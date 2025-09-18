Despite claims of retirement, the Scattered Spider hacking group, linked to ShinyHunters, has shifted its focus to the financial sector, targeting a US bank in a recent intrusion.

Spiders don't change their stripes. Cybercrime collectives tend to follow a pattern, shifting focus and tools as opportunity arises, and the Scattered Spider hacking group, linked to ShinyHunters, is no exception. Despite the group's recent claims of retirement, the cybersecurity firm ReliaQuest has observed Scattered Spider shifting its focus to the financial sector.

This shift is marked by an increase in domains potentially linked to the group that are aimed at the finance industry. ReliaQuest also identified a recent targeted intrusion against a US banking organization. In that incident, Scattered Spider used social engineering to compromise an executive's account and then reset its password through Microsoft Entra ID (formerly Azure Active Directory) self-service password reset (SSPR). That foothold let the group read sensitive IT and security documents and move laterally through the bank's Citrix environment and VPN.

Using tactics seen in its earlier intrusions, Scattered Spider then escalated privileges by resetting a Veeam service account password, assigning itself the Global Administrator role in Entra ID (Azure), and relocating virtual machines within the bank's network to evade detection. Further evidence suggests the group attempted to exfiltrate data from Snowflake, AWS, and other repositories, consistent with an intent to steal sensitive information. Despite the retirement claims, Scattered Spider's tactics, techniques, and indicators of compromise (TTPs and IOCs) continue to surface, showing that the group remains active and continues to evolve.

ReliaQuest emphasizes that the threat remains active and that investing in prevention matters more than tracking the comings and goings of particular criminal groups. Cybercrime is opportunistic: if one group departs, another will readily fill the void, which underscores the need for persistent, proactive security measures.
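The chain described above (a self-service password reset of the executive account, followed within hours by a password reset of a service account and a Global Administrator grant performed by that same identity) is the kind of sequence an Entra ID audit-log correlation can surface. The script below is an added example written for this page; it is not ReliaQuest's reporting, nor code from Microsoft or the affected bank. The record layout loosely follows the Microsoft Graph directoryAudit schema (activityDateTime, activityDisplayName, initiatedBy, targetResources, modifiedProperties), the activity names "Reset password (self-service)", "Reset user password" and "Add member to role" are assumed to match what Entra ID emits, the 24-hour window is an assumption, and every sample record is constructed, not real telemetry.

```python
"""Correlate Entra ID audit events: an SSPR reset, then privileged follow-on
actions by the same identity within a short window.

Added example for this page; not ReliaQuest's, Microsoft's or the bank's code.
Record shape loosely mirrors the Microsoft Graph directoryAudit schema; the
activity names and the 24-hour window are assumptions; all records below are
constructed for illustration.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
}

# Constructed sample audit records (UTC timestamps, chronological order not required).
SAMPLE_EVENTS = [
    # Executive account reset via SSPR (the initial foothold in the intrusion).
    {"activityDateTime": "2025-09-10T08:02:11Z",
     "activityDisplayName": "Reset password (self-service)",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@bank.example"}},
     "targetResources": [{"userPrincipalName": "j.doe@bank.example"}]},
    # Benign: an ordinary user resets their own password and does nothing else.
    {"activityDateTime": "2025-09-10T09:30:00Z",
     "activityDisplayName": "Reset password (self-service)",
     "initiatedBy": {"user": {"userPrincipalName": "a.smith@bank.example"}},
     "targetResources": [{"userPrincipalName": "a.smith@bank.example"}]},
    # Suspicious: the freshly reset executive account resets a service account.
    {"activityDateTime": "2025-09-10T10:15:42Z",
     "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@bank.example"}},
     "targetResources": [{"userPrincipalName": "svc-veeam@bank.example"}]},
    # Suspicious: the same account grants itself Global Administrator.
    {"activityDateTime": "2025-09-10T10:20:05Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@bank.example"}},
     "targetResources": [{"userPrincipalName": "j.doe@bank.example",
                          "modifiedProperties": [
                              {"displayName": "Role.DisplayName",
                               "newValue": "\"Global Administrator\""}]}]},
    # Benign: a legitimate admin with no recent SSPR grants a non-privileged role.
    {"activityDateTime": "2025-09-10T11:00:00Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@bank.example"}},
     "targetResources": [{"userPrincipalName": "new-hire@bank.example",
                          "modifiedProperties": [
                              {"displayName": "Role.DisplayName",
                               "newValue": "\"User Administrator\""}]}]},
]


def _ts(ev):
    return datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))


def _actor(ev):
    # App- or system-initiated events have no user; they return None and are skipped.
    return ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")


def _targets(ev):
    return [t.get("userPrincipalName") for t in ev.get("targetResources", [])]


def _granted_role(ev):
    for t in ev.get("targetResources", []):
        for p in t.get("modifiedProperties", []):
            if p.get("displayName") == "Role.DisplayName":
                return (p.get("newValue") or "").strip('"')
    return None


def correlate(events, window=WINDOW):
    """Return one alert per privileged follow-on action an identity takes
    within `window` of a self-service reset of its own password."""
    alerts = []
    last_sspr = {}  # upn -> time of that account's most recent SSPR reset
    for ev in sorted(events, key=_ts):
        name, actor, when = ev["activityDisplayName"], _actor(ev), _ts(ev)
        if name == "Reset password (self-service)":
            for upn in _targets(ev):
                last_sspr[upn] = when
            continue
        reset_at = last_sspr.get(actor)
        if reset_at is None or when - reset_at > window:
            continue
        minutes = int((when - reset_at).total_seconds() // 60)
        targets = _targets(ev)
        role = _granted_role(ev)
        if name == "Add member to role" and role in PRIVILEGED_ROLES:
            alerts.append({"rule": "sspr_then_privileged_role", "actor": actor,
                           "target": targets[0], "role": role,
                           "minutes_after_reset": minutes})
        elif name == "Reset user password" and targets and targets[0] != actor:
            alerts.append({"rule": "sspr_then_password_reset_of_other_account",
                           "actor": actor, "target": targets[0],
                           "minutes_after_reset": minutes})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In practice the events would come from the Graph `auditLogs/directoryAudits` endpoint or a SIEM export rather than an inline list, and the window should be tuned to the tenant's normal SSPR-to-admin-action timing. The same keyed-by-identity approach extends to the later steps in the chain, such as VM moves or bulk reads from data platforms, as long as those sources carry the acting identity. On the prevention side, the sequence this detects is far less likely when SSPR is disabled or tightly scoped for executive and privileged accounts and when Global Administrator is only reachable through just-in-time activation with phishing-resistant MFA.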
