Monday, May 12, 2025

Scattered Spider Malware Targets Klaviyo, HubSpot, and Pure Storage Platforms


Silent Push researchers have identified that the notorious hacker collective Scattered Spider, also known as UNC3944 or Octo Tempest, continues to actively target prominent services in 2025, including Klaviyo, HubSpot, and Pure Storage.

This group, active since at least 2022, has built a reputation for executing sophisticated social engineering attacks to harvest usernames, login credentials, and multi-factor authentication (MFA) tokens.

Their latest campaigns demonstrate an alarming evolution in tactics, techniques, and procedures (TTPs), with updated phishing kits and a new variant of the Spectre RAT (Remote Access Trojan) designed for persistent access to compromised systems.


Sophisticated Phishing and RAT Campaigns

Silent Push’s analysis reveals Scattered Spider’s focus on major brands and software vendors, with 2025 targets encompassing high-profile names like Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Nike, T-Mobile, and Vodafone, alongside specialized platforms like Klaviyo and Pure Storage.

Their phishing operations have become more elusive, leveraging dynamic DNS vendors for subdomains such as klv1.it[.]com, which mimics Klaviyo’s SMS marketing features.

This shift to publicly rentable subdomains complicates traditional tracking methods, as these lack conventional domain registration fingerprints, making detection challenging even for advanced security tools.

Silent Push notes that such infrastructure choices, combined with hosting on privacy-focused providers like Njalla, Virtuo, and Cloudflare, indicate a deliberate move toward operational stealth.

A significant discovery in Silent Push’s research is the updated Spectre RAT, which features advanced obfuscation, a sophisticated crypter, and support for both 32-bit and 64-bit Intel architectures.

[Figure: Morningstar-okta[.]com]

This malware enables data exfiltration, command execution, and system reconnaissance while employing XOR-based string encoding and dynamic command-and-control (C2) server configurations to evade detection.

Hardcoded C2 servers act as decoys, used only once to fetch dynamic server lists, further obscuring the threat actor’s infrastructure.

Silent Push has responded by releasing publicly available code for a Spectre RAT String Decoder and C2 Emulator on GitHub, empowering defenders to analyze and mitigate this threat through simulated environments or operational takeovers.

Silent Push Uncovers New Tactics

Scattered Spider’s phishing kits, tracked across five unique versions since 2023, also showcase adaptability.

The latest, Phishing Kit #5, detected in 2025 and hosted on Cloudflare, incorporates multiple brand templates within a single site, targeting entities like T-Mobile, Tinder, and Nike.

[Figure: VirusTotal results]

Legacy kits impersonate Okta login portals with short-lived domains active for mere minutes to hours, often using keywords like “okta,” “sso,” or “vpn” in URLs.

This rapid deployment and abandonment strategy, paired with bulk domain registrations targeting specific sectors such as financial, retail, and telecommunications, underscores the group’s calculated approach to maximizing impact while minimizing exposure.

To aid in defense, Silent Push offers Indicators of Future Attack (IOFA) feeds for enterprise clients, alongside a free Community Edition platform for threat hunting.

Their research also highlights Scattered Spider’s historical infrastructure preferences, including registrars like NiceNIC and ASNs such as Cloudflare (AS13335) and DigitalOcean (AS14061).

Indicators of Compromise (IOCs)

Below is a sample list of Indicators of Compromise (IOCs) associated with Scattered Spider’s campaigns, providing critical data for cybersecurity teams to bolster their defenses against this persistent and evolving threat.

Indicator               Type
klv1.it[.]com           Domain
corp-hubspot[.]com      Domain
pure-okta[.]com         Domain
twitter-okta[.]com      Domain
sso-instacart[.]com     Domain
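To show how a SOC team would actually put the indicators above to work, here is an added example (not Silent Push's code or feeds) that refangs the listed domains, matches them against constructed proxy log lines, and adds two heuristics the article describes: hosts rented under a public dynamic-DNS parent such as it[.]com, and hostnames carrying the "okta", "sso" or "vpn" lure keywords. The log format, the allowlist of legitimate Okta zones, and the hostname morningstar-okta[.]com in the sample (taken from the figure caption above) are assumptions for the example; the set of rentable parent zones is the one domain the page names and would need extending from your own intelligence.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicators copied from the article's IOC table, kept in the defanged form the page uses.
IOC_DOMAINS_DEFANGED = [
    "klv1.it[.]com",
    "corp-hubspot[.]com",
    "pure-okta[.]com",
    "twitter-okta[.]com",
    "sso-instacart[.]com",
]

# Publicly rentable parent zones. Only it.com appears in the article; extending
# this set from your own intelligence is left to you (assumption).
RENTABLE_PARENTS = {"it.com"}

# URL keywords the article attributes to the legacy Okta-lookalike kits.
LURE_KEYWORDS = ("okta", "sso", "vpn")

# Constructed allowlist of legitimate identity-provider zones; tune to your tenants.
ALLOWLIST_SUFFIXES = ("okta.com", "oktapreview.com")


def refang(indicator: str) -> str:
    """Turn 'a[.]b' back into 'a.b' so it can be compared with live log data."""
    return indicator.replace("[.]", ".").lower().strip(".")


IOC_DOMAINS = sorted(refang(d) for d in IOC_DOMAINS_DEFANGED)


def _under(host: str, zones: Iterable[str]) -> bool:
    """True if host equals one of the zones or sits anywhere beneath it."""
    return any(host == z or host.endswith("." + z) for z in zones)


def classify_host(host: str) -> List[str]:
    """Return the reasons a hostname matches the article's Scattered Spider patterns.

    Order is fixed: exact/suffix IOC hit, rentable dynamic-DNS parent, lure keyword.
    Allowlisted identity-provider zones are never flagged.
    """
    host = host.lower().strip(".")
    if _under(host, ALLOWLIST_SUFFIXES):
        return []
    reasons: List[str] = []
    if _under(host, IOC_DOMAINS):
        reasons.append("known-ioc")
    if any(host.endswith("." + p) for p in RENTABLE_PARENTS):
        reasons.append("rentable-subdomain")
    labels = host.split(".")[:-1]  # the TLD itself never carries a lure keyword
    if any(k in label for label in labels for k in LURE_KEYWORDS):
        reasons.append("lure-keyword")
    return reasons


# Constructed proxy log format: timestamp, source IP, destination host, path.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; malformed lines yield None and are skipped by the scanner."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def scan_logs(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map every flagged destination host to the reasons it was flagged."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify_host(rec["host"])
        if reasons:
            hits[rec["host"].lower()] = reasons
    return hits


# Constructed sample log; hosts other than the IOCs and the figure caption are made up.
SAMPLE_PROXY_LOG = """\
2025-05-12T09:14:03Z 10.0.4.21 login.okta.com /app/
2025-05-12T09:15:11Z 10.0.4.21 klv1.it.com /sms/verify
2025-05-12T09:16:40Z 10.0.7.8 sso.pure-okta.com /login
2025-05-12T09:17:02Z 10.0.7.8 morningstar-okta.com /
2025-05-12T09:18:27Z 10.0.2.3 www.example.com /index.html
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for host, why in scan_logs(SAMPLE_PROXY_LOG.splitlines()).items():
        print(f"{host}: {', '.join(why)}")
```

Suffix matching matters because the kits mint short-lived hostnames beneath a registered domain, so `sso.pure-okta.com` should hit the `pure-okta[.]com` indicator without a separate entry. The keyword heuristic alone is noisy and is kept as a low-severity reason for triage; the allowlist is what stops it from paging on your real identity provider.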


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
