Scattered Spider’s 2025 Campaign: Expanding Its Reach

Summary
CRIL came across a blog published by SilentPush that highlights ongoing activity by the threat group Scattered Spider in 2025. The group is actively targeting key services such as Klaviyo, HubSpot, and Pure Storage, along with major global brands like Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, News Corp, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone. SilentPush researchers have been tracking five different phishing kits used by the group since at least 2023. These kits have seen regular updates, but older versions are now being phased out as the group continues to refine its tools and techniques.
In addition, the researchers have analyzed a new version of the Spectre RAT malware being used by Scattered Spider. One concerning finding from 2024 is that Scattered Spider acquired the domain “twitter-okta[.]com”, which was once owned by Twitter/X. While it’s unclear if the domain will be used to target the company or its users, it could potentially be used in phishing attacks due to its appearance of legitimacy. The report highlights the group’s ongoing evolution and the need for continued vigilance from security teams.

Technical Details
In 2025, Scattered Spider introduced new tactics, techniques, and procedures (TTPs), including significant updates to their phishing infrastructure. Their latest toolkit, Phishing Kit #5, has evolved with new features and was spotted hosted on Cloudflare. Compared to previous years, the threat group has made noticeable changes in how they deploy their phishing kits, including:
Switching hosting providers
Updating phishing kit code
Using dynamic DNS and rented subdomains, such as klv1.it[.]com, which complicate tracking efforts for defenders

This marks the first observed use of dynamic DNS and subdomain leasing by Scattered Spider. These evolving tactics make it crucial for organizations to monitor and block requests associated with such DNS vendors and leased subdomains. On February 6, 2025, researchers identified a host “klv1.it[.]com” registered under a public subdomain provider. While this technique offers anonymity for attackers, it creates challenges for defenders attempting to track these domains through traditional methods. Another example, corpasurion[.]com, followed their older pattern but was still active as recently as December 2024.
Phishing Kit #5:
Security researchers shared information about new infrastructure tied to Scattered Spider, helping establish a fingerprint for the updated Phishing Kit #5. This version contained phishing pages with multiple brand templates on the same domain—possibly a development oversight. Domains like okta-louisvuitton[.]com were observed hosting content targeting brands like T-Mobile, Tinder, and Nike. Researchers also noted a specific URL structure used by the kit: “hxxps://[domain].[TLD]/index?id=[base64 string]”
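The URL structure above is a usable fingerprint for proxy-log triage. The following is an added example (not code from the SilentPush or CRIL write-up) that checks each URL for the `/index?id=<base64>` shape and, when it matches, notes any of the report's brand keywords present in the hostname. The sample URLs are constructed; `.example` hosts stand in for real lookalike domains.

```python
"""Triage proxy-log URLs against the Phishing Kit #5 URL fingerprint
(https://<domain>.<tld>/index?id=<base64>) and the brand keywords seen in the
kit's lookalike hostnames. Added example; not code from the SilentPush or CRIL
write-up. The sample URLs below are constructed."""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Brand/SSO keywords the report associates with the kit's hostnames
# (okta-louisvuitton[.]com hosting T-Mobile, Tinder and Nike templates).
BRAND_KEYWORDS = ("okta", "louisvuitton", "tmobile", "t-mobile", "tinder", "nike")

KIT5_PATH_RE = re.compile(r"^/index/?$")
# Pull the raw id= value without the '+' -> ' ' translation parse_qs would
# apply (that would break base64 validation); %XX escapes are still decoded.
ID_PARAM_RE = re.compile(r"(?:^|&)id=([^&]*)")


def is_base64(value: str) -> bool:
    """True if value is well-formed standard base64 (alphabet and padding checked)."""
    if not value or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def matches_kit5_url(url: str) -> bool:
    """True if the URL has the kit's /index?id=<base64> shape."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not KIT5_PATH_RE.match(parts.path):
        return False
    ids = ID_PARAM_RE.findall(parts.query)
    return len(ids) == 1 and is_base64(unquote(ids[0]))


def brand_keywords_in_host(host: str) -> list:
    """Report's brand keywords that appear anywhere in the hostname."""
    host = host.lower()
    return [k for k in BRAND_KEYWORDS if k in host]


def triage_urls(urls):
    """Return (url, reasons) for every URL matching the kit fingerprint; brand
    keywords in the hostname are appended as supporting context."""
    hits = []
    for url in urls:
        if not matches_kit5_url(url):
            continue
        reasons = ["kit5-url-structure"]
        kws = brand_keywords_in_host(urlsplit(url).hostname or "")
        if kws:
            reasons.append("brand-keyword:" + ",".join(kws))
        hits.append((url, reasons))
    return hits


# Constructed sample; .example hosts stand in for real lookalike domains.
SAMPLE_URLS = [
    "https://okta-louisvuitton.example/index?id=dGVzdA==",   # kit shape + brand keywords
    "https://sso-nike.example/index/?id=aWQ9MTIz",           # kit shape, unpadded base64
    "https://www.example.com/index?id=12345",                # id is not base64
    "https://shop.example.com/index.php?id=dGVzdA==",        # different path
]

if __name__ == "__main__":
    for url, reasons in triage_urls(SAMPLE_URLS):
        print(url, reasons)
```

The path-plus-base64 shape alone will also match some legitimate sites, so treat a hit as a triage signal to be combined with domain age, hosting provider and the brand-keyword context rather than as a verdict on its own.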
Updated Spectre RAT
Scattered Spider is also using a new version of Spectre RAT, a remote access Trojan that gives attackers persistent access to infected systems. This upgraded version includes several advanced features:
Obfuscation and custom crypter usage for stealth
Both 32-bit and 64-bit support for Intel processors
A wide range of new Command and Control (C2) commands
Evidence that the malware is still under active development
Key Technical Behaviours:
Spectre RAT initializes many functions at startup, some of which are null or placeholders, indicating ongoing development. It uses XOR encoding for strings and creates a mutex to prevent multiple instances from running, which also serves as a basic anti-analysis measure.

C2 Communication:
The malware contacts a hardcoded C2 server once to retrieve dynamic C2 addresses stored in a config file named 89CC88. Another file, 733949, collects and stores system data to be sent to the C2 as needed.
Command System:
The malware accepts instructions from its C2 server using HTTP-based communication. Specific commands are triggered using a URI parameter, most notably wber=1, which signals the malware to perform an action. The command payloads are structured using the “|” character as a delimiter, allowing the malware to interpret and execute a wide variety of operational tasks.
| CMD | Parameter(s) | Simplified Description |
|---|---|---|
| 1 | Filename | Download a file from the infected machine |
| 2 | Type, HTTP payload | Upload a file to the infected machine |
| 3 | FolderPath, Filename | Run an executable from a specific folder (e.g., Roaming) |
| 5 | File to remove | Uninstall the bot |
| 6 | — | Ping back to the C2 server |
| 7 | — | Get infection/system info |
| 9 | Process name | Kill the specified process |
| 10 | — | List all running processes |
| 12 | — | Send debug logs |
| 13 | C2 server | Add a new C2 server (writes to config) |
| 14 | Num, Command | Run command via cmd.exe /c |
| 15 | — | Get monitor and recon info (via psinfo.exe) |
Spectre RAT maintains an internal log for errors and debugging, helping it adapt, stay hidden, and provide feedback to attackers. This enhances its stealth and persistence in infected systems.
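Two analyst-side helpers follow for the C2 behaviour described above: one flags HTTP requests carrying the `wber=1` URI parameter, the other splits a captured pipe-delimited command string and labels it with the command IDs from the table. This is an added example, not code from the SilentPush or CRIL write-up. The field order inside a command (numeric ID first, then parameters) is an assumption, since the report gives the delimiter and the parameter list but not the layout, and the proxy log and command strings are constructed.

```python
"""Analyst helpers for the Spectre RAT C2 behaviour described above: flag HTTP
requests carrying the wber=1 URI parameter and decode pipe-delimited command
strings into the command IDs from the table. Added example, not code from the
SilentPush or CRIL write-up. The field order inside a command (ID first, then
parameters) is an assumption, and all log/command samples are constructed."""
from urllib.parse import parse_qs, urlsplit

# Command IDs and descriptions as given in the report's command table.
SPECTRE_COMMANDS = {
    1: "download file from infected machine",
    2: "upload file to infected machine",
    3: "run executable from folder",
    5: "uninstall bot",
    6: "ping C2",
    7: "get infection/system info",
    9: "kill process",
    10: "list running processes",
    12: "send debug logs",
    13: "add C2 server (writes to config)",
    14: "run command via cmd.exe /c",
    15: "get monitor/recon info (psinfo.exe)",
}
# Commands whose parameters matter most during incident response.
HIGH_INTEREST = {2, 3, 13, 14}


def has_wber_beacon(url: str) -> bool:
    """True if the URL carries exactly wber=1, the trigger parameter the report names."""
    query = parse_qs(urlsplit(url).query)
    return query.get("wber") == ["1"]


def decode_command(raw: str):
    """Split a '|'-delimited command string. Returns None if the first field is
    not a numeric command ID (assumed layout: ID|param|param...)."""
    fields = raw.strip().split("|")
    try:
        cmd = int(fields[0])
    except ValueError:
        return None
    return {
        "cmd": cmd,
        "name": SPECTRE_COMMANDS.get(cmd, "unknown"),
        "params": fields[1:],
        "high_interest": cmd in HIGH_INTEREST,
    }


# Constructed proxy log: method, host, path+query, status.
PROXY_LOG = [
    "GET c2.example.invalid /gate.php?wber=1 200",
    "GET www.example.com /index?wber=2 200",
    "GET cdn.example.org /assets/app.js 200",
    "POST c2.example.invalid /gate.php?id=7&wber=1 200",
]


def find_beacons(log_lines):
    """Return (host, path) for log lines whose request carries wber=1."""
    beacons = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host, path = parts[1], parts[2]
        if has_wber_beacon(f"http://{host}{path}"):
            beacons.append((host, path))
    return beacons


if __name__ == "__main__":
    print(find_beacons(PROXY_LOG))
    for raw in ("13|c2-backup.example.invalid", "6", "99|x", "garbage"):
        print(raw, "->", decode_command(raw))
```

A bare `wber=1` parameter is a weak indicator by itself; in practice, pair the beacon match with destination reputation and the sample's hardcoded C2 host, and use the decoder to prioritise commands 2, 3, 13 and 14 (file drops, execution and C2 changes) when reviewing captured traffic.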
Recommendations
Regularly train employees to recognize phishing attempts, especially those mimicking login portals or known brands. Implement email filtering and link analysis to block malicious domains early.
Track dynamic DNS services and publicly rented subdomains that attackers may use for phishing. Set up alerts for lookalike or suspicious domains tied to your brand or partners.
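This recommendation, together with the rented-subdomain observation in the Technical Details (klv1.it[.]com under a public subdomain provider, and lookalikes such as okta-louisvuitton[.]com and twitter-okta[.]com), can be turned into a resolver-log check. The block below is an added example, not code from the SilentPush or CRIL write-up: it flags query names under public subdomain-rental zones and names that combine a monitored brand with an SSO keyword while not sitting under a domain that brand owns. The `it.com` zone comes from the report; the second zone, the "acmebank" brand and the log lines are constructed.

```python
"""Triage DNS query logs for two of the indicators described above: hostnames
under public subdomain-rental zones (such as it.com, named in the report) and
lookalike domains that combine a monitored brand with an SSO keyword (the
okta-<brand> pattern). Added example, not code from the SilentPush or CRIL
write-up; the log lines, the "acmebank" brand and the placeholder zone are
constructed."""
import re
from dataclasses import dataclass

# Public subdomain-rental zones to watch. it.com comes from the report; the
# second entry is a placeholder for zones your own intel adds.
RENTED_SUBDOMAIN_ZONES = ("it.com", "rented-zone.example")

# Monitored brands/partners mapped to the registrable domains they legitimately own.
MONITORED_BRANDS = {
    "acmebank": {"acmebank.com"},
    "okta": {"okta.com"},
}
SSO_KEYWORDS = {"okta", "sso", "login", "auth", "signin", "mfa"}


@dataclass
class Finding:
    qname: str
    client: str
    reason: str


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Sufficient for this sample; use a
    Public Suffix List library for zones like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def rented_zone(host: str):
    """Return the rental zone a hostname sits under, or None."""
    h = host.lower().rstrip(".")
    for zone in RENTED_SUBDOMAIN_ZONES:
        if h == zone or h.endswith("." + zone):
            return zone
    return None


def lookalike_reason(host: str):
    """Flag hosts whose labels contain a monitored brand but whose registrable
    domain is not one the brand owns; note an SSO keyword when present."""
    tokens = set(re.split(r"[.-]", host.lower()))
    brands = sorted(b for b in MONITORED_BRANDS if b in tokens)
    if not brands:
        return None
    allowed = set().union(*(MONITORED_BRANDS[b] for b in brands))
    if registrable_domain(host) in allowed:
        return None
    reason = "lookalike:" + "+".join(brands)
    if tokens & SSO_KEYWORDS:
        reason += ";sso-keyword"
    return reason


def triage_dns_log(text: str):
    """Parse '<timestamp> <client> <qname>' lines and return Findings."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2]
        zone = rented_zone(qname)
        if zone:
            findings.append(Finding(qname, client, f"rented-subdomain:{zone}"))
        reason = lookalike_reason(qname)
        if reason:
            findings.append(Finding(qname, client, reason))
    return findings


# Constructed resolver log.
DNS_LOG = """\
2025-02-06T10:01:02Z 10.0.0.5 www.acmebank.com
2025-02-06T10:01:09Z 10.0.0.5 klv1.it.com
2025-02-06T10:02:44Z 10.0.0.7 acmebank-okta.com
2025-02-06T10:03:10Z 10.0.0.9 okta.com
2025-02-06T10:04:00Z 10.0.0.11 mail.example.net
"""

if __name__ == "__main__":
    for f in triage_dns_log(DNS_LOG):
        print(f)
```

Rented-zone hits are best routed to a block list or a high-priority alert, since legitimate business traffic to such zones is rare; lookalike hits need the brand allowlist kept current (marketing and partner domains are the usual source of false positives).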
Deploy advanced endpoint detection and response (EDR) tools to spot suspicious behaviors such as unauthorized executions or process injection. Continuously monitor for anomalous traffic tied to potential C2 communications.
Apply the principle of least privilege across your environment to reduce lateral movement. Segregate sensitive assets and enforce multi-factor authentication (MFA) for access to critical systems and admin accounts.
Conclusion
Scattered Spider remains a persistent and evolving cyber threat in 2025, actively targeting services like Klaviyo, HubSpot, and Pure Storage, as well as prominent brands such as Nike, Twitter/X, and T-Mobile. The group's continuous updates to its phishing kits and deployment strategies indicate a sophisticated approach to cyberattacks. Notably, its acquisition of domains previously owned by targeted companies, like "twitter-okta[.]com", underscores its strategic planning. The discovery of a new version of Spectre RAT further highlights the group's commitment to enhancing its toolset for persistent access to compromised systems.