Scattered Spider has resurfaced in 2025 with a series of coordinated cyberattacks targeting major UK retailers, including Marks & Spencer, Co-op, and Harrods. These events continue a pattern of high-impact operations that previously affected MGM Resorts, Caesars Entertainment, and Transport for London, and that were linked to the campaign targeting Snowflake customers in 2024.
Known for its identity-focused approach, Scattered Spider relies heavily on account takeover methods. These include phishing, stolen credentials, and sophisticated social engineering techniques such as impersonating IT support. Once access is gained, the group escalates its privileges and pivots to both on-premises and cloud server environments, eventually deploying ransomware for financial gain.
In 2025, researchers have noted a significant increase in the group’s use of adversary-in-the-middle (AiTM) phishing kits, specifically designed to bypass multi-factor authentication (MFA). These attacks are becoming more difficult to detect due to a growing range of evasion tactics.
Security professionals are focusing on analyzing Scattered Spider’s evolving toolkits to better understand their infrastructure and attack chains. Strengthening identity protection measures and deploying advanced detection systems are essential steps in mitigating the impact of these campaigns.
By studying these techniques in detail, organizations can better anticipate and defend against future attacks, minimizing the risks posed by one of today’s most persistent and adaptive threat actors.