Home > Commentaries and Analyses
75 views 6 secs 0 comments

Defending Against UNC3944/Scattered Spider: Cybercrime Hardening Guidance from the Frontlines – Mandiant

In Commentaries and Analyses, Data Breach News, Malware Ransomware
May 08, 2025

Background

UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. However, after shifting to ransomware and data theft extortion in early 2023, they impacted organizations in a broader range of industries. Since then, we have regularly observed UNC3944 conduct waves of targeting against a specific sector, such as financial services organizations in late 2023 and food services in May 2024. Notably, UNC3944 has also previously targeted prominent brands, possibly in an attempt to gain prestige and increased attention by news media….

A high-level overview of UNC3944 tactics, techniques and procedures (TTPs) are noted in the following figure:

Read more of this guidance from Mandiant.

Related Post
FBI IC3, Verizon DBIR, Google M-Trends reports are out—here are key takeaways
FBI IC3, Verizon DBIR, Google M-Trends reports are out—here are key takeaways
April, 2025
The Sophos Annual Threat Report: Cybercrime on Main Street 2025
The Sophos Annual Threat Report: Cybercrime on Main Street 2025
April, 2025
BakerHostetler launches 2025 Data Security Incident Response Report
BakerHostetler launches 2025 Data Security Incident Response Report
April, 2025
China-linked APT Silk Typhoon targets IT Supply Chain
China-linked APT Silk Typhoon targets IT Supply Chain
March, 2025