Spiders don’t change their stripes. Despite gang members’ recent retirement claims, Scattered Spider hasn’t exited the cybercrime business and instead has shifted focus to the financial sector, with a recent digital intrusion at a US bank.
In an update to an earlier threat intelligence report about ShinyHunters’ string of Salesforce-related heists, along with that crime crew’s collab with Scattered Spider, ReliaQuest researchers said that their recently uncovered evidence suggests that Scattered Spider didn’t “go dark” after all.
“In our original investigation posted on August 12, 2025, ReliaQuest predicted that the Scattered Spider hacking collective, linked to ShinyHunters, would soon shift their focus to the financial sector,” the infosec analysts wrote.
“ReliaQuest has now observed this targeting in action, marked by an increase in domains potentially linked to the group focusing on the finance sector, as well as a recently identified targeted intrusion against a US banking organization,” the Monday update continued.
The criminals gained initial access in their usual manner – socially engineering their way into an executive’s account and resetting its password via Microsoft Entra ID (formerly Azure Active Directory) self-service password reset.
Then they used this access to snoop through sensitive IT and security documents and move laterally through the bank’s Citrix environment and VPN. As they have done in other intrusions, Scattered Spider also compromised VMware ESXi infrastructure to dump employee credentials and further infiltrate the financial org’s network.
“To escalate privileges, the attacker reset a Veeam service account password, assigned Azure Global Administrator permissions, and relocated virtual machines to evade detection,” ReliaQuest added. “Evidence also points to attempted data exfiltration from Snowflake, AWS, and other repositories, underscoring their intent to extract sensitive information.”
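A defender-side detection for the first two steps of that chain, added here as an example (it is not ReliaQuest's or The Register's code): it correlates Entra ID self-service password resets on a watchlist of executive and service accounts with Global Administrator grants made shortly afterwards by, or to, the reset account. The records are constructed and loosely modelled on the Entra ID audit-log JSON; the field names, the account names and the six-hour window are assumptions.

```python
"""Correlate self-service password resets with later Global Administrator grants.

Constructed audit records, loosely modelled on Entra ID audit-log JSON
(activityDisplayName, initiatedBy, targetResources, modifiedProperties).
Field names are assumptions, not a guaranteed schema.
"""
from datetime import datetime, timedelta

# Constructed watchlist: executives and high-value service accounts (assumed names).
WATCHLIST = {"cfo@bank.example", "svc-veeam@bank.example"}
GA_WINDOW = timedelta(hours=6)  # assumed correlation window

SSPR = "Reset password (self-service)"
ROLE_ADD = "Add member to role"


def _ts(s):
    """Parse an ISO-8601 timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _target_upn(ev):
    for t in ev.get("targetResources", []):
        if t.get("userPrincipalName"):
            return t["userPrincipalName"].lower()
    return None


def _initiator_upn(ev):
    upn = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
    return upn.lower() if upn else None


def is_sspr(ev):
    """Successful self-service password reset (failed attempts are ignored)."""
    return ev.get("activityDisplayName") == SSPR and ev.get("result") == "success"


def is_global_admin_grant(ev):
    """Role assignment whose modified Role.DisplayName names Global Administrator."""
    if ev.get("activityDisplayName") != ROLE_ADD or ev.get("result") != "success":
        return False
    for t in ev.get("targetResources", []):
        for p in t.get("modifiedProperties", []):
            if p.get("displayName") == "Role.DisplayName" and \
                    "Global Administrator" in str(p.get("newValue", "")):
                return True
    return False


def detect(events, watchlist=WATCHLIST, window=GA_WINDOW):
    """Return (kind, account, time) alerts in chronological order."""
    alerts, last_reset = [], {}
    for ev in sorted(events, key=lambda e: _ts(e["activityDateTime"])):
        when, target = _ts(ev["activityDateTime"]), _target_upn(ev)
        if is_sspr(ev):
            last_reset[target] = when
            if target in watchlist:
                alerts.append(("sspr_on_watchlisted_account", target, ev["activityDateTime"]))
        elif is_global_admin_grant(ev):
            alerts.append(("global_admin_granted", target, ev["activityDateTime"]))
            # Either the actor or the new admin had its password reset recently.
            for upn in {_initiator_upn(ev), target}:
                reset_at = last_reset.get(upn)
                if reset_at is not None and timedelta(0) <= when - reset_at <= window:
                    alerts.append(("global_admin_after_sspr", upn, ev["activityDateTime"]))
    return alerts


def _ev(time, name, actor, target, result="success", role=None):
    props = [{"displayName": "Role.DisplayName", "newValue": f"\"{role}\""}] if role else []
    return {"activityDateTime": time, "activityDisplayName": name, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"userPrincipalName": target, "modifiedProperties": props}]}


# Constructed sample: exec SSPR, then GA granted to a service account by that exec;
# an unwatched analyst reset whose GA grant falls outside the window; noise.
SAMPLE_EVENTS = [
    _ev("2025-09-08T08:55:00Z", SSPR, "cfo@bank.example", "cfo@bank.example", result="failure"),
    _ev("2025-09-08T09:00:00Z", SSPR, "cfo@bank.example", "cfo@bank.example"),
    _ev("2025-09-08T09:30:00Z", ROLE_ADD, "cfo@bank.example", "svc-veeam@bank.example",
        role="Global Administrator"),
    _ev("2025-09-08T11:00:00Z", SSPR, "analyst@bank.example", "analyst@bank.example"),
    _ev("2025-09-08T12:00:00Z", "Update user", "itadmin@bank.example", "analyst@bank.example"),
    _ev("2025-09-08T20:00:00Z", ROLE_ADD, "itadmin@bank.example", "analyst@bank.example",
        role="Global Administrator"),
]

if __name__ == "__main__":
    for kind, account, when in detect(SAMPLE_EVENTS):
        print(f"{when} {kind:28s} {account}")
```

The second signal fires on its own for every Global Administrator grant; the correlated one is the higher-fidelity alert, and on a real tenant the watchlist would be fed from the directory's executive and service-account groups rather than hard-coded.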
Plus, this bank break-in happened after Scattered Spider and other ransomware slingers said they were getting out of the business. “Despite these claims, their TTPs and IOCs are still surfacing, showing that the threat remains active and evolving,” the threat hunters noted.
Of course, they wouldn’t be the first group to pull an exit scam – remember ALPHV/BlackCat after the Change Healthcare attack last year? And Scattered Spider seemingly took a break from its criminal operations for a stint following its high-profile casino heists in 2023, which put a huge target on these criminals’ collective backs and led to the arrests of at least seven of its members.
Plus, as Rex Booth, chief information security officer at identity-focused security shop SailPoint, told The Register, “ultimately, whether one group of criminals retires or not doesn’t really matter to the victims.”
“Ransomware and digital crime are opportunity-driven, and if one gang steps aside, a new one will eagerly take their place,” Booth said. “We need to focus on prevention more than personalities.” ®