Scattered Spider financial services targeting campaign
Campaign
Summary
The Scattered Spider campaign is targeting the financial sector, including a live intrusion against an unnamed U.S. banking organization. Researchers reported lookalike domains, social engineering, and abuse of Azure Active Directory Self-Service Password Management to gain access, then movement through Citrix, VPN, and VMware ESXi environments. The activity also involved Veeam service account changes, Azure Global Administrator permissions, and attempted exfiltration from Snowflake and Amazon Web Services (AWS). A later report added signs of continued finance-sector targeting after the group’s claimed shutdown, reinforcing that the operation remains active.
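The chain in the summary, a self-service password reset on an executive's account followed within hours by Global Administrator rights, is something defenders can hunt for directly in Entra ID (Azure AD) audit logs. The Python below is an added example, not code from the original reporting or from any vendor cited on this page. The record layout and the `activityDisplayName` strings ("Reset password (self-service)", "Add member to role", the `Role.DisplayName` modified property) follow the Microsoft Graph `directoryAudit` schema as the editor understands it and should be verified against your own tenant's exports; the log entries, user names and the `corp.example` domain are constructed for the demo.

```python
"""Hunt for SSPR-then-privileged-role in Entra ID audit logs (added example).

Record shape is modelled on Microsoft Graph directoryAudit JSON; verify the
activityDisplayName strings against your tenant before relying on them.
"""
import json
from datetime import datetime

SSPR_RESET = "Reset password (self-service)"   # assumed activityDisplayName
ROLE_ADD = "Add member to role"                 # assumed activityDisplayName
PRIVILEGED_ROLES = {                            # roles worth alerting on
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
}

# Constructed sample log: five records, one of which is the attack pattern.
SAMPLE_AUDIT_LOG = [
    {   # 1. SSPR reset on the executive account (the entry point in the summary)
        "activityDateTime": "2025-09-10T08:00:00Z", "activityDisplayName": SSPR_RESET,
        "initiatedBy": {"user": {"userPrincipalName": "cfo@corp.example"}},
        "targetResources": [{"userPrincipalName": "cfo@corp.example", "modifiedProperties": []}],
    },
    {   # 2. Global Administrator granted to that same account 75 minutes later
        "activityDateTime": "2025-09-10T09:15:00Z", "activityDisplayName": ROLE_ADD,
        "initiatedBy": {"user": {"userPrincipalName": "ops-admin@corp.example"}},
        "targetResources": [
            {"userPrincipalName": "cfo@corp.example", "modifiedProperties": []},
            {"displayName": "Global Administrator", "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]},
        ],
    },
    {   # 3. Routine SSPR with no follow-on role change: not flagged
        "activityDateTime": "2025-09-10T14:00:00Z", "activityDisplayName": SSPR_RESET,
        "initiatedBy": {"user": {"userPrincipalName": "alice@corp.example"}},
        "targetResources": [{"userPrincipalName": "alice@corp.example", "modifiedProperties": []}],
    },
    {   # 4. Role grant with no preceding reset: outside this rule's scope
        "activityDateTime": "2025-09-01T10:00:00Z", "activityDisplayName": ROLE_ADD,
        "initiatedBy": {"user": {"userPrincipalName": "ops-admin@corp.example"}},
        "targetResources": [
            {"userPrincipalName": "bob@corp.example", "modifiedProperties": []},
            {"displayName": "Global Administrator", "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]},
        ],
    },
    {   # 5. SSPR followed by a non-privileged role: not flagged
        "activityDateTime": "2025-09-12T08:30:00Z", "activityDisplayName": ROLE_ADD,
        "initiatedBy": {"user": {"userPrincipalName": "ops-admin@corp.example"}},
        "targetResources": [
            {"userPrincipalName": "carol@corp.example", "modifiedProperties": []},
            {"displayName": "Directory Readers", "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": "\"Directory Readers\""}]},
        ],
    },
    {
        "activityDateTime": "2025-09-12T08:00:00Z", "activityDisplayName": SSPR_RESET,
        "initiatedBy": {"user": {"userPrincipalName": "carol@corp.example"}},
        "targetResources": [{"userPrincipalName": "carol@corp.example", "modifiedProperties": []}],
    },
]


def _parse_time(stamp):
    """Graph emits RFC 3339 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _target_upn(record):
    """UPN of the user the event acted on (first target carrying one)."""
    for target in record.get("targetResources", []):
        if target.get("userPrincipalName"):
            return target["userPrincipalName"].lower()
    return None


def _role_name(record):
    """Role.DisplayName newValue is JSON-encoded in Graph exports; decode it."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                raw = prop.get("newValue", "")
                try:
                    return json.loads(raw)
                except (json.JSONDecodeError, TypeError):
                    return raw
    return None


def _initiator(record):
    """Who performed the action: a user UPN or an app display name."""
    by = record.get("initiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName", "<unknown user>")
    if by.get("app"):
        return by["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def find_sspr_to_privileged_role(records, window_hours=24, privileged_roles=PRIVILEGED_ROLES):
    """Return role grants to an account that had an SSPR reset within window_hours before."""
    resets = {}
    for rec in records:
        if rec.get("activityDisplayName") == SSPR_RESET and _target_upn(rec):
            resets.setdefault(_target_upn(rec), []).append(_parse_time(rec["activityDateTime"]))
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") != ROLE_ADD:
            continue
        role = _role_name(rec)
        if role not in privileged_roles:
            continue
        upn, granted_at = _target_upn(rec), _parse_time(rec["activityDateTime"])
        for reset_at in resets.get(upn, []):
            delta_hours = (granted_at - reset_at).total_seconds() / 3600
            if 0 <= delta_hours <= window_hours:
                hits.append({"user": upn, "role": role, "granted_by": _initiator(rec),
                             "reset_at": reset_at.isoformat(), "granted_at": granted_at.isoformat(),
                             "delta_hours": delta_hours})
    return sorted(hits, key=lambda h: h["granted_at"])


if __name__ == "__main__":
    for hit in find_sspr_to_privileged_role(SAMPLE_AUDIT_LOG):
        print(f"ALERT {hit['user']} got {hit['role']} from {hit['granted_by']} "
              f"{hit['delta_hours']:.2f}h after a self-service reset")
```

Record ordering does not matter: resets are indexed first, then every privileged role grant is checked against the target's reset history, so out-of-order exports still correlate. The window is deliberately generous; in the reported intrusion the interesting follow-on actions (Veeam service account changes, Citrix and VPN access) happened over days, so feed the same index other high-value events, not only role grants.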
Related Happenings
Finnish arrest and U.S. charges in Bouquet Scattered Spider case
Law Enforcement
First: 28.04.2026 18:39
Last: 28.04.2026 18:39
Sources 1
About this happening:
**Finnish law enforcement** arrested **Bouquet**, and **U.S. federal prosecutors** later charged him in a cross-border **Scattered Spider** cybercrime case. The charges include **...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor Meta
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
**Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
Operation Atlantic approval-phishing takedown
Law Enforcement
First: 13.04.2026 11:00
Last: 13.04.2026 11:00
Sources 1
About this happening:
A **UK-led** cross-border operation carried out a **takedown** of **approval phishing** crypto fraud networks, freezing **$12m** and identifying **more than 20,000 victims**. The...
Europol-coordinated Tycoon2FA takedown
Law Enforcement
First: 04.03.2026 19:01
Last: 04.03.2026 19:01
Sources 1
About this happening:
**Europol** coordinated a law-enforcement operation that **seized 330 domains** tied to **Tycoon2FA**, disrupting a **phishing-as-a-service** platform used for **credential theft*...
Latest development: 23.03.2026 23:52
CrowdStrike observed Tycoon2FA return to pre-disruption activity levels within days after the March 4, 2026 Europol-led takedown, with daily campaign volumes on March 4 and March 5, 2026 falling to 25% of pre-disruption levels before rebounding to early 2026 levels. The phishing-as-a-service platform continued using largely unchanged TTPs against Microsoft 365 and Gmail accounts and remained active in malicious email campaigns, BEC, email thread hijacking, cloud account takeovers, and malicious SharePoint links.
Timeline
17.09.2025 11:49 · 3 articles
Scattered Spider linked to financial-sector attacks
Initial Disclosure: Scattered Spider is linked to a new wave of financial-sector attacks against an unnamed U.S. banking organization, with initial access gained by socially engineering an executive's account and resetting the password through Azure Active Directory Self-Service Password Management. The intrusion included access to sensitive IT and security documents, lateral movement through the Citrix environment and VPN, compromise of VMware ESXi infrastructure, privilege escalation through a Veeam service account reset and Azure Global Administrator permissions, and attempted data exfiltration from Snowflake and Amazon Web Services (AWS).
Sources
- Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims — thehackernews.com — 17.09.2025 11:49
- 'Scattered Lapsus$ Hunters,' Others Announce End of Hacking Spree — www.darkreading.com — 17.09.2025 22:12