Particle.news

Scattered Spider Arrests Slow Group as Copycats Exploit VMware Hypervisors

Authorities warn that other hackers are adopting Scattered Spider’s VMware hypervisor tactics after arrests paused the group’s latest ransomware surge

Topic: Scattered Spider

[Image: Scattered Spider Launching Ransomware on Hijacked VMware Systems, Google]

Overview

  • Recent UK arrests of alleged UNC3944 members have led to a measurable drop in Scattered Spider’s direct intrusions, according to Mandiant Consulting
  • A joint advisory from the FBI, CISA and international partners highlights the group’s refined social engineering and new malware tools, including Teleport, AnyDesk, RattyRAT and DragonForce ransomware
  • Attackers leverage phone-based help desk impersonation to reset privileged Active Directory credentials, reboot vCenter servers into single-user mode and gain covert ESXi shell access for data theft and ransomware deployment
  • Security experts report that rival threat actors such as UNC6040 have rapidly adopted Scattered Spider’s hypervisor-level playbook, maintaining pressure on retail, insurance, airline and transportation sectors
  • Defensive measures urged by authorities include disabling direct ESXi shell access, encrypting virtual machine data, isolating backups, enforcing phishing-resistant multi-factor authentication and re-architecting VMware environments before vSphere 7 reaches end-of-life
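The covert ESXi shell access described above and the "disable direct ESXi shell access" guidance both come down to one question for a defender: who turned SSH, the ESXi Shell or lockdown mode off, and when? The following is an added example, not code from the advisory, Mandiant or Particle.news. It scans a constructed set of vCenter-style audit records for access-widening events and flags any that fall outside an approved change window or are raised by a user who is not an approved operator; the record layout and the approved-user and window values are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real captured data). The layout
# "<ISO time> <host> <event id> user=<name>" is an assumption; the
# esx.audit.* identifiers follow the naming vCenter uses for host audit events.
SAMPLE_EVENTS = """\
2025-07-28T02:13:05Z esx01.example.internal esx.audit.ssh.enabled user=helpdesk-reset
2025-07-28T02:13:09Z esx01.example.internal esx.audit.shell.enabled user=helpdesk-reset
2025-07-28T02:14:40Z esx01.example.internal esx.audit.lockdownmode.disabled user=helpdesk-reset
2025-07-28T09:00:12Z esx02.example.internal esx.audit.ssh.enabled user=vmware-patching
2025-07-28T09:45:00Z esx02.example.internal esx.audit.ssh.disabled user=vmware-patching
"""

# Events that widen interactive access to the hypervisor. In a fleet that
# follows the advisory's guidance these should only appear during approved work.
RISKY_EVENTS = {
    "esx.audit.ssh.enabled": "SSH service enabled",
    "esx.audit.shell.enabled": "ESXi Shell enabled",
    "esx.audit.lockdownmode.disabled": "lockdown mode disabled",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+)$")


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    reason: str


def find_hypervisor_access_changes(text, change_window_hours=range(8, 18), approved_users=()):
    """Return a Finding for every shell/SSH/lockdown change that happens outside
    the change window (UTC hours) or is made by a user not on the approved list."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] not in RISKY_EVENTS:
            continue  # malformed line or an event that does not widen access
        hour = int(m["ts"][11:13])  # hour field of the ISO timestamp
        if hour in change_window_hours and m["user"] in approved_users:
            continue  # expected maintenance; nothing to raise
        findings.append(Finding(m["ts"], m["host"], m["user"], RISKY_EVENTS[m["event"]]))
    return findings


if __name__ == "__main__":
    for f in find_hypervisor_access_changes(SAMPLE_EVENTS, approved_users=("vmware-patching",)):
        print(f"{f.ts} {f.host} {f.user}: {f.reason}")
```

Feeding the real vCenter event export into this check, and paging on any finding, turns the advisory's "disable direct ESXi shell access" into something that is verified continuously rather than assumed.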