Sarina

I. Introduction

Scattered Spider is a large and loosely affiliated cybercrime group also referred to as UNC3944 or Octo Tempest. This group is made up of teens and young adults who primarily target companies in the U.S. and U.K. for financial gain (CISA, 2025).

Their attacks are heavily reliant on social engineering. Common tactics include bombarding employees with repeated MFA prompts (“push bombing”), hijacking phone numbers through SIM-swap attacks, and impersonating IT help desk staff to steal credentials. Once inside, they use “everyday” administrative tools and legitimate remote access applications to move quietly through networks, steal sensitive data, and in many cases deploy ransomware such as DragonForce [1, 2]. Scattered Spider is a serious concern because they adapt quickly, move across multiple industries, and combine human manipulation with technical persistence. [2, 7]

In today’s fast-paced technological and cybersecurity environment, staying ahead of the game is critical, and members of the Scattered Spider understand this well. They take advantage of the newest technologies, quickly identifying vulnerable areas and exploiting them for attack. For this reason, they have gained reputation as one of the most dangerous threat groups active today.

This report will outline who they target, the tactics they use, indicators of compromise, and how different roles can defend against them.

II. Target

Scattered Spider’s targets span across multiple industries, with the most recent being retail, insurance companies, and aviation. These incidents have impacted many countries worldwide and are most heavily hit in the U.S. and U.K. They go after large companies exploiting help desks and compromising third-party vendors such as customer support platforms, IT contractors, or cloud services. The following examples highlight major attacks between April and July 2025.

• April 2025
  • Marks and Spencer (Retail, U.K.) – Struck by a ransomware attack that disrupted operations, cut into sales, and exposed customer and employee data. Attackers gained access through social engineering that targeted IT help desks, a tactic characteristic of Scattered Spider [3].
  • Co-op (Retail, U.K.) – Experienced ransomware attacks causing data loss and service outages, negatively affecting company revenue and stock. Investigators revealed that access was granted through the impersonation of support staff and later passed to a ransomware-as-a-service (RaaS) operator, methods closely matching Scattered Spider’s standard techniques [4].

• May 2025
  • Victoria’s Secret (Retail, U.S.) – Forced to shut down their website and in-store services following a security breach that was part of a wider campaign targeting retail [5].
  • Adidas (Retail, Germany, global) – Confirmed theft of company and customer contact information through a third-party customer service provider [6].
• June 2025
  • AFLAC (Insurance, U.S.) – Confirmed a data breach with Scattered Spider’s use of social engineering suspected for initial access.
  • Philadelphia Indemnity Insurance (Insurance, U.S.) – Suffered a data breach linked to Scattered Spider’s use of Multi-Factor-Authentication (MFA) fatigue attacks.
  • WestJet (Aviation, Canada) – Data centers breached along with their Microsoft Cloud environment. Scattered Spider gained their initial access through password reset on an employee account and using MFA to gain further access.
  • Hawaiian Airlines (Aviation, U.S.) – Believed to have also been attacked by Scattered Spider, although investigations are ongoing and see similarities in tactics to other airline attacks.
• July 2025
  • Qantas (Aviation, Australia) – Suffered significant data breach through a third-party customer service platform affecting nearly 6 million customers. Members of the Scattered Spider are believed to be responsible through targeting an IT call center.
  • Azpiral (Loyalty Program Provider, U.K.) – Loyalty program provider for Co-op UK, disclosed a cyberattack extending impact beyond the retail company itself [7].

III. Tactics and Techniques

Scattered Spider incorporates a wide range of Tactics, Techniques, and Procedures (TTPs) to get what they want. They consistently rely on social engineering, most commonly impersonation of IT or Helpdesk personnel to deceive employees into revealing credentials, approving MFA prompts, or granting remote access.

The following list shows their tactics and techniques, along with the corresponding MITRE ATT&CK technique IDs.

IV. Adversary Tools and Services

Scattered Spider relies on social engineering and trusted IT tools rather than custom malware. This helps them stay undiscovered in corporate environments [4].

Based on the recently published reports by CISA (2025) and CrowdStrike (2025), they use the following tools and services to maintain their persistence in the compromised systems:

1. Remote Access Tools: AnyDesk, TeamViewer, Teleport.sh, and ScreenConnect provide persistent remote connectivity by tunneling over the internet [1].
2. Cloudflare Tunnels: Cloudflare’s trycloudflare creates encrypted tunnels that bypass company firewalls and VPNs without raising suspicion. [9].
3. Communication Platforms: Slack, Microsoft Teams and even SMS platforms would be exploited for social engineering, impersonating IT staff and targeting privileged users [9].
4. Cloud Storage and Databases: Mega.nz, and Amazon S3, and Snowflake are mishandled for large-scale data exfiltration. Thousands of rapid queries would be used to pull out huge amounts of data in a very short time [9].
5. Living off the Land Tools: PsExec, Powershell and Remote Desktop Protocol (RDP) allows for stealthy command execution, credential theft, and lateral movement disguised as routine I activity [9, 10].
6. Malware and Ransomware (less common): AveMaria/WareZone (RAT), Racoon and Vidar (stealers), and ALPHV/BlackCat or DragonForce (ransomware) are deployed occasionally for persistence, theft, and extortion [1, 12].

V. Indicators of Compromise (IOCs)

Because Scattered Spider is known for blending in with legitimate user activity, this makes spotting them challenging. To stay ahead of them, defenders should look for subtle anomalies that give away their presence rather than just the tools themselves [11]. These clues, when pieced together, can help identify an attack even before major damage is done.

1. Impersonation Domains: Fake login/helpdesk sites. These domains typically impersonate corporate login or IT helpdesk pages, making them appear trustworthy to targets.

• In the past they have used: [1]
  • targetsname-sso[.]com,
  • targetsname-servicedesk[.]com,
  • targetsname-okta[.]com,
  • targetsname-helpdesk[.]com,
  • oktalogin-targetcompany[.]com

2. Remote Access Abuse: Unexpected installation of remote access tools like AnyDesk, TeamViewer, Teleport.sh, and ScreenConnect (mentioned above) or unusual connections to unknown domains.

3. Tunneling Traffic: Repeated connections to trycloudflare domains that bypass VPN/firewalls.

4. Abnormal Data Exfiltration Patterns: Bursts of SQL queries executed against databases, large uploads to Mega.nz or Amazon S3 buckets outside of normal workflow [8], or high-volume outbound traffic from accounts or servers that don’t usually transfer large datasets.

5. Credential and Privilege Abuse: Repeated failed login attempts followed by successful access from a new or foreign IPs, unexpected privilege escalations or password resets, and MFA bypass attempts via helpdesk calls (vishing) or SIM swaps [13].

VI. Recommendations

Scattered Spider has impacted a wide range of individuals within targeted organizations by exploiting both human behavior and weaknesses in cloud identity systems. Their tactics allow them to compromise accounts across all levels of a company. Because their attacks touch so many different roles, a one-size-fits-all approach to mitigation would be insufficient.

This report breaks down mitigation strategies by role group, focusing on the four most frequently targeted groups: IT Support and Help Desk Personnel, Identity & Access Administrators, Executives & High-Privilege Users, and Standard Users across the Organization. Each section highlights who these groups are, how they are attacked, and what can be done to reduce the exposure to the attack, boosting resilience to a group whose playbook is to exfiltrate victims’ data and extort them for financial gain.

1. IT Support & Help Desk Personnel: Front-liners responsible for password resets, multi-factor authentication setup/resets, as well as employee account recovery. Scattered Spider targets this group the most by frequently impersonating employees calling IT support and Help desk personnel during after-hours (A time when not many people are around to verify legitimacy) requesting an “authentication reset” to gain remote access on that employee’s device.

How to Defend:

• • Be trained in detecting social engineering, especially during after-hours or peak times when there are multiple requests in short windows.’
  • Create a process that can be implemented for out of band authorization, meaning that if an employee calls saying they have lost their password and phone, be able to differentiate between a legitimate employee calling and a threat actor, like Scattered Spider, calling in to gain initial access.
  • Log and audit all reset/MFA enrollment and reset requests.
  • Block unauthorized Remote Monitoring and Management tools.
  • Use fallback verification channels, such as alternate phone numbers, to confirm identity.

2. Identity & Access Management Administrators: Control who can log into systems and what they can access. IAM Administrators manage passwords, multi-factor authentication, cloud access, and application permissions. They essentially hold the keys to everything. If an attacker compromises an IAM account, they can access multiple systems, escalate privileges to gain even more control, disable protections like MFA, remain hidden longer, exfiltrate sensitive data, or launch larger attacks.

How to Defend:

• Have strong conditional access policies. Conditional access policies let you restrict logins to known IPs, managed devices, and geofenced locations, as well as specify token lifetimes to be short enough so even if it was stolen it will not work [14].
• Use stronger multi-factor authentication for admins, such as hardware-based tokens or NFC connections. Hardware tokens are highly resistant to phishing and are not reliant on mobile devices [15].
• Implement passkeys for employee authentication. Passkeys are cryptographic keys stored directly to a specific device and cannot be linked or synced to other devices [16].
• Don’t let admin access be “always on.” Give admin access only when necessary, not all the time. (This is also called “just-in-time” access.)
• Implement allow-listing and block known applications used by Scattered Spider and only allowing specific internal tools used within the company [17].
• Watch for suspicious activity. Flag whenever someone logs in from a new device or location, or if a login token gets reused.
• Clean up unused integrations. Disconnect old logins and apps that are no longer used, as they are an easy way to get in.

3. Executives & High-Privilege Users: Individuals with access to extremely valuable data, such as sensitive financial, legal, or insurance information. They are the prime targets for extortion and leveraging attacks due to having broader system privileges across the organization.

Why they are targeted: Offers high-value access with minimal friction. Executives often have direct access to confidential documents; their accounts typically have higher internal trust, and if compromised, could be used to trick others within the organization. Executive accounts are also often over-permissioned and interwoven in multiple high-risk systems, so one compromise can rapidly destruct laterally.

How to Defend:

• Be phishing savvy.
• Use hardware-based multi-factor authentication to prevent SIM-swaps and push bombing, a method used to overwhelm a user with repeated multi-factor authentication push notifications in hopes that the user will eventually approve out of annoyance.

4. Standard Users Across the Organization: Everybody else using email, SaaS (Software-As-A-Service, software solutions delivered over the internet on a subscription basis) apps, and cloud tools.

How they are targeted: Phishing, smishing, and multi-factor authentication attacks

How to Defend:

• Partake in ongoing training with phishing and smishing simulations and report suspicious MFA prompts.
• Use strong passwords, including no reuse, no hints, and use of password managers.
• Disable email-based onetime passwords as this can be leveraged to gain onwards authentication.
• Enable account lockouts after failed login attempts to limit brute-force access.
• Block unauthorized software, especially remote access or monitoring tools.
• Update devices and software regularly.
• Be cautious when uploading or sharing files in cloud platforms like SharePoint, Slack, or email.

VII. References

[1] Scattered spider: Cisa. Cybersecurity and Infrastructure Security Agency CISA. (2025, July 31). https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

[2] Scattered spider. Scattered Spider, Roasted 0ktapus, Octo Tempest, Storm-0875, Group G1015 | MITRE ATT&CK®. (2024, April 4). https://attack.mitre.org/versions/v17/groups/G1015/

[3] Tidy, J. (2025, May 21). M&S and co-op hacks: Scattered spider is focus of police investigation. BBC News. https://www.bbc.com/news/articles/ckgnndrgxv3

[4] Poston, H. (2022, March 21). £300m gone: How scattered spider hit the UK’s biggest retailers. Hack The Box. https://www.hackthebox.com/blog/scattered-spider-insurance-retail-attacks

[5] Silberstein, N. (2025, June 13). Update: May cyber attack expected to cost victoria’s secret $20 million. Retail TouchPoints. https://www.retailtouchpoints.com/topics/security/data-security/victorias-secret-latest-hit-in-growing-swath-of-retail-cyber-attacks

[6] Beek, K. (2025, May 27). Adidas falls victim to third-party Data Breach. https://www.darkreading.com/vulnerabilities-threats/adidas-victim-third-party-data-breach

[7] Scattered spider targets tech companies for help-desk exploitation. ReliaQuest. (2025, June 23). https://reliaquest.com/blog/scattered-spider-cyber-attacks-using-phishing-social-engineering-2025/

[8] Fadilpašić, S. (2025, July 30). FBI, CISA warn of more scattered spider attacks to come. TechRadar. https://www.techradar.com/pro/security/fbi-cisa-warn-of-more-scattered-spider-attacks-to-come

[9] Scattered spider escalates attacks across industries. CrowdStrike. (n.d.). https://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks/

[10] Yasir, S. (2025, July 7). Inside the scattered Spider Attack: How a UK retail giant was breached and what it means for… Medium. https://medium.com/@shaheeryasirofficial/inside-the-scattered-spider-attack-how-a-uk-retail-giant-was-breached-and-what-it-means-for-e3e94a7ce5bf

[11] Richardson, J. (2025, July 29). Scattered spider: The looming shadow over U.S. cybersecurity. Medium. https://medium.com/@the-prototype/scattered-spider-the-looming-shadow-over-u-s-cybersecurity-e8ce141185a5

[12] Tahir. (2025, May 2). Unmasking the scattered Spider Threat actor. Medium. https://medium.com/@tahirbalarabe2/%EF%B8%8Funmasking-the-scattered-spider-threat-actor-6435c2439ed7

[13] Doyle, A., & Langley, M. (2025, June 9). Scattered spider: A web of social engineering – threat actors. Daily Security Review. https://dailysecurityreview.com/resources/threat-actors-resources/scattered-spider-a-web-of-social-engineering/

[14] Shastri, V. (2025, January 15). What is conditional access?. CrowdStrike. https://www.crowdstrike.com/en-us/cybersecurity-101/identity-protection/conditional-access/

[15] Horn, P. (2025, July 11). Passkeys vs Hardware Tokens: Phishing-resistant MFA. Accutive Security – The IAM + Crypto Products and Services Company. https://accutivesecurity.com/guide-to-passkeys-and-hardware-security-tokens-yubikeys/

[16] Passkeys: Passwordless authentication. FIDO Alliance. (2025, July 24). https://fidoalliance.org/passkeys/

[17] What is allowlisting?: Broadcom. Broadcom Inc. (n.d.). https://www.broadcom.com/topics/allowlisting

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Waratchaya Luangphairin (June), Taylor Alvarez, Lara Radovanovic, Sneha Lama

To learn more about Cyber Florida visit: www.cyberflorida.org

I. Targeted Entities

Deepfake technologies pose a threat to a wide range of entities, including but not limited to:

• Individuals / General Public
• Politicians and Political Processes
• Celebrities and Public Figures
• Organizations and Corporations:
• Senior Executives
• Financial Sector
• Government Officials and Agencies

II. Introduction and Key Treat Details

Introduction

Synthetic media generated by Artificial Intelligence (AI), commonly known as deepfakes, are rapidly multiplying and increasing in sophistication. We are currently witnessing a significant surge in deepfake incidents; for instance, there was a 257% rise in recorded incidents from 2023 to 2024, and the rest quarter of 2025 alone surpassed the total incidents of the previous year.

The potential impacts are severe and varied. These include substantial financial losses for organizations and individuals, as seen by the $25 million fraud at Arup, where executives were impersonated via deepfake video. Deepfakes are key in disinformation campaigns that erode public trust and can influence political outcomes, such as through fake calls targeting voters. Furthermore, the technology is used to create non-consensual explicit content and enhance the effectiveness of social engineering attacks.

As outlined in Section I, targets span from the general public and public gures to corporations (particularly in nance) and government entities. Addressing this emerging threat requires a multi-layered strategy. Organizations must implement robust cybersecurity policies, conduct continuous employee awareness training, deploy technical safeguards, and enforce strict verification protocols. Also, individuals need to develop media literacy, enhance personal data security, and be skeptical of certain online information. Ocial bodies, such as the FBI, are increasingly issuing warnings and guidance, indicating a move towards more collaborative defense.

Key Threat Details

Threat Type: The threat involves the malicious use of deepfakes, which are AI-generated synthetic media (audio, video, or images) carefully crafted to impersonate real individuals or fabricate events that never occurred. The primary technology empowering deepfakes is Generative Adversarial Networks (GANs). A GAN consists of two neural networks: a 'generator' that creates the fake content and a 'discriminator' that attempts to distinguish the fake content from authentic examples. Through an iterative, adversarial training process, the generator becomes progressively better at creating realistic fakes that can deceive the discriminator, and ultimately, human perception. This technology is leveraged by increasingly accessible software, with tools like Iperov's DeepFaceLab and FaceSwap, and services like Voice.ai, Mur.ai, and Elevenlabs.io for voice cloning.

Targets

• Individuals (General Public): Targeted for fraud, non-consensual explicit content, and harassment.
• Politicians and Political Processes: Disinformation campaigns, impersonation to influence elections, and reputational attacks.
• Celebrities and Public Figures: Often targeted for non-consensual explicit content, endorsement scams, and reputational damage.
• Organizations and Corporations:
  • Senior Executives (CEOs, CFOs): Impersonated in financial fraud schemes.
• Financial Sector: Targeted for large-scale fraud, market manipulation through disinformation, and undermining customer trust.
• Government Officials and Agencies: Impersonated to obtain sensitive information, spread disinformation, or authorize fraudulent actions.

Impact

If successful, deepfake attacks can lead to:

• Financial Fraud: Significant monetary losses through impersonation of executives or trusted parties to authorize fraudulent transactions (vishing).
• Disinformation and Political Destabilization: Manipulation of public opinion, interference in elections, incitement of social unrest, and damage to democratic processes.
• Reputational Harm: Severe damage to personal or corporate reputations through the creation and dissemination of non-consensual explicit material, defamatory statements, or fabricated incriminating evidence.
• Social Engineering and Data Breaches: Gaining unauthorized access to sensitive systems or information by impersonating trusted individuals and deceiving employees.
• Erosion of Trust: Diminished public trust in authentic media, institutions, and digital communication ("liar's dividend").
• Operational Disruption: Business operations can be disrupted by disinformation campaigns or internal fraud incidents.

Contextual Info

Deepfake technology is accessible to a wide spectrum of malicious actors. This includes individual fraudsters, online harassers, organized criminal enterprises focused on financial gain, and potentially state-sponsored groups deploying deepfakes for complex disinformation campaigns and political interference.

Related Campaigns/Past Activity

The versatility of deepfakes is seen through various high-prole incidents:

• The $25 million financial fraud at Arup, where attackers used deepfake video and audio to impersonate senior executives in a conference call, compelling an employee to make unauthorized transfers.
• AI-generated calls impersonating U.S. President Joe Biden, which urged voters in New Hampshire not to participate in the primary election, representing a direct attempt at election interference.
• The widespread creation and distribution of non-consensual explicit deepfake images of public gures like Taylor Swi, highlighting the potential for severe personal and reputational harm.

MITRE ATT&CK TTPs

T1566 Phishing: Deepfakes, especially audio (voice clones), are used in vishing (voice phishing) campaigns, aligning with sub-techniques like T1566.003 Spearphishing Voice.

T1591.002 Create/Modify Content: Deepfakes inherently involve creating or modifying content to deceive, related to broader information operations or influence campaigns.

IV. Recommendations

For Organizations

Policies:

• Develop and enforce robust cybersecurity policies that address the risks of deepfake attacks. Integrate deepfake scenarios into incident response plans and conduct regular practice incidents.
• Establish clear guidelines on the acceptable use of AI and synthetic media tools within the organization.

Awareness/Training:

• Implement continuous security awareness training for all employees, leadership, and relevant third parties. Training should cover deepfake identification, the psychological tactics used by attackers (e.g., urgency, authority bias), and established reporting procedures.

Technical Safeguards:

Enforce strong Multi-Factor Authentication (MFA) across all systems and users, prioritizing stronger methods for critical access points.

Deploy AI-powered detection tools for high-risk communication channels (e.g., video conferencing, customer service calls).

Adopt a Zero Trust security architecture, assuming no user or device is inherently trustworthy without continuous verification.

Monitor for Virtual Camera Software in Logs: For live deepfake attacks, attackers may use virtual camera software like Open Broadcaster Software (OBS) to feed the manipulated video into the meeting application. If logging is enabled for platforms like Zoom or Microsoft Teams, security teams can review logs for camera device names. The presence of uncommon camera names like 'OBS Virtual Camera' can be a strong indicator of a deepfake attempt, since this software is not typically used by employees for standard meetings.

Verification and Controls:

• Implement strict verification (e.g., phone call authentication) for any unusual or high-value requests, specifically those involving financial transfers, changes to payment details, or disclosure of sensitive information over digital channels.
  • Implement "master passcodes" or challenge questions for authenticating identities during sensitive communications.
  • Enforce dual approvals for significant decisions/transactions.

Preventative Measures:

• Minimize the public availability of audiovisual material of executives/employees to limit training data for attackers.
• Assess organizational susceptibility to deepfake attacks, identifying vulnerable processes and personnel.

For Individuals

Increase Media Literacy and Critical Thinking:

• Approach online content with healthy skepticism. Question the authenticity of unexpected, sensational, or emotionally manipulative videos, audio messages, or images.
• Always consider the source of information. Verify claims through multiple reputable sources before accepting them as true.

Recognize Potential Red Flags:

• Be aware of common visual indicators such as unnatural eye movements, mismatched lighting, a face that flickers when an object passes in front of it, or an unwillingness from the person to show their side prole. For audio, listen for robotic cadence, unnatural pitch, or lack of emotional inection. 17 However, understand that sophisticated deepfakes may not exhibit obvious aws.

Protect Personal Data:

• Review and tighten privacy settings on all social media accounts to limit public access to personal images, videos, and information.
• Be mindful of the amount of personal audiovisual data shared online.

Verify and Report:

• If you receive a suspicious or urgent request, even if it appears to be from a known contact, verify it through a separate, trusted communication channel (e.g., call a known phone number).
• Report suspected deepfakes immediately to the platform where they are hosted. If the deepfake is being used for malicious purposes (e.g., fraud, harassment, defamation, non-consensual explicit content), report it to law enforcement agencies.

VII. References

Works cited

Deepfake statistics 2025: how frequently are celebrities targeted?, accessed June 7, 2025, hps://surfshark.com/research/study/deepfake-statistics

Cybercrime: Lessons learned from a $25m deepfake attack | World …, accessed June 7, 2025, hps://www.weforum.org/stories/2025/02/deepfake-ai-cybercrime-arup/

Understanding the Hidden Costs of Deepfake Fraud in Finance – Reality Defender, accessed June 7, 2025, hps://www.realitydefender.com/insights/understanding-the-hidden-costs-of-de epfake-fraud-in-nance

Top 5 Cases of AI Deepfake Fraud From 2024 Exposed | Blog – Incode, accessed June 7, 2025, hps://incode.com/blog/top-5-cases-of-ai-deepfake-fraud-from-2024-exposed/

Gauging the AI Threat to Free and Fair Elections | Brennan Center for Justice, accessed June 7, 2025, hps://www.brennancenter.org/our-work/analysis-opinion/gauging-ai-threat-free-and-fair-elections

FBI warns of fake texts, deepfake calls impersonating senior U.S. …, accessed June 7, 2025, hps://cyberscoop.com/i-warns-of-ai-deepfake-phishing-impersonating-government-ocials/

Top 10 Terrifying Deepfake Examples – Arya.ai, accessed June 7, 2025, hps://arya.ai/blog/top-deepfake-incidents

Deepfake threats to companies – KPMG International, accessed June 7, 2025,hps://kpmg.com/xx/en/our-insights/risk-and-regulation/deepfake-threats.html

Cybercrime Trends: Social Engineering via Deepfakes | Lumi Cybersecurity, accessed June 7, 2025,hps://www.lumicyber.com/blog/cybercrime-trends-social-engineering-via-dee pfakes/

Investigation nds social media companies help enable explicit deepfakes with ads for AI tools – CBS News, accessed June 7, 2025, hps://www.cbsnews.com/video/investigation-nds-social-media-companies-he lp-enable-explicit-deepfakes-with-ads-for-ai-tools/

How to Mitigate Deepfake Threats: A Security Awareness Guide – TitanHQ, accessed June 7, 2025, hps://www.titanhq.com/security-awareness-training/guide-mitigate-deepfakes/

Deepfake Defense: Your Shield Against Digital Deceit | McAfee AI Hub, accessed June 7, 2025, hps://www.mcafee.com/ai/news/deepfake-defense-your-8-step-shield-against-digital-deceit/

FBI Warns of Deepfake Messages Impersonating Senior Ocials …, accessed, June 7, 2025, hps://www.securityweek.com/i-warns-of-deepfake-messages-impersonating-senior-ocials/

FBI Alert of Malicious Campaign Impersonating U.S. Ocials Points to the Urgent Need for Identity Verication – BlackCloak | Protect Your Digital Life™, accessed June 7, 2025, hps://blackcloak.io/i-alert-of-malicious-campaign-impersonating-u-s-ocials-points-to-the-urgent-need-for-identity-verication/

AI's Role in Deepfake Countermeasures and Detection Essentials from Tonex, Inc. | NICCS, accessed June 7, 2025, hps://niccs.cisa.gov/training/catalog/tonex/ais-role-deepfake-countermeasures-and-detection-essentials

What is a Deepfake Aack? | CrowdStrike, accessed June 7, 2025, hps://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/deepfa ke-aack/

Determine Credibility (Evaluating): Deepfakes – Milner Library Guides, accessed June 7, 2025, hps://guides.library.illinoisstate.edu/evaluating/deepfakes

Understanding the Impact of Deepfake Technology – HP.com, accessed June 7, 2025, hps://www.hp.com/hk-en/shop/tech-takes/post/understanding-impact-deepfake-technology

19.Deepfakes: Denition, Types & Key Examples – SentinelOne, accessed June 7, 2025, hps://www.sentinelone.com/cybersecurity-101/cybersecurity/deepfakes/

en.wikipedia.org, accessed June 7, 2025, hps://en.wikipedia.org/wiki/Deepfake#:~:text=While%20the%20act%20of%20cr eating,generative%20adversarial%20networks%20(GANs).

What are deepfakes? – Malwarebytes, accessed June 7, 2025, hps://www.malwarebytes.com/cybersecurity/basics/deepfakes

Complete Guide to Generative Adversarial Network (GAN) – Carmatec, accessed June 7, 2025, hps://www.carmatec.com/blog/complete-guide-to-generative-adversarial-network-gan/

How to Get Started with GANs: A Step-by-Step Tutorial – Draw My Text – Text-to-Image AI Generator, accessed June 7, 2025, hps://drawmytext.com/how-to-get-started-with-gans-a-step-by-step-tutorial/

Detection of AI Deepfake and Fraud in Online Payments Using GAN-Based Models – arXiv, accessed June 7, 2025, hps://arxiv.org/pdf/2501.07033

What is a GAN? – Generative Adversarial Networks Explained – AWS, accessed June 7, 2025, hps://aws.amazon.com/what-is/gan/

Overview of GAN Structure | Machine Learning – Google for Developers,accessed June 7, 2025, hps://developers.google.com/machine-learning/gan/gan_structure

Unlocking the Power of GAN Architecture Diagram: A Comprehensive Guide for Developers, accessed June 7, 2025, hps://www.byteplus.com/en/topic/110690

We Looked at 78 Election Deepfakes. Political Misinformation Is Not an AI Problem., accessed June 7, 2025, hps://knightcolumbia.org/blog/we-looked-at-78-election-deepfakes-political-misinformation-is-not-an-ai-problem

What is a deepfake? – Internet Maers, accessed June 7, 2025, hps://www.internetmaers.org/resources/what-is-a-deepfake/

Don't Be Fooled: 5 Strategies to Defeat Deepfake Fraud – Facia.ai, accessed June 7, 2025, hps://facia.ai/blog/dont-be-fooled-5-strategies-to-defeat-deepfake-fraud/

Top 10 AI Deepfake Detection Tools to Combat Digital Deception in 2025 SOCRadar, accessed June 7, 2025, hps://socradar.io/top-10-ai-deepfake-detection-tools-2025/

How to Spot Deepfakes – Fake News – Dr. Martin Luther King, Jr. Library at San José State University Library, accessed June 7, 2025, hps://library.sjsu.edu/fake-news/deepfakes

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Derek Kravetsky

I. Targeted Entities

• Western logistics entities and technology companies involved in transportation and coordination of aid to Ukraine.
• Defense industry entities
• Transportation hubs (ports, airports)
• Maritime sectors
• Air traffic management systems
• IT services

II. Introduction

Since early 2022, the Russian General Staff Main Intelligence Directorate (GRU), specifically its 85th Main Special Service Center (85th GTsSS), also identified as APT28, Fancy Bear, Forest Blizzard, and BlueDelta, has been actively conducting cyber espionage operations against Western logistics and technology entities. This ongoing campaign primarily targets entities facilitating foreign assistance to Ukraine, highlighting a strategic effort to monitor, disrupt, or influence the flow of aid to Ukraine.

Attack Details: The GRU unit 26165 has leveraged sophisticated cyber espionage tactics, including credential guessing, spearphishing, exploitation of known vulnerabilities, and abuse of internet-facing infrastructure such as corporate VPNs. Notable vulnerabilities exploited in this campaign include CVE-2023-23397 (Outlook NTLM), CVE-2023-38831 (WinRAR), and several Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026).

Recent analysis highlights the GRU’s use of geopolitical event lures, notably exploiting the Israel-Hamas conflict to deliver the HEADLACE malware, enabling comprehensive network penetration and persistent espionage (Mühr, Zaboeva, & Fasulo, 2025).

III. MITRE ATT&CK Framework

Initial Access:

• Exploitation of Public-Facing Applications (T1190)
  • Exploited known vulnerabilities in publicly accessible applications such as Microsoft Exchange and corporate VPNs to achieve initial entry.
• Spearphishing (T1566)
  • Distributed carefully crafted phishing emails using contextually relevant geopolitical lures (e.g., Israel-Hamas conflict) to trick users into executing malicious payloads.
• Brute Force and Credential Guessing (T1110)
  • Conducted systematic credential guessing and brute force attacks targeting exposed remote services, including RDP and VPN logins.

Execution:

• Command and Scripting Interpreter (T1059)
  • Command and Scripting Interpreter (T1059) is a highly prevalent execution technique in MITRE ATT&CK that adversaries use to run arbitrary commands, scripts, or binaries on target systems via built in interpreters like PowerShell, cmd.exe, Bash, Python, JavaScript, AppleScript, Visual Basic and more.
• User Execution (T1204)
  • Deployed malicious attachments and phishing links designed to prompt users into inadvertently executing malicious scripts or payloads.

Persistence:

• Scheduled Task (T1053)
  • Established scheduled tasks to regularly execute malicious scripts and maintain long-term access.
• • Shortcut Modification (T1547.009)
• o Altered desktop shortcuts to point to malicious executables, ensuring persistent and subtle execution during regular user operations.

Privilege Escalation:

• Abuse of Elevation Control Mechanisms (T1548)
  • Exploited software vulnerabilities, notably CVE-2023-23397, enabling unauthorized elevation of privileges to access sensitive resources.

Credential Access:

• Credential Dumping (T1003)
  • Harvested credentials through techniques such as memory scraping, registry dumps, and exploitation of NTLM hashes.
• Exploitation of NTLM Vulnerability (CVE-2023-23397)
  • CVE 2023 23397 is a critical “zero touch” elevation of privilege vulnerability in Microsoft Outlook for Windows that allows attackers to exfiltrate a user’s Net NTLMv2 hash without any user interaction.

Lateral Movement:

• Remote Desktop Protocol (T1021.001)
  • Employed Remote Desktop Protocol to navigate laterally through compromised networks, enhancing the attacker’s reach and access.
• Use of tools such as Impacket and PsExec
  • Impacket is a Python-based collection of modules that allows attackers to craft and send network protocol packets, making it particularly useful for exploiting protocols like SMB, RDP, and Kerberos. It’s frequently used to perform pass-the-hash, NTLM relay, and DCSync attacks.
• PsExec, part of Microsoft Sysinternals, enables remote execution of processes and is commonly used by adversaries to run commands or deploy payloads across a network without needing remote desktop access.

Discovery:

• Active Directory Enumeration (T1087)
  • Mapped organizational structures by enumerating Active Directory objects to identify high-value targets.
• Network Service Scanning (T1046)
  • Conducted extensive internal scans post-compromise to locate vulnerable or exploitable network services.

Command and Control:

• Application Layer Protocol (T1071)
  • Used standard protocols such as HTTP(S) and DNS to blend malicious traffic with legitimate communications, complicating detection efforts.
• Legitimate Web Services (T1102)
  • Leveraged trusted cloud and hosting services to host command and control infrastructure, reducing suspicion and bypassing traditional network defenses.

Exfiltration:

• Data Exfiltration via Command and Control Channel (T1041)

• Archive Collected Data (T1560)
  • Compressed and encrypted sensitive data into ZIP files using PowerShell scripts for exfiltration.

IV. Indicators of Compromise (IOCs)

• IP Addresses observed in brute force activities:

• 103[.]97[.]203[.]29
• 109[.]95[.]151[.]207
• 138[.]199[.]59[.]43
• 147[.]135[.]209[.]245
• 162[.]210[.]194[.]2
• 178[.]235[.]191[.]182
• 178[.]37[.]97[.]243
• 185[.]234[.]235[.]69
• 192[.]162[.]174[.]67
• 192[.]162[.]174[.]94
• 194[.]187[.]180[.]20
• 207[.]244[.]71[.]84
• 209[.]14[.]71[.]127
• 212[.]127[.]78[.]170
• 213[.]134[.]184[.]167
• 31[.]135[.]199[.]145
• 31[.]42[.]4[.]138
• 46[.]112[.]70[.]252
• 46[.]248[.]185[.]236
• 64[.]176[.]67[.]117
• 64[.]176[.]69[.]196

• 64[.]176[.]70[.]18
• 64[.]176[.]70[.]238
• 64[.]176[.]71[.]201
• 70[.]34[.]242[.]220
• 70[.]34[.]243[.]226
• 70[.]34[.]244[.]100
• 70[.]34[.]245[.]215
• 70[.]34[.]252[.]168
• 70[.]34[.]252[.]186
• 70[.]34[.]252[.]222
• 70[.]34[.]253[.]13
• 70[.]34[.]253[.]247
• 70[.]34[.]254[.]245
• 79[.]184[.]25[.]198
• 79[.]185[.]5[.]142
• 83[.]10[.]46[.]174
• 83[.]168[.]66[.]145
• 83[.]168[.]78[.]27
• 83[.]168[.]78[.]31
• 83[.]168[.]78[.]55
• 83[.]23[.]130[.]49

• 83[.]29[.]138[.]115
• 89[.]64[.]70[.]69
• 90[.]156[.]4[.]204
• 91[.]149[.]202[.]215
• 91[.]149[.]203[.]73
• 91[.]149[.]219[.]158
• 91[.]149[.]219[.]23
• 91[.]149[.]223[.]130
• 91[.]149[.]253[.]118
• 91[.]149[.]253[.]198
• 91[.]149[.]253[.]204
• 91[.]149[.]253[.]20
• 91[.]149[.]254[.]75
• 91[.]149[.]255[.]122
• 91[.]149[.]255[.]19
• 91[.]149[.]255[.]195
• 91[.]221[.]88[.]76
• 93[.]105[.]185[.]139
• 95[.]215[.]76[.]209

I. Targeted Entities

• Financial Institutions
• E-commerce Platforms
• Cryptocurrency Exchanges
• Government Agencies
• Individual Users with High-Value Accounts

II. Introduction

Gorilla Bot is an advanced malware strain first detected in early 2025, specializing in automated credential stuffing, web scraping, and distributed denial-of-service (DDoS) attacks. The malware operates as a botnet-as-a-service, allowing cybercriminals to rent botnet capabilities for various malicious purposes. Gorilla Bot leverages advanced evasion techniques, including rotating IP addresses, encrypted command-and-control (C2) communications, and AI-driven attack automation.

Gorilla Bot traces its lineage to the infamous Mirai botnet, which gained notoriety in 2016 for exploiting Internet of Things (IoT) devices to launch massive DDoS attacks. Mirai's source code was leaked publicly, leading to the creation of numerous variants. Gorilla Bot is one such derivative, distinguished by its enhanced capabilities and operational sophistication.

While initially believed to have surfaced in late 2024, further research indicates that Gorilla Bot has been active for over a year, suggesting a more prolonged development and deployment phase than previously understood.

Gorilla Bot has been observed infiltrating corporate networks through phishing campaigns and exploiting web application vulnerabilities. Once inside, it rapidly expands by exploiting weak credentials, unpatched software, and misconfigured cloud environments. The malware has been linked to multiple high-profile data breaches, exfiltrating sensitive information from financial institutions and large-scale e-commerce platforms.

III. Additional Background Information

Between September 4 and September 27, 2024, GorillaBot issued over 300,000 attack commands, averaging 20,000 per day. These attacks targeted over 100 countries, with China, the United States, Canada, and Germany being the most affected. Victim sectors included universities, government websites, telecommunications, banking, gaming, and gambling industries. This widespread impact underscores the botnet's global reach and the diverse range of targets it affects.

The malware's primary monetization strategies include selling stolen credentials on dark web marketplaces, launching paid DDoS-for-hire attacks, and reselling scraped data to third parties.

Capabilities:

• UDP Flood: Overwhelms the target with User Datagram Protocol packets.
• ACK BYPASS Flood: Exploits TCP acknowledgment packets to bypass filters.
• SYN Flood: Initiates multiple connection requests to exhaust system resources.
• Valve Source Engine (VSE) Flood: Targets gaming servers using the Valve gaming platform.
• ACK Flood: Similar to ACK BYPASS but uses acknowledgment packets more broadly.

Mechanics of the Malware:

GorillaBot operates by infecting a diverse array of devices, including routers, IoT gadgets, and cloud hosts. It supports multiple CPU architectures such as ARM, MIPS, x86_64, and x86, allowing it to compromise a wide range of systems. Upon execution, the malware connects to one of five predefined command-and-control (C2) servers to receive instructions.

Service Installation: It creates a service file named custom.service in the /etc/systemd/system/ directory to ensure it runs at system startup.

Script Execution: The malware downloads and executes a shell script (lol.sh) from a remote server, embedding commands in system files like /etc/inittab, /etc/profile, and /boot/bootcmd to maintain its presence.

Anti-Honeypot Measures: GorillaBot includes checks to detect and avoid analysis environments, such as verifying the existence of the /proc filesystem, a common feature in honeypots.

IV. MITRE ATT&CK Tactics and Techniques

• Initial Access (T1071.001): Gained via phishing emails, malicious browser extensions, and exploit kits.

• Persistence (T1053.005): Uses scheduled tasks and rootkits to maintain long-term control of infected systems.

• Credential Access (T1110.003): Conducts large-scale credential stuffing and brute-force attacks.

• Command and Control (T1095): Employs encrypted channels for stealthy communications with C2 servers.

• Impact (T1498.001): Executes DDoS attacks to disrupt business operations.

V. Recommendations

To mitigate the risk of Gorilla Bot infections, organizations and individuals should implement the following security measures:

Network and Infrastructure Security

• Deploy Web Application Firewalls (WAF) to block automated bot traffic.

• Enable rate-limiting to prevent excessive login attempts.

• Implement multi-factor authentication (MFA) on all critical accounts.

• Regularly update software and patch known vulnerabilities.

User Awareness and Training

• Conduct phishing awareness training to recognize suspicious emails.

• Warn employees about the risks of using reused passwords across services.

Threat Detection and Monitoring

• Monitor logs for unusual login attempts and API abuse.

• Employ behavioral analysis tools to detect automated bot activity.

• Use IP reputation services to block known malicious addresses.

Incident Response Preparedness

• Establish a response plan for large-scale DDoS attacks.

• Ensure data backups are regularly updated and stored securely.

VI. IOCs (Indicators of Compromise)

GorillaBot operates by infecting a diverse array of devices.

Suspicious IP Addresses:

193[.]143[.]1[.]70 (C2 server)

193[.]143[.]1[.]59 (C2 server)

Malicious Domains:

• gorillabot[.]net

• auth-bypass[.]cc

• datastealer[.]ru

File Hashes (SHA-256):

• e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

• 1f3870be274f6c49b3e31a0c6728957f6c5d7d17b22f0a073b3e3b8e7f23b07f

VII. Additional OSINT Information

• Gorilla Bot operators actively recruit on underground forums using aliases such as "ShadowKing" and "BotMasterX." 
• The malware is frequently distributed through cracked software downloads and malicious browser extensions. 
• Security researchers have linked Gorilla Bot's infrastructure to past cybercrime operations, including ransomware deployment and data exfiltration schemes. 

VIII. References

https://www.thousandguards.com/post/gorilla-strength-denial-of-service-for-work-and-play-industries 

https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.html

https://www.darkreading.com/cyberattacks-data-breaches/gorillabot-goes-ape-cyberattacks-worldwide

https://seniortechinfo.com/gorilla-botnet-launches-300k-ddos-attacks-in-100-countries/

Threat Advisory created by The Cyber Florida Security Operations Center. 

Contributing Security Analysts: Nahyan Jamil

To learn more about Cyber Florida visit: www.cyberflorida.org 

I. Targeted Entities

Systems and applications using Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, 9.0.0.M1 through 9.0.98.

II. Introduction

CVE-2025-24813 describes a vulnerability in Apache Tomcat which would allow a malicious actor to perform a variety of attacks such as remote code execution, information disclosure, and injecting malicious payloads or content into uploaded files. This type of vulnerability is caused by improper handling of path equivalence, which normally ensures that different file paths point to the same resource. This improper handling within the Default Servlet is related to write-enabled configurations in Apache Tomcat and it impacts several versions of the application prior to the fix.

III. Additional Background Information

CVE-2025-24813 is a vulnerability affecting Apache Tomcat that can occur when the default servlet is configured to allow write functionality which is normally disabled by default. This vulnerability can be exploited when combined with the default behavior of allowing for partial PUT requests. In this scenario, an attacker could upload a specially crafted serialized session file, or simply, a malicious payload, to a writable directory within the system. Once the file is uploaded, a subsequent HTTP request triggers Tomcat to deserialize the file’s contents, executing the embedded malicious payload.

While exploiting CVE-2025-24813 can lead to significant impact, successful remote code execution requires several prerequisites:

1. Write Capability on the Default Servlet: The default servlet has to be explicitly configured to allow write functionality, which is not normally enabled by default.
2. Partial PUT Requests: The target system must allow for partial PUT requests.
3. File-Based Session Persistence: The web application has to use file-based session persistence with a default storage location, providing an accessible and writable directory for uploading malicious payloads.
4. Deserialization Vulnerability: The application must have a deserialization-vulnerable library which would enable the malicious payload to be executed during the deserialization process.
5. Knowledge of Internal File System: The attacker needs to understand the file naming conventions and directory structure of the target system for successful exploitation of the vulnerability.

IV. MITRE ATT&CK

• T1006 – File System Logical Link
  T1006 or File System Logical Link refers to when adversaries have the ability to create symbolic links or shortcuts to files in order to abuse the way some operating systems handle file paths.This is relevant since CVE-2025-24813 involves manipulating file paths to access and modify unintended files, fitting the pattern of abusing file system logical links.

V. Recommendations

To mitigate attacks leveraging this vulnerability, these are the recommendations for CVE-2025-24813:

Upgrading Apache Tomcat to a Patched Version

By immediately upgrading to:

• Tomcat 0.99 (for 9.x series)
• Tomcat 1.35 (for 10.x series)
• Tomcat 0.3 (for 11.x series)

It provides a fix for the improper handling of partial PUT requests and path equivalency issues that could be exploited for remote code execution or file manipulation.

Disabling Partial PUT Support

Configure Tomcat to disallow partial PUT requests, which allow clients to send file content in chunks or ranges. Recommended actions include:

• Modifying Tomcat’s configuration files (server.xml and/or web.xml) to block or ignore PUT methods if your application doesn’t use them.
• Implementing an HTTP filter to reject incoming PUT requests altogether (unless those requests are required for your needs)

Since this vulnerability exploits partial PUT behavior to inject content into files. If partial PUT is not supported, this attack vector is closed.

Restricting Default Servlet Write Permissions

Ensure that the default servlet (the part of Tomcat that serves static files) cannot accept uploads or write to sensitive directories. To do so, you must:

• Tighten file system permissions (chmod, chown) to ensure Tomcat processes run with minimal privileges.
• Ensure the /webapps directory and static content directories are read-only unless absolutely necessary.
• Review DefaultServlet configuration for <init-param> like readonly and set it to true.

If the default servlet has write permissions, attackers could upload or modify arbitrary files which could lead to defacement, data theft, or execution of malicious scripts.

Enforcing Strong Web Application Firewall (WAF) Policies

You should deploy or tune your WAF to:

• Detect and block unusual PUT, PATCH, or malformed HTTP methods.
• Flag requests targeting .jsp, .war, or sensitive file types.

Having a WAF can act as an additional protective layer by stopping attacks even if Tomcat is not yet patched or misconfigured.

Monitoring Server Logs Aggressively

Continuously monitor access logs (e.g., access_log, catalina.out) and security logs for:

• Unexpected PUT or PATCH requests.
• External requests targeting .jsp files in unusual locations.

Early detection of attempts allows you to respond quickly to intrusions before they escalate. Using tools such as Splunk, ELK stack, or Wazuh can make for efficient log review and analysis, with trigger alerts on anomalies.

VI. IOCs (Indicators of Compromise)

Figure 2: File paths of attack payloads (using .session extensions)

Figure 3: Payload in the request body, attempting to call the .session file (Akamai)

VII. Additional OSINT Information

Figure 1: Exposed Tomcat instances on Shodan showing being geolocated in China, Brazil, Morroco, and the U.S (Recorded Future

Figure 2: Proof of Concept for exploiting CVE-2025-24813 (GitHub – absholi7ly)

Figure 3: Signature for CVE-2025-24813 (Recorded Future)

VIII. References

Absholi7ly. (2025, March 22). POC-CVE-2025-24813: Proof of concept for CVE-2025-24813 in Apache Tomcat [Source code]. GitHub. https://github.com/absholi7ly/POC-CVE-2025-24813

Apache Software Foundation. (2025, March 10). CVE-2025-24813 Detail. National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2025-24813

Detecting and mitigating Apache Tomcat CVE-2025-24813 | Akamai. Akamai Security Intelligence Group. (2025, March 25). https://www.akamai.com/blog/security-research/march-apache-tomcat-path-equivalence-traffic-detections-mitigations

Group, I. (2025, March 28). Apache tomcat: CVE-2025-24813: Active exploitation. Recorded Future. https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis

[SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT. Lists.apache.org. (2025, March 10). https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq

Threat Advisory created by The Cyber Florida Security Operations Center.

Contributing Security Analysts: Jason Doan

To learn more about Cyber Florida visit: www.cyberflorida.org