Emergence of New Cybercriminal Groups and Tools Targeting European Financial Sector
UK law enforcement is facing increased pressure from the simultaneous rise of young, English-speaking hackers such as those associated with 'Scattered Spider' and the continued threat from organized Russian-speaking ransomware groups. These new threat actors, often motivated by prestige and recruited from online communities, have been implicated in high-profile attacks on UK retailers, resulting in significant financial losses and straining the resources of authorities already challenged by budget constraints and evolving technology. The operational differences between these groups—Scattered Spider's focus on social engineering and the Russian-speaking groups' technical sophistication—are creating a complex threat landscape for the UK.
Concurrently, a new phishing kit named 'Spiderman' has emerged, enabling cybercriminals to launch sophisticated phishing campaigns against dozens of European banks and cryptocurrency services. The kit allows attackers to create convincing replicas of legitimate banking and fintech sites, capture credentials and two-factor authentication codes, and even steal cryptocurrency wallet seed phrases. Its modular design and real-time control panel features make it a popular tool among cybercriminals, further complicating the security environment for financial institutions across Europe as they adapt to new e-banking authentication methods.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Bindinghook reports on UK cyber response strain from local and Russian-speaking actors
A Bindinghook article described pressure on UK responses from local hackers and Russian-speaking cybercriminals. No specific underlying incident dates or discrete real-world events were provided in the reference content.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Using Advanced Kits Targeting Universities and Banks
Threat actors have launched a sophisticated phishing campaign targeting U.S. universities by leveraging the open-source Evilginx framework. At least 18 educational institutions have been affected since April 2025, with attackers using personalized emails containing TinyURL links that redirect to dynamically generated phishing pages. These pages closely mimic student single sign-on portals and employ advanced evasion techniques, such as expiring URLs, wildcard TLS certificates, bot filtering, and JavaScript obfuscation, making detection and mitigation increasingly difficult. The campaign demonstrates the growing accessibility of advanced phishing tools, enabling even unskilled actors to bypass multi-factor authentication and compromise sensitive credentials. Simultaneously, a new phishing kit called Spiderman has emerged on the dark web, targeting customers of major European banks and cryptocurrency platforms. This full-stack kit allows attackers to easily clone login pages for dozens of financial institutions and conduct real-time credential theft across multiple countries. With a large user community and features that facilitate immediate data exfiltration and hybrid fraud operations, Spiderman represents a significant escalation in the scale and efficiency of phishing threats facing the financial sector. Both campaigns highlight the evolving landscape of phishing, where sophisticated toolkits are lowering the barrier to entry for cybercriminals and increasing the risk to organizations worldwide.
Mar 21, 2026
AI-Driven Ransomware and Extortion Surge in Europe
European organizations are experiencing a significant increase in ransomware and extortion attacks, with threat actors leveraging artificial intelligence to accelerate and enhance their operations. According to CrowdStrike’s 2025 European Threat Landscape Report, Europe now accounts for nearly 22% of global ransomware and extortion victims, making it the second most targeted region after North America. AI is enabling adversaries to breach networks and deploy ransomware more quickly, with groups like SCATTERED SPIDER reducing their attack cycle to approximately 24 hours. The most targeted countries include the United Kingdom, Germany, France, Italy, and Spain, and affected sectors span manufacturing, professional services, technology, and retail. Attackers are also employing advanced social engineering tactics, such as fake CAPTCHA lures, to compromise victims. The report also highlights a rise in hacktivism and nation-state cyber operations, particularly from Russian and North Korean actors, amid ongoing geopolitical tensions. Russian threat actors have shifted focus toward Ukraine and related regions since the 2022 invasion, while North Korea is reportedly supporting Russian operations and targeting Ukraine. The European threat landscape is described as increasingly complex, with eCrime, espionage, and disruptive attacks posing significant risks to both public and private sector organizations. Security teams are urged to adapt to the evolving threat environment, where AI-driven automation and deception are reshaping the speed and scale of cyberattacks.
Mar 21, 2026
Diverse Cybercriminal Campaigns and Tactics Targeting Organizations
Multiple cybercriminal operations have been reported, each employing distinct tactics to compromise organizations and individuals. These include a large-scale business email compromise (BEC) campaign dubbed 'Scripted Sparrow,' which orchestrated a global siege involving three million emails, and a sophisticated loader attack using fake purchase orders to target manufacturing giants in Italy, Finland, and Saudi Arabia. Another campaign, referred to as 'The Payroll Trap,' leverages fake CAPTCHA pages in a quishing (QR code phishing) scheme to hijack employee paychecks. Additionally, a phishing campaign impersonating ADP was observed, where threat actors used convincing emails and counterfeit login pages to steal employee credentials and personal data. Further, the cybercriminal ecosystem is seeing notable developments, such as the unmasking of 'Fly,' the secret architect behind the infamous Russian Market, and the formation of an alliance between Qilin, DragonForce, and a declining LockBit ransomware group. These stories highlight the evolving landscape of cybercrime, with actors employing both technical deception and strategic partnerships to maximize their impact against a range of targets worldwide.
Mar 21, 2026