Enterprise & Cloud Credential Hijack
Features: Spearphishing, contractor impersonation, Snowflake credential targeting, DragonForce ransomware deployment
Delivery Method: Social engineering via IT help desk impersonation, remote access tools (AnyDesk), dark web credential purchases
Threat Actor: UNC3944 (aka Scattered Spider) — actively operational despite recent arrests
Verified Compromise Window: March 2025 – July 2025
PERSISTENT INFILTRATION
Scattered Spider, also tracked as UNC3944, continues to execute precision social engineering attacks across critical sectors, shifting from generic phishing to deep impersonation campaigns aimed at enterprise cloud data platforms, most notably Snowflake environments.
Despite multiple arrests of suspected affiliates in the UK earlier this month, the operation remains intact, adaptive, and increasingly compartmentalized. Their tactics mimic those of traditional nation-state playbooks: infiltration, persistence, internal reconnaissance, and exfiltration — all under the camouflage of insider behavior.
PRIMARY TARGET: SNOWFLAKE DATA ENVIRONMENTS
According to the joint cybersecurity advisory issued by the FBI, CISA, NCSC-UK, CCCS-Canada, and ACSC-Australia, Scattered Spider has homed in on one of the weakest seams in enterprise cloud security: the human layer.
After initial access is gained, often by impersonating IT help desk personnel, the attackers search aggressively for Snowflake credentials and saved connection details, knowing that a single valid account lets them run bulk queries and pull very large volumes of customer data out of the warehouse in hours with little to stop them.
Snowflake itself is not what is being broken. Under its shared-responsibility model the customer manages the identities, MFA enforcement and network policies on its own account, so a valid credential obtained through deception grants exactly the access the legitimate user had, and the platform cannot tell a tricked help desk from a real one.
SOCIAL ENGINEERING STACK
Scattered Spider is not brute-forcing systems.
The group socially maps the internal layout of a target company by:
- Scraping employee directories from public B2B sites
- Buying stolen credentials on marketplaces like Russian Market
- Crafting phishing pages that impersonate company-branded help desks
- Calling IT teams directly — known as vishing — while impersonating internal personnel
- Using layered pretexts and psychological pressure to get MFA reset, re-enrolled or approved on their behalf, which hands them full access without ever breaking the MFA itself
They combine open-source intelligence (OSINT) with voice phishing, live chat impersonation, and help desk scripting to pull this off.
In several cases, employees with elevated access were specifically profiled and targeted — a trend that’s escalated in complexity throughout 2025.
TOOLS & MALWARE USED
After credential harvesting, Scattered Spider deploys the following tools:
- AnyDesk: For remote device control
- Custom malware payloads: Used to maintain persistence and stealth
- DragonForce ransomware: Deployed in several confirmed breaches to encrypt systems once data has already been exfiltrated, stacking extortion on top of the theft
The attackers also erase logs, modify endpoint behavior, and use legitimate internal tools to move laterally and escalate privileges — blending into existing workflows to remain hidden.
IMPACT SNAPSHOT — MAY TO JULY 2025
| Company | Sector | Impact |
|---|---|---|
| Victoria’s Secret | Retail | Stores halted operations; backend systems offline |
| Hawaiian Airlines | Aviation | Operational disruptions; safety alerts triggered |
| Aflac | Insurance | Attempted breach; customer data investigation ongoing |
| Undisclosed Healthcare Providers | Medical | Patient portal tampering suspected |
Although the arrests of four Scattered Spider members in early July in the U.K. briefly halted direct intrusions, the decentralized nature of the group allowed others to continue launching attacks using the same toolkit and social engineering infrastructure.
MODUS OPERANDI: INSIDE THE DECEPTION
The most effective technique Scattered Spider has deployed is credibility simulation:
“They’re not pretending to be hackers. They’re pretending to be you.”
By mimicking the tone, vocabulary, and urgency of internal employees — especially during staged “IT issues” — they lower the guard of tech support agents and help desk personnel.
Push-based MFA is not broken by this tactic; it is talked around. In one case, a help desk was convinced to “push approve” an MFA request after being told the employee was locked out during an outage. That single approval established an authenticated VPN session, and within minutes Snowflake credentials were harvested and data was exfiltrated.
DEFENSIVE ACTIONS URGED BY TRJ:
⚠️ Do not let recent arrests lull your security posture.
UNC3944 remains active and may be operating under splinter cells or copycat offshoots using identical techniques.
Recommended Countermeasures:
- Treat help desk resets as a control point: alert on every login that follows a credential or MFA reset, especially resets requested by phone or live chat, and hold the reset until the requester is verified by callback to a number already on file or in person
- Monitor for, and block the installation of, AnyDesk or any RMM software not on the approved list
- Alert on bulk queries and unusual data volumes from Snowflake or cloud storage buckets, and on Snowflake logins that present no second factor or come from an unseen client; enforce Snowflake authentication and network policies so a password alone is never enough
- Implement MFA fatigue protections: limit push attempts, require number matching, and disable bare push approval
- Train help desk teams on staged impersonation tactics, including the “locked out during an outage” pretext
- Use behavioral analytics to flag anomalies in data access relative to each user’s own history
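The countermeasures above describe one detection chain: a remote help desk reset, followed shortly by a cloud login that does not look like the user, followed by bulk data access. The example below, added here and not TRJ’s, Snowflake’s or any vendor’s code, correlates those three signals. The log rows are constructed for illustration, shaped like the real SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY columns; the help desk ticket feed and its field names (ts, user, action, channel) are an assumption about what a ticketing export would provide.

```python
"""Correlate remote help-desk resets with anomalous Snowflake logins and bulk queries.

Added example for this article (not TRJ's or Snowflake's code). Rows are constructed;
LOGIN_HISTORY / QUERY_HISTORY mirror real ACCOUNT_USAGE column names, while the
help-desk feed format is hypothetical.
"""
from datetime import datetime, timedelta

RESET_ACTIONS = {"MFA_RESET", "PASSWORD_RESET"}
REMOTE_CHANNELS = {"phone", "chat"}      # identity cannot be verified face to face
LOGIN_WINDOW = timedelta(hours=2)        # reset -> first Snowflake login
EGRESS_WINDOW = timedelta(hours=6)       # login -> bulk queries
EGRESS_RATIO = 10.0                      # one query scanning 10x the user's prior peak

# Constructed help-desk events (hypothetical export format).
HELPDESK_EVENTS = [
    {"ts": "2025-06-03T14:02:00", "user": "JDOE", "action": "MFA_RESET", "channel": "phone"},
    {"ts": "2025-06-03T09:15:00", "user": "ASMITH", "action": "PASSWORD_RESET", "channel": "in_person"},
    {"ts": "2025-06-03T11:00:00", "user": "BLEE", "action": "PASSWORD_RESET", "channel": "chat"},
]

# Constructed rows shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2025-06-02T10:00:00", "USER_NAME": "JDOE", "CLIENT_IP": "198.51.100.7",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2025-06-03T14:11:00", "USER_NAME": "JDOE", "CLIENT_IP": "203.0.113.44",
     "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2025-06-03T09:30:00", "USER_NAME": "ASMITH", "CLIENT_IP": "198.51.100.8",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2025-06-01T08:00:00", "USER_NAME": "BLEE", "CLIENT_IP": "198.51.100.9",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2025-06-03T11:20:00", "USER_NAME": "BLEE", "CLIENT_IP": "198.51.100.9",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
]

# Constructed rows shaped like SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY.
QUERY_HISTORY = [
    {"START_TIME": "2025-06-02T10:05:00", "USER_NAME": "JDOE", "QUERY_TYPE": "SELECT", "BYTES_SCANNED": 2_000_000},
    {"START_TIME": "2025-06-02T10:40:00", "USER_NAME": "JDOE", "QUERY_TYPE": "SELECT", "BYTES_SCANNED": 5_000_000},
    {"START_TIME": "2025-06-03T14:20:00", "USER_NAME": "JDOE", "QUERY_TYPE": "SELECT", "BYTES_SCANNED": 900_000_000_000},
    {"START_TIME": "2025-06-01T08:10:00", "USER_NAME": "BLEE", "QUERY_TYPE": "SELECT", "BYTES_SCANNED": 3_000_000},
    {"START_TIME": "2025-06-03T11:30:00", "USER_NAME": "BLEE", "QUERY_TYPE": "SELECT", "BYTES_SCANNED": 4_000_000},
]


def _ts(value):
    return datetime.fromisoformat(value)


def baseline(user, before, logins, queries):
    """What this user looked like before the reset: source IPs, client types, peak bytes per query."""
    ips, clients, peak = set(), set(), 0
    for row in logins:
        if row["USER_NAME"] == user and row["IS_SUCCESS"] == "YES" and _ts(row["EVENT_TIMESTAMP"]) < before:
            ips.add(row["CLIENT_IP"])
            clients.add(row["REPORTED_CLIENT_TYPE"])
    for q in queries:
        if q["USER_NAME"] == user and _ts(q["START_TIME"]) < before:
            peak = max(peak, q["BYTES_SCANNED"])
    return ips, clients, peak


def correlate(helpdesk, logins, queries):
    """One alert per successful Snowflake login that follows a remote reset and deviates from baseline."""
    alerts = []
    for ev in helpdesk:
        if ev["action"] not in RESET_ACTIONS or ev["channel"] not in REMOTE_CHANNELS:
            continue  # in-person resets are out of scope for this detection
        t0 = _ts(ev["ts"])
        known_ips, known_clients, peak = baseline(ev["user"], t0, logins, queries)
        for row in logins:
            if row["USER_NAME"] != ev["user"] or row["IS_SUCCESS"] != "YES":
                continue
            t1 = _ts(row["EVENT_TIMESTAMP"])
            if not t0 <= t1 <= t0 + LOGIN_WINDOW:
                continue
            reasons = []
            if row["CLIENT_IP"] not in known_ips:
                reasons.append("new source IP")
            if row["REPORTED_CLIENT_TYPE"] not in known_clients:
                reasons.append("new client type")
            if not row["SECOND_AUTHENTICATION_FACTOR"]:
                reasons.append("no second factor")
            biggest = max((q["BYTES_SCANNED"] for q in queries
                           if q["USER_NAME"] == ev["user"] and t1 <= _ts(q["START_TIME"]) <= t1 + EGRESS_WINDOW),
                          default=0)
            # A user with no query history (peak == 0) is flagged on any scan at all.
            if biggest > EGRESS_RATIO * peak:
                reasons.append(f"bytes scanned {biggest:.1e} vs prior peak {peak:.1e}")
            if reasons:
                alerts.append({"user": ev["user"], "reset_at": ev["ts"], "login_at": row["EVENT_TIMESTAMP"],
                               "client_ip": row["CLIENT_IP"], "reasons": reasons,
                               "severity": "high" if len(reasons) >= 3 else "medium"})
    return alerts


if __name__ == "__main__":
    for a in correlate(HELPDESK_EVENTS, LOGIN_HISTORY, QUERY_HISTORY):
        print(a["severity"].upper(), a["user"], a["login_at"], "; ".join(a["reasons"]))
```

On the constructed data only JDOE fires: the reset came in by phone, the next login arrived from an unseen IP with a Python driver instead of the web UI and no second factor, and the first query scanned five orders of magnitude more than anything the account had done before. BLEE also had a chat-initiated reset but then logged in from the usual address with MFA and ran a normal-sized query, so the detection stays quiet; the point is that the reset itself is not the alert, the deviation from the user’s own baseline afterwards is.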
STATEMENT FROM MANDIANT
While Google’s Mandiant (which tracks the group as UNC3944) stated on Tuesday that no new breaches have been confirmed since the arrests, CTO Charles Carmakal emphasized:
“It’s crucial that organizations don’t let their guard down entirely… similar tactics are now being deployed by unrelated actors.”
This mirrors TRJ’s own assessment:
Scattered Spider may be the face, but the infrastructure has metastasized.
FINAL VERDICT — TRJ BLACK SEAL
This isn’t just phishing.
This is human-centric cyber warfare, deployed across retail, aviation, and insurance, with precision targeting and psychologically tuned manipulation.
What’s most dangerous isn’t the code — it’s the convincing lie.
A call, an email, a voice that sounds just like yours.
That’s how the web spins.
And once you answer… they’re already inside.
Stay confirmed. TRJ will keep watching the web — so you don’t get caught in it.
Thank you for another report on this problem. I agree that just because some arrests were made doesn’t mean it is time to relax. This would be the time to implement some of your recommended countermeasures (even though I don’t understand them all).
You’re welcome, Chris — arrests are only one chapter — not the end of the story. These threat groups operate like decentralized cells. Take out a few, and the next wave picks up the tools and keeps moving. That’s why this isn’t the time to relax… it’s the time to reinforce.
And I really appreciate what you said about the countermeasures. You don’t have to understand every technical layer — just knowing why they exist, and what they’re protecting against, is what counts. The core mission stays the same: close the loopholes before they become open doors.
Thanks again for reading, thinking critically, and staying engaged — especially when most just scroll past.
That’s how we turn awareness into armor. 😎
I appreciate that you know these subjects well enough to recommend technical things that can be done to close the loopholes, John.
Thank you for the helpful reply and I hope you have a great night!
You’re very welcome, Chris — and thank you. That really means a lot. I always try to make sure we’re not just exposing the problems, but offering real technical paths forward too. It’s not enough to highlight the flaws — we’ve got to be ready to patch the gaps, build smarter, and stay ahead of the next breach. And if we have an answer that could help, you can count on us to share it.
Thanks again, Chris — and I hope you have a great night! 😎