Cloud Threat Landscape

0ktapus

Aliases

ScatterSwine, UNC3944 (Mandiant), Octo Tempest (MSFT), Storm-0875 (MSFT), Scattered Spider, Muddled Libra (Unit42), LUCR-3 (Permiso)

Tags
Extortionist, RansomOps
Attribution
💰Cybercrime
Incidents
  • Twilio incident
  • SIM swapping to serial port abuse
  • Scattered Spider Azure Run abuse
  • Muddled Libra campaigns (2024)
  • Scattered Spider SaaS targeting (2023)
  • Scattered Spider SaaS targeting (2024)
  • Ransomware operators exploit ESXi vulnerability
  • Scattered Spider Abuses Cloud Management Agent
  • Scattered Spider targeting Azure environment
  • Scattered Spider targeting GCP environment
References
  • https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/
  • https://blog.sekoia.io/scattered-spider-laying-new-eggs/
  • https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries
Last edited
Jun 30, 2025 1:25 PM
Status
Finalized
Cloud-fluent
Targeted geography
United States/North America, Europe
Targeted industries
Aerospace, Telecommunication, Technological, Finance, Gaming, Retail

0ktapus, also tracked under aliases such as ScatterSwine, UNC3944, Scattered Spider, and Muddled Libra, is a cybercrime group known for its phishing campaigns and credential theft operations. The group gained particular notoriety for targeting organizations, primarily in the United States, across various sectors, aiming to steal credentials that could grant access to victim networks and resources. Its tactics often involve SMS phishing (smishing) and voice phishing (vishing) to deceive employees into revealing their login details, with a particular focus on circumventing multi-factor authentication mechanisms.

One of the group's most significant campaigns involved attempting to compromise the Okta identity and access management services that companies use to manage user authentication and access permissions. By gaining access to such systems, the group could potentially obtain wide-ranging access to multiple platforms and sensitive data belonging to the compromised organization.


Last Updated: April 3, 2025