable endpoint detection and response (EDR) software and bypass security controls.
Their cloud expertise is evident in lateral movement across Microsoft 365, Azure, AWS, and Google Workspace environments, using harvested tokens and manipulation of identity access management (IAM) roles.
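As an added example (not code from the article or the Cyberint report), a small detector for the MFA fatigue pattern in the attack cycle above: it scans constructed push-notification log lines and flags any user who receives a burst of push prompts within a short window, noting whether the burst ends in an approval. The log format, window size and burst threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: "timestamp user result").
# alice shows the fatigue pattern: repeated denials/timeouts ending in an approval.
SAMPLE_LOG = """\
2025-04-30T02:10:01Z alice push_denied
2025-04-30T02:10:35Z alice push_timeout
2025-04-30T02:11:02Z alice push_denied
2025-04-30T02:11:40Z alice push_denied
2025-04-30T02:12:15Z alice push_approved
2025-04-30T09:00:00Z bob push_approved
2025-04-30T13:30:00Z bob push_denied
2025-04-30T13:31:00Z bob push_approved
"""

WINDOW = timedelta(minutes=10)  # assumed sliding detection window
MIN_PROMPTS = 4                 # assumed burst threshold


def parse(log_text):
    """Parse lines into (timestamp, user, result) tuples, skipping malformed ones."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2]))
    return events


def detect_mfa_fatigue(log_text, window=WINDOW, min_prompts=MIN_PROMPTS):
    """Return {user: (max_prompts_in_window, burst_ended_in_approval)} for every
    user whose push prompts inside any sliding window reach min_prompts."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(parse(log_text)):
        by_user[user].append((ts, result))
    findings = {}
    for user, prompts in by_user.items():
        start = 0
        for end in range(len(prompts)):
            # Advance the window start until the span fits inside the window.
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= min_prompts:
                approved = prompts[end][1] == "push_approved"
                prev_count, prev_approved = findings.get(user, (0, False))
                findings[user] = (max(prev_count, count), prev_approved or approved)
    return findings
```

A burst that ends in an approval is the case worth paging on: the user may have accepted a prompt they did not initiate, so the session that follows should be reviewed.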
Scattered Spider’s campaigns since mid-2022 have been marked by increasing sophistication and scale.
High-profile breaches include the compromise of a U.S. cloud communications provider in August 2022 and successive attacks targeting telecom, BPO, and cryptocurrency-related entities.
Their TTPs (tactics, techniques, and procedures) consistently feature initial access via credential phishing, privilege escalation exploiting vulnerabilities like CVE-2021-35464 (ForgeRock AM server) and CVE-2015-2291 (Intel Ethernet diagnostics driver), and deployment of commodity malware and ransomware payloads, often culminating in aggressive negotiation tactics with victim organizations.
For UK retail, Scattered Spider’s attacks frequently exploit seasonal vulnerabilities: high helpdesk turnover, less experienced temporary staff, and the attractiveness of payment tokens and loyalty data as extortion assets, even when devices are not encrypted.
The group’s technical toolkit is notable for the use of the BYOVD (bring-your-own-vulnerable-driver) technique and for deploying the open-source bedevil Linux rootkit against VMware vCenter servers.
Vulnerabilities exploited include the aforementioned CVE-2015-2291 and CVE-2021-35464, as well as an emerging focus on vulnerabilities affecting VMware ESXi integration with Active Directory (CVE-2024-37085).
Throughout their campaigns, Scattered Spider demonstrates exceptional adaptability, leveraging both direct social engineering and technical exploits to maintain persistence, escalate privileges, and conduct data exfiltration through obfuscated channels such as Rclone, FileZilla, Dropbox, and others.
The post Scattered Spider Targets UK Retail Organizations with Supply Chain Attacks appeared first on Cyber Security News.