The threat group Scattered Spider has been carrying out aggressive campaigns against U.S. companies. In recent attacks, the group has used sophisticated social engineering to gain access to the internal systems of American businesses, which it then leveraged to compromise VMware vCenter Server Appliance (VCSA) instances and deploy ransomware directly from the ESXi hypervisor.

A recent report published by Google Threat Intelligence Group (GTIG) provided more details on Scattered Spider, also tracked as UNC3944, 0ktapus, and Octo Tempest, and its methodology. The researchers explained that members of the gang typically begin by calling IT help desks and using advanced social engineering tactics to talk support staff past the organization's account-security procedures.

“The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs,” wrote Google’s Threat Intelligence Team. “Their attacks are not opportunistic but are precise, campaign-driven operations aimed at an organization’s most critical systems and data.”

Scattered Spider has consistently used this methodology in operations targeting the retail sector, and has been linked to the major cyberattacks on retail companies in the United Kingdom, including Marks & Spencer and Co-op. It has since expanded to transportation and airline organizations: earlier this month the FBI warned that the international hacking group was targeting the aviation industry.

The hackers use a living-off-the-land (LotL) approach, relying on the tools and access that already exist inside the victim's network rather than on custom malware, to manipulate infrastructure. Once they control Active Directory they can reach the VMware vSphere environment, because vCenter is commonly configured to authenticate Active Directory users, so a compromised domain administrator account frequently doubles as a vSphere administrator. From there they exfiltrate data and deploy ransomware from the hypervisor itself, beneath the guest operating systems running on it.

“This method is highly effective as it generates few traditional indicators of compromise (IoCs) and bypasses security tools like endpoint detection and response (EDR), which often have limited or no visibility into the ESXi hypervisor and vCenter Server Appliance (VCSA),” added Google.
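Because the EDR agents running inside the guests cannot see what happens on ESXi or the VCSA, the practical countermeasure to the chain described in the two paragraphs above (Active Directory account reused against vCenter, then hands-on access to the ESXi hosts) is to ship hypervisor and vCenter logs to a SIEM and correlate them there. The script below is an added example written for this article, not code from GTIG or VMware. It assumes constructed syslog lines whose shape approximates vCenter (vpxd) login events and ESXi (Hostd) "SSH access has been enabled" events; the exact formats, host names, domain names and the 30-minute correlation window are all assumptions to adapt to your own collector. It flags any vCenter login by a principal from a domain other than the local SSO domain, any SSH enablement on an ESXi host, and, at higher severity, an SSH enablement that follows such a login within the window.

```python
"""Correlate vCenter and ESXi syslog for the AD -> vSphere pivot.

Added example; not from the GTIG report or VMware. All log lines below are
constructed approximations of vpxd / Hostd syslog output, not real captures.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample: vcsa01 is the vCenter appliance, esx01..esx03 are ESXi hosts.
SAMPLE_LOG = """\
2025-07-10T02:14:03Z vcsa01 vpxd: [UserLoginSessionEvent] User CORP\\svc-backup@10.0.5.21 logged in as pyvmomi
2025-07-10T02:15:10Z vcsa01 vpxd: [UserLoginSessionEvent] User VSPHERE.LOCAL\\Administrator@10.0.1.5 logged in as VMware vim-java
2025-07-10T02:16:40Z esx01 Hostd: [Originator@6876 sub=Vimsvc] Event 511 : SSH access has been enabled.
2025-07-10T02:17:02Z esx02 Hostd: [Originator@6876 sub=Vimsvc] Event 512 : SSH access has been enabled.
2025-07-10T05:40:00Z esx03 Hostd: [Originator@6876 sub=Vimsvc] Event 610 : SSH access has been enabled.
"""

# Regexes for the assumed line shapes; adjust to your real forwarder output.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpxd: \[UserLoginSessionEvent\] "
    r"User (?P<user>[^@\s]+)@(?P<src>[\d.]+) logged in"
)
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) Hostd: .*SSH access has been enabled\.")

# vCenter's built-in SSO domain (assumed default). Any other DOMAIN\user
# principal is treated as an Active Directory identity.
LOCAL_SSO_DOMAIN = "VSPHERE.LOCAL"

Alert = Tuple[str, str, str, str]  # (severity, kind, host, detail)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                    # "login" or "ssh_enabled"
    user: Optional[str] = None   # login events only
    src: Optional[str] = None    # login events only


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text: str) -> List[Event]:
    """Turn raw syslog text into time-ordered Event records; unknown lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(Event(_parse_ts(m["ts"]), m["host"], "login", m["user"], m["src"]))
            continue
        m = SSH_RE.match(line)
        if m:
            events.append(Event(_parse_ts(m["ts"]), m["host"], "ssh_enabled"))
    return sorted(events, key=lambda e: e.ts)


def is_ad_principal(user: str) -> bool:
    """True for DOMAIN\\user principals whose domain is not the local SSO domain."""
    if "\\" not in user:
        return False  # local accounts such as root have no domain prefix
    domain = user.split("\\", 1)[0]
    return domain.upper() != LOCAL_SSO_DOMAIN


def detect(events: List[Event], window: timedelta = timedelta(minutes=30)) -> List[Alert]:
    """Raise alerts for AD logins to vCenter, ESXi SSH enablement, and the two chained."""
    alerts: List[Alert] = []
    ad_logins = [e for e in events if e.kind == "login" and is_ad_principal(e.user or "")]
    for e in ad_logins:
        alerts.append(("medium", "ad_login_to_vcenter", e.host, f"{e.user} from {e.src}"))
    for e in events:
        if e.kind != "ssh_enabled":
            continue
        # SSH on ESXi is off by default; turning it on is invisible to in-guest EDR.
        alerts.append(("medium", "esxi_ssh_enabled", e.host, ""))
        # Chain: an AD-backed vCenter login shortly before SSH was enabled on a host.
        for login in ad_logins:
            gap = e.ts - login.ts
            if timedelta(0) <= gap <= window:
                detail = f"{login.user} logged in to {login.host} {int(gap.total_seconds())}s earlier"
                alerts.append(("high", "ad_login_then_esxi_ssh", e.host, detail))
    return alerts


if __name__ == "__main__":
    for severity, kind, host, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"[{severity}] {kind} host={host} {detail}")
```

On the constructed sample this produces one AD-login alert (the CORP account; the VSPHERE.LOCAL administrator is ignored), three SSH-enabled alerts, and two high-severity chained alerts for esx01 and esx02; esx03's SSH enablement falls more than three hours after the login and is reported on its own. The point of the correlation is not the specific regexes but that both halves of the chain only exist in hypervisor-side logs, so if those are not collected the attack generates nothing for the SOC to see.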

GTIG also shared detailed insights into the anatomy of Scattered Spider’s attacks, along with recommendations and strategies to help organizations prevent future intrusions.