Scattered Spider targets browser environments for identity theft

First reported

01.09.2025 14:55

Last updated

📰 1 unique sources, 1 articles

Summary

Hide ▲

Scattered Spider, also known as UNC3944, Octo Tempest, or Muddled Libra, is actively targeting browser environments to steal sensitive data from enterprises. The group leverages techniques such as Browser-in-the-Browser (BitB) overlays, session token theft, and malicious extensions to bypass traditional security measures. This shift in tactics highlights the growing importance of browser security in protecting enterprise assets. Scattered Spider's methods focus on exploiting human identity and browser environments, differentiating them from other cybercriminal groups like Lazarus Group, Fancy Bear, and REvil. The group's precision targeting and advanced techniques pose a significant threat to organizations that rely heavily on web applications. The threat actor's activities underscore the need for CISOs to elevate browser security as a central pillar of their defense strategies.

Timeline

01.09.2025 14:55 📰 1 articles

Scattered Spider targets browser environments for identity theft
Scattered Spider, also known as UNC3944, Octo Tempest, or Muddled Libra, has been actively targeting browser environments to steal sensitive data from enterprises. The group leverages techniques such as Browser-in-the-Browser (BitB) overlays, session token theft, and malicious extensions to bypass traditional security measures. This shift in tactics highlights the growing importance of browser security in protecting enterprise assets. The threat actor's activities underscore the need for CISOs to elevate browser security as a central pillar of their defense strategies.
Show sources

When Browsers Become the Attack Surface: Rethinking Security for Scattered Spider — thehackernews.com — 01.09.2025 14:55
Open in new tab

Information Snippets

Over 80% of security incidents originate from web applications accessed via browsers.
First reported: 01.09.2025 14:55

📰 1 source, 1 article
Show sources
- When Browsers Become the Attack Surface: Rethinking Security for Scattered Spider — thehackernews.com — 01.09.2025 14:55
Scattered Spider targets browser environments to steal sensitive data.
First reported: 01.09.2025 14:55

📰 1 source, 1 article
Show sources
- When Browsers Become the Attack Surface: Rethinking Security for Scattered Spider — thehackernews.com — 01.09.2025 14:55
The group uses techniques like Browser-in-the-Browser (BitB) overlays and session token theft.
First reported: 01.09.2025 14:55

📰 1 source, 1 article
Show sources
- When Browsers Become the Attack Surface: Rethinking Security for Scattered Spider — thehackernews.com — 01.09.2025 14:55
Scattered Spider avoids high-volume phishing in favor of precision exploitation.
First reported: 01.09.2025 14:55

📰 1 source, 1 article
Show sources
- When Browsers Become the Attack Surface: Rethinking Security for Scattered Spider — thehackernews.com — 01.09.2025 14:55
The group steals saved credentials and manipulates browser runtime.
First reported: 01.09.2025 14:55

📰 1 source, 1 article
Show sources
- When Browsers Become the Attack Surface: Rethinking Security for Scattered Spider — thehackernews.com — 01.09.2025 14:55
Scattered Spider bypasses Multi-Factor Authentication (MFA) to capture tokens and personal cookies.
First reported: 01.09.2025 14:55

📰 1 source, 1 article
Show sources
- When Browsers Become the Attack Surface: Rethinking Security for Scattered Spider — thehackernews.com — 01.09.2025 14:55
Malicious payloads are delivered through fake extensions and execute in-browser via drive-by techniques.
First reported: 01.09.2025 14:55

📰 1 source, 1 article
Show sources
- When Browsers Become the Attack Surface: Rethinking Security for Scattered Spider — thehackernews.com — 01.09.2025 14:55
Web APIs and probing of installed extensions allow attackers to map critical internal systems.
First reported: 01.09.2025 14:55

📰 1 source, 1 article
Show sources
- When Browsers Become the Attack Surface: Rethinking Security for Scattered Spider — thehackernews.com — 01.09.2025 14:55
CISOs must implement a multi-layered browser security strategy to counteract Scattered Spider.
First reported: 01.09.2025 14:55

📰 1 source, 1 article
Show sources
- When Browsers Become the Attack Surface: Rethinking Security for Scattered Spider — thehackernews.com — 01.09.2025 14:55

Similar Happenings

MostereRAT Malware Disables Security Tools, Targets Japanese Windows Users

A new malware campaign, tracked as MostereRAT, targets Japanese Windows users with sophisticated evasion techniques. MostereRAT disables antivirus and endpoint defenses, uses an obscure programming language, and abuses legitimate remote access tools to maintain persistent control over compromised systems. The malware's capabilities include privilege escalation, keylogging, data exfiltration, and the creation of hidden administrator accounts. The campaign's long-term objectives and the full extent of its impact remain unclear. MostereRAT employs Easy Programming Language (EPL) to evade detection and uses Windows Filtering Platform (WFP) filters to block security telemetry. The malware deploys legitimate remote access tools like AnyDesk, TigerVNC, and TightVNC, making it difficult to detect. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools to reduce the attack surface. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can run as TrustedInstaller, a built-in Windows system account with elevated permissions. MostereRAT can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool, facilitate RDP logins, and create hidden administrator accounts.

Open in new tab

GhostRedirector Compromises 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module

GhostRedirector, a previously undocumented threat cluster, has compromised at least 65 Windows servers primarily in Brazil, Thailand, and Vietnam. The attacks, active since at least August 2024, deployed the Rungan backdoor and Gamshen IIS module. Rungan executes commands on compromised servers, while Gamshen manipulates search engine results for SEO fraud. The threat actor targets various sectors, including education, healthcare, technology, transportation, insurance, and retail, using SQL injection vulnerabilities for initial access. The group is assessed with medium confidence to be China-aligned. The operation involves using PowerShell to download malware tools and exploits like EfsPotato and BadPotato for privilege escalation.

Open in new tab

Exploit chain in Sitecore Experience Platform enables remote code execution

Three new vulnerabilities in the Sitecore Experience Platform can be chained to achieve remote code execution (RCE). The flaws include HTML cache poisoning, RCE through insecure deserialization, and information disclosure via the ItemService API. Patches for these vulnerabilities were released in June and July 2025. The exploit chain leverages a combination of pre-authentication and post-authentication vulnerabilities to compromise fully-patched instances of the platform. Additionally, a zero-day vulnerability (CVE-2025-53690) has been exploited by threat actors to deliver malware, including WeepSteel, and perform extensive reconnaissance and lateral movement. The flaw is a ViewState deserialization vulnerability caused by the inclusion of a sample ASP.NET machine key in pre-2025 Sitecore guides. The attackers target the '/sitecore/blocked.aspx' endpoint, which contains an unauthenticated ViewState field, and achieve RCE under the IIS NETWORK SERVICE account by leveraging CVE-2025-53690. The malicious payload dropped by the attackers is WeepSteel, a reconnaissance backdoor that gathers system, process, disk, and network information. The attack observed by Mandiant stemmed from a documentation issue involving sample machine keys provided for customer use. Sitecore advised customers to rotate and secure ASP.NET machine keys, encrypt elements in web.config files, and restrict access to administrators only. CISA has ordered FCEB agencies to update their Sitecore instances by September 25, 2025.

Open in new tab

Malicious PyPI and npm Packages Exploit Dependencies in Supply Chain Attacks

Cybersecurity researchers have identified malicious packages in the Python Package Index (PyPI) and npm repositories that exploit dependencies to execute supply chain attacks. The PyPI package termncolor, with 355 downloads, and its dependency colorinal, with 529 downloads, were found to perform DLL side-loading to achieve persistence and remote code execution. The malware can infect both Windows and Linux systems. Additionally, npm packages were discovered to harvest sensitive data, including iCloud Keychain, web browser, and cryptocurrency wallet information. The attacks highlight the risks associated with automated dependency upgrades and the importance of monitoring open-source ecosystems for potential threats. In a recent supply chain attack, attackers injected malware into npm packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack. The attack impacted roughly 10% of all cloud environments. The malware operates by injecting itself into the web browser, monitoring cryptocurrency transactions, and redirecting them to attacker-controlled wallet addresses. The compromised packages include debug, chalk, and ansi-styles, among others. The impact of the attack is limited to fresh installs between ~9 AM and ~11.30 AM ET on September 8, 2025, when the packages were compromised. This attack follows a series of similar incidents targeting JavaScript libraries, highlighting the ongoing threat to the open-source ecosystem.

Open in new tab