Researchers Expose Scattered Spider’s Tools, Techniques and Key Indicators

Scattered Spider’s phishing domain patterns provide actionable insights to proactively counter threats from the notorious cyber group responsible for recent airline attacks.

Scattered Spider, a sophisticated cyber threat group known for aggressive social engineering and targeted phishing, is broadening its scope, notably targeting aviation alongside enterprise environments.

Check Point Research has uncovered specific phishing domain indicators, helping enterprises and aviation companies proactively defend against this emerging threat.

Recent Aviation Attacks Linked to Scattered Spider

In a significant escalation, recent media reports and intelligence advisories have linked Scattered Spider to cyberattacks on major airlines, notably the July 2025 data breach affecting six million Qantas customers.

Cybersecurity analysts noted tactics such as MFA fatigue and voice phishing (vishing), closely matching Scattered Spider’s known methods.

Similar incidents involving Hawaiian Airlines and WestJet have further highlighted the urgency of addressing vulnerabilities in aviation-related third-party providers.

The FBI has issued warnings about the group’s expanding focus on the aviation sector, with multiple carriers reporting suspicious activity.

Key Targeting Indicators and Phishing Domains

Check Point Research has identified a consistent pattern in the phishing infrastructure registered by Scattered Spider.

These domains closely mimic legitimate corporate login portals and are designed to deceive employees into revealing their credentials.

Typical naming conventions include:

• victimname-sso.com
• victimname-servicedesk.com
• victimname-okta.com

During a targeted investigation, Check Point researchers identified approximately 500 domains that follow Scattered Spider’s known naming conventions, indicating potential phishing infrastructure either in use or prepared for future attacks.

Examples of observed domains include chipotle-sso[.]com, gemini-servicedesk[.]com, and hubspot-okta[.]com.

This cross-sector targeting underscores the group’s opportunistic approach, adapting to high-value vulnerabilities rather than focusing on a specific vertical.

Publicly available intelligence outlines Scattered Spider as active since at least 2022, composed primarily of young individuals (ages 19–22) from the US and UK.

The group is financially driven, targeting ransomware, credential theft, and cloud infrastructure while utilizing advanced social engineering techniques.

Sophisticated Attack Arsenal

Scattered Spider employs a broad range of sophisticated attack methods to infiltrate targets and maintain long-term access.

Their social engineering methods include targeted phishing, SIM swapping, multi-factor authentication (MFA) fatigue attacks, and phone impersonation tactics.

The group utilizes numerous remote access tools, including TeamViewer, AnyDesk, Splashtop, ScreenConnect, and Tailscale.

For credential theft, they employ tools like Mimikatz and ADExplorer, while their malware arsenal includes WarZone RAT, Raccoon Stealer, and Vidar Stealer.

Most notably, Scattered Spider has been linked to BlackCat/ALPHV ransomware deployments, operating under a Ransomware-as-a-Service model.

Check Point recommends tailored defensive strategies for both enterprises and aviation organizations.

For enterprises, this includes continuous domain monitoring, employee training focused on MFA abuse and vishing, adaptive authentication solutions, and robust endpoint security.

Aviation sector organizations should prioritize vendor risk management, strong identity verification for password resets, and sector-specific incident response playbooks.

The research underscores that no sector is immune to sophisticated social engineering campaigns, making proactive defense measures essential for all organizations.

Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now