
Scattered Spider: The Attack Chain, Hard Lessons, and What Comes Next


April 2026


Scattered Spider is a financially motivated cybercrime collective responsible for some of the most disruptive attacks in recent British and American corporate history. The group (tracked under aliases including UNC3944 by Mandiant, Octo Tempest by Microsoft, and Muddled Libra by Palo Alto Networks Unit 42) has been attributed to ransomware attacks on MGM Resorts, Caesars Entertainment, Marks and Spencer, Co-op, Harrods, and Jaguar Land Rover. Estimated combined losses from UK incidents alone exceed £2 billion. What makes Scattered Spider worth studying is not the scale of damage but the consistency of method: the same six-phase playbook appears in almost every incident, regardless of sector or victim size.

This article breaks down that playbook phase by phase, maps each stage to the MITRE ATT&CK framework, and identifies the defensive actions that can interrupt the chain. A forward-looking section covers how the playbook is evolving as the group absorbs new capabilities and collaborators.


The Hard Lessons at a Glance

If you want the key findings before the full breakdown, these are the conclusions the incident record supports.

  • Scattered Spider follows a consistent six-phase chain across every documented incident, from LinkedIn reconnaissance through to ESXi ransomware. That consistency is a defender's opportunity: each phase produces detectable signals, and catching any one of them stops what follows. At MGM, a single ten-minute helpdesk call gave attackers administrator access to the entire network. No exploit, no malware, no technical skill at the point of entry. A verified callback to a pre-registered number would have ended the attack rather than advancing it. The full chain, its detection signals, and where to interrupt it are the core of this article.
  • According to sources cited by BleepingComputer, M&S's Active Directory database was stolen in February 2025. Ransomware did not deploy until April 24. Two months of detection opportunity went unused.
  • The ransomware payload changes between campaigns: ALPHV/BlackCat became DragonForce, and DragonForce will become something else. Defenders who track by payload name should also track the group and the wider coalition, as the operators remain consistent even when the ransomware does not.
  • JLR had no active cyber insurance when the £1.9 billion economic impact arrived. The UK government issued a £1.5 billion loan guarantee to prevent supplier insolvencies. Ciaran Martin, former head of the NCSC, described it as the most financially damaging cyber event in UK history.
  • The July 2025 arrests paused the core Scattered Spider playbook. They did not disable the broader coalition, which pivoted to SaaS supply chain attacks affecting more than 200 organisations within months.
  • When the Scattered Lapsus$ Hunters coalition publicly announced a withdrawal in September 2025, ReliaQuest observed activity in November and the Gainsight campaign ran that same month. The timing suggests the announcement served to reduce scrutiny rather than signal genuine cessation, though that inference is based on correlation rather than confirmed intent.
  • Healthcare is the next likely target sector, based on a US Department of Health and Human Services threat profile specifically warning the sector, alongside 2026 assessments from Sophos and Trend Micro.

Who Are Scattered Spider?

The demographic profile is unusual for a cybercrime group. Members are predominantly native English speakers in their late teens and early twenties, based primarily in the United States and the United Kingdom (CISA/FBI Joint Advisory, 2023). Arrests have confirmed this repeatedly: a 17-year-old from the UK was arrested in connection with the MGM attack, and in July 2025, three teenagers and a 20-year-old were arrested over the M&S, Co-op, and Harrods incidents, with one suspect identified as a Latvian national (NCA, 2025).

The group does not build its own malware. It operates as a Ransomware-as-a-Service (RaaS) affiliate, selecting payloads from cybercrime marketplaces: ALPHV/BlackCat for the 2023 casino attacks, DragonForce for M&S and Co-op in 2025. This distinction matters for defenders. Attributing an attack solely from the ransomware payload points at the wrong actor: the operators behind the intrusion and the ransomware developers are different entities, and tracking by payload name draws an artificial break between campaigns that were run by the same operators.

In August 2025, a coalition operating under the name Scattered Lapsus$ Hunters emerged publicly, with a Telegram channel appearing on August 8 claiming to bring together members and brands from Scattered Spider, Lapsus$, and ShinyHunters. Trustwave SpiderLabs, whose November 2025 analysis is the most detailed assessment of the group, characterises it as a brand alliance rather than a formal merger: actors using the legacy names collaboratively, or impersonating them, to project a unified public front. The JLR attack in August 2025 was claimed by this coalition. The wider ecosystem all three groups operate within is known as "The Com," a loosely affiliated online community linked to social engineering, SIM swapping, and physical-world crimes.


The Attack Chain at a Glance

The table below maps all six phases for readers who want a quick orientation before the full breakdown. Each phase is covered in depth in the sections that follow.

Phase                    | Primary method                         | Key MITRE technique(s)   | Detection signal
1. Reconnaissance        | LinkedIn OSINT                         | T1591, T1087             | No internal signal
2. Initial access        | Vishing, MFA fatigue, CVE exploit      | T1566.004, T1621, T1190  | Helpdesk call logs, failed MFA patterns
3. Identity targeting    | NTDS.dit theft, Okta compromise        | T1003.003, T1484.002     | DCSync alert, new federated IdP
4. Persistence and dwell | RMM tools, rogue MFA device            | T1219, T1078             | Unapproved RMM install, new admin account
5. Ransomware            | ESXi encryption via RaaS payload       | T1486, T1567.002         | Mass SMB, VSS deletion, ESXi login anomaly
6. Extortion             | Media briefings, regulatory complaints | T1657                    | Dark web monitoring, media contact



The Six-Phase Attack Chain

Phase 1: Reconnaissance

The attack begins before any system is touched. Using LinkedIn, corporate websites, and social media, Scattered Spider maps the target organisation's structure in detail: helpdesk staff, identity administrators, senior IT contacts, their managers, and their reporting lines (CISA, 2023). This external phase leaves no log trace inside the target environment. By the time an attacker picks up the phone, the employee being impersonated has already been selected, their professional history verified, and their manager identified from public sources.

The same stealth continues once they are inside. Internal Active Directory reconnaissance, using native Windows tooling that blends with normal administrative traffic, can enumerate accounts, group memberships, and privilege structures without triggering an alert if logging and anomaly detection are not specifically configured to catch it. The information required to pass a helpdesk identity check is almost entirely public before the attack begins; the information required to move laterally once inside is almost entirely available from AD without a single alert, unless the environment is hardened to surface it.

Mapped to T1591 (Gather Victim Org Information) and T1087 (Account Discovery). The external defensive lever is upstream of technical controls: audit what your public LinkedIn presence and job postings reveal about your IT org structure. Internally, ensure AD enumeration activity is logged and baselined. Bulk LDAP queries, domain controller reconnaissance, and unusual use of tools such as BloodHound or native net commands from non-administrative endpoints should produce alerts, not silence.


Phase 2: Initial Access

This is where Scattered Spider's core advantage lies. The primary methods are vishing (voice phishing) against IT helpdesk staff, MFA fatigue bombing, and SIM swapping (CISA/FBI, 2023). Rather than exploiting a technical vulnerability, they exploit the human on the other end of the helpdesk phone.

The MGM breach is the clearest documented example. Attackers identified a target employee via LinkedIn, called the MGM helpdesk impersonating that employee, and received sufficient access in ten minutes, with credentials reset and MFA disabled before anyone flagged the call as suspicious. The ten-minute figure comes from ALPHV/BlackCat's own published account of the attack, posted September 14, 2023, and corroborated by Wall Street Journal reporting.

MFA fatigue takes a different approach: the attacker triggers repeated authentication push notifications to a legitimate user's device until the user approves one to stop the alerts. A follow-up call impersonating IT support often instructs the user to approve a "test" notification, closing the loop. SIM swapping redirects the victim's phone number to an attacker-controlled SIM, intercepting any SMS-based authentication codes before they reach the legitimate user.

The JLR attack introduced a significant variation. The group reportedly exploited CVE-2025-31324, a CVSS 10.0 unauthenticated remote code execution vulnerability in SAP NetWeaver Visual Composer, rather than relying on social engineering. The attribution comes from the threat actor's own Telegram claims, corroborated by security researcher analysis. Kevin Beaumont noted publicly that Tata's infrastructure showed multiple SAP NetWeaver instances exposed directly to the internet (The Stack, 2025). Helpdesk hardening and application patching are separate problems that both need solving. In large enterprises with constantly expanding application estates, unpatched internet-facing systems are common rather than exceptional, and as JLR demonstrates, they offer an equally viable entry point.

Mapped to T1566.004 (Spearphishing Voice), T1621 (MFA Request Generation), and T1190 (Exploit Public-Facing Application). Phishing-resistant MFA (FIDO2/WebAuthn) cannot be fatigue-bombed or helpdesk-bypassed in the same way push notifications can. Any helpdesk-initiated account change involving MFA reset or new device registration should require an out-of-band callback to a pre-registered number, not the number provided by the caller. Critical-severity CVEs on internet-facing systems need to be treated as operational emergencies: CVE-2025-31324 had a patch available before JLR was compromised.
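The MFA fatigue pattern described above is visible in the sign-in logs before the user gives in. What follows is an added example for this article, not code from the original page and not a vendor rule: a sliding-window check over constructed records shaped like Microsoft Entra ID sign-in log entries, flagging a user whose burst of failed or unanswered MFA push requests ends in an approval. The sample records, the threshold of five failures in ten minutes, and the helper names are assumptions; Entra's result code 500121 for a failed strong-authentication request is real. Okta's System Log carries an equivalent push-verification signal, so the same logic applies there with different field names.

```python
"""MFA fatigue (push bombing) detection over sign-in logs.

Added example for this article, not code from the original page and not a vendor
rule. The records are constructed to resemble Microsoft Entra ID sign-in log
entries exported as JSON (userPrincipalName, createdDateTime, ipAddress,
status.errorCode). Entra records a failed or unanswered strong-authentication
request with result code 500121; the threshold and window are assumptions to
tune against your own baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_REQUEST_FAILED = 500121  # Entra: "Authentication failed during strong authentication request"
SUCCESS = 0
WINDOW = timedelta(minutes=10)
THRESHOLD = 5                # assumption: five failed pushes in ten minutes is bombing, not clumsiness


def _rec(user, ts, code, ip):
    return {"userPrincipalName": user, "createdDateTime": ts, "ipAddress": ip,
            "status": {"errorCode": code}}

# Constructed sample: alice is bombed six times and then approves (the outcome a
# follow-up "IT support" call produces); bob fails twice and succeeds, which is
# normal; carol fails five times but spread across two hours, outside any window.
SIGNIN_LOGS = (
    [_rec("alice@example.test", f"2025-03-01T09:0{m}:{s:02d}Z", MFA_REQUEST_FAILED, "203.0.113.7")
     for m, s in [(0, 0), (0, 45), (1, 30), (2, 15), (3, 0), (3, 45)]]
    + [_rec("alice@example.test", "2025-03-01T09:04:30Z", SUCCESS, "203.0.113.7")]
    + [_rec("bob@example.test", "2025-03-01T10:00:00Z", MFA_REQUEST_FAILED, "198.51.100.20"),
       _rec("bob@example.test", "2025-03-01T10:02:00Z", MFA_REQUEST_FAILED, "198.51.100.20"),
       _rec("bob@example.test", "2025-03-01T10:03:00Z", SUCCESS, "198.51.100.20")]
    + [_rec("carol@example.test", f"2025-03-01T{h:02d}:{m:02d}:00Z", MFA_REQUEST_FAILED, "203.0.113.9")
       for h, m in [(9, 0), (9, 30), (10, 0), (10, 30), (11, 0)]]
)


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _finding(user, burst, approved_from):
    return {
        "user": user,
        "rule": "mfa_push_bombing_approved" if approved_from else "mfa_push_bombing_attempt",
        "severity": "critical" if approved_from else "high",
        "failed_requests": len(burst),
        "first": burst[0]["createdDateTime"],
        "last": burst[-1]["createdDateTime"],
        "source_ips": sorted({r["ipAddress"] for r in burst}),
        "approved_from": approved_from,
    }


def detect_push_bombing(records, threshold=THRESHOLD, window=WINDOW):
    """One finding per user per burst of >= threshold failed MFA requests inside
    `window`, marked critical when the burst ends in a successful sign-in."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["userPrincipalName"]].append(rec)

    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: _ts(r["createdDateTime"]))
        burst = []  # failed requests still inside the sliding window
        for rec in recs:
            now = _ts(rec["createdDateTime"])
            burst = [r for r in burst if now - _ts(r["createdDateTime"]) <= window]
            code = rec["status"]["errorCode"]
            if code == MFA_REQUEST_FAILED:
                burst.append(rec)
            elif code == SUCCESS and len(burst) >= threshold:
                findings.append(_finding(user, burst, rec["ipAddress"]))
                burst = []
        if len(burst) >= threshold:  # bombed but never approved: still worth a call
            findings.append(_finding(user, burst, None))
    return findings


if __name__ == "__main__":
    for f in detect_push_bombing(SIGNIN_LOGS):
        print(f"{f['severity']:<8} {f['user']:<20} {f['failed_requests']} failures "
              f"{f['first']} .. {f['last']} approved_from={f['approved_from']}")
```

An approved burst is the MGM outcome and should page the on-call analyst immediately; a burst with no approval is still worth a call to the user on a known number, because the next step in the playbook is the phone call pretending to be IT. Note that moving the account to FIDO2/WebAuthn removes this signal entirely, because there is no push to bomb.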

Social engineering is not limited to phone calls. For a technical look at how attackers have evolved the technique to trick users into executing malicious commands directly, see the ClickFix social engineering breakdown.


Phase 3: Identity Infrastructure Targeting

Once inside, the group moves immediately to the identity layer, targeting the directory, the SSO platform, or both, because compromising either grants access to every application integrated with it.

Documented techniques include stealing the NTDS.dit file (the Windows Active Directory database containing all domain account hashes) for offline cracking; compromising Okta tenants to access every SSO-connected application; and adding rogue identity providers to Azure AD/Entra ID, which allows the attacker to authenticate as any user in the tenant without a valid password (CISA, 2023). The M&S investigation found that NTDS.dit was stolen as early as February 2025, according to sources cited by BleepingComputer, approximately two months before DragonForce ransomware deployed on April 24.

Credential harvesting does not begin at the directory. In earlier campaign stages and in related incidents like the HELLCAT breach of JLR's Jira environment in March 2025, infostealer malware was used to harvest credentials from endpoints before they were used to access enterprise systems. The infostealer guide covers how that layer of the credential chain works and what defenders can do about it.

This is the phase where defenders most often have a detection window and miss it. Both routes to the domain hashes produce high-signal events when auditing is configured. A DCSync request (secretsdump, mimikatz) appears as directory service access (Event ID 4662) in which the replication extended rights are requested by an account that is not a domain controller. A local export of NTDS.dit appears as ntdsutil or shadow-copy process creation on the domain controller itself. Either should raise an immediate alert in any EDR or SIEM with appropriate rules in place, and that coverage is worth testing proactively rather than assuming it exists.

Mapped to T1003.003 (OS Credential Dumping: NTDS), T1556.006 (Modify Authentication Process: Multi-Factor Authentication), and T1484.002 (Domain or Tenant Policy Modification: Trust Modification, which covers adding a federated identity provider). Alert on DCSync behaviour. Monitor for new MFA device registrations on privileged accounts. A federated identity provider does not self-configure: any entry in your SSO tenant that cannot be traced to a change ticket should be treated as a confirmed compromise rather than logged for review.


Phase 4: Persistence and Dwell

Scattered Spider does not rush. After securing identity-level access, the group establishes redundant persistence before moving toward impact.

Observed techniques include installing six or more legitimate Remote Monitoring and Management tools (AnyDesk, ScreenConnect, TeamViewer, Splashtop) to maintain access if one is removed; enrolling attacker-controlled MFA devices on compromised accounts; creating new user accounts in the directory; and deploying Tailscale VPN for covert connectivity (CISA, 2023). One of the more striking documented behaviours is monitoring of internal Slack and Microsoft Teams channels for incident response communications, in some cases joining IR calls directly to track defensive actions in real time.

The dwell periods across documented attacks are not incidental. M&S: approximately two months. MGM: multiple days between intrusion and ransomware deployment. The extended presence is deliberate, providing time to map the environment, exfiltrate data for double extortion, and position the ransomware payload for maximum coverage before it runs.

Mapped to T1219 (Remote Access Software), T1078 (Valid Accounts), T1136 (Create Account), T1114 (Email Collection). Baseline and audit approved RMM tools in your environment; any unapproved installation should trigger an alert. Treat a new administrator account appearing in Active Directory without a corresponding change ticket as a high-priority incident, not a routine anomaly.


Phase 5: Ransomware Deployment

The final destructive phase targets virtualised infrastructure rather than individual workstations. In both the MGM attack (ALPHV/BlackCat) and the M&S attack (DragonForce), ransomware was deployed specifically against VMware ESXi hypervisors (BleepingComputer, 2025). Encrypting a hypervisor takes every virtual machine it hosts offline simultaneously, maximising disruption from a single operation.

The ransomware payload itself is interchangeable. After the FBI's disruption of ALPHV/BlackCat in December 2023 and the operation's collapse in early 2024, affiliated operators migrated to DragonForce and RansomHub. The operators and their TTPs remained consistent. Only the payload changed. This is why defenders and threat intelligence teams should track behavioural signatures across the full six phases rather than anchoring attribution to the ransomware binary.

Exfiltration precedes encryption. Data moves to attacker-controlled infrastructure, often legitimate cloud services including MEGA.nz, before the ransomware runs. This establishes the double extortion position: pay for decryption, or the data appears on the DragonLeaks dark web site.

The JLR attack illustrates the downstream scale of ransomware against critical manufacturing infrastructure. The Cyber Monitoring Centre classified it as a Category 3 systemic event: widespread economic disruption without parallel compromise across multiple victims.

Mapped to T1486 (Data Encrypted for Impact), T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage), and T1657 (Financial Theft, which covers extortion). VMware ESXi management interfaces should not be reachable from the general IT network, and virtualisation infrastructure access should require a separate privileged identity that is not reachable through the standard admin credential chain. Pre-encryption indicators are short but real: mass SMB connections, shadow copy deletion via vssadmin, and event log clearing all give a response window measured in minutes. For a technical breakdown of how ransomware groups gain initial footholds through firewall and VPN vulnerabilities before reaching this stage, see ransomware via firewall and VPN exploitation.
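Phases 3 through 5 all leave traces in the Windows Security log, and the claim that DCSync and the pre-encryption commands are high-signal events is easy to check with a small rule set. The block below is an added example for this article, not the article's own code and not any vendor's detection content. It evaluates constructed events, shaped after the Windows Security event schema, for replication rights requested by a non-DC account (DCSync), an NTDS.dit export via ntdsutil, an RMM binary outside the approved set, a freshly created account added to a privileged group, and shadow-copy deletion and log clearing. The replication GUIDs and event IDs are real; the sample events, the ASSUMED_* allowlists, the RMM binary list and the one-hour window are assumptions.

```python
"""Windows Security event rules for phases 3 to 5 of the chain above.

Added example for this article: not the article's own code and not any vendor's
detection content. Events are constructed as dicts using field names from the
Windows Security event schema (EventID, SubjectUserName, Properties,
NewProcessName, CommandLine, TargetUserName, MemberName); MemberName is
simplified to a plain account name where the real 4728/4732 event carries a DN.
The ASSUMED_* sets are placeholders for your own allowlists.
"""
import re
from datetime import datetime, timedelta

# Extended-right GUIDs requested during DCSync (secretsdump, mimikatz lsadump::dcsync).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")
ASSUMED_REPLICATION_ALLOWLIST = {"msol_a1b2c3d4"}          # assumption: Entra Connect sync account
ASSUMED_APPROVED_RMM = {"screenconnect.clientservice.exe"}  # assumption: the one sanctioned RMM tool
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe", "teamviewer.exe", "tailscaled.exe"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Process-creation patterns matched against the lower-cased command line. Legitimate
# admins run ntdsutil and vssadmin too; pair these with a change ticket before closing.
COMMANDLINE_RULES = [
    (r"\bntdsutil\b.*\b(?:ifm|ntds)\b", "ntds_dit_export", "critical"),
    (r"\bvssadmin\b.*\bcreate shadow\b", "shadow_copy_created", "high"),
    (r"\bvssadmin\b.*\bdelete shadows\b", "shadow_copy_deletion", "critical"),
    (r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", "shadow_copy_deletion", "critical"),
    (r"\bwevtutil\b.*\bcl\b", "event_log_cleared", "critical"),
    (r"\bbcdedit\b.*\brecoveryenabled\s+no\b", "recovery_disabled", "critical"),
]


def _finding(ev, rule, severity, detail):
    return {"time": ev["TimeCreated"], "rule": rule, "severity": severity,
            "actor": ev.get("SubjectUserName", "?"), "host": ev["Computer"], "detail": detail}


def evaluate(events, new_account_window=timedelta(hours=1)):
    """Run every rule over the events in time order and return the findings."""
    findings, created = [], {}  # created: account name -> time of its 4720 event
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        eid, now = ev["EventID"], datetime.fromisoformat(ev["TimeCreated"])
        actor = ev.get("SubjectUserName", "")
        if eid == 4662:
            # DCs replicate to each other with their machine accounts (name ends in $).
            rights = set(GUID_RE.findall(ev.get("Properties", "").lower())) & REPLICATION_GUIDS
            if rights and not actor.endswith("$") and actor.lower() not in ASSUMED_REPLICATION_ALLOWLIST:
                findings.append(_finding(ev, "dcsync", "critical", sorted(rights)))
        elif eid == 4688:
            cmd = ev.get("CommandLine", "").lower()
            exe = ev["NewProcessName"].lower().rsplit("\\", 1)[-1]
            for pattern, rule, severity in COMMANDLINE_RULES:
                if re.search(pattern, cmd):
                    findings.append(_finding(ev, rule, severity, ev["CommandLine"]))
            if exe in RMM_BINARIES and exe not in ASSUMED_APPROVED_RMM:
                findings.append(_finding(ev, "unapproved_rmm", "high", ev["NewProcessName"]))
        elif eid == 4720:
            created[ev["TargetUserName"].lower()] = now
        elif eid in (4728, 4732) and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            member, group = ev["MemberName"].lower(), ev["TargetUserName"]
            fresh = member in created and now - created[member] <= new_account_window
            rule = "new_privileged_account" if fresh else "privileged_group_change"
            findings.append(_finding(ev, rule, "critical" if fresh else "high", f"{member} -> {group}"))
    return findings


def _ev(eid, time, **fields):
    return {"EventID": eid, "TimeCreated": time, "Computer": "DC01.corp.example", **fields}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev(4662, "2025-02-12T02:10:00", SubjectUserName="DC02$",    # normal DC-to-DC replication
        Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _ev(4662, "2025-02-12T02:14:05", SubjectUserName="j.smith",  # a user requesting replication: DCSync
        Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _ev(4688, "2025-02-12T02:20:11", SubjectUserName="j.smith",  # local NTDS.dit export
        NewProcessName=r"C:\Windows\System32\ntdsutil.exe",
        CommandLine=r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\dsa" q q'),
    _ev(4688, "2025-02-13T11:02:40", SubjectUserName="j.smith",  # second RMM beside the approved one
        NewProcessName=r"C:\Users\j.smith\AppData\Roaming\AnyDesk\AnyDesk.exe", CommandLine="AnyDesk.exe --service"),
    _ev(4688, "2025-02-13T11:03:00", SubjectUserName="SYSTEM",
        NewProcessName=r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
        CommandLine="ScreenConnect.ClientService.exe"),
    _ev(4720, "2025-02-13T11:30:00", SubjectUserName="j.smith", TargetUserName="svc-backup2"),
    _ev(4728, "2025-02-13T11:35:00", SubjectUserName="j.smith", TargetUserName="Domain Admins", MemberName="svc-backup2"),
    _ev(4688, "2025-04-24T01:05:00", SubjectUserName="svc-backup2",  # minutes before encryption
        NewProcessName=r"C:\Windows\System32\vssadmin.exe", CommandLine="vssadmin.exe delete shadows /all /quiet"),
    _ev(4688, "2025-04-24T01:05:30", SubjectUserName="svc-backup2",
        NewProcessName=r"C:\Windows\System32\wevtutil.exe", CommandLine="wevtutil.exe cl Security"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['severity']:<8} {f['rule']:<24} {f['actor']:<12} {f['detail']}")
```

Two prerequisites decide whether these rules see anything: 4662 only records replication requests if the domain naming context carries a SACL auditing the replication extended rights (Audit Directory Service Access enabled), and 4688 only carries the command line if "Include command line in process creation events" is enabled. Running secretsdump against a lab domain controller and confirming that the dcsync finding reaches the SIEM is the detection coverage check the article recommends.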


Phase 6: Extortion and Pressure

Scattered Spider treats extortion as a public performance as much as a financial negotiation. After the JLR attack, a group representative briefed the BBC directly via Telegram, sharing screenshots of internal JLR systems (BBC, 2025). After M&S, the group engaged media before official attribution was made. The regulatory lever has been used as well: in November 2023, ALPHV/BlackCat, the RaaS operation whose payload Scattered Spider used against MGM, filed a complaint with the US Securities and Exchange Commission against a victim (MeridianLink) for allegedly failing to disclose its breach, adding regulatory pressure to the ransom negotiation.

The public pressure component serves several purposes at once. It makes organisational silence harder to sustain. It discourages negotiations from stalling. It builds reputation within the cybercrime underground and attracts new affiliates and collaborators.

Incident response plans that account for this need a media and regulatory communications stream running in parallel with the technical response. The attacker should be assumed to be briefing journalists at the same time internal negotiations are happening. Pre-drafting regulatory disclosure templates for the ICO, NCSC, and sector-specific bodies before an incident occurs is considerably easier than drafting them under breach conditions.

Mapped to T1657 (Financial Theft, the technique under which ATT&CK records extortion) and T1491 (Defacement).


After the Arrests: The Current Picture

The July 10, 2025 UK arrests produced a confirmed and measurable pause. Mandiant stated publicly it had not observed any new intrusions directly attributable to UNC3944 after May 2025. Charles Carmakal, CTO at Mandiant Consulting, told Infosecurity Magazine the arrests had "spooked" other members. Halcyon's research director Anthony Freed confirmed the group had "gone quiet." That pause is real, and it applies specifically to the core Scattered Spider social engineering playbook. Actors operating under the Scattered Lapsus$ Hunters banner, primarily through ShinyHunters, continued running campaigns regardless.

While the helpdesk calls stopped, the coalition executed two major supply chain campaigns through the second half of 2025. In August, Salesloft's Drift chatbot was compromised via OAuth token theft, giving attackers downstream access to approximately 700 organisations that had connected Drift to their Salesforce environments. In October and November, the same approach targeted Gainsight, a customer success platform integrated with Salesforce: Google's Threat Intelligence Group confirmed more than 200 Salesforce instances were potentially affected (Austin Larsen, GTIG, TechCrunch, November 2025). Named claimed victims included Atlassian, DocuSign, GitLab, LinkedIn, SonicWall, Thomson Reuters, and Verizon. CrowdStrike separately confirmed that a terminated employee had passed internal screenshots to the group.

This is a structural evolution in the attack model. Instead of one helpdesk call yielding one victim, one compromised OAuth token in a widely-used SaaS integration yields hundreds of downstream victims simultaneously. The technical mechanics of this model, and what defenders should do about it, will be covered in a dedicated follow-up article.

In September 2025, Scattered Lapsus$ Hunters announced a temporary withdrawal from illicit activities on BreachForums, citing law enforcement pressure. ReliaQuest observed coalition activity in November, the same month the Gainsight campaign ran. The timing is notable, though whether the announcement was a deliberate tactic or coincidental cannot be confirmed from open sources alone.

The FBI seized BreachForums in October 2025. Scattered Lapsus$ Hunters rebuilt its Telegram presence. IT Pro documented the group's channels being taken down at least twelve times through 2025, with each rebuilt within hours. Disruption has not deterred the coalition. It has amplified the spectacle component, which is itself part of the pressure model.


The Playbook Is Evolving: What Comes Next

The playbook is no longer a single six-phase chain. It is branching into two distinct models running in parallel.

The original model (social engineering to infrastructure) paused after the July 2025 arrests but has not been retired. The group's decentralised structure means different operators can resume it without the arrested individuals. Mandiant notes that similar collectives, including UNC6040, are already running comparable TTPs.

The emerging model (SaaS supply chain, driven primarily by ShinyHunters within the coalition) targets third-party integrations rather than individual organisations directly. The Salesloft and Gainsight campaigns are the proof of concept. This attack surface and its defensive implications will be covered separately.

Several trends are worth monitoring into 2026:

Coalition formation and franchising. The collective operating as Scattered Lapsus$ Hunters claims a division of labour across the groups whose brands it appropriates: Scattered Spider for social engineering and initial access, Lapsus$ for extortion amplification and public pressure, ShinyHunters for large-scale data harvesting and dark web sales (Trustwave SpiderLabs, November 2025). Whether that structure reflects actual membership or brand impersonation, Scattered Lapsus$ Hunters has publicly solicited other threat actors to leverage its name in their own campaigns, a shift from criminal collective to criminal franchise that extends the playbook's reach without requiring core members to execute every attack.

Sector rotation into healthcare. The US Department of Health and Human Services Healthcare Cybersecurity Coordination Center published a Scattered Spider threat profile specifically warning the healthcare sector. Sophos and Trend Micro 2026 assessments both identify healthcare as the next likely concentrated campaign target. Healthcare carries the same characteristics that made retail and insurance attractive: outsourced helpdesk functions, heavy SaaS reliance, and significant financial leverage from operational disruption.

TTP evolution: on-premises identity first. Microsoft's July 2025 advisory noted a reversal of the group's prior pattern. Earlier campaigns used cloud identity privileges to reach on-premises systems. Recent activity compromises on-premises Active Directory infrastructure first, then pivots to cloud environments (Microsoft, 2025). Defenders who have hardened Entra ID and Okta while treating on-premises AD as a secondary concern should reorder that priority.

ShinySpider ransomware. The coalition has claimed development of a proprietary ransomware referred to as ShinySpider or ShinySp1d3r, which would move the group away from paying a share to RaaS providers. The claim is unverified, but the direction is consistent with how the group has vertically integrated every other capability.


What Defenders Should Prioritise

The Scattered Spider case record produces one observation that most threat coverage passes over: the attack chain is consistent, and the defensive failures that allow it to complete are equally consistent. The same six phases appear across MGM, M&S, Co-op, Harrods, and JLR. Different sectors, different ransomware payloads, different years. The same control gaps present each time. That consistency is the most useful output from this body of incidents.

Track the operators, not the payload name. The ransomware binary is interchangeable. ALPHV/BlackCat became DragonForce; DragonForce will become something else. Defenders who anchor attribution to the payload name will record three separate threat actors where there is one consistent operator set. Behavioural signatures across the six phases persist across every payload change. Track those.

Interrupt the chain at Phase 2 or Phase 3. Every documented attack that reached Phase 5 did so because it was not caught at Phase 2 (initial access) or Phase 3 (identity targeting). A single successful helpdesk impersonation opens the identity layer. NTDS.dit theft opens the entire domain. Neither event requires advanced detection capability; both produce high-signal events in standard tooling if the rules exist and are tested. At M&S, NTDS.dit was stolen in February 2025. Ransomware deployed in April. Two months of detection opportunity went unused.

Phishing-resistant MFA closes the Phase 2 social engineering window. Push notification MFA is the specific control Scattered Spider exploits via fatigue attacks and helpdesk manipulation. FIDO2 hardware keys or passkeys cannot be fatigue-bombed or helpdesk-bypassed in the same way. Privileged accounts should be the first migration target. Any helpdesk request involving account recovery, MFA reset, or new device registration should require an out-of-band callback to a pre-registered number before any change is made.

DCSync detection closes the Phase 3 window. A DCSync or secretsdump operation against a domain controller should produce an immediate high-priority alert. If it does not, run a detection coverage check before assuming the control is in place. Audit federated identity providers in your SSO tenant on a schedule; any unrecognised entry is a confirmed compromise, not an anomaly to investigate.

ESXi segmentation removes the Phase 5 lever. A single compromised admin credential should not be sufficient to encrypt every virtual machine in an estate simultaneously. VMware management interfaces should require a separate privileged identity that is not reachable through the standard admin credential chain.

Patch latency is now an initial access risk, not just a vulnerability management metric. The JLR case demonstrates that the coalition will exploit unpatched public-facing applications when the social engineering route has been hardened. CVE-2025-31324 had a patch available before JLR was compromised. In large organisations the problem is not knowing the patch exists; it is the change management cycles that delay deployment. Critical-severity, internet-facing vulnerabilities need to be treated as operational emergencies.

Public de-escalation signals deserve scrutiny. The Scattered Lapsus$ Hunters coalition announced a temporary withdrawal in September 2025. ReliaQuest observed activity in November. The Gainsight campaign ran that same month. Whether the timing was deliberate cannot be confirmed from open sources, but the pattern is consistent: a public pause followed by continued activity. Organisations in sectors that have been publicly warned, healthcare in particular, should not stand down on the basis of a group claiming to pause.

Insurance is a board governance matter. The JLR case made the consequence visible at national scale. Reports indicate JLR did not have active cyber insurance at the time of the August 2025 attack, having failed to finalise coverage with its broker. Ciaran Martin, former head of the NCSC and chair of the Cyber Monitoring Centre's technical committee, described the JLR incident as the single most financially damaging cyber event ever to hit the UK. Without active cover, JLR faced the full £1.9 billion economic impact without an insurer's incident response resources, ransomware negotiation support, or business interruption payments. The UK government issued a £1.5 billion loan guarantee to prevent supplier insolvencies across a chain of 5,000 businesses. Verifying that cyber insurance is active, correctly scoped to current infrastructure, and tested against the actual incident response plan is a board accountability item, not an IT checkbox.


For supply chain context on how this attack model fits the broader trajectory of third-party risk, the supply chain security retrospective covers how Gartner's 2021 predictions mapped to what actually happened by 2025. If your team is building detection coverage against the TTPs documented here, the Threat Actor Tools Guide covers the tooling defenders encounter in live incidents.



References and Sources

  1. CISA / FBI. (2023). Scattered Spider: Joint Cybersecurity Advisory AA23-320A. Cybersecurity and Infrastructure Security Agency.
  2. Mandiant / Google Cloud. (2025). Post-arrest assessment of UNC3944 activity. Charles Carmakal, CTO Mandiant Consulting. Via Cybersecurity Dive, July 2025.
  3. BleepingComputer. (2025). Marks and Spencer breach linked to Scattered Spider ransomware attack. Sergiu Gatlan.
  4. National Crime Agency. (2025). Arrest statement, July 2025. UK law enforcement joint operation.
  5. Cyber Monitoring Centre. (2025). M&S and Co-op attacks classified as single combined cyber event: £270m to £440m impact estimate.
  6. CNBC. (2025, October). Jaguar Land Rover cyberattack holds ominous lesson for British businesses. CMC £1.9bn economic damage estimate.
  7. Wikipedia / multiple sources. (2025). Jaguar Land Rover cyberattack. CVE-2025-31324 attribution, production shutdown timeline.
  8. CISA / FBI / NCSC / ASD. (2025, July). Updated Scattered Spider advisory. Sector expansion warning: insurance, aviation.
  9. The Stack. (2025, September). Jaguar Land Rover rocked by security incident. Kevin Beaumont commentary on SAP NetWeaver exposure.
  10. Infosecurity Magazine. (2025, September). Scattered Spider-linked group claims JLR cyber-attack.
  11. Irish Information Security Forum (IISF). (2025). JLR Cyber Attack: UK's Costliest Digital Disruption? CMC Category 3 classification, insurance gap, government loan guarantee.
  12. Ciaran Martin, former NCSC CEO, Chair of CMC Technical Committee. (2025). Commentary on JLR as most financially damaging cyber event in UK history. Via IISF/CMC reporting.
  13. Microsoft. (2025, July 16). Threat intelligence report on Octo Tempest / Scattered Spider TTP evolution: on-premises infrastructure targeting preceding cloud pivot.
  14. CrowdStrike. (2025, July 2). Scattered Spider Escalates Attacks Across Industries. Q2 2025 sector targeting: insurance, retail, aviation.
  15. CSO Online / multiple sources. (2025, July). Qantas, Hawaiian Airlines, WestJet incidents attributed to Scattered Spider via third-party SaaS contact centre platforms.
  16. ALPHV/BlackCat. (2023, September 14). Setting the Record Straight. Group's own published account of the MGM intrusion, including ten-minute call duration. Via vx-underground.
  17. Infosecurity Magazine. (2025, September). Cybercriminals "Spooked" After Scattered Spider Arrests. Carmakal and Freed commentary on post-arrest activity pause.
  18. TechCrunch / Google GTIG. (2025, November). Google says hackers stole data from 200 companies following Gainsight breach. Austin Larsen, principal analyst, Google Threat Intelligence Group.
  19. Trustwave SpiderLabs. (2025, November). Scattered LAPSUS$ Hunters: Anatomy of a Federated Cybercriminal Brand. Coalition structure analysis, division of labour across component groups.
  20. IT Pro. (2026, January). Scattered Spider evolved massively in 2025 -- here's what to expect in 2026. Sophos and Trend Micro 2026 outlook assessments.
  21. FINRA Cybersecurity Alert. (2025, November). Salesforce-Gainsight security incident advisory. OAuth token compromise timeline: October 23 to November 19, 2025.