Scattered Spider G1015 unknown
aka Scattered Spider, Roasted 0ktapus, Octo Tempest, Storm-0875, UNC3944
Last updated: 2026-07-03
About this actor
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. (Citation: MSTIC Octo Tempest Operations October 2023) [Scattered Spider](https://attack.mitre.org/groups/G1015) relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: CrowdStrike Scattered Spider BYOVD January 2023) (Citation: Crowdstrike TELCO BPO Campaign December 2022) [Scattered Spider](https://attack.mitre.org/groups/G1015) had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. (Citation: Mandiant UNC3944 May 2025)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |

T1003, T1003.003, T1006, T1016, T1018, T1021, T1021.001, T1021.004, T1021.007, T1041, T1059, T1059.001, T1059.004, T1068, T1069, T1069.002, T1070, T1070.008, T1074, T1078, T1078.004, T1082, T1083, T1087, T1087.002, T1090, T1098, T1098.003, T1105, T1114, T1114.003, T1133, T1136, T1204, T1213, T1213.003, T1213.005, T1217, T1219, T1219.002, T1484, T1484.002, T1486, T1490, T1530, T1538, T1539, T1543, T1543.002, T1552, T1552.001, T1552.004, T1553, T1553.002, T1555, T1555.005, T1556, T1556.006, T1556.009, T1564, T1564.008, T1567, T1567.002, T1572, T1578, T1578.002, T1580, T1583, T1583.001, T1585, T1585.001, T1588, T1588.001, T1588.002, T1589, T1598, T1598.003, T1598.004, T1621, T1657, T1684, T1684.001, T1685
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 51 / 83 | 61% |
| AC-3 | 45 / 83 | 54% |
| AC-6 | 44 / 83 | 53% |
| CM-6 | 44 / 83 | 53% |
| AC-2 | 42 / 83 | 51% |
| CM-2 | 38 / 83 | 46% |
| IA-2 | 36 / 83 | 43% |
| AC-5 | 31 / 83 | 37% |
| CA-7 | 30 / 83 | 36% |
| CM-7 | 29 / 83 | 35% |
| SI-7 | 29 / 83 | 35% |
| CM-5 | 27 / 83 | 33% |
| AC-4 | 26 / 83 | 31% |
| SI-3 | 24 / 83 | 29% |
| IA-5 | 22 / 83 | 27% |
Co-occurring actors
- Mustang Panda: 1 shared CVE
- SolarWinds Compromise: 1 shared CVE
- APT38: 1 shared CVE
- Tonto Team: 1 shared CVE
- Ember Bear: 1 shared CVE
- GOLD SOUTHFIELD: 1 shared CVE
- Aquatic Panda: 1 shared CVE
- APT28: 1 shared CVE
- Sandworm Team: 1 shared CVE
- Ajax Security Team: 1 shared CVE
Similar actors
Similar TTPs
- LAPSUS$ 0.32
- VOID MANTICORE 0.28
- C0027 0.28
- Storm-0501 0.27
- SolarWinds Compromise 0.26
Active in same years
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
- Ke3chang 1.00