{"id":57629,"date":"2024-11-08T14:57:14","date_gmt":"2024-11-08T14:57:14","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/"},"modified":"2024-11-08T14:57:14","modified_gmt":"2024-11-08T14:57:14","slug":"scattered-spider-blackcat-claw-their-way-back-from-criminal-underground","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/","title":{"rendered":"Scattered Spider, BlackCat claw their way back from criminal underground"},"content":{"rendered":"<p>Two high-profile criminal gangs, Scattered Spider and BlackCat\/ALPHV, seemed to disappear into the darkness like their namesakes following a series of splashy digital heists last year, after which there were arrests and website seizures.<\/p>\n<p>Over the last couple months, however, both have reemerged \u2013 with new reported intrusions and a possible rebrand.<\/p>\n<p>In October, security firm ReliaQuest responded to a digital break-in at a manufacturing firm that it <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.reliaquest.com\/blog\/scattered-spider-x-ransomhub-a-new-partnership\/\">attributed<\/a> with &#8220;high confidence&#8221; to <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/09\/15\/scattered_spider_snares_100_victims\/\" rel=\"noopener\">Scattered Spider<\/a>.<\/p>\n<p>This indicates that, despite law enforcement&#8217;s <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/11\/17\/fbi_scattered_spider_action\/\" rel=\"noopener\">best efforts<\/a> \u2013 including <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/06\/17\/scattered_spider_arrest\/\" rel=\"noopener\">arresting<\/a> a 22-year-old Brit suspected to be the gang&#8217;s kingpin in June and a <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.justice.gov\/usao-mdfl\/pr\/palm-coast-man-arrested-wire-fraud-and-aggravated-identity-theft-charges\">19-year-old<\/a> Florida man in January \u2013 the loose-knit group of teens and early-20s males hasn&#8217;t gone away.<\/p>\n<p>The manufacturing-sector intrusion began with two social engineering attacks on the victim&#8217;s help desk. 
Social engineering has been the gang&#8217;s preferred method of entry \u2013&nbsp;and one that has paid off for this group of native English speakers behind the massive <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/09\/01\/okta_scattered_spider\/\" rel=\"noopener\">SIM-swapping attack against Okta<\/a> and the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/12\/28\/casino_ransomware_attacks\/\" rel=\"noopener\">Las Vegas casinos digital heists<\/a> last year.<\/p>\n<p>Within six hours of calling the help desk, the miscreants began encrypting the organization&#8217;s systems, we&#8217;re told.&nbsp;<\/p>\n<h3 class=\"crosshead\">New encryptor, who dat?<\/h3>\n<p>This time, however, they used a RansomHub encryptor to lock the environment. That&#8217;s notable because the group previously&nbsp;was an affiliate for the BlackCat\/ALPHV crew. That group also scattered after collecting a <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/04\/30\/unitedhealth_ceo_ransom\/\" rel=\"noopener\">$22 million ransom<\/a> from the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/03\/08\/change_healthcare_restores_first_system\/\" rel=\"noopener\">Change Healthcare attack<\/a> and&nbsp; pulling an <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/03\/08\/change_healthcare_restores_first_system\/\" rel=\"noopener\">exit scam<\/a>.<\/p>\n<p>&#8220;This event demonstrates that despite arrests this year, members of The Com are still actively targeting organizations,&#8221; Hayden Evans, cyber threat intelligence analyst at ReliaQuest, told <em>The Register<\/em>.&nbsp;<\/p>\n<p>Scattered Spider is believed to be part of a larger cyber criminal community dubbed &#8220;The Com.&#8221;&nbsp;<\/p>\n<p>&#8220;This persistence is likely due to the group&#8217;s decentralized nature and indicates that these attacks will continue to take advantage of vulnerable organizations unless significant law enforcement disruption occurs,&#8221; Evans continued, adding that orgs should implement &#8220;stringent&#8221; help desk policies and technical controls to protect against Scattered Spider attacks.&nbsp;<\/p>\n<p>In addition to using RansomHub malware instead of BlackCat, the gang has adopted other new tactics that defenders need to be aware of.<\/p>\n<p>&#8220;A lot of the social engineering for initial access and SharePoint discovery events have been associated with the group in the <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.reliaquest.com\/blog\/scattered-spider-attack-analysis-account-compromise\/\">past<\/a>,&#8221; Evans noted. &#8220;But some of the newer events involve a greater degree of defensive evasion and a new Microsoft Teams method which hasn&#8217;t been seen before.&#8221;<\/p>\n<p>Scattered Spider used both of these in the attack that ReliaQuest responded to last month.<\/p>\n<p>First, the gang used the organization&#8217;s ESXi environment to create a virtual machine and maintain persistence, move laterally through the environment, dump credentials and steal data. 
It also disguised the criminals&#8217; activity and hid the attack until after they&#8217;d locked up the victim&#8217;s systems.<\/p>\n<p>Then, they demanded a ransom via a Microsoft Teams message.<\/p>\n<h3 class=\"crosshead\">Seeking: English-speaking callers<\/h3>\n<p>Scattered Spider \u2013 and other groups that increasingly use social engineering tactics \u2013 are progressively looking to hire native English speakers for specialized &#8220;caller&#8221; jobs, according to Lookout VP David Richardson.<\/p>\n<p>During an attack, &#8220;a caller may be hanging out on a screen-share with someone who might be somewhere else, and while the caller is executing the IT help-desk script to extract credentials the more tech-savvy individual in the criminal operation is stealing and encrypting the victim&#8217;s data,&#8221; Richardson told <em>The Register<\/em>.&nbsp;<\/p>\n<p>In one incident that his team responded to, Richardson said an employee received a phone call shortly after seeing a text message alerting them of unauthorized activity on a company account (this wasn&#8217;t true) and saying their account had been locked (also not true).<\/p>\n<p>After a 30-minute phone call during which the employee didn&#8217;t fall for the social engineering attack, the criminal &#8220;congratulated&#8221; the employee on passing a &#8220;social engineering test,&#8221; in the hopes that the employee wouldn&#8217;t even think to report the suspicious activity.<\/p>\n<blockquote class=\"pullquote\" readability=\"6\">\n<p>Attackers don&#8217;t hack in, they log in<\/p>\n<\/blockquote>\n<p>&#8220;Most of these campaigns are starting through SMS blasts to groups and phone calls,&#8221; Richardson noted. 
&#8220;They&#8217;re going after employees&#8217; mobile devices to launch these attacks, to get in the door.&#8221;<\/p>\n<p>And they still adhere to the old classic \u2013 they are logging in, not breaking in.<\/p>\n<p>&#8220;The main takeaway for defenders is the ongoing sentiment: Attackers don&#8217;t hack in, they log in,&#8221; Evans said. &#8220;Essentially, attackers aim for the path of least resistance that has a higher chance of success \u2013 such as by obtaining credentials through info-stealer logs or, as in this case, by targeting the help desk to reset credentials and bypass MFA.&#8221;<\/p>\n<p>Lookout VP David Richardson echoed this, and also noted that most of Scattered Spider&#8217;s affiliates log in through legitimate means.<\/p>\n<p>&#8220;People need to know that these kinds of attacks are happening and that just because an American calls you up, or you receive a text message, does not mean that this thing is legitimate,&#8221; he told <em>The Register<\/em>. &#8220;As a good employee, you should confirm this through multiple channels.&#8221;<\/p>\n<p>Richardson suggests reaching out to the person initiating the communication via an internal chat tool and looking them up on your company&#8217;s org chart to make sure they do exist.&nbsp;<\/p>\n<h3 class=\"crosshead\">BlackCat&#8217;s 9 lives<\/h3>\n<p>In December 2023, an FBI-led operation <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/12\/19\/blackcat_domain_seizure\" rel=\"noopener\">seized<\/a> BlackCat\/ALPHV&#8217;s website \u2013 shutting down the gang&#8217;s dark web presence \u2013 and released a decryptor tool.<\/p>\n<p>This famously didn&#8217;t stop the criminals from roaring back into action a few months later with the Change Healthcare ransomware infection, which <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/02\/22\/change_healthcare_outage\/\" rel=\"noopener\">crippled<\/a> American pharmacies and compromised about <a target=\"_blank\" 
href=\"https:\/\/www.theregister.com\/2024\/10\/27\/senator_domain_registrars_russia_disinfo\/\" rel=\"noopener\">100 million people&#8217;s<\/a> sensitive information \u2013 making it the largest healthcare data breach in US history.<\/p>\n<p>And after parent company United Health&#8217;s CEO made the difficult decision to pay the extortionists, BlackCat disappeared.&nbsp;<\/p>\n<p>Dark-web chatter over subsequent months has suggested that some affiliates joined RansomHub.<\/p>\n<p>Then in September researchers began noting &#8220;striking similarities&#8221; between BlackCat and Cicada3301 ransomware, which has claimed at least 39 victims since it was spotted in June.<\/p>\n<p>In addition to being written in Rust, like BlackCat, Cicada&#8217;s malware shared many other similarities with the other data-encrypting and deleting code, which were <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/09\/04\/cicada_ransomware_blackcat_links\/\" rel=\"noopener\">detailed<\/a> by Israeli endpoint security outfit Morphisec.<\/p>\n<p>Last month, threat hunters at Group-IB revealed that they had successfully <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.group-ib.com\/blog\/cicada3301\/\">infiltrated<\/a> the Cicada3301 ransomware affiliate panel. The ransomware crew primarily attacks companies in the US and UK, and has published stolen data from 24 of these between June and October.&nbsp;<\/p>\n<p>In their deep dive into the group&#8217;s inner workings and ransomware variants, they also saw connections between BlackCat and Cicada, according to Sharmine Low, a Group-IB malware analyst.<\/p>\n<p>&#8220;These two software programs exhibit significant similarities,&#8221; Low told <em>The Register<\/em>. &#8220;Notably, they use identical commands for inhibiting system recovery, shutting down virtual machines and killing processes for smoother execution. 
Additionally, both include a legitimate PsExec executable embedded within the Windows variant, while their naming conventions differ by only one word. Cicada3301 uses <code>RECOVER-[encrypted_extension]-DATA.txt<\/code> while BlackCat uses <code>RECOVER-[encrypted_extension]-FILES.txt<\/code>.&#8221;<\/p>\n<p>At the time of writing, Cicada had posted new victims on its leak site as recently as October 24.<\/p>\n<h3 class=\"crosshead\">&#8216;You can&#8217;t let your guard down&#8217;<\/h3>\n<p>&#8220;The main thing is: you can&#8217;t let your guard down,&#8221; ExtraHop senior technical manager Jamie Moles told <em>The Register<\/em>. &#8220;The simple fact of the matter is that ransomware gangs have been with us for a while now, and the big issue that we have is that technology and geography have made their life easy and have offered them a huge amount of protection.&#8221;<\/p>\n<p>Specifically the rise of cryptocurrency, which, by its decentralized and distributed nature, makes it much easier for criminal groups to hide the money trail and makes it more difficult for law enforcement to track.<\/p>\n<p>Plus, Moles added, &#8220;the geography part of it is that most of the ransomware operators who are a big deal in the industry operate out of what you might call a modern day Axis of Evil \u2013 which is North Korea, China and Russia\/Ukraine.&#8221;<\/p>\n<p>He warned: &#8220;Anybody who&#8217;s a potential target&#8221; should take note of these ransomware gangs&#8217; resurgence along with the newer, emerging groups.<\/p>\n<p>The first question that companies should ask themselves when it comes to protecting their IT environments is: &#8220;How would you protect yourself if you had an unlimited budget,&#8221; Moles suggested. &#8220;Start there, and then work your way down to where your actual budget sits.&#8221;<\/p>\n<p>It&#8217;s worth noting that most breaches get in via email \u2013 Moles put the percentage at between 95 and 98. 
&#8220;So you&#8217;ve got to have the best email filtering possible,&#8221; he opined.<\/p>\n<p>&#8220;You also want to have the best training for your users to make sure they understand the threats and the risks,&#8221; Moles noted, adding that other vital pieces include endpoint security, to give orgs a chance of catching malicious code running on the endpoints, along with network traffic monitoring to hunt for any suspicious activity on the network.<\/p>\n<p>&#8220;These ransomware operators \u2013 whether it&#8217;s Scattered Spider through RansomHub or this new Cicada ransomware group \u2013 are inherently opportunistic,&#8221; Evans observed. &#8220;A large majority of the time the tactics of these groups overlap. It&#8217;s super important for defenders to identify these common TTPs and common tools of these groups and have detection, mitigations in place.&#8221; \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2024\/11\/08\/scattered_spider_blackcat_return\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We all know by now that monsters never die, right? 
Two high-profile criminal gangs, Scattered Spider and BlackCat\/ALPHV, seemed to disappear into the darkness like their namesakes following a series of splashy digital heists last year, after which there were arrests and website seizures.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-57629","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head_json":{"title":"Scattered Spider, BlackCat claw their way back from criminal underground 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/","og_locale":"en_US","og_type":"article","og_title":"Scattered Spider, BlackCat claw their way back from criminal underground 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-11-08T14:57:14+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zy53tkZ5YbOpfcgDwtXi2QAAAZI&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Scattered Spider, BlackCat claw their way back from criminal underground","datePublished":"2024-11-08T14:57:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/"},"wordCount":1551,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zy53tkZ5YbOpfcgDwtXi2QAAAZI&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/","url":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/","name":"Scattered Spider, BlackCat claw their way back from criminal underground 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zy53tkZ5YbOpfcgDwtXi2QAAAZI&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2024-11-08T14:57:14+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zy53tkZ5YbOpfcgDwtXi2QAAAZI&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zy53tkZ5YbOpfcgDwtXi2QAAAZI&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@i
d":"https:\/\/www.threatshub.org\/blog\/scattered-spider-blackcat-claw-their-way-back-from-criminal-underground\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Scattered Spider, BlackCat claw their way back from criminal underground"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57629","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57629"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57629\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57629"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57629"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57629"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}