The hacker group known as Scattered Spider is conducting an aggressive campaign against virtualized environments, directly targeting VMware ESXi hypervisors used by companies in key sectors such as retail, aviation, transportation, and insurance in the United States.
According to Google’s Threat Intelligence Group (GTIG), these attackers don’t rely on technical vulnerabilities or sophisticated exploits. Instead, they continue using what they do best: precise, well-executed social engineering that allows them to bypass even the most advanced security systems. In other words, they’re walking through the front door... because someone unknowingly opens it for them.
How does Scattered Spider’s attack work?
It all starts with what seems like an innocent phone call: an attacker poses as an employee and contacts the technical support or help desk team. The goal is clear: to convince the IT agent to reset the Active Directory password of the supposed user. If they succeed, they gain the initial access they need to infiltrate the network.
Once inside, Scattered Spider moves quickly and methodically. They search file shares and internal IT documentation for anything that identifies high-value targets: domain administrator names, VMware vSphere configuration and topology, and security groups with elevated permissions over the virtual environment.
And they don’t stop there. At the same time, they search for privileged access management (PAM) tools, where many companies store sensitive data. These platforms may contain credentials or critical information that facilitate access to key network assets.
"Armed with the name of a specific and high-value administrator, they make additional calls to the help desk. This time, they impersonate the privileged user and request a password reset, allowing them to take control of a privileged account." – Google Threat Intelligence Group
From Social Engineering to Total Control: How Scattered Spider Advances
After gaining initial access, Scattered Spider doesn’t waste any time. Their next move is to target the VMware vCenter Server Appliance (vCSA), a critical virtual machine that allows the management of the entire VMware vSphere environment, including the ESXi hypervisors that control virtual machines (VMs) on physical servers.
Having access to vCSA is like holding the keys to a castle. With this control, attackers can enable SSH connections on ESXi hosts, reset root passwords, and essentially do whatever they want within the virtual environment.
One of the most effective techniques at this stage is what the report calls "disk swapping." The attackers power off a virtual machine that acts as a domain controller, detach its virtual disk (VMDK), and attach that disk to another VM they already control. Because the disk is mounted offline, none of the guest's own protections apply: no EDR agent, no Windows access controls, and no file lock on the database. From there they copy the NTDS.dit file, the Active Directory database holding every domain account and its password hash, together with the SYSTEM registry hive, whose boot key is needed to decrypt those hashes offline. They then reattach the disk to the original machine and power it back on, as if nothing had happened; the only trace is the power-off and reconfigure sequence in vCenter's event log.
This level of access also allows them to manage the entire virtual infrastructure. They can modify, delete, or even hide backup machines, eliminate scheduled backup jobs, snapshots, and even recovery repositories. Essentially, they can leave a company with no way to recover unless it pays.
In the final stage of the attack, Scattered Spider uses the SSH access they previously enabled to upload and run a ransomware binary directly on the ESXi hosts. Their goal: to encrypt the virtual machine files (VMDK disks, VMX configurations and related files) stored in the environment's datastores, taking every guest VM down at once.
According to researchers from Google’s Threat Intelligence Group (GTIG), Scattered Spider’s approach follows a well-defined five-stage model that allows them to escalate from simple user access to full control of the hypervisor. It’s a meticulous attack, planned and executed with surgical precision.
Scattered Spider Attack Chain (Source: Google)
Scattered Spider Doesn’t Need Exploits to Take Over Your Network
A full Scattered Spider attack—from initial access to data theft and ransomware deployment—can unfold within hours. They don’t need to exploit technical vulnerabilities. Their specialty is social engineering: simple but highly effective methods that allow them to escalate privileges quickly and take full control of VMware environments without triggering traditional alarms.
According to Google’s Threat Intelligence Group (GTIG), the group achieves “an unprecedented level of control over virtualized environments,” enabling them to bypass many of the conventional security measures in place on guest virtual machines.
And while attacks on ESXi hypervisors are not new (recall the high-profile MGM Resorts case in 2023, also linked to this group), the alarming trend is that more ransomware groups are starting to replicate this tactic. GTIG warns this trend is likely to grow.
Why Do Attackers Target VMware?
One reason VMware has become such an attractive target is that, in many organizations, the virtualized infrastructure is not fully understood or adequately protected. It often falls outside the security team's radar: endpoint detection agents run inside the guest VMs, not on the ESXi host, so activity at the hypervisor layer goes unseen.
How to Protect Against Attacks Like Scattered Spider’s
To help organizations mitigate this type of threat, Google has published a technical guide with practical recommendations to detect and stop these attacks before it’s too late. These actions can be summarized in three key pillars:
1. Harden Your VMware vSphere and ESXi Environment
- Enable the ESXi advanced setting execInstalledOnly (VMkernel.Boot.execInstalledOnly) so the host only executes binaries that were installed from signed VIBs; an unsigned ransomware binary uploaded over SSH will not run.
- Encrypt sensitive virtual machines (vSphere VM Encryption) so that a detached or copied disk cannot simply be read from another VM.
- Disable SSH access on ESXi hosts, and do not join ESXi hosts to Active Directory directly, so that a compromised AD account does not become hypervisor root.
- Remove orphaned virtual machines (they make convenient staging hosts for disk swapping) and enforce strict access policies with multi-factor authentication (MFA).
- Continuously monitor configuration changes.
2. Protect Critical Assets with Isolation and Strong MFA
- Implement phishing-resistant MFA for key systems like VPNs, Active Directory, and vCenter.
- Isolate Tier 0 assets (domain controllers, backup servers, PAM tools and vCenter itself) from the rest of the environment.
- Consider using a separate cloud identity provider for Tier 0 administration so that a compromised Active Directory does not automatically compromise the hypervisor.
3. Strengthen Your Monitoring and Response Capabilities
- Centralize logs in a SIEM platform and configure alerts to detect:
  - Changes in administrative groups
  - Suspicious logins to vCenter
  - SSH being enabled on hosts
- Implement immutable, isolated backups (e.g., with solutions like TecnetProtect Backup) and frequently test recovery procedures, especially for incidents that compromise the hypervisor layer.
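The three alert conditions above, plus the disk-swapping sequence described earlier in the article, as a toy correlation rule set. This is an example added here; it is not Google's guidance, not VMware tooling and not code from the original page. The event stream is constructed. The record shape (ts, src, type, vm, disk_attached, ...), the trusted-jump-host list and the Tier 0 VM names are assumptions standing in for whatever your SIEM normalizes vCenter events and Windows Security events into.

```python
"""Toy SIEM-style rules over constructed vSphere and Active Directory events.

Added example; not Google's, VMware's or the original page's code. Field names
and the allowlists below are assumptions.
"""
from datetime import datetime, timedelta

TRUSTED_ADMIN_SOURCES = {"10.0.5.10", "10.0.5.11"}   # assumed admin jump hosts
DOMAIN_CONTROLLER_VMS = {"dc01", "dc02"}            # assumed Tier 0 VM names
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "ESX Admins"}
# Windows Security event IDs: member added to a security-enabled global (4728),
# local (4732) or universal (4756) group.
ADMIN_GROUP_CHANGE_IDS = {4728, 4732, 4756}
DISK_SWAP_WINDOW = timedelta(minutes=30)

# Constructed sample stream. UserLoginSessionEvent, VmPoweredOffEvent and
# VmReconfiguredEvent are vSphere event type names; esx.audit.ssh.enabled is the
# ESXi audit event emitted when SSH is turned on. The field mapping is assumed.
EVENTS = [
    {"ts": "2025-07-20T02:01:00", "src": "vcenter", "type": "UserLoginSessionEvent",
     "user": "VSPHERE.LOCAL\\administrator", "ip": "10.0.5.10"},
    {"ts": "2025-07-20T02:05:00", "src": "vcenter", "type": "UserLoginSessionEvent",
     "user": "CORP\\j.smith", "ip": "192.0.2.44"},
    {"ts": "2025-07-20T02:07:00", "src": "windows", "type": "GroupMemberAdded",
     "event_id": 4728, "group": "Domain Admins", "member": "CORP\\j.smith"},
    {"ts": "2025-07-20T02:10:00", "src": "vcenter", "type": "esx.audit.ssh.enabled",
     "host": "esx-07.corp.local"},
    {"ts": "2025-07-20T02:15:00", "src": "vcenter", "type": "VmPoweredOffEvent", "vm": "dc01"},
    {"ts": "2025-07-20T02:18:00", "src": "vcenter", "type": "VmReconfiguredEvent",
     "vm": "tmp-orphan-vm", "disk_attached": "[datastore1] dc01/dc01.vmdk"},
    {"ts": "2025-07-20T02:40:00", "src": "vcenter", "type": "VmReconfiguredEvent",
     "vm": "dc01", "disk_attached": "[datastore1] dc01/dc01.vmdk"},
    {"ts": "2025-07-20T02:41:00", "src": "vcenter", "type": "VmPoweredOnEvent", "vm": "dc01"},
    {"ts": "2025-07-20T03:00:00", "src": "vcenter", "type": "VmReconfiguredEvent",
     "vm": "app01", "disk_attached": "[datastore1] app01/app01_1.vmdk"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def disk_owner(vmdk_path):
    """'[datastore1] dc01/dc01.vmdk' -> 'dc01': the VM folder on the datastore."""
    _, _, relative = vmdk_path.partition("] ")
    return relative.split("/", 1)[0]


def detect_ssh_enabled(events):
    return [(e["ts"], e["host"]) for e in events if e["type"] == "esx.audit.ssh.enabled"]


def detect_untrusted_vcenter_logins(events):
    return [(e["ts"], e["user"], e["ip"]) for e in events
            if e["src"] == "vcenter" and e["type"] == "UserLoginSessionEvent"
            and e["ip"] not in TRUSTED_ADMIN_SOURCES]


def detect_admin_group_changes(events):
    return [(e["ts"], e["group"], e["member"]) for e in events
            if e["src"] == "windows" and e.get("event_id") in ADMIN_GROUP_CHANGE_IDS
            and e["group"] in ADMIN_GROUPS]


def detect_disk_swap(events):
    """A domain controller's VMDK attached to a different VM.

    Flags the attach itself, and records whether that DC was powered off
    shortly before (the full disk-swap sequence). Reattaching the disk to its
    own VM is not flagged.
    """
    last_poweroff = {}
    findings = []
    for e in sorted(events, key=_ts):
        if e["type"] == "VmPoweredOffEvent" and e["vm"] in DOMAIN_CONTROLLER_VMS:
            last_poweroff[e["vm"]] = _ts(e)
        elif e["type"] == "VmReconfiguredEvent" and e.get("disk_attached"):
            owner = disk_owner(e["disk_attached"])
            if owner in DOMAIN_CONTROLLER_VMS and e["vm"] != owner:
                recent = owner in last_poweroff and _ts(e) - last_poweroff[owner] <= DISK_SWAP_WINDOW
                findings.append({"ts": e["ts"], "dc": owner, "attached_to": e["vm"],
                                 "disk": e["disk_attached"], "dc_powered_off_recently": recent})
    return findings


def run_all(events):
    return {
        "ssh_enabled": detect_ssh_enabled(events),
        "untrusted_vcenter_logins": detect_untrusted_vcenter_logins(events),
        "admin_group_changes": detect_admin_group_changes(events),
        "disk_swap": detect_disk_swap(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all(EVENTS).items():
        print(f"{rule}: {len(hits)} alert(s)")
        for hit in hits:
            print("   ", hit)
```

Against the constructed stream each rule fires once: the login from 192.0.2.44, the Domain Admins addition, SSH on esx-07, and dc01's disk landing on tmp-orphan-vm three minutes after dc01 was powered off. The later reattach to dc01 and the unrelated app01 reconfigure stay quiet. In production the disk-swap rule is the one worth tuning first: a legitimate reason to attach a live domain controller's disk to another VM is rare enough that the rule can page on its own.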
Who Is Scattered Spider and Why Are They Still Active?
Also known as UNC3944, Octo Tempest, or 0ktapus, Scattered Spider is a financially motivated threat group. What makes them especially dangerous is their mastery of social engineering—they can convincingly impersonate real employees, mimicking not only the language but even the accent of their target company. This skill has enabled them to bypass internal controls and access protected environments without relying on sophisticated malware.
In recent months, they have ramped up their operations, targeting major UK retailers, airlines, transportation companies, and insurers.
Although UK authorities (such as the UK’s National Crime Agency, NCA) recently arrested four suspected members of the group, malicious activity has not stopped. In fact, other groups appear to be adopting their methods, suggesting that Scattered Spider is not just an isolated entity but part of a growing trend among ransomware actors.
Conclusion: Don’t Underestimate Your Virtual Infrastructure
Scattered Spider’s attacks are a stark reminder: securing virtual infrastructure is just as critical as securing the operating systems and applications that run on top of it. The combination of social engineering, poorly managed access, and weak hypervisor configurations creates a perfect storm that can leave a company with no working servers and no usable backups.
Fortunately, all is not lost. With proactive controls, effective monitoring, and a well-defined security strategy, organizations can detect these threats in time and minimize their impact.
A key part of that strategy is having secure, immutable backup solutions designed for virtual environments. Tools like TecnetProtect Backup offer a combination of ransomware protection, automated backups, and fast recovery—even in the face of hypervisor-level attacks.
Remember: failing to protect your VMware environment is like leaving the back door open. And today, that’s all a group like Scattered Spider needs.