In a recent episode of Intel 471’s Happy Hunting series, we broke down Scattered Spider, a group behind several high profile breaches over the past few years, and one of the ways it maintains access once inside a victim’s environment: silently installed remote monitoring and management (RMM) software.
In this blog post, we will conduct a targeted threat hunt intended to uncover malicious activity associated with Scattered Spider using Intel 471’s HUNTER library on the Verity471 platform. HUNTER contains sets of prewritten threat hunt queries for a variety of security information and event management (SIEM), endpoint detection and response (EDR) and other logging system platforms. Threat hunters can use these queries to search for malicious activity associated with malware and other types of intrusion campaigns, which are drawn from Intel 471’s intelligence and open sources.
The Threat Actor
Scattered Spider has been active since at least 2022 and is somewhat unusual compared to many cybercriminal groups: its operators are native English speakers, which makes their social engineering unusually convincing. Early targeting focused on customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies. By 2023, the group had expanded into gaming, hospitality, retail, managed service providers (MSPs), manufacturing, and financial services. MITRE ATT&CK tracks the group as G1015 and documents its reliance on impersonation of IT and help-desk staff to gain initial access and bypass multifactor authentication (MFA). For a broader look at the group’s history and targeting, see Intel 471’s Navigating the Web of Scattered Spider: Understanding the Threat Landscape.
Unlike many intrusions, Scattered Spider’s rarely begin with malware or an exploit. They begin with a phone call. An employee is contacted by someone posing as internal IT staff, who explains there’s a technical issue that needs resolving, maybe a credential reset, an authentication prompt to approve, or a remote tool to install so the “technician” can take a closer look. Because the caller sounds legitimate and has researched the organization’s internal processes, victims often comply, handing the attacker their initial foothold. Intel 471 has tracked this same help-desk-style social engineering across the broader Com ecosystem, detailed in Targeted Phishing Linked to ‘The Com’ Surges.
Once inside, the group moves into reconnaissance, enumerating users, identifying privileged accounts and mapping the network, before pivoting into lateral movement across both cloud and on-premises systems. Scattered Spider doesn’t rely on one signature malware family. Depending on the target, it pulls from a mix of legitimate admin tools and known offensive utilities, including ADExplorer for Active Directory reconnaissance, Mimikatz for credential access, Chisel for tunneling and persistence, BruteRatel for remote access, and defense evasion tools such as POORTRY and STONESTOP. For maintaining remote access inside a compromised environment, the group frequently turns to something simpler than custom malware: legitimate remote desktop software.
Legitimate Tools, Nefarious Use
Tools like AnyDesk, TeamViewer, ScreenConnect, LogMeIn and VNC are standard in enterprise IT environments, which is exactly what makes them useful to an attacker. MITRE ATT&CK technique T1219.002, Remote Access Software, covers this behavior directly, noting that adversaries can use legitimate desktop support software to establish an interactive command and control channel, since these tools are often already permitted by application control policies in a target environment. Once one of these tools is running on a compromised system, the attacker can see the victim’s screen, control the keyboard and mouse and run commands as though sitting in front of the machine, all while the activity resembles ordinary IT support traffic from the outside.
AnyDesk shows up frequently in Scattered Spider investigations specifically. It is lightweight, easy to install and commonly allowed in corporate environments. It also offers free trial access, meaning an attacker can deploy it in minutes without needing to stand up any long-term infrastructure. Since the goal at this stage is simply gaining access, that trial window is often all the group needs, as it will typically move to a different persistence mechanism, whether Remote Desktop Protocol or a tool like BruteRatel, once it has a stronger foothold. That combination of legitimacy and low friction is what makes the installation of the tool itself worth hunting for, particularly when it happens silently through the command line rather than through a normal, user-driven install.
Behavioral Hunting Versus IoCs
Indicators of compromise (IoCs) have a short shelf life. A specific AnyDesk installer hash or a renamed binary tied to one campaign will not necessarily appear in the next. Searching for a known-bad hash or filename may produce a quick win, but the absence of that indicator means nothing on its own, since attackers can rename executables or swap infrastructure between operations.
This is where IoC scanning and behavioral hunting work best in combination. Intel 471’s Verity471 Retroactive Threat Detections (RTD) use static IoCs to quickly generate queries and check whether those indicators ever appeared in your historical telemetry. It is a fast way to determine if known-bad infrastructure or file hashes touched your environment with the full context of the report the RTD query was generated from. If the query finds a match, you can begin a broader search for the behaviors linked to the actor. That’s where the HUNTER hunt package fills the gap. By hunting on the installation behavior itself rather than any specific indicator, the “AnyDesk Silent Installation” package surfaces the underlying pattern regardless of which specific AnyDesk build, filename or hash the attacker used. A clean IoC scan is not a clean bill of health. The behavior is what persists. We made a similar case in our DragonForce case study, which also traces back to actors operating in TheCom ecosystem that overlaps heavily with Scattered Spider.
The Hunt
The hunt package used here is called “AnyDesk Silent Installation – Potential Malicious RMM Tool Installation” and it is available in the Community Edition of HUNTER for free upon registration.
The logic is built around command-line arguments rather than a specific file or hash. The query looks for a combination of values appearing together in a single process command line: a reference to AnyDesk, a silent install flag and a start-with-Windows argument. Finding all three of these elements together in one command line is a strong indication that AnyDesk was pushed onto a machine through scripted or automated means, rather than a user clicking through a standard installer window.
Running the Hunt in Splunk
Let’s put this hunt into practice using Windows Event logs imported into Splunk.
The query returns a small number of results showing a PowerShell.exe child process spawned from a PowerShell parent process, along with the host and timestamp for each. Drilling into the command-line arguments for these results confirms exactly what the hunt is built to catch: install and silent flags, a start-with-Windows argument, and a reference to AnyDesk, all appearing together on the same command line.

That combination is a solid lead, but it isn’t automatically a confirmed compromise. The next step is determining how widespread the behavior is across the environment. If this pattern shows up on one isolated endpoint, it warrants immediate follow-up. If the same silent-install pattern is turning up consistently across many machines, that trend points toward a legitimate, sanctioned deployment process rather than attacker activity. Checking for that trend across the environment is what separates a one-off signal worth escalating from routine IT behavior that happens to match the query logic.
Conclusion
Scattered Spider is a reminder that an intrusion doesn’t need a novel exploit to be effective. A convincing phone call and a piece of legitimate remote access software can be enough to establish a lasting foothold inside an environment. By hunting on the command-line pattern behind a silent AnyDesk install rather than on any single hash or filename, defenders get detection coverage that holds up even as the specific installer or campaign infrastructure changes.
Register for a free HUNTER community account to access the hunt package highlighted in this case study and others, along with Intel 471’s broader library of threat hunt content built on Malware Intelligence and Adversary Intelligence. HUNTER also includes the HUNT Management Module, a purpose-built tool for tracking hunt performance metrics, coordinating collaborative hunts, managing queries and reporting. For more information, contact Intel 471.

