HC3 Warns Healthcare Sector on Scattered Spider Social Engineering Threat
The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) warned that Scattered Spider is actively targeting healthcare and other industries with sophisticated social engineering, including help-desk impersonation, phishing, MFA fatigue, SIM swapping, and AI-assisted lures. The financially motivated group—also tracked as Octo Tempest, UNC3944, 0ktapus, and Muddled Libra—has built a reputation for using native English-speaking operators to trick employees and IT staff into resetting passwords, enrolling attacker-controlled MFA devices, and granting remote access. Federal guidance says the actors often abuse trusted tools and cloud services after initial access, making intrusions harder to distinguish from legitimate activity.
U.S. agencies and private-sector researchers have linked Scattered Spider to data theft, extortion, and collaboration with ALPHV/BlackCat ransomware operations, with victims spanning hospitality, gaming, retail, technology, and now heightened concern for healthcare organizations. Microsoft and the FBI/CISA have described the group as unusually dangerous because it combines persuasive phone-based deception with credential theft, reconnaissance, privilege escalation, mailbox manipulation, and deployment of ransomware on Windows, Linux, and VMware ESXi environments. Authorities have also tied the group to major incidents including attacks on MGM Resorts and Caesars, while UK investigators later examined whether Scattered Spider was connected to disruptive cyberattacks against retailers.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
UK National Crime Agency investigates retailer attacks linked to Scattered Spider
By May 2025, Scattered Spider had become the focus of a UK National Crime Agency inquiry into cyber-attacks affecting British retailers, marking a law-enforcement response tied to the group's activity.
HC3 warns healthcare sector about Scattered Spider tactics
The HHS Health Sector Cybersecurity Coordination Center (HC3) issued a warning to healthcare organizations that Scattered Spider was using social engineering and AI-assisted techniques to infiltrate targets and evade defenses.
Scattered Spider expands from SIM swapping to enterprise intrusions
Microsoft said the financially motivated group, also tracked as Octo Tempest and UNC3944, evolved from SIM swapping and cryptocurrency theft into broader enterprise compromises beginning in 2022.
Scattered Spider becomes an ALPHV/BlackCat affiliate
Microsoft reported that by June 2023 the group had become affiliated with the ALPHV/BlackCat ransomware operation and was deploying ransomware against victim environments, including Windows and Linux systems.
FBI and CISA issue joint advisory on Scattered Spider
The FBI and CISA published a joint advisory detailing Scattered Spider's tactics, techniques, and procedures, including help-desk impersonation, phishing, MFA fatigue, SIM swapping, data theft, and collaboration with ALPHV/BlackCat.
Microsoft publishes detailed profile of Octo Tempest
Microsoft released a public threat profile describing Octo Tempest/Scattered Spider as a highly dangerous English-speaking financial hacking group using advanced social engineering, credential theft, and ransomware tactics across multiple sectors.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Scattered Spider is focus of NCA inquiry into cyber-attacks against UK retailers | Hacking | The Guardian
theguardian.com
Open sourceHC3 Issues Warning About Scattered Spider Threat Actor
hipaajournal.com
Open sourceHC3 warns of Scattered Spider hackers leveraging AI, social engineering to infiltrate healthcare, other sectors - Industrial Cyber
industrialcyber.co
Open sourceFBI shares tactics of notorious Scattered Spider hacker collective
bleepingcomputer.com
Open sourceMicrosoft: Octo Tempest is one of the most dangerous financial hacking groups
bleepingcomputer.com
Open sourceCisa
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Scattered Spider Linked to MGM and Caesars Casino Breaches
MGM Resorts and Caesars Entertainment were hit in closely timed cyberattacks that investigators and security firms tied to the **Scattered Spider** criminal community, a loose English-speaking group known for social engineering, SIM swapping, phishing, and MFA fatigue. Caesars disclosed that attackers stole customer data and reportedly paid a ransom demand, while MGM suffered a far more disruptive intrusion that knocked hotel and casino operations offline for days and was later estimated to have cost about **$100 million**. Multiple reports said the intrusions involved help-desk impersonation and other employee-targeting tactics, with Scattered Spider affiliates also linked to ransomware operators including **BlackCat/ALPHV**. The fallout expanded beyond the initial breaches as Caesars sent breach notifications to thousands of affected people and both casino companies faced lawsuits and class actions alleging failures to protect personal information. Law enforcement pressure then intensified: investigators in the US, UK, and Spain pursued suspected Scattered Spider members, including a 22-year-old British man arrested in Spain as an alleged leader and a 17-year-old arrested in the UK over the MGM attack, with additional US arrests and prosecutors reportedly moving closer to charges. Security researchers said the Las Vegas casino intrusions put a bullseye on the group, which had evolved from SIM-swapping into ransomware, extortion, and cloud-focused intrusions against major enterprises.
May 25, 2026
Cordial Spider and Snarky Spider drive SaaS extortion via vishing and AiTM phishing
CrowdStrike reported that two financially motivated threat groups tied to **The Com** — **Cordial Spider** and **Snarky Spider** — are carrying out rapid data-theft and extortion campaigns against U.S.-based organizations across critical infrastructure and enterprise sectors, including aviation, retail, hospitality, financial services, legal, technology, automotive, and academia. The actors are closely aligned with the **Scattered Spider** playbook and have used voice phishing, text messages, email, and other social-engineering tactics since at least October 2025 to compromise identity platforms, steal credentials, session keys, and tokens, and pivot through victims’ SaaS environments. Ransom demands have reportedly reached seven figures, and some victims have also faced **DDoS** attacks or swatting. The intrusions rely on adversary-in-the-middle phishing pages that mimic legitimate single sign-on and identity-provider portals, enabling access to services such as **SharePoint**, **HubSpot**, and **Google Workspace** while largely bypassing traditional endpoint defenses. After gaining access, the attackers register their own MFA devices or emulators, disable or suppress alerts through inbox rules and email deletion, and move quickly to search for sensitive data and exfiltrate it, in some cases within an hour of initial access. Researchers said the groups differ in tradecraft — including operating hours, phishing infrastructure, leak sites, and MFA-registration methods — while both use commercial VPNs and residential proxy networks such as **Mullvad**, **Oxylabs**, **NetNut**, **9Proxy**, **Infatica**, and **NSOCKS** to blend into normal traffic and evade detection.
Jun 8, 2026
US Charges Five Alleged Scattered Spider Members Over SMS Phishing and Crypto Theft
U.S. prosecutors unsealed charges against five men allegedly linked to the **Scattered Spider** cybercrime ecosystem, accusing them of running a large-scale scheme that used SMS phishing, spoofed login pages, social engineering, stolen employee credentials, email hijacking, and SIM swapping to compromise companies and individuals. Court filings say the operation targeted technical employees across the United States between September 2021 and April 2023, enabling the theft of non-public corporate data, personal identifiers, and **millions of dollars in cryptocurrency**. Four suspects were charged in the United States with conspiracy to commit wire fraud, while a separate complaint was filed against a fifth defendant in the United Kingdom. The case adds to mounting law-enforcement scrutiny of Scattered Spider, a loose English-speaking threat actor network also tracked under multiple aliases and associated with the broader **"Com"** ecosystem. Authorities and researchers have linked the group to high-profile intrusions and collaborations with ransomware operations including **BlackCat/ALPHV**, **Qilin**, and **RansomHub**, as well as incidents affecting MGM Resorts, Clorox, Snowflake-linked victims, and later investigations into the hacks at **Marks & Spencer** and **Co-op**. The charges mark a significant escalation in efforts to disrupt a group known for blending phishing, identity takeover, and extortion-focused intrusion tactics.
May 25, 2026