Aliases
Scattered Spider is tracked under numerous aliases across the threat intelligence community, reflecting both vendor-specific naming conventions and the group's deliberate identity fragmentation:
- Scattered Spider (CrowdStrike)
- UNC3944 (Mandiant)
- 0ktapus (Group-IB)
- Octo Tempest (Microsoft)
- Muddled Libra (Palo Alto)
- Scatter Swine (Okta)
- Storm-0875 (Microsoft)
- LUCR-3 (Permiso)
- Lapsus$ (Origin group)
- DEV-0537 (Microsoft)
- Roasted 0ktapus
- Star Fraud (self-assigned)
Note: The proliferation of aliases reflects the group's decentralized structure and the independent tracking efforts of various security vendors. Cross-referencing these names is essential when correlating threat intelligence across multiple sources.
Introduction
Scattered Spider is a financially motivated cybercrime collective that emerged in late 2021 through activity linked to Lapsus$, a teenage-led group known for large-scale data theft and extortion. The group relies heavily on social engineering rather than malware, using techniques such as SIM swapping, credential theft, insider bribery, and help-desk impersonation to gain access to enterprise environments.
Tracked under aliases including UNC3944, 0ktapus, and Scatter Swine, Scattered Spider primarily targets large organizations within the technology, telecommunications, financial services, BPO, gaming, hospitality, retail, and media sectors, with a geographic focus on English-speaking countries such as the United States, Canada, the United Kingdom, and Australia, alongside recent activity in Singapore and India.
By mid-2023, the group expanded from credential-driven intrusions to ransomware-based monetization, with observed collaboration alongside actors such as ShinyHunters by mid-2025 indicating increasing consolidation within the cybercriminal ecosystem.
Lapsus$ Campaign Infrastructure
Infrastructure Hunting Methodology
According to multiple published reports, Scattered Spider has been observed using domains that mimic legitimate identity infrastructure, particularly domains ending with -okta.com, as part of their social engineering and credential-harvesting operations.
Based on this reporting, we constructed a targeted urlscan.io query to identify recently observed infrastructure following this naming pattern:
page.url:"-okta.com/"
1. Initial Discovery: inside.sales-okta[.]com
This query returned a recent hit, inside.sales-okta[.]com, indicating continued or renewed use of Okta-themed domain impersonation consistent with Scattered Spider tradecraft.
Further investigation of the inside.sales-okta[.]com domain revealed the presence of a file hosted on the same infrastructure, indicating active content delivery rather than passive domain registration.
2. ASN-Based Infrastructure Expansion
We identified the associated autonomous system as ASN16509 and subsequently expanded our analysis to identify additional domains hosted within the same ASN that may be linked to Scattered Spider infrastructure.
Impersonation of Dakota
Impersonation of Zendesk: vpn-zendesk[.]com
As anticipated, the analysis confirmed that the identified domain vpn-zendesk[.]com belongs to Scattered Spider.
During our investigation, a suspicious file was identified. Subsequent analysis led to the identification of the following Indicators of Compromise:
3. SSO Domain Cluster: corp-sso[.]com
We identified an additional domain (gifts.corp-sso[.]com) hosted under the same ASN that followed a naming convention commonly associated with Scattered Spider activity, specifically the inclusion of "sso" within the domain name. This domain exhibited the same Indicators of Compromise (IOCs) previously observed in a confirmed Scattered Spider domain, vpn-zendesk[.]com.
Under the primary domain corp-sso[.]com, we identified multiple structurally similar subdomains:
- dash.corp-sso[.]com
- surveys.corp-sso[.]com
- unitedbancorp.corp-sso[.]com
- ceilebrite.corp-sso[.]com
This indicates a deliberate pattern of brand and service impersonation.
Further analysis uncovered additional domains following the same structural logic, extending to names that imitate U.S. government or cloud services:
- redeem.govcloud.us.com → imitating AWS GovCloud (US)
4. JARM Fingerprint & TLS Certificate Pivoting
Another previously identified domain, login.taxbit-okta[.]com, also aligned with Scattered Spider naming conventions.
Although the page itself exposed minimal content, it revealed key metadata including ASN13335, which enabled further pivoting across multiple intelligence platforms.
Pivot Points Identified
Additional pivot points were identified, including a matching JARM fingerprint (27d40d40d00040d1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c) and a TLS certificate issued by C=US, O=Google Trust Services, CN=WE1.
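The pivoting described in this section, JARM, ASN, certificate issuer and shared hosted-file hash, is easy to get wrong by treating every shared attribute as equally strong. The following is an added example (not code from the original investigation) that scores candidate domains by how many attributes they share with a seed domain. The RECORDS list is a constructed sample shaped like urlscan.io-style results: the field names are assumed, the JARM and ASN values are the ones quoted above, the file hash is a placeholder, and example-benign[.]com is a constructed control entry.

```python
"""Pivot on shared infrastructure attributes across constructed scan records.

Added example, not part of the original write-up. Field names are assumed;
the file hash is a placeholder because the write-up does not publish one.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

Record = Dict[str, Optional[str]]

# Values quoted in the write-up.
JARM_SEEN = "27d40d40d00040d1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c"
GTS_WE1 = "C=US, O=Google Trust Services, CN=WE1"

# Constructed sample records (domains defanged as in the write-up).
RECORDS: List[Record] = [
    {"domain": "login.taxbit-okta[.]com", "asn": "AS13335", "jarm": JARM_SEEN,
     "cert_issuer": GTS_WE1, "file_sha256": None},
    {"domain": "pure-okta[.]com", "asn": "AS13335", "jarm": JARM_SEEN,
     "cert_issuer": GTS_WE1, "file_sha256": None},
    {"domain": "kraken-zendesk[.]com", "asn": "AS13335", "jarm": JARM_SEEN,
     "cert_issuer": None, "file_sha256": None},
    {"domain": "vpn-zendesk[.]com", "asn": "AS16509", "jarm": None,
     "cert_issuer": None, "file_sha256": "PLACEHOLDER_SHA256_A"},
    {"domain": "gifts.corp-sso[.]com", "asn": "AS16509", "jarm": None,
     "cert_issuer": None, "file_sha256": "PLACEHOLDER_SHA256_A"},
    # Constructed control entry: shares only the (very large) AWS ASN.
    {"domain": "example-benign[.]com", "asn": "AS16509", "jarm": None,
     "cert_issuer": None, "file_sha256": None},
]

# Ordered from most to least specific. A shared file hash or JARM is a strong
# link; ASN and a common public CA issuer are weak on their own, because
# AS16509 (Amazon), AS13335 (Cloudflare) and Google Trust Services' WE1
# intermediate front enormous amounts of legitimate traffic.
PIVOT_KEYS: Tuple[str, ...] = ("file_sha256", "jarm", "cert_issuer", "asn")


def index_by(records: Iterable[Record], key: str) -> Dict[str, Set[str]]:
    """Map each non-empty value of `key` to the set of domains carrying it."""
    idx: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        value = rec.get(key)
        if value:
            idx[value].add(rec["domain"])
    return idx


def pivot_from(records: List[Record], seed: str,
               keys: Tuple[str, ...] = PIVOT_KEYS) -> Dict[str, List[str]]:
    """For a seed domain, return {attribute: other domains sharing its value}."""
    seed_rec = next(r for r in records if r["domain"] == seed)
    hits: Dict[str, List[str]] = {}
    for key in keys:
        value = seed_rec.get(key)
        if not value:
            continue
        others = index_by(records, key)[value] - {seed}
        if others:
            hits[key] = sorted(others)
    return hits


def rank_candidates(records: List[Record], seed: str,
                    keys: Tuple[str, ...] = PIVOT_KEYS) -> List[Tuple[str, int]]:
    """Rank other domains by the number of pivot attributes shared with the seed."""
    counts: Dict[str, int] = defaultdict(int)
    for domains in pivot_from(records, seed, keys).values():
        for domain in domains:
            counts[domain] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def strong_matches(records: List[Record], seed: str, min_shared: int = 2) -> List[str]:
    """Domains sharing at least `min_shared` attributes; filters out ASN-only hits."""
    return [d for d, n in rank_candidates(records, seed) if n >= min_shared]


if __name__ == "__main__":
    for seed in ("login.taxbit-okta[.]com", "vpn-zendesk[.]com"):
        print(seed, pivot_from(RECORDS, seed), strong_matches(RECORDS, seed))
```

Requiring at least two independent pivots before treating a domain as part of the cluster is the point of `strong_matches`: in the sample, the control domain that merely sits in the same ASN as vpn-zendesk[.]com is ranked but dropped, while the domain sharing both the ASN and the hosted file is kept.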
Domain Impersonation Analysis
TARGET: Binance
C2 Endpoint: massmutual-okta.com
We identified an additional domain, massmutual-okta[.]com, which was not actively serving visible content at the time of analysis; however, behavioral indicators suggest it was functioning as a C2 endpoint.
Okta-Themed Domain Cluster
Other identified domains (login.taxbit-okta[.]com, ov-okta[.]com, no-reply-okta[.]com) did not appear to host active services; however, a downloadable file was observed on the domain. Investigation revealed that this file shared the same IOCs previously confirmed in a known Scattered Spider domain, vpn-zendesk[.]com, reinforcing its linkage to the group's infrastructure.
JARM Confirmation: pure-okta[.]com
Although inactive, it carries the same JARM fingerprint observed in other domains.
Cryptocurrency & Financial Infrastructure Targeting
Elavon Payment Processor Impersonation
Domain elevon-payment[.]com impersonates Elavon Inc., a U.S. Bancorp subsidiary.
Linked to this infrastructure, we identified an additional domain, fusebox-elavon[.]org, which also impersonates Elavon and hosts the same downloadable file observed across other confirmed Scattered Spider domains.
Kraken Cryptocurrency Exchange
Using the same JARM fingerprint, we identified an additional domain, kraken-zendesk[.]com, which impersonates Kraken, a U.S.-based cryptocurrency exchange. While the domain itself does not directly host malicious content, its effective URL resolves to www.kraken[.]com, where multiple downloadable files were observed. Notably, files identified in 2025 were assessed as malicious, indicating potential abuse of redirection or trusted-brand association consistent with Scattered Spider delivery tactics.
Ledger Hardware Wallet
Returning to our initial hypothesis, we continued searching for domains ending in "-okta[.]com" and identified ledgerfr-okta[.]com. Given Scattered Spider's previously observed involvement in cryptocurrency-related targeting, the impersonation of Ledger, a widely used crypto hardware wallet provider, suggests a likely attempt to abuse trusted crypto infrastructure as part of social engineering or credential-harvesting activity.
OpenSea NFT Marketplace
Sharing the same IP address, we identified another domain, opensea-okta[.]com, which exhibits the same structural and behavioral characteristics as other confirmed Scattered Spider infrastructure.
It is an imitation of OpenSea, which is an American online marketplace for non-fungible tokens. It facilitates the buying, selling, and minting of NFTs across a range of blockchains.
IP Clusters: 149.50.97.210 & 178.16.54.185
Some of the domains found on the IP 149.50.97[.]210, such as ripple-okta[.]com and 8923930[.]com, have recent creation dates, indicating that they are part of the same fresh campaign.
The domain ledgerfr-okta[.]com is also hosted on a separate IP address, 178.16.54[.]185, and was observed making outgoing connections to Plesk, a web hosting control panel commonly used for managing virtual private or dedicated servers. We identified multiple domains hosted on this IP that are linked to confirmed Scattered Spider infrastructure.
Extended Brand Impersonation Gallery
Impersonation of Plesk
Web hosting control panel
- webmail.compliancy-sendgrid[.]com
- support-keap[.]com
- compliance-salesforce[.]com
- por-stellar[.]com
- compliance-stellar[.]org
- compliancy-sendgrid[.]com
- login-brevo[.]com
- daims-ftx[.]com
- myemma-mailling[.]com
- infusionssoft[.]app
- twilio-segment[.]com
- myemma[.]app
- firesprinng[.]com
- firespring-e2ma[.]net
- recoverytrustftx[.]net
- app.hubcpot[.]com
- airdrop-dop[.]org
- post.dpsexpo[.]ae
Homograph Attack Techniques Detected
- rnailerrlite[.]com → the "m" is replaced with "rn" to mimic "mailerlite"
- blcckfi[.]com → typosquat of "blockfi", a cryptocurrency lending platform
- rnyemma[.]app → "m" → "rn" pattern targeting "myemma"
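The three homograph cases above (rn for m substitution, a single-character typosquat, and the same substitution applied to a different brand) can all be caught with one small normalizer plus an edit-distance check, and the same check also flags the "brand + okta" and "brand embedded in a longer label" constructions seen throughout this write-up. The following is an added example, not code from the original investigation: the brand list and the confusable-sequence table are assumptions chosen to cover the brands named on this page, and the defanged domains used as input are the ones listed above.

```python
"""Detect confusable-character homographs, typosquats and embedded brand names
in defanged domain names.

Added example, not part of the original write-up. BRANDS and CONFUSABLES are
assumed lists built from the brands named on the page; extend them for your
own watch list.
"""
from typing import Dict, List, Tuple

# Assumed watch list of impersonated brands (lower-case, no TLD).
BRANDS: List[str] = [
    "okta", "zendesk", "mailerlite", "blockfi", "myemma", "hubspot",
    "infusionsoft", "firespring", "elavon", "kraken", "ledger", "opensea",
    "salesforce", "sendgrid", "brevo", "keap", "trezor", "mailgun",
    "intercom", "plesk", "stellar", "twilio", "segment", "ftx",
]

# Assumed table of character sequences that render alike in common fonts.
CONFUSABLES: Dict[str, str] = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

Finding = Tuple[str, str, str]  # (token, brand, kind)


def refang(domain: str) -> str:
    """Turn the write-up's defanged form (example[.]com) back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()


def normalize_confusables(text: str) -> str:
    """Collapse look-alike sequences so 'rnailerlite' compares as 'mailerlite'."""
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(domain: str) -> List[Finding]:
    """Return one finding per (label token, brand) pair that looks like impersonation.

    kinds: exact      - the token is the brand itself (e.g. "ledgerfr-okta")
           confusable - equals the brand after confusable normalization (rn -> m)
           typosquat  - within one edit of the brand (brands of 5+ chars only,
                        to keep short names such as "ftx" from matching noise)
           embedded   - a 5+ char brand appears inside a longer token
    """
    host = refang(domain)
    labels = host.split(".")[:-1]  # drop the TLD; everything else is attacker-chosen
    tokens = [tok for label in labels for tok in label.split("-") if tok]
    findings: List[Finding] = []
    for tok in tokens:
        norm = normalize_confusables(tok)
        for brand in BRANDS:
            if tok == brand:
                kind = "exact"
            elif norm == brand:
                kind = "confusable"
            elif len(brand) >= 5 and levenshtein(norm, brand) <= 1:
                kind = "typosquat" if norm == tok else "confusable+typosquat"
            elif len(brand) >= 5 and brand in tok:
                kind = "embedded"
            else:
                continue
            findings.append((tok, brand, kind))
    return findings


def scan(domains: List[str]) -> Dict[str, List[Finding]]:
    """Run analyze() over a list and keep only the domains with findings."""
    return {d: f for d in domains if (f := analyze(d))}


if __name__ == "__main__":
    for dom, hits in scan(["rnailerrlite[.]com", "blcckfi[.]com", "rnyemma[.]app",
                           "app.hubcpot[.]com", "ledgerfr-okta[.]com"]).items():
        print(dom, hits)
```

Because the TLD is dropped and every remaining label is split on hyphens, the check works on subdomains and on "prefix-brand" constructions alike; the one-edit threshold is applied only to brands of five or more characters, which is the usual trade-off between catching blcckfi-style squats and drowning in false positives on short names.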
Plesk Impersonation
Salesforce Impersonation
Trezor Impersonation
Keap Impersonation
Mailgun Impersonation
Brevo Impersonation
Segment.io Impersonation
SendGrid Impersonation
GolfN Impersonation
Intercom Impersonation
Microsoft Impersonation
Conclusions
This investigation reveals the extensive infrastructure footprint maintained by Scattered Spider, demonstrating a systematic approach to brand impersonation, identity infrastructure abuse, and credential harvesting operations.
- Consistent use of the -okta.com suffix and SSO-themed domains.
- Focus on cryptocurrency platforms and payment processors.
- Shared JARM fingerprints and IOCs enable hunting.
Key Takeaways
- Social Engineering > Malware: human manipulation over technical exploits.
- Fresh Infrastructure: many domains recently created = active campaigns.
- Homograph Attacks: character substitution (rn → m) to evade detection.
- Pivot Points: JARM, ASN and IOC correlation for hunting.