Emerging Threat Groups Targeting North American Enterprises

The name Scattered Spider has become shorthand for a particular brand of chaos: high-profile ransomware, deep social engineering, and sprawling supply chain infiltration (if you haven't read our report on how to defend against Scattered Spider, I'd do it now!). But while headlines have focused on this single group, other adversaries have continued to operate in parallel. In many cases, they are quieter, more patient, and equally devastating.

Among the most active are ALPHV (also known as BlackCat), FIN7, and Volt Typhoon. These threat actors differ in motive and method. Some are financially driven. Others serve the interests of foreign states. All of them, however, have evolved beyond simple exploits or opportunistic ransomware. Their operations are increasingly deliberate, prolonged, and aimed at organizations that support the functioning of broader industries: managed service providers (MSPs), financial institutions, insurance networks, and mortgage firms.

While Scattered Spider continues to draw headlines, it is no longer operating in isolation. The threat landscape has widened, and the methods have changed. What follows is a closer look at three groups whose influence is growing, less through brute force and more through the quiet erosion of organizational trust.

The Next Wave of Threat Actors

ALPHV/BlackCat has been called the most sophisticated ransomware group currently in operation. It emerged as a successor to the DarkSide and BlackMatter gangs, drawing from their tactics but expanding them. BlackCat operates a ransomware-as-a-service model, offering its code to affiliates and splitting the proceeds. The group has been credited with attacks on everything from healthcare systems to legal firms, yet its most troubling feature is adaptability. In some cases, BlackCat uses stolen credentials to access remote services. In others, it deploys custom ransomware strains designed to disable backups and accelerate ransom demands.

BlackCat’s targets often hold sensitive third-party data: MSPs, cloud storage providers, and firms that support compliance-sensitive industries. The logic is clear. By striking infrastructure that others rely on, attackers increase the leverage of each breach. Even partial access can create cascading consequences.

FIN7 has operated under a variety of aliases for nearly a decade, including Carbanak and Navigator Group. Once known for targeting point-of-sale systems and stealing credit card data, FIN7 has expanded its reach and grown more brazen in its methods. Security researchers have observed the group adopting the appearance of legitimate companies, complete with fake websites, business filings, and job postings. In one campaign, FIN7 mailed USB devices to employees at U.S. businesses, often disguised as promotional gifts. Once connected, the devices executed malware that provided remote access to internal systems.

More concerning is FIN7’s understanding of business operations. The group often tailors its approach based on the structure of the target organization, focusing on financial teams, procurement staff, or third-party administrators. This marks a shift from brute-force intrusion toward manipulation of workflows. FIN7 no longer just breaches systems. It breaches processes.

Volt Typhoon is different in almost every respect. Believed to be affiliated with Chinese state interests, the group has been linked to espionage campaigns targeting U.S. critical infrastructure. Unlike ransomware operators, Volt Typhoon does not leave ransom notes or encrypt files. It avoids detection by using tools already present in the victim’s environment, a method known as living-off-the-land (LOTL). Rather than relying on malicious code, it uses native system functions such as PowerShell, WMI, and command-line utilities.

The group’s known targets include telecommunications providers, transportation companies, and water utilities. However, many of the organizations identified are not direct targets of strategic value. They are service providers, vendors, or technology partners. Volt Typhoon appears to be laying groundwork for future disruption, embedding itself into networks that support broader national operations.

These groups vary in their goals and affiliations. But they all point toward a critical shift in the cyber threat landscape. The most valuable asset is no longer just data. It is access to trusted systems, and the ability to impersonate the people who operate them.

Tactics That Prioritize Trust Over Code

A defining characteristic of these newer attacks is their focus on trust-based exploitation. Rather than defeating encryption or bypassing firewalls, many intrusions begin with impersonation. A convincing phone call, a spoofed email, or a fraudulent vendor profile can be more effective than a zero-day exploit.

This has particular implications for MSPs and financial organizations. These entities operate within tightly regulated ecosystems, where identity is often confirmed through informal signals: a familiar name, a known extension, a recognizable email domain. When attackers compromise these signals, they do not raise alarms. They blend in.

In several incidents involving BlackCat and FIN7, the initial compromise came from inside communication channels. Phishing emails embedded in ongoing conversations, fake support messages sent through helpdesk portals, or fraudulent password reset requests were among the first signs of intrusion. By the time technical controls were triggered, attackers had already escalated privileges or exfiltrated sensitive records.

Meanwhile, state-aligned actors like Volt Typhoon focus less on immediate gain and more on durability. Their goal is not disruption, but presence. They avoid malware not because it is ineffective, but because it is noticeable. By mimicking legitimate behavior and avoiding direct modification of system files, they build persistence that can last months. During that time, they observe processes, map access points, and identify moments of vulnerability.
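The living-off-the-land behaviour described here and in the Volt Typhoon paragraph above leaves a thin trail in ordinary process-creation telemetry. As an added example (not code from the original article or from any vendor), the following Python triage script applies a few defender-side heuristics to constructed Windows process-creation records; the key="value" record layout, the pattern list and the sample events are all assumptions, meant to be tuned against real telemetry.

```python
import re

# Command-line patterns checked on every event (defender-tunable; constructed here)
CMDLINE_PATTERNS = [
    ("powershell_encoded", re.compile(r"powershell.*\s-(?:e|enc|encodedcommand)\s", re.I)),
    ("powershell_hidden_or_iex", re.compile(r"powershell.*(?:-w(?:indowstyle)?\s+hidden|\biex\b|invoke-expression|downloadstring)", re.I)),
    ("wmic_process_create", re.compile(r"wmic.*process\s+call\s+create", re.I)),
]
# Built-in utilities whose use by a service account suggests reconnaissance, not admin work
RECON_IMAGES = {"net.exe", "net1.exe", "netsh.exe", "nltest.exe", "whoami.exe", "ipconfig.exe", "systeminfo.exe", "tasklist.exe"}
# Parents from which an interactive shell or WMI child is unexpected
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wmiprvse.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe"}

def parse_event(line):
    """Parse one constructed key="value" process-creation record; None if malformed."""
    ev = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ev if {"image", "parent", "cmdline"} <= set(ev) else None

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(line):
    """Return a list of (finding, detail) pairs for one event; an empty list means clean."""
    ev = parse_event(line)
    if ev is None:
        return []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    findings = [(name, cmd) for name, pat in CMDLINE_PATTERNS if pat.search(cmd)]
    if image in RECON_IMAGES:
        findings.append(("recon_utility", cmd))
    if image in SHELLS and parent in SUSPICIOUS_PARENTS:
        findings.append(("unusual_parent", f"{parent} -> {image}"))
    return findings

def findings_by_user(lines):
    """Group findings per account so a slow, low-volume LOTL sequence still surfaces."""
    out = {}
    for line in lines:
        hits = triage(line)
        if hits:
            out.setdefault(parse_event(line).get("user", "?"), []).extend(hits)
    return out

# Constructed sample telemetry (not real logs); one benign event and three LOTL-style events
SAMPLE = [
    'user="corp\\jdoe" parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe notes.txt"',
    'user="corp\\svc_backup" parent="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c whoami"',
    'user="corp\\jdoe" parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe -w hidden -enc AAAA"',
    'user="corp\\svc_backup" parent="C:\\Windows\\System32\\cmd.exe" image="C:\\Windows\\System32\\net.exe" cmdline="net.exe group Domain Admins /domain"',
]

if __name__ == "__main__":
    for user, hits in findings_by_user(SAMPLE).items():
        print(user, [name for name, _ in hits])
```

Each heuristic alone is noisy in a real estate; the per-account grouping is what turns individually explainable events into a pattern worth an analyst's time.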

This evolution underscores a critical gap in most security strategies: the assumption that danger comes from outside, and that technical barriers are sufficient to contain it. In reality, the attack surface now includes conversations, approvals, and routine requests. The breach does not always involve a virus. Sometimes, it begins with a favor.

Protecting the Human Layer

As threat actors become more adept at imitating trusted behaviors, organizations must rethink where risk begins. The shift from technical to social attack vectors does not render traditional defenses useless, but it does expose their limits. Endpoint detection cannot confirm who is speaking on a call. Firewalls do not distinguish between a real approval and a spoofed one. Compliance policies do not verify identity in real time.

The challenge is not just one of technology, but of verification. In environments where data flows quickly between systems, vendors, and individuals, organizations need safeguards that protect not only information, but the context in which it is shared.

This is where identity-verified, ephemeral communication becomes essential. Across sectors facing strict regulatory scrutiny and frequent targeting by social engineering groups, some teams are turning to tools that limit exposure by design: platforms that verify identity before delivery, restrict access to intended recipients, and leave no retrievable copy behind. Solutions like Traceless reflect this shift: not just securing information, but shaping the way it moves through human workflows. For institutions entrusted with financial data, personal records, or client assets, these ephemeral processes help reduce the long tail of breach exposure that traditional tools often leave behind.

The future of cybersecurity will not be won solely at the firewall. It will be decided in inboxes, chat windows, phone calls, and shared folders. The adversaries are already there. The question is whether the defenders will follow.

If you want to keep your organization safe, check out Traceless in action! Book a call HERE