Scattered Spider Bank Breach Signals Gang Is Back

Scattered Spider Reemerges with Bank Attack

The420.in Staff

A cybercrime group known as Scattered Spider has revealed that their “retirement” was anything but permanent. New intelligence shows they have penetrated a US bank in a recent digital intrusion, confirming predictions that they would refocus on financial targets. Internal systems, executive accounts, and financial infrastructure were all compromised in what appears to be a deliberate escalation in their tactics.

The attack began with social engineering directed at an executive, which enabled the attackers to reset passwords via a self-service account. With this foothold, they moved laterally across the bank’s network using systems such as VPN and Citrix, gaining access to sensitive IT and security documentation. They also breached VMware ESXi infrastructure, which allowed them to harvest employee credentials and expand further inside the organization’s networks.

Privilege Escalation and Data Access

After establishing access, the attackers elevated privileges by taking over administrative service accounts, notably resetting credentials for backup and service systems and assigning Global Administrator permissions. They relocated critical virtual machines and accessed data stores spread across platforms like Snowflake and AWS. This movement indicates that their intent was not just disruption but significant data theft or extortion.

Persistence Despite “Retirement” Claims

Earlier this year, Scattered Spider had made statements that they would cease operations, following pressure and exposure from law enforcement and security communities. But their methods, tools, and indicators of compromise show continuity—it seems the gang has not stopped but only shifted targets. Their resurgence points to how resilient and adaptive these cybercrime groups are; even when they talk about ending, they often just regroup or lie low, only to return stronger.
