Scattered Spider Evolves in 2025 with New Phishing Kit and Malware


The notorious hacking group Scattered Spider continues to pose a serious cybersecurity threat in 2025, despite multiple arrests in the past year.

In a rush? Here are the quick facts:

  • Spectre RAT malware updated for stealthy, long-term system access.
  • Group targets brands like Nike, T-Mobile, and Pure Storage.
  • Rentable subdomains and recycled domains complicate threat tracking.

The group still relies on sophisticated social engineering, but it has evolved its methods by introducing new phishing kits and an updated Spectre RAT malware to attack high-profile companies.

According to cybersecurity firm Silent Push, Scattered Spider remains actively engaged in attacks on major brands including Nike, T-Mobile, Louis Vuitton, and Vodafone. They’ve also expanded their targets to include cloud storage and marketing platforms such as Pure Storage and Klaviyo.

Active since 2022, the group initially became known for breaking into companies such as Twilio and MGM Resorts by deceiving employees into handing over their login credentials and MFA codes on fake login portals.

Although several members, including the alleged leader Tyler Buchanan, were arrested in 2024, the group has since come back to life, likely with new members and developers improving their tools and techniques, as explained by Silent Push.

One of the most notable evolutions this year is their adoption of Phishing Kit #5, now hosted on Cloudflare. According to Silent Push, the current version operates more discreetly and is harder to detect than earlier versions, which redirected users to Rick Astley’s “Never Gonna Give You Up” as a joke.

In another troubling shift, the group has started leveraging publicly rentable subdomains—such as klv1.it[.]com—that mimic legitimate services. These subdomains, often tied to dynamic DNS providers, are harder to trace due to their lack of traditional domain registration.

Silent Push warns that organizations should consider blocking such domains at the network level to reduce exposure.
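As an added example (not from the article or from Silent Push), the following Python script shows the defensive side of the advice above: it refangs indicators written as klv1.it[.]com, flags DNS queries that fall under publicly rentable parent zones, and emits Response Policy Zone (RPZ) records that block the parent zone and everything beneath it. The zone list and the log lines are constructed for the example; only it.com is taken from the article.

```python
import re
from typing import List, Optional, Tuple

# Parent zones whose subdomains are publicly rentable. Only "it.com" comes from
# the article (klv1.it[.]com); the set is a placeholder for your own intel feed.
RENTABLE_PARENT_ZONES = {"it.com"}

# Constructed log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def refang(hostname: str) -> str:
    """Turn a defanged indicator such as klv1.it[.]com back into a hostname."""
    host = hostname.replace("[.]", ".").replace("(.)", ".")
    return host.strip().lower().rstrip(".")


def rentable_parent(hostname: str) -> Optional[str]:
    """Return the rentable parent zone a hostname sits under, or None."""
    labels = refang(hostname).split(".")
    # Walk every proper suffix: klv1.it.com -> it.com -> com
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in RENTABLE_PARENT_ZONES:
            return candidate
    return None


def triage_dns_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (qname, parent_zone) for every query under a rentable zone."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # ignore lines that do not fit the constructed format
        parent = rentable_parent(match["qname"])
        if parent:
            hits.append((refang(match["qname"]), parent))
    return hits


def rpz_block_rules(zones=frozenset(RENTABLE_PARENT_ZONES)) -> List[str]:
    """RPZ records: 'CNAME .' answers NXDOMAIN for the zone and its wildcard."""
    rules = []
    for zone in sorted(zones):
        rules.append(f"{zone} CNAME .")
        rules.append(f"*.{zone} CNAME .")
    return rules


# Constructed sample resolver log (not real traffic)
SAMPLE_LOG = [
    "2025-05-01T10:00:01Z 10.0.0.12 query login.example.com",
    "2025-05-01T10:00:07Z 10.0.0.12 query klv1.it[.]com",
    "2025-05-01T10:00:09Z 10.0.0.31 query mail.example.org",
]
```

Blocking a whole rentable parent zone also blocks any legitimate tenants beneath it, so review the hits from `triage_dns_log` before deploying the RPZ rules.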

Additionally, Scattered Spider has been linked to the reacquisition of a domain once owned by Twitter/X: twitter-okta[.]com. While it remains uncertain whether the domain will be used in upcoming campaigns, it underscores the group’s persistence in exploiting overlooked or abandoned digital assets, says Silent Push.

The Scattered Spider group continues to evolve as a dangerous threat in 2024 because of its ability to adapt its infrastructure and malware while finding new attack vectors. The group’s ongoing evolution shows its operations are far from over.

Organizations need to stay vigilant, track unusual behavior, and maintain updated security measures to prevent attacks from this persistent cybercriminal organization.
