Scripted Sparrow
Scripted Sparrow is a newly identified, prolific Business Email Compromise (BEC) threat group. Fortra tracked the group from June 2024 through December 2025 and described it as one of the most active BEC collectives currently operating. The group runs large-scale, highly targeted phishing and fraud campaigns, with reporting indicating it sends millions of scam emails per month and operates across three continents.
Scripted Sparrow primarily targets finance and Accounts Payable personnel, including organizations in North America and Europe, by impersonating executive coaching, leadership training, and other professional services consultancies. Its campaigns use well-crafted social engineering rather than malware or credential theft. Common tactics include spoofed or forged reply chains, lookalike domains, fabricated executive approvals, and PDF attachments containing fraudulent invoices and W-9 forms. The invoices often reference fictitious entities such as Catalyst Executive Circle and are crafted just under common approval thresholds, including examples at $49,927.00, to increase the likelihood of payment.
The group is notable for industrialized, automated operations at global scale. Reported tradecraft includes sending messages in small targeted batches, reusing templates with minor variations, rotating domains and bank accounts, and adapting lures over time, including missing-attachment prompts intended to bypass security filters. Fortra linked the operation to large supporting infrastructure, including domains, webmail accounts, and bank accounts, and reported that the group continually refines its fraud techniques.
Technical observations in the reporting include heavy use of PDF generation via the Skia/PDF library, automated scripting to manage correspondence volume, geolocation-spoofing browser plug-ins, and indications of Telegram use for internal communication.
The activity described in the reporting is financially motivated cybercrime focused on inducing wire transfers to fraud-controlled accounts. The content does not provide a confirmed nation-state attribution. Reported possible operator locations include Nigeria, South Africa, Iran, Turkey, and possibly the United States, United Kingdom, and Canada, but these are presented as attribution suggestions rather than confirmed facts. No additional aliases or sub-groups are provided in the content beyond the name Scripted Sparrow.
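
The tradecraft signals described above (forged reply chains, first-contact senders, invoices just under an approval tier, Skia/PDF-produced attachments, and missing-attachment lures) can be combined into a simple Accounts Payable triage check. This is an added example, not code from Fortra or Mallory; the `Msg` shape, the approval tiers, the 2% margin, the three-signal cutoff, and the sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Assumed approval tiers and margin; replace with your own AP policy.
APPROVAL_TIERS = (Decimal("10000"), Decimal("25000"), Decimal("50000"))
MARGIN = Decimal("0.02")  # flag amounts within 2% below a tier

@dataclass
class Msg:  # hypothetical shape for parsed mail-gateway output
    sender_domain: str
    subject: str
    references: tuple          # Message-IDs from In-Reply-To / References
    body: str
    has_attachment: bool
    pdf_producer: str = ""     # /Producer field of an attached PDF
    invoice_amount: Optional[Decimal] = None

def just_under_tier(amount):
    return any(t * (1 - MARGIN) <= amount < t for t in APPROVAL_TIERS)

def bec_signals(msg, known_vendor_domains, seen_message_ids):
    hits = []
    is_reply = re.match(r"\s*(re|fw|fwd)\s*:", msg.subject, re.I) is not None
    # A "reply" whose thread IDs never passed through our mail system
    # is a candidate forged reply chain.
    if is_reply and not any(r in seen_message_ids for r in msg.references):
        hits.append("unverified_reply_chain")
    if msg.sender_domain.lower() not in known_vendor_domains:
        hits.append("first_contact_sender")
    if msg.invoice_amount is not None and just_under_tier(msg.invoice_amount):
        hits.append("amount_just_under_tier")
    # Weak on its own: Chrome's print-to-PDF also writes a Skia/PDF producer.
    if "skia/pdf" in msg.pdf_producer.lower():
        hits.append("skia_pdf_producer")
    if not msg.has_attachment and re.search(r"\battach(ed|ment)\b", msg.body, re.I):
        hits.append("missing_attachment_lure")
    return hits

def needs_callback(hits):
    # Hold payment for out-of-band verification when signals stack up.
    return len(hits) >= 3

# Constructed sample messages (not real traffic).
LURE = Msg("coaching-example.test", "RE: Executive coaching invoice",
           ("<abc123@external.test>",), "Approved, please process the attached.",
           True, "Skia/PDF m120", Decimal("49927.00"))
VENDOR = Msg("known-vendor.test", "Invoice for March", (), "Invoice attached.",
             True, "Some Producer 1.0", Decimal("12500.00"))
```

No single signal is conclusive; the value is in stacking them and routing the result to a human callback on a phone number already on file for the vendor.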
Tradecraft
4 distinct techniques observed across reporting, grouped by tactic.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A prolific BEC collective sending an estimated 6 million highly targeted scam emails each month, impersonating executive coaching firms and using spoofed reply chains, missing attachment lures, and multilingual campaigns to conduct fraud at scale.
Business Email Compromise (BEC) group conducting invoice/W-9 fraud against Accounts Payable using spoofed reply chains and likely automation to scale outreach.
Scripted Sparrow is known for conducting large-scale, industrialized business email compromise (BEC) campaigns, targeting organizations globally with millions of malicious emails.
Large-scale BEC operations using automation and social engineering, targeting organizations globally for financial fraud.