Scattered Spider evolves tactics in 2025, heightening risks

Written by Lusanda Molefe | Sep 10, 2025 8:25:08 PM

The notorious cybercriminal group Scattered Spider has significantly evolved its tactics in 2025, deploying new ransomware variants and social engineering techniques. Security experts are warning these strategies could harm healthcare organizations relying on identity management systems and third-party IT providers. A joint advisory from CISA, FBI, and international partners reveals the group now uses DragonForce ransomware to target VMware ESXi servers while exploiting help desk vulnerabilities through advanced voice phishing campaigns, which is concerning for organizations that rely on these technologies for critical patient care operations.

What happened

On July 29, 2025, CISA, FBI, and international cybersecurity agencies issued an updated advisory detailing Scattered Spider's escalating activities across multiple sectors. The group, also known as UNC3944, Octo Tempest, and Muddled Libra, has shifted from pure data extortion to deploying DragonForce ransomware against VMware ESXi servers, which many healthcare organizations use to run electronic health records and critical medical systems.

Recent FBI investigations revealed the group has broadened its targets to include aviation, insurance, and retail sectors, with attacks on major organizations including airlines, insurance providers, and UK retailers like Marks & Spencer. The group's members, mostly young adults from the US and UK, use sophisticated social engineering to impersonate employees and manipulate IT help desks into resetting passwords and bypassing multi-factor authentication.

The intrigue

What makes Scattered Spider dangerous for healthcare is their mastery of "living off the land" tactics: using legitimate IT tools and exploiting human trust rather than technical vulnerabilities. The group has been observed joining victim organizations' Microsoft Teams and Slack channels during active incidents, monitoring incident response calls in real time to adapt their attacks.

Their phishing infrastructure has evolved significantly in 2025, shifting from hyphenated domains (like "sso-company.com") to subdomain-based keywords and publicly rentable subdomains that are harder to detect. They're using commercial attacker-in-the-middle toolkits like Evilginx to bypass MFA, and pre-populating victim information in phishing pages to make them appear more legitimate.
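The shift described above matters for detection because many lookalike-domain checks only look for a hyphenated brand name at the apex. The following is an added example, not code from the advisory or from this article, showing a triage heuristic that also covers the two newer patterns: identity keywords placed in subdomain labels, and brand names parked under publicly rentable parent domains. The organisation name `examplehealth`, the keyword list, the public-parent list and every domain in the sample feed are constructed assumptions, not real indicators.

```python
"""Triage candidate lookalike domains for a protected brand.

Added example (not from the advisory or the article). ORG, the keyword
list, PUBLIC_PARENTS and LEGIT_APEX are constructed assumptions; the
domains in SAMPLE_FEED are constructed and are not real indicators.
"""

ORG = "examplehealth"                      # assumed brand to protect
LEGIT_APEX = {"examplehealth.org"}         # assumed legitimate apex domain(s)
# Words that turn up in identity-provider and help-desk lures (assumed list).
IDENTITY_KEYWORDS = {"sso", "okta", "vpn", "helpdesk", "mfa", "login", "portal"}
# Parents under which anyone can register a subdomain (assumed list).
PUBLIC_PARENTS = {"pages.dev", "web.app", "netlify.app", "github.io", "workers.dev"}


def triage(fqdn):
    """Return (severity, reason) for one candidate domain name."""
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 2:
        return ("ignore", "not a fully qualified name")
    # Simplification: treat the last two labels as the apex. A production
    # version would consult the public suffix list instead.
    apex = ".".join(labels[-2:])
    sub_labels = labels[:-2]

    if apex in LEGIT_APEX:
        return ("ignore", "legitimate apex")
    # Collapse hyphens so "example-health" still counts as a brand reference.
    if ORG not in "".join(labels).replace("-", ""):
        return ("ignore", "no brand reference")

    # Newer pattern 1: brand parked under a publicly rentable parent domain.
    if apex in PUBLIC_PARENTS:
        return ("high", f"brand under publicly rentable parent {apex}")

    # Newer pattern 2: identity keyword carried in a subdomain label, where
    # apex-only checks never look.
    sub_keywords = sorted(
        {tok for lbl in sub_labels for tok in lbl.split("-") if tok in IDENTITY_KEYWORDS}
    )
    if sub_keywords:
        return ("high", f"identity keyword in subdomain: {', '.join(sub_keywords)}")

    # Older pattern: hyphenated brand label such as sso-examplehealth.com.
    if any("-" in lbl and ORG in lbl.replace("-", "") for lbl in labels):
        return ("medium", "hyphenated brand label (older pattern)")

    return ("low", f"brand referenced under unfamiliar apex {apex}")


def triage_feed(domains):
    """Triage a list of observed names and return only the ones worth a look."""
    results = [(d, *triage(d)) for d in domains]
    return [r for r in results if r[1] != "ignore"]


# Constructed sample of names as they might arrive from a certificate
# transparency or newly-registered-domain feed. None of these are real.
SAMPLE_FEED = [
    "mail.examplehealth.org",
    "sso-examplehealth.com",
    "okta.examplehealth-verify.net",
    "examplehealth.sso.pages.dev",
    "login.examplehealth.org.verify-account.com",
    "helpdesk-support.net",
]

if __name__ == "__main__":
    for name, severity, reason in triage_feed(SAMPLE_FEED):
        print(f"{severity:6} {name:45} {reason}")
```

The heuristic is intentionally conservative about what it ignores: a name with no brand reference at all is dropped, because keyword-only matches such as `helpdesk-support.net` would swamp an analyst. Feeding the output into a block list or takedown queue should still go through human review, since legitimate partners do sometimes host brand-named content on public platforms.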

Why it matters

Healthcare organizations face risk from Scattered Spider's tactics for several reasons. First, hospitals rely on VMware virtualization for running EHR systems, PACS imaging, and other life-critical applications, exactly the infrastructure Scattered Spider targets with DragonForce ransomware. Second, healthcare IT departments often use the same help desk processes and identity management systems (like Okta) that the group exploits through social engineering.

The group's focus on managed service providers (MSPs) and IT contractors presents a nightmare scenario for healthcare. Many hospitals outsource IT functions to third parties, creating a "one-to-many" attack vector where compromising a single MSP could grant access to dozens of healthcare facilities. The discovery that Scattered Spider infiltrated UK retailers through compromised Tata Consultancy Services accounts demonstrates how third-party risk can cascade across entire sectors.

What they're saying

Google's Threat Intelligence Group warned, "Their attacks are not opportunistic but are precise, campaign-driven operations aimed at an organization's most critical systems and data. The method is highly effective as it generates few traditional indicators of compromise and bypasses security tools like endpoint detection and response."

CISA and FBI stated in their joint advisory, "Scattered Spider actors continue to impersonate company employees or IT/helpdesk staff, deploying sophisticated social engineering methods such as phishing, push bombing, and SIM swap attacks to gain credentials, install remote access tools, and bypass multi-factor authentication."

What's next

The advisory emphasizes implementing phishing-resistant MFA across all systems, particularly for privileged accounts with access to virtualization infrastructure. Organizations are urged to adopt risk-based authentication that dynamically adjusts requirements based on user behavior and location, and to conduct regular social engineering assessments of help desk staff.

FAQs

What is DragonForce ransomware?

DragonForce is a ransomware variant now being deployed by Scattered Spider that specifically targets VMware ESXi servers. It encrypts virtual machines at the hypervisor level, bypassing traditional endpoint security tools and potentially crippling entire virtualized environments that run critical applications.

Why are MSPs and IT contractors high-risk for healthcare?

Managed Service Providers have "one-to-many" access, meaning compromising a single MSP can provide access to multiple client networks. Since many healthcare organizations outsource IT functions, a breach at an MSP could cascade to dozens of hospitals, clinics, and health systems simultaneously.

What is "living off the land"?

Living off the land (LOTL) refers to using legitimate system tools and software for malicious purposes. Scattered Spider uses tools like TeamViewer, AnyDesk, and PowerShell that are already present in most environments, making their activities harder to detect since they don't introduce traditional malware signatures.
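Because LOTL activity produces no malware signature, detection has to come from context: which host a legitimate tool runs on, where its binary was launched from, and how PowerShell was invoked. The following is an added example, not code from the advisory or from this article, that applies those three checks to process-creation events. The log format, the four sample events, and the host baseline (`helpdesk-ws01` as the only approved AnyDesk host) are constructed assumptions standing in for what a real deployment would take from its EDR telemetry and asset inventory.

```python
"""Flag living-off-the-land activity in process-creation events.

Added example, not from the article or the advisory. The CSV log format,
SAMPLE_EVENTS and APPROVED_REMOTE_TOOL_HOSTS are constructed assumptions.
"""
import csv
import io
import re
from collections import namedtuple

Event = namedtuple("Event", "ts host user parent image cmdline")

# Remote-access tools named in the article: legitimate on some hosts,
# suspicious when they appear outside the approved baseline.
REMOTE_TOOLS = {"teamviewer.exe", "anydesk.exe"}
# Assumed baseline (constructed): hosts where each tool is expected.
APPROVED_REMOTE_TOOL_HOSTS = {"anydesk.exe": {"helpdesk-ws01"}}
# PowerShell switches that hide the window or obscure the command being run.
PS_SUSPICIOUS = re.compile(
    r"(?i)(?<!\S)-(?:enc|encodedcommand|e|nop|noprofile)(?!\S)"
    r"|(?<!\S)-w(?:indowstyle)?\s+hidden"
)
# Parents that should not normally spawn scripting hosts (assumed list).
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}

# Constructed process-creation log, CSV with a header row. Not real data.
SAMPLE_EVENTS = """\
ts,host,user,parent,image,cmdline
2025-09-10T13:02:11Z,helpdesk-ws01,hd.agent,explorer.exe,C:\\Program Files\\AnyDesk\\AnyDesk.exe,AnyDesk.exe
2025-09-10T13:05:42Z,ehr-app02,svc_backup,services.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -File C:\\scripts\\nightly.ps1
2025-09-10T13:07:19Z,nurse-ws14,j.doe,outlook.exe,C:\\Users\\j.doe\\Downloads\\AnyDesk.exe,AnyDesk.exe --silent
2025-09-10T13:08:03Z,nurse-ws14,j.doe,cmd.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -nop -w hidden -enc SQBFAFgA
"""


def parse_events(text):
    """Parse the CSV log text into Event records."""
    return [Event(**row) for row in csv.DictReader(io.StringIO(text))]


def evaluate(event):
    """Return a list of (severity, reason) findings for one event."""
    findings = []
    image_name = event.image.rsplit("\\", 1)[-1].lower()

    if image_name in REMOTE_TOOLS:
        approved = APPROVED_REMOTE_TOOL_HOSTS.get(image_name, set())
        if event.host not in approved:
            findings.append(("high", f"{image_name} on non-baseline host"))
        # A packaged install lives under Program Files; a copy launched from a
        # user profile was most likely fetched during a social-engineering call.
        if "\\users\\" in event.image.lower():
            findings.append(("high", f"{image_name} launched from user-writable path"))

    if image_name == "powershell.exe":
        if PS_SUSPICIOUS.search(event.cmdline):
            findings.append(("high", "powershell with hidden/encoded switches"))
        if event.parent.lower() in OFFICE_PARENTS:
            findings.append(("medium", f"powershell spawned by {event.parent}"))

    return findings


def detect(text):
    """Run evaluate() over a log and return one flat record per finding."""
    out = []
    for ev in parse_events(text):
        for severity, reason in evaluate(ev):
            out.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                        "severity": severity, "reason": reason})
    return out


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['ts']} {f['host']:14} {f['user']:10} {f['reason']}")
```

The first two events are the ordinary baseline (a help-desk workstation running its approved remote tool, a service account running a scheduled script) and produce nothing; only the two events on `nurse-ws14` are flagged. The value of the approach is the baseline, not the regex: a rule that fires on every AnyDesk launch would be muted within a week, while one that fires on AnyDesk from a Downloads folder on a clinical workstation is worth a phone call.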