CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Scattered Spider's Browser-Based Attacks and Mitigation Strategies

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

Scattered Spider, also known as UNC3944, Octo Tempest, or Muddled Libra, has evolved to target browser environments, exploiting vulnerabilities in web applications accessed via Chrome, Edge, Firefox, and other browsers. This group focuses on stealing sensitive data such as credentials, session tokens, and security tokens. Over 80% of security incidents now originate from these web applications, making browser security a critical concern for enterprises. Scattered Spider employs sophisticated techniques like Browser-in-the-Browser overlays, session token theft, and malicious extensions to evade traditional security tools. To counter these threats, CISOs must implement multi-layered browser security strategies, including runtime script protection, session integrity, extension governance, and browser telemetry integration.

Timeline

  1. 01.09.2025 14:55 1 articles · 28d ago

    Scattered Spider's Browser-Based Attacks Detailed

    Scattered Spider, also known as UNC3944, Octo Tempest, or Muddled Libra, has been identified as a significant threat targeting browser environments. The group uses sophisticated techniques to steal sensitive data, including credentials, session tokens, and security tokens. Over 80% of security incidents now originate from web applications accessed via browsers, making browser security a critical concern for enterprises. To counter these threats, CISOs must implement multi-layered browser security strategies, including runtime script protection, session integrity, extension governance, and browser telemetry integration. These strategies help in mitigating the risks posed by Scattered Spider and other advanced browser threats.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

XCSSET macOS Malware Targets Xcode Developers with Enhanced Features

A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects, stealing cryptocurrency, and browser data from infected devices. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.

Open in new tab

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

GeoServer RCE Exploit Used in Federal Agency Breach

A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401) and moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. The breach remained undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The attackers exploited the vulnerability in GeoServer, which was patched in June 2024 but remained unpatched in the agency's environment. They used brute force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells like China Chopper. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. The attackers discovered the vulnerable GeoServer instances by conducting network scanning with Burp Suite. They exploited the vulnerability to gain access to a public-facing GeoServer instance and downloaded open-source scripts and tools for lateral movement. On July 24, 2024, the attackers exploited the same vulnerability to gain access to a second GeoServer instance and moved laterally to a Web server and SQL server, where they dropped web shells, including China Chopper. The attackers also used Stowaway for command-and-control (C2) traffic and attempted to exploit CVE-2016-5195 for privilege escalation. The agency's incident response plan was inadequate, and some public-facing resources lacked endpoint protection, allowing the breach to remain undetected for three weeks.

Open in new tab

Malicious npm package 'fezbox' uses QR codes to deliver cookie-stealing malware

A malicious npm package named 'fezbox' was discovered using QR codes to fetch and execute cookie-stealing malware. The package, disguised as a utility library, was downloaded at least 327 times before being removed from the npm registry. The malware targets user credentials and employs steganographic techniques to evade detection. The package was found to fetch a JPG image containing a QR code, which then executes a second-stage payload. The QR code is designed to be unusually dense and difficult to read with standard phone cameras, making it harder to detect. The package was published by a Chinese-speaking attacker using the alias 'janedu' and included multiple layers of obfuscation to evade detection. The malware specifically targets cookies to steal usernames and passwords, sending the stolen information via an HTTPS POST request to a command-and-control server. The package was removed and flagged as malware posing a supply-chain risk. The attacker's activity status on the npm registry remains unclear. The package's ReadMe mentioned a QR Code Module, making its existence seem legitimate. The package used reversed strings as an anti-analysis technique. The payload could read a web cookie and extract the username and password if both were present.

Open in new tab

Critical SessionReaper flaw in Adobe Commerce and Magento Open Source patched

Adobe has patched a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms, dubbed SessionReaper. The flaw, with a CVSS score of 9.1, allows unauthenticated attackers to take control of customer accounts through the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. No exploitation in the wild has been reported, but a hotfix leak may have provided threat actors with an advantage. Adobe Commerce on Cloud customers are already protected by a WAF rule. The patch disables certain internal Magento functionalities, potentially affecting custom or external code. The vulnerability impacts multiple versions of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source, as well as the Custom Attributes Serializable module.

Open in new tab