Threat Actor Characterization

Scattered Spider

ID: b299abb66c4452c84038fd3a4c71cb1533748
Crimeware Banking Malware Ransomware Spyware/Stealer
Threat types: Intrusion, Data Theft, Financial Extortion, Ransomware
Unknown
Updated: 2026-03-23
Created: 2025-10-22
Progress: 75% Completeness: 69% Freshness: 90%
Operation zone:
Aliases (2 of 6 shown): 0ktapus, Muddled Libra
MITRE ATT&CK®

Octo Tempest is a financially motivated intrusion set characterized by social engineering of IT help desks and identity workflows (MFA fatigue, SIM swap/OTP coercion) to gain access, deploy legitimate remote tooling, steal data for extortion, and at times deploy ransomware and destructive actions. Public reporting and joint advisories highlight a repeatable operational loop and sector-wave targeting patterns. Defensive focus should prioritize help-desk and identity hardening, governance of remote access tooling, and rapid detection of anomalous admin role changes and data exfiltration.


| Technique | Technique name | Tactics | Evidence |
| --- | --- | --- | --- |
| T1598.004 | Spearphishing Voice | TA0043 | 2025-07-29 — Joint CSA describes social engineering via phone calls/SMS to obtain credentials (help desk targeting). |
| T1566 | Phishing | TA0001 | 2023-10-25 — Microsoft describes broad social engineering campaigns as a core access method. |
| T1110 | Brute Force | TA0006 | 2025-07-29 — Joint CSA discusses credential acquisition methods including repeated prompts and identity abuse (supporting credential attacks). |
| T1621 | Multi-Factor Authentication Request Generation | TA0006 | 2025-07-29 — Joint CSA explicitly references MFA fatigue / push bombing behavior. |
| T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005 | 2024-06-13 — Mandiant describes admin access and abuse in SaaS environments; valid account control is central to the threat model. |
| T1219 | Remote Access Tools | TA0011 | 2023-11-16 — Joint CSA lists legitimate remote access tools used in operations (e.g., ScreenConnect) which enable remote access. |
| T1572 | Protocol Tunneling | TA0011 | 2023-11-16 — Joint CSA lists tunneling tools such as Ngrok used to facilitate access; treat as encrypted channel/tunnel behavior. |
| T1041 | Exfiltration Over C2 Channel | TA0010 | 2025-07-29 — Joint CSA notes data theft for extortion; exfiltration is part of the operational loop. |
| T1486 | Data Encrypted for Impact | TA0040 | 2025-07-29 — Joint CSA update notes deployment of ransomware variants including DragonForce alongside usual TTPs. |
| T1562.001 | Disable or Modify Tools | TA0005 | 2023-10-25 — Microsoft describes destructive behaviors; this often includes defense evasion and evidence removal (map conservatively). |

Strategic Intelligence
Last updated: 2026-02-28T14:57:34+00:00

Scattered Spider (aka Octo Tempest)

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — Octo Tempest


Hunting Playbook

Hunting Playbook — Octo Tempest (Identity & Help Desk Abuse → Extortion)


IOC Appendix
Last updated: 2026-02-28T14:58:48+00:00

IOC Appendix — Octo Tempest (Operational Seed Set)


OSINT Library
Last saved: 2026-02-28T14:59:01+00:00

OSINT Library — Octo Tempest


2025-07-16 — Microsoft Security — “Protecting customers from Octo Tempest attacks across multiple industries”

Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.