Back to Intelligence

Scattered Spider Arrest, ADT Breach, and CISA OT Guidance: Defender's Analysis

SA
Security Arsenal Team
May 2, 2026
6 min read

This week’s headlines bring a mix of significant threat disruption and critical defensive guidance. The arrest of a key Scattered Spider (aka 0ktapus) affiliate marks a win for international law enforcement, yet the group’s tactics remain a potent threat to identity-centric environments. Meanwhile, the ADT data leak highlights the risks of third-party access panels, and CISA’s new guidance on Zero Trust for Operational Technology (OT) mandates a hard look at cross-domain security. For SOC leaders, these events converge on a single imperative: identity is the new perimeter, and trust must be verified continuously.

Introduction

The cybersecurity landscape is shifting from purely technical exploits to identity-based compromises. The arrest of a Scattered Spider member, tied to massive social engineering and SIM-swapping campaigns, is a tactical victory but does not eliminate the threat group's playbook. Simultaneously, the exposure of customer data via ADT’s support portal demonstrates how attackers bypass technical controls by targeting human-assisted verification processes. Finally, CISA’s push for Zero Trust in OT signals the end of air-gapped security by obscurity. Defenders must move beyond perimeter firewalls to enforce strict identity verification and least privilege across IT and OT environments.

Technical Analysis

Threat Actor: Scattered Spider (0ktapus)

Scattered Spider represents a sophisticated subset of cybercrime focused heavily on initial access via social engineering and identity theft.

  • Attack Vector: The group specializes in extensive adversary-in-the-middle (AiTM) phishing, vishing (voice phishing), and MFA bombing campaigns. They target help desks to bypass multifactor authentication.
  • Persistence & Lateral Movement: Unlike traditional malware droppers, Scattered Spider heavily relies on "Living off the Land" (LotL) techniques and legitimate Remote Monitoring and Management (RMM) tools. Once they obtain valid credentials, they frequently deploy commercial tools like AnyDesk, ScreenConnect (ConnectWise), and SuperOps to blend in with normal administrative traffic.
  • Affected Platforms: Primarily cloud identity providers (Okta, Microsoft Entra ID), VPNs, and telecom providers.
  • Exploitation Status: Active. While the arrest disrupts specific operations, the commoditized nature of their TTPs means copycats and associates will continue these attacks.

Incident: ADT Data Leak

Recent reports indicate a data leak affecting ADT, a major physical security provider.

  • Attack Mechanism: The breach involved unauthorized access to customer order information and alarm system data. The vector highlights a common vulnerability: customer support portals.
  • Risk: Attackers leverage leaked data (email addresses, phone numbers) to craft highly convincing vishing attacks, pretending to be support staff to trick users into granting access to physical security systems or IT assets.

Detection & Response

Given the reliance of Scattered Spider on legitimate RMM tools and identity manipulation, detection requires focusing on the context of process execution rather than just the binary itself.

SIGMA Rules

Detects the execution of common RMM tools (AnyDesk, ScreenConnect, SuperOps) from suspicious parent processes (e.g., browser, cmd, powershell) which suggests web-download or script-based initialization rather than a standard admin install.

YAML
---
title: Suspicious RMM Tool Execution - Scattered Spider TTPs
id: 8a4c2e12-9f5d-4b3c-8a1d-9e4f5a6b7c8d
status: experimental
description: Detects execution of common RMM tools (AnyDesk, SuperOps, ScreenConnect) spawned by suspicious parent processes like browsers or shells, indicative of web-based initial access.
references:
  - https://www.crowdstrike.com/blog/scattered-spider-advisory/
author: Security Arsenal
date: 2025/04/06
tags:
  - attack.command_and_control
  - attack.t1219
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\anydesk.exe'
      - '\superops.exe'
      - '\screenconnect.windowsclient.exe'
      - '\connectwisecontrol.exe'
  selection_parent:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
      - '\powershell.exe'
      - '\cmd.exe'
  filter_legit_install:
    ParentImage|contains:
      - '\Temp\'
      - '\Program Files\'
  condition: selection_img and selection_parent and not filter_legit_install
falsepositives:
  - Legitimate administrative remote support activities
level: high
---
title: Potential MFA Bombing - High Volume Failed Auths
id: 1b2d3e45-6f78-9a0b-1c2d-3e4f5a6b7c8d
status: experimental
description: Detects a high volume of failed MFA attempts for a single user account within a short time window, indicative of MFA bombing (prompts flooding).
references:
  - https://attack.mitre.org/techniques/T1111/
author: Security Arsenal
date: 2025/04/06
tags:
  - attack.credential_access
  - attack.t1111
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    ResultDescription|contains: 'MFA'
    Status: 'Failure'
  timeframe: 5m
  condition: selection | count() > 10
falsepositives:
  - User struggling with token hardware issues
  - Application configuration errors
level: medium

KQL (Microsoft Sentinel)

Hunts for rare instances of RMM software execution or network connections associated with Scattered Spider.

KQL — Microsoft Sentinel / Defender
// Hunt for rare RMM process executions
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ('anydesk.exe', 'superops.exe', 'screenconnect.windowsclient.exe', 'remotebg.exe')
| join kind=leftanti (
    DeviceProcessEvents
    | where Timestamp > ago(30d)
    | summarize by SHA256, FileName
) on SHA256
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, SHA256
| order by Timestamp desc

Velociraptor VQL

Hunt for installed RMM binaries that may have been dropped by Scattered Spider or similar groups.

VQL — Velociraptor
-- Hunt for RMM binaries in user directories
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs='C:/Users/*/AppData/Local/**/*anydesk*.exe')
UNION
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs='C:/Users/*/AppData/Local/**/*superops*.exe')
UNION
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs='C:/Users/*/AppData/Local/**/*screenconnect*.exe')

Remediation Script (PowerShell)

This script audits the presence of specific high-risk RMM tools that are frequently abused by threat actors and generates a report for SOC review.

PowerShell
<#
.SYNOPSIS
    Audit RMM Tools Commonly Abused by Threat Actors.
.DESCRIPTION
    Scans user profiles and program files for instances of AnyDesk, SuperOps, and ScreenConnect.
    Returns a list of non-compliant or unexpected installations.
#>

$RMMProcesses = @("anydesk", "superops", "screenconnect", "connectwisecontrol")
$FoundItems = @()

# Check running processes
Get-Process | Where-Object { $RMMProcesses -contains $_.Name.ToLower() } | ForEach-Object {
    $FoundItems += [PSCustomObject]@{
        Type       = "Running Process"
        Name       = $_.ProcessName
        Path       = $_.Path
        StartTime  = $_.StartTime
    }
}

# Check common installation directories
$PathsToScan = @(
    "C:\Program Files\",
    "C:\Program Files (x86)\",
    "C:\Users\"
)

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue -Filter "*.exe" | Where-Object {
            $RMMProcesses -contains $_.BaseName.ToLower()
        } | ForEach-Object {
            $FoundItems += [PSCustomObject]@{
                Type      = "File System"
                Name      = $_.Name
                Path      = $_.FullName
                StartTime = $_.LastWriteTime
            }
        }
    }
}

if ($FoundItems.Count -eq 0) {
    Write-Host "[+] No known high-risk RMM tools detected." -ForegroundColor Green
} else {
    Write-Host "[!] Potential RMM tool usage detected:" -ForegroundColor Red
    $FoundItems | Format-Table -AutoSize
}

Remediation

Immediate Actions:

  1. Identity Hygiene: For organizations using Okta or Entra ID, enforce Phish-Resistant MFA (FIDO2/WebAuthn) immediately. Scattered Spider excels at bypassing SMS and TOTP codes via social engineering.
  2. RMM Allowlisting: Block the execution of unsigned RMM tools or restrict usage of specific tools (AnyDesk, ScreenConnect) to a dedicated jump-box using AppLocker or Windows Defender Application Control (WDAC).
  3. User Verification: Review help desk workflows. Implement out-of-band verification for any request to reset MFA or change phone numbers. The ADT leak proves that attackers will call the help desk pretending to be the CEO.

Strategic Guidance: 4. OT Zero Trust: Implement CISA’s guidance by segmenting OT networks. Ensure that any remote access into OT environments (required for vendors like ADT or integrators) goes through a secure, single-sign-on (SSO) proxy with session monitoring, not a direct VPN tunnel.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringscattered-spideradt-breachcisa-otzero-trust

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action