InfoSecBulletin Cybersecurity for mankind
Mandiant, which is owned by Google, reports that the group behind the recent MGM Resorts hack is now targeting more victims and exploring new ways of making money.
This hacking group, known by various names such as UNC3944, 0ktapus, Scatter Swine, and Scattered Spider, has successfully infiltrated over 100 organizations, primarily in the United States and Canada. The group is known for their SMS phishing campaigns (also known as smishing), however, they have been actively developing their expertise and expanding their collection of tools. As a result, they are anticipated to soon start focusing on a wider range of industries.
EDR-Freeze: A Tool That Puts EDRs And Antivirus Into A Coma State
First-ever AI-powered ‘MalTerminal’ Malware Uses OpenAI GPT-4 to Generate Code
Gmail Data exposes via ChatGPT Deep Research Agent dubbed “ShadowLeak Zero-Click” Flaw
Cyber attack disrupts several European airports: check-in and boarding systems affected
Hacker claim to breach Link3; 189,000 Users data up for sale
Check Point Hosts “Securing the Hyperconnected World in the AI Era” in Dhaka
Microsoft Confirms 900+ XSS Vulns Found in IT Services
Daily Security Update Dated : 15.09.2025
IBM QRadar SIEM Vuln Let Attackers Perform Unauthorized Actions
Major Australian Banks using Army of AI Bots to Scam Scammers
Additionally, Mandiant observed a significant change in the group’s tactics in mid-2023, as they began focusing on deploying ransomware, a potentially lucrative endeavor. In some attacks, the hackers used the ALPHV (BlackCat) ransomware. However, Mandiant believes that they may also utilize other types of ransomware and develop new ways to make more money in the future.
Since late 2021, the threat actor has been actively engaging in smishing in order to acquire legitimate employee credentials. They then proceed to contact the targeted organization’s help desk, posing as the employees, in order to obtain multi-factor authentication (MFA) codes or to reset account passwords.
The hacking group has been observed giving different types of verification information that the help desk asked for, such as personally identifiable information (PII), employee ID, and username.
UNC3944 uses phishing pages that appear legitimate. These pages often mimic service desk or single sign-on (SSO) interfaces. This technique makes the phishing attempts more convincing by using information obtained from the victim’s network access.
Since 2021, the group has used at least three phishing kits. These include EightBait, which can deploy AnyDesk to victims’ systems, as well as two phishing kits that were built using a targeted organization’s webpage. These two kits have few code changes between them.
The group not only engaged in smishing and social engineering, but they were also found to be utilizing a credential harvesting tool. They went to great lengths to meticulously search a victim’s internal systems, in order to discover valid login information. Additionally, they employed publicly available tools to harvest credentials from internal GitHub repositories, and took advantage of the open source tool MicroBurst to uncover Azure credentials and secrets.
Mandiant has determined that UNC3944 is utilizing information stealers to gather credentials, which include Ultraknot (also known as Meduza stealer), Vidar, and Atomic.
UNC3944 intrusions are characterized by their innovative, tenacious, and progressively successful attacks on victims’ cloud resources. This straAccording to Mandiant, tegy allows threat actors to gain a initial position for future actions, conduct network and directory reconnaissance, and access sensitive systems and data stores.
Mandiant found that UNC3944 used Microsoft Entra to access restricted resources and create virtual machines for unmonitored access. They also abused Azure Data Factory to steal data and used victims’ cloud environments to host malicious tools and move around.
UNC3944 is a rapidly evolving threat that constantly enhances its skills and tactics to successfully diversify its strategies for monetization. Mandiant notes that it is expected for these threat actors to continuously enhance their skills and utilize underground communities for assistance, in order to make their operations more effective.
