Scattered Spider Related Domain Names

    Published: 2025-07-31. Last Updated: 2025-07-31 17:56:10 UTC
    by Johannes Ullrich (Version: 1)
    0 comment(s)

    This week, CISA updated its advisory on Scattered Spider. Scattered Spider is a threat actor using social engineering tricks to access target networks. The techniques used by Scattered Spider replicate those used by other successful actors, such as Lapsus$. Social engineering does not require a lot of technical tools; creativity is key, and defenses have a hard time keeping up with the techniques used by these threat actors.

    For this diary, I want to "zoom in" on one update noted in this week's CISA report. CISA noted that Scattered Spider is using the following domain name patterns:

    targetsname-cms[.]com
    targetsname-helpdesk[.]com
    oktalogin-targetcompany[.]com

    Using our "recent domain" API, we can run a quick check on some of these. Let's start by getting the latest (yesterday's) domains:

    curl -o recent.json 'https://isc.sans.edu/api/recentdomains/?json'

    How many entries do we have so far?

    % jq length recent.json
    117782

    This is low, but not all domain names have been processed yet. Now we will look for the patterns from the CISA report. I first checked "oktalogin", which I figured was the most specific text, but I found nothing. Next, I checked "helpdesk" (I omitted the .com as I figured they may use different TLDs depending on the target):

    % jq '.[] | select(.domainname | contains ("helpdesk")) | .domainname' recent.json
    "360aihelpdesk.com"
    "ai360helpdesk.com"
    "helpdesk-academy.net"
    "helpdesk-direct.online"
    "helpdesk-guardprotect.com"
    "helpdesk-software-29.online"
    "helpdesk-truist.com"

    "helpdeskmaintenanceinc.online"
    "helpdeskmicrosoft.com"

    We got a few nice domain names here. I highlighted them in red and bold above. Truist appears to be an obvious target. Looking for other domains that contain the word "Truist":

    % jq '.[] | select(.domainname | contains ("truist")) | .domainname' recent.json
    "altruistonline.shop"
    "cdn-truist.com" 
    "helpdesk-truist.com"

    The first one (altruistonline.shop) is likely unrelated. But cdn-truist.com could be interesting. They do not resolve to an IP address. However, the "cdn-" pattern was not in the report, so it may be a new pattern used by Scattered Spiders or similar gangs.

    A couple of lessons learned: 

    • You should monitor for your brand name being used to register new URLs. You can use commercial services, our API as shown above, or what I consider the "secret weapon": TLS transparency logs. Facebook has a nice free one that includes common variations and IDN lookalikes.
    • Do not take reports, like CISA's, too literally. They are well-researched, but that comes at the cost of being outdated. Threat actors will also change their MOU after a high-profile report is released. Look for the basic patterns, not the exact strings.

    Note the fact that "Truist" is in the list may indicate that they are a target, but does not show that they fell victim to an attack. I do not see any evidence that the domain names have been used so far.

     

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
    Twitter|

    0 comment(s)
    ISC Stormcast For Thursday, July 31st, 2025 https://isc.sans.edu/podcastdetail/9550

      Comments


      Diary Archives