Scattered Spider Deploys Ransomware on Compromised VMware Systems, Google Reports

In mid-2025, the Google Threat Intelligence Group (GTIG) reported on a highly coordinated campaign by a financially motivated hacking collective known as Scattered Spider, also tracked as 0ktapus and UNC3944. This group has a history of targeting major industries, including retail, airlines, and insurance, and has breached notable entities such as M&S, Harrods, and Co-op.

Despite recent arrests and charges against several of its members in the United States and the United Kingdom—stemming from their attacks on MGM Resorts and other retailers—Scattered Spider continues to exhibit an active and expansive presence globally. Their latest campaign, as outlined by GTIG, involves targeting compromised Active Directory accounts to seize control of VMware vSphere environments, aiming to extract sensitive data and deploy ransomware directly from the hypervisor layer.

This method poses a unique risk because it circumvents traditional security measures such as Endpoint Detection and Response (EDR), which typically lacks visibility into components like the ESXi hypervisor and the vCenter Server Appliance (VCSA). GTIG details a five-phase methodology employed by UNC3944 to escalate from an initial foothold to comprehensive hypervisor control. The entry point often involves social engineering over the phone: attackers masquerade as regular employees, leveraging publicly available personal information to manipulate help desk agents into resetting Active Directory passwords.

Once inside, the attackers conduct internal reconnaissance to identify high-value targets, including vSphere administrators. Following this, they execute a more sophisticated impersonation tactic to gain access to privileged administrator accounts, effectively bypassing standard security protocols by exploiting deficiencies in help desk identity verification processes.

With compromised privileged Active Directory credentials, the attackers swiftly target the vCenter Server. This access grants them what is effectively “virtual physical access” to the VCSA. They take control of the system’s bootloader, achieving root access and enabling SSH, subsequently deploying a legitimate open-source tool named Teleport to establish a persistent, encrypted communication channel that evades most firewall protections.

This enhanced access grants them the capability to enable SSH on ESXi hosts, reset passwords, and launch an “offline attack” on critical virtual machines, such as Domain Controllers. By powering down target VMs, detaching their virtual disks, and attaching those disks to unmonitored orphaned VMs, attackers can harvest sensitive data such as the Active Directory database. This entire operation occurs at the hypervisor level, rendering it imperceptible to in-guest security solutions.
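As an added illustration (not code from the GTIG report or this article), the following Python correlator flags the hypervisor-level disk-swap described above from vCenter/ESXi-style events: a critical VM is powered off, its VMDK is detached, and the same VMDK is attached to a different VM, with SSH having recently been enabled on the host. The event type names follow vSphere's event catalogue; the record layout, host and VM names, and timestamps are constructed for the example.

```python
# Constructed vSphere-style events (not real telemetry). Event type names
# follow vSphere's event catalogue; field layout and values are made up here.
EVENTS = [
    {"ts": 100, "type": "esx.audit.ssh.enabled", "host": "esx01", "user": "vsphere-admin"},
    {"ts": 160, "type": "VmPoweredOffEvent", "host": "esx01", "vm": "DC01", "user": "vsphere-admin"},
    {"ts": 190, "type": "VmReconfiguredEvent", "host": "esx01", "vm": "DC01",
     "user": "vsphere-admin", "disk_removed": "[datastore1] DC01/DC01.vmdk"},
    {"ts": 230, "type": "VmReconfiguredEvent", "host": "esx01", "vm": "tmp-vm",
     "user": "vsphere-admin", "disk_added": "[datastore1] DC01/DC01.vmdk"},
    {"ts": 900, "type": "VmPoweredOffEvent", "host": "esx02", "vm": "web01", "user": "ops"},
]

# Tier-0 guests whose disks must never be moved to another VM (assumption).
CRITICAL_VMS = {"DC01"}

def find_disk_swaps(events, window=3600):
    """Flag the 'offline attack' pattern: a critical VM is powered off, its VMDK
    is detached, and that VMDK is attached to a different VM within `window`
    seconds. Also records whether SSH was enabled on the host shortly before."""
    powered_off = {}   # vm name -> time it was powered off
    detached = {}      # vmdk path -> (source vm, time detached)
    ssh_enabled = {}   # host -> time SSH was enabled
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind = e["type"]
        if kind == "esx.audit.ssh.enabled":
            ssh_enabled[e["host"]] = e["ts"]
        elif kind == "VmPoweredOffEvent" and e["vm"] in CRITICAL_VMS:
            powered_off[e["vm"]] = e["ts"]
        elif kind == "VmReconfiguredEvent":
            if "disk_removed" in e and e["vm"] in CRITICAL_VMS:
                detached[e["disk_removed"]] = (e["vm"], e["ts"])
            path = e.get("disk_added")
            if path in detached:
                src_vm, _ = detached[path]
                off_at = powered_off.get(src_vm)
                if e["vm"] != src_vm and off_at is not None and e["ts"] - off_at <= window:
                    ssh_at = ssh_enabled.get(e["host"])
                    findings.append({
                        "vm": src_vm, "disk": path, "attached_to": e["vm"],
                        "user": e["user"], "host": e["host"],
                        "ssh_recently_enabled": ssh_at is not None and e["ts"] - ssh_at <= window,
                    })
    return findings

if __name__ == "__main__":
    for f in find_disk_swaps(EVENTS):
        print("ALERT critical VM disk moved:", f)
```

In production the same logic would run over vCenter's event stream or the ESXi syslog feed; the point is that the disk move is visible at the management plane even though nothing inside the guest sees it.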

Prior to deploying ransomware, the attackers undermine recovery efforts by targeting backup infrastructure, deleting jobs and repositories necessary for restoration. Once the stage is set, they utilize their SSH access to push custom ransomware onto the ESXi hosts, forcibly shutting down VMs and encrypting files directly from the hypervisor.

The urgency and speed of UNC3944’s operations necessitate a reevaluation of defensive strategies, emphasizing infrastructure-focused protections over traditional EDR-centric threat hunting. Organizations must enhance their security posture by implementing robust identity verification processes, hardening VMware environments, ensuring backup integrity, and maintaining continual monitoring.

Given the advanced techniques employed by Scattered Spider, cybersecurity teams should remain vigilant. Training staff to recognize and respond to social engineering attempts, alongside establishing a challenge protocol for verifying caller identities, are essential steps to mitigate risks. The complex nature of these attacks illustrates the necessity for an agile and informed security framework, as the threat landscape evolves rapidly.
