Scattered Spider financial services targeting campaign
Campaign
Summary
The Scattered Spider campaign is targeting the financial sector, including a live intrusion against an unnamed U.S. banking organization. Researchers reported lookalike domains, social engineering, and abuse of Azure Active Directory Self-Service Password Management to gain access, then movement through Citrix, VPN, and VMware ESXi environments. The activity also involved Veeam service account changes, Azure Global Administrator permissions, and attempted exfiltration from Snowflake and Amazon Web Services (AWS). A later report added signs of continued finance-sector targeting after the group’s claimed shutdown, reinforcing that the operation remains active.
Related Happenings
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score: 34
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Finnish arrest and U.S. charges in Bouquet Scattered Spider case
Law Enforcement
H score: 17
First: 28.04.2026 18:39
Last: 28.04.2026 18:39
Sources 1
About this happening:
**Finnish law enforcement** arrested **Bouquet**, and **U.S. federal prosecutors** later charged him in a cross-border **Scattered Spider** cybercrime case. The charges include **...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
H score: 33
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor Meta
H score: 41
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
**Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
Operation Atlantic approval-phishing takedown
Law Enforcement
H score: 38
First: 13.04.2026 11:00
Last: 13.04.2026 11:00
Sources 1
About this happening:
A **UK-led** cross-border operation carried out a **takedown** of **approval phishing** crypto fraud networks, freezing **$12m** and identifying **more than 20,000 victims**. The...
Timeline
- 17.09.2025 11:49 · 3 articles · 8mo ago
Scattered Spider linked to financial-sector attacks
Initial Disclosure
Scattered Spider is linked to a new wave of financial-sector attacks against an unnamed U.S. banking organization, with initial access gained by socially engineering an executive's account and resetting the password through Azure Active Directory Self-Service Password Management. The intrusion included access to sensitive IT and security documents, lateral movement through the Citrix environment and VPN, compromise of VMware ESXi infrastructure, privilege escalation through a Veeam service account reset and Azure Global Administrator permissions, and attempted data exfiltration from Snowflake and Amazon Web Services (AWS).
Sources:
- Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims — thehackernews.com — 17.09.2025 11:49
- Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims — thehackernews.com — 17.09.2025 11:49
- 'Scattered Lapsus$ Hunters,' Others Announce End of Hacking Spree — www.darkreading.com — 17.09.2025 22:12