New Developer-As-A-Service In Hacking Forums Empowering Phishing And Cyberattacks

SCATTERED SPIDER, a ransomware group, leverages cloud infrastructure and social engineering to target insurance and financial institutions by using stolen credentials, SIM swaps, and cloud-native tools to gain and maintain access, impersonating employees to deceive victims. 

Their partnership with BlackCat has enhanced their ability to target Western organizations due to their understanding of Western business practices.

It frequently exploits leaked cloud authentication tokens to gain unauthorized access to corporate networks, which are often inadvertently exposed in public repositories, providing attackers with a means to automate and scale their attacks against cloud infrastructure.

Example of AWS token leak in GitHub

It is using phishing and smishing campaigns to target high-privileged accounts in cloud services like Microsoft Entra ID and AWS EC2 and also targeting SaaS platforms like Okta, ServiceNow, and VMware Workspace ONE using phishing pages that mimic SSO portals.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Smishing campaigns are used to trick victims into clicking malicious links that lead to phishing websites aimed at stealing login credentials and intercepting OTPs.

Typosquatted domain and Phishing against
US-based financial services.

Credential stealers are used by SCATTERED SPIDER to harvest cloud service authentication tokens from victims’ devices, which are then sold on underground forums, allowing attackers to gain unauthorized access to cloud resources like AWS, Azure, and GCP.

SCATTERED SPIDER employs SIM swapping to bypass MFA on SaaS applications, gaining access to cloud infrastructures.

Threat actors create unauthorized VMs to evade detection and steal data, abusing legitimate cloud tools for remote command execution and data transfer.

AWS Tokens being sold on underground forms.

Telecom Enemies, a DaaS group, offers phishing kits and tools like Gorilla Call Bot. SCATTERED SPIDER members use their services for malicious activities, targeting various services like Coinbase and Gmail. 

Telecom Enemies’ tools are widely promoted on Telegram and sold on underground forums, with members specializing in web app exploitation, network infiltration, and malware development. 

By employing open-source tools to gather information from cloud environments, it focuses on Active Directory and Microsoft 365, which are aimed at identifying valuable data, compromising additional accounts, escalating privileges, and moving laterally across the network. 

The attackers target password management tools, network architecture, VDI/VPN configurations, PAM solutions, personnel information, third-party data, and extortion-related data.

Example detections of
reconnaissance tools and scripts.

It leverages Cross-Tenant Synchronization (CTS) and federated identity providers to maintain persistent access in Microsoft Entra ID environments. 

Attackers compromise privileged accounts to configure CTS and create malicious federated domains, allowing them to provision malicious accounts and generate forged authentication tokens. 

According to EclecticIQ, they also employ RMM tools and protocol tunneling to establish remote connections and bypass network defenses.

Linux version of the BlackCat Ransomware
downloading itself from BlackBaze.

SCATTERED SPIDER employs various techniques to evade detection and disable security measures, including using residential proxies, disabling security tools, creating virtual machines, and exploiting cloud identity systems. 

Employing automated scripts to target VMware ESXi and Azure compromises security by altering root passwords and disabling tools before encrypting data. 

Organizations can mitigate risks by strengthening authentication, closely monitoring suspicious activity, and implementing comprehensive cloud security measures.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Aman Mishra

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

15 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

19 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

19 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

22 hours ago