The cybercrime subculture referred to as "The Com" emerged around 2018 as a loose collective of predominantly English-speaking actors from Canada, the United States, and the United Kingdom. What began as a scene focused on SIM swapping and cryptocurrency theft has evolved into a broader ecosystem encompassing various forms of extortion campaigns, corporate ransomware operations, and sophisticated social engineering attacks. This transformation coincided with cryptocurrency's dramatic price surge, which fundamentally shifted underground culture toward high-stakes, profit-driven enterprises.
Unlike traditional, technically focused adversaries, Com-affiliated actors are willing to blend aggressive social engineering, including threats of physical violence, with extensive abuse of legitimate enterprise tools, backed by intimate knowledge of corporate help desk procedures and cloud infrastructure. Some groups within this wider ecosystem have expanded into ransomware operations, while others have specialised in other forms of targeted harassment and extortion.
In the first of two blog posts, we'll explore common tactics, techniques, and procedures (TTPs) used by actors within and adjacent to this subculture. While cluster names like Scattered Spider, UNC3944, and Octo Tempest are widely discussed, we won't focus on those distinctions. Instead, we aim to raise awareness of the need for constructing layers of security across your business to combat this “sophisticated” tradecraft.
Credit: UnknownBinary
Scattered Spider isn't the only group excelling in hybrid IT environments, and the name technically refers only to CrowdStrike's activity cluster, although it is used far more loosely by others. "Scattered Spider adjacent" would be more accurate in many reported cases. Regardless, once actors of this variety gain access to an environment they can expand the compromise almost unchecked, which makes proactive prevention crucial.
If learning more about the history and inner workings of The Com is of interest to you, we’d highly recommend watching this presentation by Allison Nixon and Ben Coon of Unit 221B, whose expertise on the subject is globally unmatched:
The potential progression of an intrusion is illustrated very effectively in this infographic from Palo Alto's Unit 42:
Source: Unit 42
Operations begin with extensive reconnaissance:
Strategic focus historically involved targeting business process outsourcing (BPO) firms and telecommunications organisations as intermediaries. BPO providers handle IT services and data processing for multiple clients, while telecommunications firms control the infrastructure needed for SIM swapping. Compromising these intermediaries provides trusted access to multiple client networks through established business relationships. Recent targeting has shifted toward clusters of organisations within a single industry vertical, expanding into aviation, insurance, retail, hospitality, and financial services.
Social engineering is a cornerstone of these intrusions, with advanced manipulation skills demonstrated through elaborate vishing campaigns and impersonation of staff. While SMS-based initial contact was historically common – with messages claiming urgent action is required (security updates, expiring accounts, or suspicious logins) and directing victims to phishing sites – it has become less prevalent as organisations moved away from SMS. Help desk social engineering has instead emerged as the primary initial access vector.
Source: Unit 42
When SMS campaigns are carried out, phishing sites are frequently hosted on typosquatted domains that combine keywords like "sso," "vpn," or "okta" with the target organisation's name. The hyphenated format (company-sso[.]com) has become a recognised signature; more recent campaigns also use a subdomain on a lookalike registrable domain (sso.c0mpany[.]com, note the zero in place of the letter o), which survives naive checks for the hyphenated pattern.
Phishing campaigns employ proxy frameworks like Evilginx, which automate adversary-in-the-middle (AiTM) attacks to capture credentials and session tokens, defeating push, OTP and SMS-based multi-factor authentication. Phishing-resistant methods such as FIDO2 security keys and passkeys are not captured this way, because the credential is bound to the legitimate origin. The resulting sites are convincing clones that closely or perfectly mimic the target login pages, with valid TLS certificates and familiar-looking URLs. Pages typically have short operational lifespans of hours to a few days. Infrastructure can sit behind content delivery networks like Cloudflare, which blocks automated scanners and adds legitimacy through a familiar user experience.
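The two domain patterns above can be triaged automatically from a certificate-transparency or newly-registered-domain feed. The following is an added example (not code from the original post): it folds common homoglyphs (so c0mpany and cornpany compare equal to company), then checks whether a domain outside the organisation's own registrable domains combines the organisation name with an authentication keyword. The homoglyph table, the keywords beyond "sso", "vpn" and "okta", and the sample feed are assumptions constructed for the example; a production version should use the Public Suffix List rather than the last-two-labels shortcut used here.

```python
"""Lookalike-domain triage for SSO/VPN phishing infrastructure (added example)."""

# Character substitutions seen in lookalike registrations. Assumed, non-exhaustive list.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}

# Keywords the post reports alongside the target name; "mfa", "login" and "duo" are
# assumed additions in the same spirit.
AUTH_KEYWORDS = ("sso", "vpn", "okta", "mfa", "login", "duo")


def normalize_label(label: str) -> str:
    """Fold common homoglyphs so c0mpany and cornpany compare equal to company."""
    label = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def registrable_domain(domain: str) -> str:
    """Last two labels; a real deployment should use the Public Suffix List instead."""
    return ".".join(domain.split(".")[-2:])


def classify(domain: str, org: str, legit_domains: set) -> str:
    """Return legitimate / lookalike-auth / lookalike / unrelated for one domain."""
    d = domain.lower().replace("[.]", ".").strip(".")  # accept defanged input
    if registrable_domain(d) in legit_domains:
        return "legitimate"            # sso.company.com really is the organisation's
    labels = [normalize_label(part) for part in d.split(".")]
    org_hit = any(org in label for label in labels)
    kw_hit = any(kw in label for label in labels for kw in AUTH_KEYWORDS)
    if org_hit and kw_hit:
        return "lookalike-auth"        # company-sso.com, sso.c0mpany.com, okta-company.net
    if org_hit:
        return "lookalike"             # cornpany.com: no auth keyword yet, still worth watching
    return "unrelated"


def triage(domains, org, legit_domains):
    """Group a feed of newly observed domains by verdict, preserving feed order."""
    verdicts = {}
    for dom in domains:
        verdicts.setdefault(classify(dom, org, legit_domains), []).append(dom)
    return verdicts


# Constructed sample feed (as if from certificate-transparency monitoring); not real data.
SAMPLE_FEED = [
    "sso.company.com", "company-sso.com", "sso.c0mpany[.]com",
    "okta-company.net", "cornpany.com", "vpn-example.org", "example.org",
]

if __name__ == "__main__":
    for verdict, doms in triage(SAMPLE_FEED, "company", {"company.com"}).items():
        print(f"{verdict:15} {doms}")
```

Feeding the organisation's own registrable domains in as `legit_domains` is what keeps the genuine `sso.company.com` out of the alert queue; everything else that mentions the organisation name is at least worth a takedown request, and anything that also carries an authentication keyword should go to the front of it.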
As mentioned, direct help desk contact has become a predominant initial access vector, aiming to convince staff to reset account passwords or modify multi-factor authentication settings. Having assembled employee dossiers, callers come prepared with personal and employment information sufficient to navigate verification questions. Elaborate scenarios involving urgent business needs or personal circumstances are created and used to coerce the recipient. Callers demonstrate intimate knowledge of internal processes, technical jargon, and recent IT tickets or system changes.
Manipulation extends beyond impersonation: callers express frustration, create urgency, build rapport, and wear down natural defences through sheer persistence over lengthy conversations. When standard social engineering approaches fail, intimidation tactics can emerge. Employees have received threatening messages containing their home addresses, family members' names, and explicit threats of violence.
Once inside a network:
In cloud environments, they demonstrate advanced tradecraft beyond initial access. AWS Systems Manager Inventory may be activated for discovery and lateral movement, unauthorised EC2 instances created, and Azure VM Access Extensions used for password resets and virtual machine modifications. Third-party services like FiveTran extract high-value service databases including Salesforce and Zendesk using legitimate API connectors.
Advanced understanding of modern identity providers is shown, particularly Entra ID and AD FS. After gaining administrative access, Golden SAML attacks are carried out by adding rogue identity providers to federation trusts. Using tools like AADInternals, new domains are configured or existing federation settings modified so that the attacker can mint valid authentication tokens for any user, including claims asserting that MFA has already been satisfied. Conditional access policies are modified to exclude the attacker's access from MFA requirements, or their IP ranges are added as trusted named locations. Both kinds of change are recorded in the Entra ID audit log (for example as "Set federation settings on domain" and "Update conditional access policy"), and they are rare enough in most tenants to alert on directly.
Capability extends beyond Microsoft systems. In Okta environments, the Org2Org functionality - commonly used for mergers and acquisitions - has been abused to establish trust relationships with attacker-controlled tenants. This enables them to impersonate any desired user account within the target organisation, effectively bypassing normal authentication controls.
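The federation, conditional access and Org2Org changes described in the two paragraphs above all leave audit records, so a detection can be written once across both identity providers. The following is an added example, not code from the original post: it dispatches records shaped like Microsoft Graph `directoryAudits` entries and Okta System Log events, flags the trust-changing operations, and raises the severity when the actor is not on an allowlist of known identity administrators. The operation-name and event-type lists, the field layout of the sample records and the administrator allowlist are assumptions for the example; verify the exact activity names against your own tenant's logs before deploying.

```python
"""Triage identity-provider trust changes in Entra ID and Okta logs (added example)."""

# Entra ID audit-log activity names tied to federation and conditional-access changes.
# Names as displayed in the Entra audit log; the list is assumed and not exhaustive.
ENTRA_FEDERATION_OPS = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Add unverified domain",
}
ENTRA_CA_OPS = {
    "Add conditional access policy",
    "Update conditional access policy",
    "Add named location",
    "Update named location",
}
# Okta System Log event types worth inspecting for new trust relationships (assumed list).
OKTA_APP_EVENTS = {"application.lifecycle.create", "application.lifecycle.update"}
OKTA_IDP_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.update"}


def _alert(source, kind, actor, targets, expected_admins):
    # Any of these changes is rare and should be reviewed; one made by an account that
    # is not a known identity administrator is treated as high severity.
    severity = "review" if actor.lower() in expected_admins else "high"
    return {"source": source, "kind": kind, "actor": actor,
            "targets": targets, "severity": severity}


def review_entra(event, expected_admins):
    """Return an alert for a federation or CA change, or None for anything else."""
    name = event.get("activityDisplayName", "")
    if name in ENTRA_FEDERATION_OPS:
        kind = "federation-trust-change"
    elif name in ENTRA_CA_OPS:
        kind = "conditional-access-change"
    else:
        return None
    actor = ((event.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "?")
    targets = [t.get("displayName", "") for t in event.get("targetResources", [])]
    return _alert("entra", kind, actor, targets, expected_admins)


def review_okta(event, expected_admins):
    """Flag Org2Org app provisioning and IdP changes; ignore routine app events."""
    etype = event.get("eventType", "")
    targets = [t.get("displayName", "") for t in event.get("target", [])]
    if etype in OKTA_IDP_EVENTS:
        kind = "idp-change"
    elif etype in OKTA_APP_EVENTS and any("org2org" in t.lower() for t in targets):
        kind = "org2org-trust"
    else:
        return None
    actor = (event.get("actor") or {}).get("alternateId", "?")
    return _alert("okta", kind, actor, targets, expected_admins)


def triage(events, expected_admins):
    """Dispatch mixed Entra/Okta records by schema and collect the alerts."""
    admins = {a.lower() for a in expected_admins}
    alerts = []
    for ev in events:
        reviewer = review_okta if "eventType" in ev else review_entra
        alert = reviewer(ev, admins)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records shaped like Graph directoryAudits / Okta System Log output.
SAMPLE_EVENTS = [
    {"activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@company.com"}},
     "targetResources": [{"displayName": "company.com"}]},
    {"activityDisplayName": "Update conditional access policy",
     "initiatedBy": {"user": {"userPrincipalName": "identity.admin@company.com"}},
     "targetResources": [{"displayName": "Require MFA for all users"}]},
    {"activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "hr.admin@company.com"}},
     "targetResources": [{"displayName": "new.starter@company.com"}]},
    {"eventType": "application.lifecycle.create",
     "actor": {"alternateId": "jdoe@company.com"},
     "target": [{"type": "AppInstance", "displayName": "Okta Org2Org"}]},
    {"eventType": "application.lifecycle.create",
     "actor": {"alternateId": "identity.admin@company.com"},
     "target": [{"type": "AppInstance", "displayName": "Salesforce"}]},
    {"eventType": "user.session.start",
     "actor": {"alternateId": "jdoe@company.com"}, "target": []},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, {"identity.admin@company.com"}):
        print(a["severity"].upper(), a["source"], a["kind"], a["actor"], a["targets"])
```

The point of the allowlist is not to suppress the change made by the known administrator, only to separate "confirm with the admin" from "contain now": a help desk account or a freshly reset user principal configuring a federation trust should never be an expected event.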
While privileged access can be obtained through social engineering, access is also expanded through traditional technical means:
Rather than pursuing immediate technical objectives, significant time is invested in understanding target operations, identifying valuable data, and mapping business processes. Automated discovery tools including ADRecon, BloodHound, and PingCastle map Active Directory relationships and identify privilege escalation paths. Network scanning with Advanced IP Scanner and Angry IP Scanner identifies services of interest. However, it has also been observed that the pace at which they move towards objectives is accelerating.
Reconnaissance also extends beyond standard network and domain enumeration:
Awareness of operational security is maintained throughout an intrusion, with evasion starting immediately after initial access. A frequently observed technique involves directly compromising security tools. Using privileged credentials, they access EDR consoles, SIEM platforms and antivirus management systems, modify detection rules, suppress alerts and create exclusions. Alert queues are cleared, and the same platforms are then used to deploy malicious tooling and remove security products from endpoints.
Email security is another focus area. Mail flow rules are created to intercept security alerts, password reset notifications, and incident response communications, forwarding messages to attacker-controlled addresses while deleting them from target inboxes.
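A rule that forwards security notifications outside the organisation and then deletes or hides them has a recognisable shape, which makes the pattern above worth hunting for across all mailboxes rather than only the one the attacker is known to have used. The following is an added example, not code from the original post: it scores inbox rules exported as JSON and reports why each suspicious rule was flagged. The field names follow the common inbox-rule export shape (subject and body conditions, forward/redirect, delete, move-to-folder and mark-as-read actions) but are assumptions, as are the keyword list, the "hiding" folder names and the sample rules; map them to whatever your export (Graph `messageRules` or `Get-InboxRule`) actually emits.

```python
"""Find inbox rules that intercept security or incident-response mail (added example)."""

# Words in a rule's subject/body condition that suggest it targets alerting mail (assumed list).
SENSITIVE_TERMS = ("password", "reset", "security alert", "incident", "mfa",
                   "suspicious", "sign-in", "breach", "phish")
# Folders a user never looks at; rules that move mail here are hiding it (assumed list).
HIDE_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}


def rule_findings(rule, internal_domains):
    """Return the reasons a rule looks malicious; an empty list means it looks benign."""
    cond = rule.get("conditions") or {}
    act = rule.get("actions") or {}
    words = [w.lower() for w in cond.get("subjectContains", []) + cond.get("bodyContains", [])]
    findings = []
    if any(term in w for w in words for term in SENSITIVE_TERMS):
        findings.append("targets security/IR keywords")
    recipients = (act.get("forwardTo", []) + act.get("redirectTo", [])
                  + act.get("forwardAsAttachmentTo", []))
    external = [r for r in recipients if r.split("@")[-1].lower() not in internal_domains]
    if external:
        findings.append("forwards externally to " + ", ".join(external))
    if act.get("delete") or act.get("permanentDelete"):
        findings.append("deletes the message")
    elif (act.get("moveToFolder") or "").lower() in HIDE_FOLDERS:
        findings.append("hides the message in " + act["moveToFolder"])
    if act.get("markAsRead") and findings:
        findings.append("marks as read")   # only meaningful alongside another finding
    return findings


def severity(findings):
    """External forwarding is enough on its own; otherwise require two signals."""
    if any(f.startswith("forwards externally") for f in findings) or len(findings) >= 2:
        return "high"
    return "medium" if findings else None


def triage(rules, internal_domains):
    """Map rule name -> severity and findings for every rule that raises a finding."""
    domains = {d.lower() for d in internal_domains}
    report = {}
    for rule in rules:
        findings = rule_findings(rule, domains)
        sev = severity(findings)
        if sev:
            report[rule.get("displayName", "?")] = {"severity": sev, "findings": findings}
    return report


# Constructed sample rules; addresses and names are invented for the example.
SAMPLE_RULES = [
    {"displayName": "Filter alerts",
     "conditions": {"subjectContains": ["password reset", "security alert"]},
     "actions": {"forwardTo": ["dropbox@external-mail.example"], "delete": True, "markAsRead": True}},
    {"displayName": "IR comms",
     "conditions": {"subjectContains": ["incident"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"displayName": "Newsletters",
     "conditions": {"subjectContains": ["weekly digest"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": "Cover while away",
     "conditions": {"fromAddresses": ["customer@partner.example"]},
     "actions": {"forwardTo": ["colleague@company.com"]}},
]

if __name__ == "__main__":
    for name, hit in triage(SAMPLE_RULES, {"company.com"}).items():
        print(f"{hit['severity'].upper():6} {name}: {'; '.join(hit['findings'])}")
```

Run this over every mailbox, not just the compromised one: the same actor who created a rule in one inbox will usually have had the chance to create one in the security team's shared mailbox as well. Transport (mail flow) rules at the organisation level need the same review, and their deletion or modification is itself worth alerting on.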
Commercial VPN services are used to obscure their geographic location and blend in with common traffic, rotating between providers including Mullvad, ExpressVPN, NordVPN, Ultrasurf, Easy VPN, and ZenMate. They also employ rotating residential proxy services that route traffic through legitimate home connections, making their authentication attempts appear as normal user behaviour rather than suspicious.
Somewhat audaciously, they have joined incident response calls to monitor defensive actions and adapt their intrusion techniques based on the insights they gather directly from responders.
Data theft operations reveal clear financial motivations and business understanding. Information monetisable through extortion is systematically identified and exfiltrated. Targets include customer databases, financial records, strategic plans, source code repositories, and email archives. Multiple exfiltration methods are employed:
Database access is facilitated through native tools like Azure SQL Query Editor, DBeaver, MongoDB Compass, S3 Browser, and specialised platforms like Cerebrata and FiveTran for enterprise data connectors. Legitimate backup solutions such as Veeam, AFI Backup, and CommVault are registered to expedite exfiltration of SharePoint document libraries and other repositories.
The shift to ransomware operations marked a significant escalation in both capability and objectives. Initially affiliated with ALPHV/BlackCat from mid-2023, actors in this ecosystem have since worked with multiple ransomware-as-a-service operations, including RansomHub and DragonForce. Deployment also targets virtualisation infrastructure, with encryptors for VMware ESXi. Encrypting at the hypervisor affects every virtual machine on the host simultaneously and complicates recovery, maximising organisational disruption.
Defending against modern threats requires deep understanding of the threat landscape and the ability to respond as quickly as our adversaries. Our Managed Detection and Response service is built on an intelligence-driven foundation that provides continuous monitoring and security engineering to detect emerging intrusion methods and build lasting mitigations against them.
If you'd like to better understand how we can help you defend your business, please reach out to us to book a call.
The following posts have been instrumental in helping us to form this blog series, and we’d encourage you to show them your support: