Author: Richard Curteis - Director

Published: 08/05/2025

The Tangled Web: Scattered Spider, DragonForce - TTPs and Defences

This is not a criticism of the hacked organisations: defenders have to be lucky every day, attackers only have to be lucky once. Nor is it a full autopsy of the recent campaign. It is a high-level overview of the threat actors' known TTPs and a summary of actions businesses can take to secure themselves. Nor is it an ambulance chase: whilst Realize Security's services could be used to manage risk in this scenario, the same basic principles could be applied by any internal or external security team or practitioner.

TL;DR

Groups like Scattered Spider are doubling down on social engineering, whilst new Ransomware-as-a-Service (RaaS) models from groups like DragonForce are making powerful tools more accessible. Recent attacks on UK retailers highlight the impact these threats can have. This post breaks down who these actors are, their known methods, and what your organisation can do to defend itself.

The Evolving Threat

The world of cyber extortion is in constant flux. Cybercriminal groups are becoming more sophisticated and adaptable, refining their tactics to maximise profit. The broader ransomware environment is described as "fragmenting, decentralising, and growing more dangerous", a challenging reality for organisations today.

Two prominent examples of this evolution are the persistent threat from the Scattered Spider collective and the aggressive emergence of DragonForce ransomware, recently seen targeting UK retailers with significant impact. Their activities point to key trends: the resilience of well-organised threat actors, the proliferation of RaaS models, and the severe consequences for businesses and their customers. Scattered Spider, for instance, continues to operate and innovate despite arrests in 2024, demonstrating clear operational resilience. The real-world impact is stark, with millions in lost revenue, not to mention intangible losses such as reputation and trust from clients and investors.

The differing approaches, Scattered Spider's social engineering-driven attacks versus DragonForce's affiliate-based RaaS structure, indicate a maturing cybercrime ecosystem. This diversity makes the threat far more complex for defenders, demanding multifaceted security strategies. Furthermore, the targeting of major brands by both groups (e.g., MGM Resorts, Caesars Entertainment by Scattered Spider; M&S, Harrods, Co-op by DragonForce affiliates) shows that big game hunting remains a successful strategy.

Scattered Spider: Resilient and Evolving

Who are Scattered Spider?

Operational since at least spring 2022, Scattered Spider (also known as UNC3944, 0ktapus, Muddled Libra, and others) quickly gained notoriety for significant ransomware and extortion campaigns, primarily against US-based brands. High-profile incidents include the Twilio breach (August 2022) and attacks on MGM International and Caesars Entertainment (September 2023).

Tactics, Techniques, and Procedures (TTPs)

Scattered Spider's recent activities show a continued reliance on social engineering, combined with evolving technical methods:

  • Social Engineering: Attacks often start with SMS phishing (smishing) or direct calls to IT help desks to obtain password resets or bypass multi-factor authentication (MFA).
  • Phishing Kits: They develop and use unique phishing kits, often impersonating Okta login pages. A new kit (#5) was seen in early 2025 targeting high-profile services and brands.
  • Targeted Services & Brands (2025): Recent targets include Klaviyo, HubSpot, Pure Storage, Audemars Piguet, Chick-fil-A, Forbes, Instacart, Louis Vuitton, Nike, Twitter/X, Vodafone, and many more.
  • Spectre RAT: A new version of their Spectre Remote Access Trojan (RAT) is used for persistent access, data exfiltration, and remote command execution, featuring updated obfuscation techniques.
  • Infrastructure: They favour registrars like NiceNIC and hosting providers such as Njalla and Virtuo. A notable shift is their use of dynamic DNS services (e.g., it[.]com) to complicate tracking.
  • Defence Evasion: They are adept at disabling antivirus/EDR solutions and installing multiple Remote Monitoring and Management (RMM) tools (AnyDesk, ScreenConnect, etc.) for persistent backdoor access.
  • Ransomware Affiliation: Historically an ALPHV/BlackCat affiliate, they have more recently deployed ransomware from Qilin and RansomHub.

The group's resilience despite arrests suggests a decentralised model or rapid recruitment capabilities. Their focus on compromising Identity and Access Management (IAM) infrastructure and third-party services containing customer data (like Klaviyo and HubSpot) indicates a strategic approach to maximise impact. Installing numerous RMM tools not only ensures persistence but also complicates forensic investigations.

Suspected Involvement in UK Retail Attacks

Recent cyberattacks on UK retailers have led to speculation about Scattered Spider's involvement, particularly in the Marks & Spencer (M&S) incident, although as of 07/05/2025 this had not been officially confirmed, with the National Cyber Security Centre (NCSC) still investigating potential links.

Tactic Category | Specific Technique/Tool/Target | Brief Description & Observed Impact | Ref
Initial Access | Social Engineering of Help Desks; SMS Phishing (Smishing) | Obtaining credentials, MFA bypass, gaining initial foothold through manipulation. | 5
Initial Access | Phishing Kits (e.g., Kit #5 impersonating Okta) | Stealing login credentials by luring victims to fake login pages. | 2
Malware & Tools | Spectre RAT (New Version) | Persistent remote access, data exfiltration, command execution, system reconnaissance; updated version includes obfuscation. | 4
Persistence & Defence Evasion | Multiple RMM Tools (e.g., AnyDesk, ScreenConnect, Zoho Assist, TeamViewer) | Maintaining multiple backdoors for resilient access, evading detection by using legitimate tools. | 5
Persistence & Defence Evasion | Disabling AV/EDR, Deleting Firewall Profiles | Neutralising security software to operate undetected. | 5
Infrastructure & Targeting | Dynamic DNS (it[.]com service) | Obfuscating Command & Control (C2) infrastructure, making tracking difficult. | 2
Infrastructure & Targeting | Registrar: NiceNIC; Hosting: Njalla, Virtuo, Cloudflare | Preferred infrastructure providers for registering domains and hosting malicious content/C2 servers. | 4
Infrastructure & Targeting | Domain Acquisition (e.g., twitter-okta[.]com) | Aggressively registering domains impersonating legitimate brands for phishing campaigns. | 2
Infrastructure & Targeting | Targeted Services/Brands (2025): Klaviyo, HubSpot, Pure Storage, Vodafone, Instacart, NYDIG, Morningstar, Louis Vuitton, Nike, T-Mobile, Twitter/X, etc. | Gaining access to sensitive customer data, financial information, internal systems, and communication platforms for extortion/fraud. | 2
Table 1: Scattered Spider - Key TTPs and Recent Targets (2024-2025)

DragonForce

From Hacktivism to RaaS

DragonForce emerged around mid-2023, with its "DragonLeaks" dark web portal launching in December of that year. Possibly evolving from "DragonForce Malaysia," a hacktivist collective, the group is now predominantly a financially driven ransomware operation, stating they are "here for business and money". They are actively branding themselves as a "Ransomware Cartel".

The RaaS Model

DragonForce operates a sophisticated Ransomware-as-a-Service model:

  • Affiliate Programme: Launched by June 2024, actively recruiting hackers and other RaaS groups.
  • Revenue Share: Offers an attractive 80/20 split (affiliate/DragonForce), often better than competitors.
  • White-Label Model: Allows affiliates to use DragonForce infrastructure and ransomware under their own branding, with customisable ransom notes and file extensions.
  • Provided Infrastructure: Includes malware development support, a leak site ("DragonLeaks"/"RansomBay"), payment negotiation tools, and encrypted storage for stolen data.
  • Strategic Positioning: Capitalises on market disruptions, such as absorbing affiliates from the defunct RansomHub.

This model lowers the barrier to entry for cybercriminals, enabling a larger number of attackers to conduct impactful campaigns.

DragonForce Malware & Technical Capabilities

Their ransomware is built on potent, leaked codebases:

  • Code Origins: Initially based on leaked LockBit 3.0 (LockBit Black) builder, it has evolved to incorporate elements from the Conti v3 codebase, with some newer samples using the ChaCha8 encryption algorithm.
  • Encryption: Typically uses AES for file encryption, with RSA securing the AES keys.
  • Stealth: Employs techniques like embedding resources in the binary's overlay (Zlib compressed) and Address Space Layout Randomisation (ASLR) to evade detection and analysis.
  • Customisation: Affiliates can extensively customise payload behaviour, including execution delays and process termination lists.

Their agile development, leveraging leaked code from successful ransomware families like LockBit and Conti, allows them to offer a credible and dangerous RaaS platform quickly. Their public claim of a "moral code" (e.g., avoiding certain healthcare targets) is likely a strategic move to manage their image and potentially reduce their priority for law enforcement.

Known TTPs of DragonForce Affiliates

Affiliates use a range of common TTPs:

  • Initial Access: Phishing emails, exploitation of vulnerabilities (e.g., Log4j2 CVE-2021-44228; Ivanti CVEs CVE-2023-46805, CVE-2024-21887, CVE-2024-21893; Microsoft SmartScreen CVE-2024-21412), and stolen credentials for RDP/VPN access.
  • Execution & Post-Exploitation: Use of valid accounts (e.g., NTDS.dit theft at M&S), PowerShell, and tools like Mimikatz, Cobalt Strike, and SystemBC backdoor.
  • Persistence: Registry Run Keys (e.g., a "socks5" entry for hidden PowerShell execution).
  • Defence Evasion: Bring Your Own Vulnerable Driver (BYOVD) techniques, using legitimate but vulnerable drivers (like RogueKiller Anti-Rootkit Driver) to disable security software.
  • Data Exfiltration: Cloud storage (MEGA), WebDAV, and SFTP.
  • Extortion: Multi-extortion model involving data encryption, public leakage threats via their leak sites, and reputational damage.

Feature/Tactic Category | Specific Detail/Technique/Tool | Description & Purpose | Ref
RaaS Business Model | 80/20 Affiliate Revenue Split; White-Label Ransomware | Attracts a wide range of affiliates by offering high profit margins; allows affiliates to customise attacks and build their own "brand". | 1
RaaS Business Model | Provision of Malware, Leak Site ("DragonLeaks"/"RansomBay"), Negotiation Tools, Affiliate Panel | Lowers barrier to entry for affiliates by providing ready-made tools and infrastructure for conducting attacks and managing extortion. | 1
Malware Characteristics | Based on Leaked LockBit 3.0/Black & Conti v3 Code; AES/RSA Encryption (potentially ChaCha8) | Leverages proven, effective, and potent ransomware codebases for file encryption and key protection. | 6
Malware Characteristics | Stealth Features (Zlib compressed overlay, Dynamic Loading, ASLR) | Designed to evade static analysis by security tools and hinder reverse engineering efforts. | 10
Initial Access Vectors | Phishing Emails; Exploitation of Known Vulnerabilities (e.g., CVE-2021-44228, CVE-2023-46805, CVE-2024-21887, CVE-2024-21412); Stolen Credentials for RDP/VPN | Common entry points for malware delivery and gaining unauthorised access to networks. | 7
Execution & Post-Exploitation | Valid Accounts (T1078, e.g., NTDS.dit theft); PowerShell (T1059.001); User Execution (T1204.002) | Using legitimate credentials to blend in; running malicious scripts; tricking users into executing malware. | 6
Execution & Post-Exploitation | Tools: Cobalt Strike, Mimikatz, Advanced IP Scanner, PingCastle, SystemBC | Command & control, lateral movement, credential harvesting, network reconnaissance, Active Directory auditing, persistent backdoor. | 7
Persistence Mechanisms | Registry Run Keys (T1547.001, e.g., "socks5" entry) | Ensures malware or backdoors automatically restart after system reboot, maintaining attacker presence. | 6
Defence Evasion | Bring Your Own Vulnerable Driver (BYOVD) (e.g., using RogueKiller driver) | Disables or tampers with security software (AV/EDR) by exploiting vulnerabilities in legitimate kernel drivers. | 6
Data Exfiltration | Use of MEGA, WebDAV, SFTP (Living Off the Land) | Transferring stolen data to attacker-controlled storage using common cloud services or built-in protocols. | 7
Extortion Strategy | Multi-Extortion: Data Encryption + Data Leakage Threat (via leak sites) + Reputational Damage; Public display of negotiations & countdown timers | Maximises pressure on victims to pay ransom by threatening multiple negative consequences beyond just data unavailability. | 7
Table 2: DragonForce RaaS - Model and Core TTPs

UK Retail: A Coordinated Campaign (April-May 2025)

The Attacks

During April and May 2025, a series of cyberattacks hit prominent UK retailers, causing major disruptions. DragonForce claimed responsibility for attacks on Co-op, Harrods, and M&S. This campaign might signify a strategic pivot for DragonForce towards harvesting high-volume Personally Identifiable Information (PII) for secondary monetisation.

Impacted Retailers

  • M&S: Hit around Easter (late March/early April 2025). Online orders were down for nearly two weeks, contactless payments and click-and-collect services were affected, and job postings were pulled. Crucially, attackers obtained M&S's Active Directory database (NTDS.dit) months before the ransomware deployment.
  • Co-op Group: Initially reported an attempted breach with minor impact, but later confirmed data access and extraction involving names and contact details of a "significant number" of members. A DragonForce member claimed to the BBC that data of 20 million Co-op members was stolen. Internal memos advised visual verification of attendees in Teams meetings due to security concerns.
  • Harrods: Confirmed an attempted unauthorised access, leading to restricted internet access across its sites as a precaution. Operations were later reported as normal.

Attribution Complexities

While DragonForce claimed these attacks, initial reports and some TTPs led to suspicion of Scattered Spider's involvement, especially in the M&S incident. SentinelOne noted that an affiliate involved in the UK retail attacks (claimed by DragonForce) showed characteristics consistent with "The Com", a collective of which Scattered Spider is a branch, and was leveraging DragonForce ransomware.

Broader Implications for Retail

The UK retail sector is facing a high volume of attacks, 8% higher than the national average and up 22% year-on-year. These incidents are a wake-up call to all organisations about the need for enhanced cybersecurity, with the "data theft first, ransom second" model gaining traction and maximising attackers' leverage. The involvement of affiliates with diverse TTPs using a common RaaS platform blurs attribution and complicates defence. The significant operational disruptions highlight the vulnerability of even large organisations and the need for robust business continuity plans.

Retailer | Reported Date(s) of Impact/Disclosure | Attributed Actor(s) | Key Impact | Relevant Sources
M&S | From Easter weekend (late Mar/early Apr) to May 2025 | DragonForce (claimed); initial suspicion of Scattered Spider; affiliate with "The Com" links using DragonForce RaaS | Online sales suspended ~2 weeks; NTDS.dit theft months prior; contactless payments & Click-and-Collect services initially affected; job postings pulled. | 3
Co-op Group | Disclosed early May 2025 | DragonForce (claimed) | Data theft (names, contact info of "significant number" of members; unconfirmed claim of 20M records); back-office & call centre disruption; internal Teams security alert. | 6
Harrods | Disclosed early May 2025 | DragonForce (claimed) | Attempted unauthorised access; precautionary internet restriction across sites; website & stores later reported operating normally. | 3
Table 3: Summary of Recent UK Retail Cyberattacks (April-May 2025)

Connecting the Dots: Scattered Spider, DragonForce, and "The Com"

Is there a direct link between Scattered Spider and DragonForce? Based on available information, there's no direct evidence of a formal alliance. They operate as distinct entities with different primary methods.

However, indirect connections may exist via the loose collective known as "The Com":

  • Scattered Spider is considered a branch of this broader hacker community.
  • An affiliate involved in the DragonForce-claimed UK retail attacks exhibited TTPs consistent with "The Com". This suggests individuals or sub-groups within "The Com," potentially sharing TTPs with Scattered Spider, might be using DragonForce's RaaS platform. This highlights the fluid nature of the cybercrime ecosystem.

Whilst both groups use common tactics like social engineering and phishing, these are widespread and don't indicate a unique link. Scattered Spider has previously used various ransomware (ALPHV/BlackCat, Qilin, RansomHub), showing flexibility in tool choice, similar to how an affiliate might choose a RaaS platform like DragonForce.

DragonForce actively recruits affiliates from diverse backgrounds, making it plausible that individuals with Scattered Spider-like skills could be drawn to its platform. The cybercrime landscape is more of a networked ecosystem than a collection of isolated groups. The RaaS model itself, used by DragonForce, inherently complicates attribution by creating layers between the platform provider and the affiliate conducting the attack.

Fortifying Defences: Actionable Steps

Understanding these evolving threats is the first step. Organisations must recognise the dual challenge: sophisticated social engineering from groups like Scattered Spider and the scalable threat from RaaS platforms like DragonForce. The next step is to take the basic best practices of information security and deploy them at a scale appropriate to and adequate for your business.

Strengthening Defences:

  • Enhanced Identity and Access Management (IAM): Mandate phishing-resistant MFA everywhere, especially for VPNs and admin interfaces. Implement measures against MFA fatigue attacks.
  • Help Desk Security & Training: Train help desk staff to be aware of and resist social engineering attacks. Implement stricter identity verification for sensitive requests.
  • Advanced Phishing Awareness: Conduct ongoing security awareness training on sophisticated phishing and smishing. Use realistic simulations.
  • Endpoint Detection and Response (EDR): Deploy and configure advanced EDR solutions to monitor for suspicious RMM tool usage, attempts to disable security software, and known Indicators of Compromise (IoCs).
  • Network Segmentation: Implement effective network segmentation to limit lateral movement.
  • Domain/URL Filtering: Actively block known malicious domains and consider policies for dynamic DNS providers used for obfuscation (e.g., it[.]com).

Mitigating Threats:

  • Aggressive Vulnerability Management: Prioritise patching known exploited vulnerabilities, especially those linked to DragonForce (e.g., Log4j2, Ivanti, Microsoft SmartScreen bypasses).
  • Active Directory and Credential Security: Secure Active Directory, monitor for NTDS.dit access, enforce strong password policies, and monitor for credential dumping.
  • Application Control & Scripting Security: Use application whitelisting and closely monitor PowerShell usage for malicious activity.
  • Defence Against BYOVD: Monitor for the loading of known vulnerable drivers that could be exploited to disable security tools.
  • Data Exfiltration Monitoring: Implement network traffic analysis and Data Loss Prevention (DLP) to detect unusual outbound traffic.
  • Resilient Backup and Recovery: Ensure robust, regularly tested, and immutable/offline backups.
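Several of the monitoring points in the two lists above (EDR watching for unsanctioned RMM tools, NTDS.dit access, hidden PowerShell started from a Run key, and vulnerable driver loads for BYOVD) reduce to simple rules over endpoint telemetry. The following is an added example, not code from this post or from any vendor: it runs four such rules over constructed Sysmon-style JSON events. The RMM executable names, the choice of ScreenConnect as the sanctioned tool, and the vulnerable-driver entry (a placeholder) are assumptions.

```python
# Added example (not from the post): Sysmon-style field names, constructed events only.
import json
import ntpath
import re

# Autostart Run/RunOnce keys (MITRE T1547.001) under HKLM or any user hive.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Hidden-window or encoded PowerShell launch, as in the "socks5" Run entry.
HIDDEN_PS_RE = re.compile(r"powershell.*?(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s)", re.I)
# RMM executable names are assumptions; only ScreenConnect is sanctioned here (assumption).
KNOWN_RMM = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
APPROVED_RMM = {"screenconnect.clientservice.exe"}
# BYOVD list: placeholder entry only; populate from a maintained source such as loldrivers.io.
VULN_DRIVERS = {"vuln-antirootkit-placeholder.sys"}

def rule_run_key_hidden_powershell(ev):
    # Sysmon 13 (registry value set): Run/RunOnce key whose value starts hidden PowerShell.
    if (ev.get("EventID") == 13 and RUN_KEY_RE.search(ev.get("TargetObject", ""))
            and HIDDEN_PS_RE.search(ev.get("Details", ""))):
        return f"Run key launches hidden PowerShell: {ev['TargetObject']}"
    return None

def rule_ntds_copy(ev):
    # Sysmon 11 (file create): ntds.dit written anywhere but the live NTDS directory.
    path = ev.get("TargetFilename", "")
    if (ev.get("EventID") == 11 and ntpath.basename(path).lower() == "ntds.dit"
            and ntpath.dirname(path).lower() != r"c:\windows\ntds"):
        return f"ntds.dit copy outside NTDS directory: {path}"
    return None

def rule_vulnerable_driver(ev):
    # Sysmon 6 (driver loaded): image name on the vulnerable-driver list.
    name = ntpath.basename(ev.get("ImageLoaded", "")).lower()
    if ev.get("EventID") == 6 and name in VULN_DRIVERS:
        return f"known vulnerable driver loaded (BYOVD): {name}"
    return None

def rule_unapproved_rmm(ev):
    # Sysmon 1 (process create): RMM tool that is not on the approved list.
    name = ntpath.basename(ev.get("Image", "")).lower()
    if ev.get("EventID") == 1 and name in KNOWN_RMM and name not in APPROVED_RMM:
        return f"unapproved RMM tool started: {name}"
    return None

RULES = [rule_run_key_hidden_powershell, rule_ntds_copy, rule_vulnerable_driver, rule_unapproved_rmm]

def detect(lines):
    """Parse JSON event lines; return (rule name, host, detail) for every rule hit."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip rather than stop the pipeline
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append((rule.__name__, ev.get("Computer", "?"), detail))
    return alerts

# Constructed sample telemetry (one JSON event per line); not real data.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Computer": "ws01", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\socks5", "Details": "powershell.exe -w hidden -enc SQBFAFgA"}
{"EventID": 13, "Computer": "ws01", "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Program Files\\OneDrive\\OneDrive.exe /background"}
{"EventID": 11, "Computer": "dc01", "TargetFilename": "C:\\Temp\\ifm\\Active Directory\\ntds.dit"}
{"EventID": 11, "Computer": "dc01", "TargetFilename": "C:\\Windows\\NTDS\\ntds.dit"}
{"EventID": 6, "Computer": "ws02", "ImageLoaded": "C:\\Users\\Public\\vuln-antirootkit-placeholder.sys"}
{"EventID": 1, "Computer": "ws02", "Image": "C:\\Users\\j\\AppData\\Local\\AnyDesk\\AnyDesk.exe"}
{"EventID": 1, "Computer": "ws03", "Image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"}
""".splitlines()
```

Running detect(SAMPLE_EVENTS) raises one alert per rule and stays silent on the benign OneDrive Run key, the live NTDS.dit path and the sanctioned ScreenConnect client.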

Information Security Hygiene and Preparedness:

  • Continuous Threat Intelligence: Actively consume threat intelligence feeds and reports to stay informed about evolving TTPs.
  • Comprehensive Incident Response Plan: Develop, maintain, and regularly test a detailed incident response plan.
  • Assume Breach Mentality: Proactively hunt for threats within your network, assuming preventative measures may not be foolproof.

Modern threat models demand a defence-in-depth strategy addressing both human-centric attacks and tool-driven campaigns. The increasing professionalisation of cybercrime, with groups like DragonForce operating like businesses, means they will continue to innovate in order to profit. Defences should be equally adaptive.

References

1. Check Point Research. (2025, May 6). DragonForce Ransomware: Redefining Hybrid Extortion in 2025. https://blog.checkpoint.com/security/dragonforce-ransomware-redefining-hybrid-extortion-in-2025/

2. Silent Push. (2025, April 8). Scattered Spider: Still Hunting for Victims in 2025. https://www.silentpush.com/blog/scattered-spider-2025/

3. Pylas, P. (2025, May). Harrods becomes latest UK retailer to face cyber threat as M&S' struggles persist. Associated Press. https://apnews.com/article/uk-retailers-cyberattacks-marks-spencer-harrods-7d3c01faa7380775598a517df4db1250

4. SC Media. (2025). Scattered Spider persists with use of Spectre RAT, new phishing. https://www.scworld.com/news/scattered-spider-persists-with-use-of-spectre-rat-new-phishing-kit

5. Cyble. (2025, February 20). Threat Actor Profile: Scattered Spider. https://cyble.com/threat-actor-profiles/scattered-spider/

6. Picus Security. (2025, May 5). DragonForce Ransomware Attacks Retail Giants. https://www.picussecurity.com/resource/blog/dragonforce-ransomware-attacks-retail-giants

7. SentinelOne. (2025, May 2). DragonForce Ransomware Gang: From Hacktivists to High-Street Extortionists. https://www.sentinelone.com/blog/dragonforce-ransomware-gang-from-hacktivists-to-high-street-extortionists/

8. PYMNTS. (2025, May 6). Hacking Group Linked to Vegas Disruptions Suspected in Recent UK Retail Attacks. https://www.pymnts.com/cybersecurity/2025/hacking-group-linked-to-vegas-disruptions-suspected-in-recent-uk-retail-attacks/

9. Arghire, I. (2025, May 5). Ransomware Group Claims Attacks on UK Retailers. SecurityWeek. https://www.securityweek.com/ransomware-group-claims-attacks-on-uk-retailers/

10. CyFox. (2025). DragonForce Ransomware: Unveiling its Tactics and Impact. https://www.cyfox.com/blog-posts/dragonforce-ransomware-unveiling-its-tactics-and-impact

11. Infosecurity Magazine. (2025, May 6). DragonForce Group Claims M&S, Co-op and Harrods Hacks. https://www.infosecurity-magazine.com/news/dragonforce-goup-ms-coop-harrods/
