
Scattered Spider Evolves in 2025 with New Phishing Kit and Malware
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Sarah Frazier Former Content Manager
The notorious hacking group Scattered Spider continues to pose a serious cybersecurity threat in 2025, despite multiple arrests in the past year.
In a rush? Here are the quick facts:
- Spectre RAT malware updated for stealthy, long-term system access.
- Group targets brands like Nike, T-Mobile, and Pure Storage.
- Rentable subdomains and recycled domains complicate threat tracking.
The group still relies on sophisticated social engineering but has evolved its methods, introducing new phishing kits and an updated Spectre RAT malware to attack high-profile companies.
According to cybersecurity firm Silent Push, Scattered Spider remains actively engaged in attacks on major brands including Nike, T-Mobile, Louis Vuitton, and Vodafone. They’ve also expanded their targets to include cloud storage and marketing platforms such as Pure Storage and Klaviyo.
Active since 2022, the group initially became known for breaking into companies such as Twilio and MGM Resorts. It did so by deceiving employees into giving away their login credentials and MFA codes via fake login portals.
Although several members, including the alleged leader Tyler Buchanan, were arrested in 2024, the group has since come back to life, likely with new members and developers improving its tools and techniques, as explained by Silent Push.
One of the most notable evolutions this year is their adoption of Phishing Kit #5, now hosted on Cloudflare. Silent Push explains that, unlike earlier versions, which redirected users to Rick Astley’s “Never Gonna Give You Up” as a joke, the current version operates more discreetly and is harder to detect.
In another troubling shift, the group has started leveraging publicly rentable subdomains—such as klv1.it[.]com—that mimic legitimate services. These subdomains, often tied to dynamic DNS providers, are harder to trace due to their lack of traditional domain registration.
Silent Push warns that organizations should consider blocking such domains at the network level to reduce exposure.
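As an added defender-side example (not from the article or Silent Push), the following scans resolver logs for queries to rented subdomains under parents such as it[.]com, the parent of the klv1.it[.]com lookalike named above, and produces a hostname blocklist. The second parent domain and the log lines are constructed assumptions; a real deployment would load the provider list from its own threat intelligence.

```python
from typing import Optional

# Parent domains whose subdomains are rented out to third parties. Only it.com
# (the parent of klv1.it[.]com from the article) comes from the report; the
# other entry is a placeholder standing in for a real provider list.
RENTABLE_PARENTS = {"it.com", "dyn-rental-example.net"}

# Constructed resolver log lines: timestamp, client IP, queried name, record type.
SAMPLE_DNS_LOG = """\
2025-04-08T10:15:02Z 10.0.0.12 klv1.it.com A
2025-04-08T10:15:09Z 10.0.0.12 www.klaviyo.com A
2025-04-08T10:16:41Z 10.0.0.31 it.com A
2025-04-08T10:17:03Z 10.0.0.44 mail.klv1.it.com MX
2025-04-08T10:18:20Z 10.0.0.31 sso.dyn-rental-example.net A
"""

def refang(indicator: str) -> str:
    """Normalise a defanged indicator such as klv1.it[.]com to a hostname."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")

def rentable_parent(hostname: str) -> Optional[str]:
    """Return the rentable parent a hostname sits under, or None.

    The parent domain itself (e.g. it.com) is not flagged: only names with
    at least one extra label, i.e. actual rented subdomains, are reported.
    """
    labels = refang(hostname).split(".")
    # Check every suffix that leaves at least one label in front of it.
    for i in range(1, len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in RENTABLE_PARENTS:
            return suffix
    return None

def flag_queries(log_text: str) -> list:
    """Scan resolver log lines and return each hit as a dict."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qname, rtype = parts
        parent = rentable_parent(qname)
        if parent:
            hits.append({"time": ts, "client": client,
                         "hostname": refang(qname), "parent": parent})
    return hits

def blocklist(hits: list) -> list:
    """Deduplicated, sorted hostnames to feed a resolver or proxy blocklist."""
    return sorted({h["hostname"] for h in hits})
```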
Additionally, Scattered Spider has been linked to the reacquisition of a domain once owned by Twitter/X: twitter-okta[.]com. While it remains uncertain whether the domain will be used in upcoming campaigns, it underscores the group’s persistence in exploiting overlooked or abandoned digital assets, says Silent Push.
The Scattered Spider group continues to evolve as a dangerous threat in 2024 because of its ability to adapt its infrastructure and malware while finding new attack vectors. The group’s ongoing evolution shows that its operations are far from over.
Organizations need to stay vigilant while tracking unusual behavior and maintain updated security measures to prevent attacks from this persistent cybercriminal organization.

New Malware Campaign Exploits SourceForge Projects to Steal Crypto & Spy on Users
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Sarah Frazier Former Content Manager
A new malware campaign is targeting users through SourceForge, a trusted site known for hosting open-source software projects.
In a rush? Here are the quick facts:
- Victims download a fake installer containing a hidden cryptocurrency miner and ClipBanker.
- Malware sends user data to attackers via Telegram API.
- Attack chain includes VB scripts, PowerShell commands, and AutoIt interpreters.
Researchers from Kaspersky uncovered a scheme where attackers use a fake project to trick people into downloading malicious files disguised as office tools.
The fake project, called “officepackage,” looks harmless on the SourceForge page. Additionally, it copies its description from a real Microsoft Office add-ons project on GitHub. But the related officepackage.sourceforge.io domain points to a completely different website that lists fake office apps with “Download” buttons.
The researchers explain that the pages are indexed by search engines, so they look legitimate in search results. But instead of useful software, users are led through a confusing maze of download pages that ultimately install malware on their computers.
The downloaded file, named vinstaller.zip, contains hidden tools including a password-protected archive and a Windows Installer that looks large and legitimate but is actually stuffed with junk data to fool users. When launched, it silently runs a script that downloads files from GitHub, extracts malicious components, and starts spying on the device.
One of the hidden scripts sends the victim’s device details to attackers through Telegram. This includes the computer’s IP address, username, antivirus software, and even the CPU name.
The malware does two main things: first, it installs a cryptocurrency miner that quietly uses the computer’s resources to generate digital money for the attackers.
Second, it installs a type of malware called ClipBanker, which waits for users to copy and paste cryptocurrency wallet addresses. When they do, it replaces the wallet address with one owned by the attacker, redirecting funds to them.
The malware uses several methods to stay on the system and automatically restart even after rebooting. It hides in system folders, adds special registry keys, creates fake Windows services, and even hijacks system update tools.
To stay safe, experts strongly advise downloading software only from official sources, as pirated or unofficial downloads always carry a higher risk of infection.