    Threat Intelligence Brief: Scattered Spider Campaigns and Domain Abuse Trends Detected by Doppel Vision

    The Doppel Intelligence Group provides insight on Scattered Spider's domain abuse activities in Q2, 2025.

    Doppel Engineering
    July 1, 2025

    Overview

    Following the FBI’s recent warning on Social Media about Scattered Spider’s use of social engineering and keyword-driven deception, Doppel conducted a focused review of domain detections using known attacker patterns and keyword indicators linked to the group and similar threat actors. By analyzing keyword trends noted by the FBI and reported in media outlets, Doppel has identified a network of parked domains and subdomains that align with the tactics, techniques, and procedures (TTPs) employed by Scattered Spider.

    Our investigation focused on critical infrastructure clients, with the highest volume of keyword-specific domain detections in the aviation and oil and gas sectors. Doppel discovered that several parked domains and subdomains matched the detailed patterns associated with Scattered Spider's operations. These findings underscore the group's strategic use of domain infrastructure to facilitate its cyberattacks.

    Background

    Scattered Spider is known for its sophisticated social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access to internal company networks. Their methods frequently involve bypassing multi-factor authentication (MFA), for example by convincing help desk services to add unauthorized MFA devices to compromised accounts. The group's activities have expanded to target various sectors, including aviation, insurance, and now, critical infrastructure.

    This blog analyzes the most targeted domain keywords detected by Doppel over the past three months and provides a defense-in-depth perspective for defenders to proactively neutralize these threats.

    Recent Domain Targeting Trends

    Between March 30, 2025 and June 30, 2025, Doppel observed a sustained uptick in malicious domain activity mimicking enterprise infrastructure and authentication services, aligning closely with techniques attributed to the threat actor Scattered Spider. Known for sophisticated social engineering, SIM swapping, and phishing campaigns targeting identity and access management (IAM) systems, Scattered Spider has increasingly exploited lookalike domains to impersonate corporate portals and MFA services.

    Doppel Vision’s telemetry highlights domain spoofing activity across several key themes associated with internal access, support services, and IAM platforms. Below are the most frequently detected and actioned domain keywords across all industries.

    [Figure: most frequently detected and actioned domain keywords across all industries, March 30 to June 30, 2025]
    Note: Counts include statuses where domains are under active review or remediated.

    These patterns reflect an evolving threat landscape where impersonating remote access portals (vpn, connect) and IAM providers (okta, sso) is central to the attacker’s social engineering strategy — a hallmark of Scattered Spider’s operations.

    Campaign Linkages: Scattered Spider TTPs

    Scattered Spider has demonstrated persistent interest in targeting industries with large distributed workforces and reliance on federated identity systems. According to recent FBI alerts, their playbook includes:

    • SIM swapping for MFA interception

    • Phishing domains spoofing enterprise portals

    • Use of legitimate remote management tools post-access

    • BlackCat/ALPHV ransomware deployment as a final-stage payload

    Doppel’s detection data reveals overlapping domain activity consistent with these tactics — especially across ‘support’, ‘vpn’, ‘okta’, and ‘helpdesk’ keywords.

    Why It Matters: Defending Against TTPs, Not Just Actors

    Although Doppel's findings align with known Scattered Spider campaigns, domain impersonation is a tactic shared across multiple threat actors. Monitoring these trends enables organizations to defend not just against specific groups, but against the broader techniques they exploit.

    Defenders must think in terms of:

    • Brand attack surface: How easy is it to spoof your login infrastructure?
    • Employee training gaps: Are employees equipped to recognize spoofed domains?
    • Detection strategy: Are your systems ingesting domain intelligence in time to act?

    Forecast: What’s Coming Next

    Based on current trends and industry threat intelligence:

    1. More niche keyword abuse: Watch for low-volume impersonations (e.g., ‘duo’, ‘rsa’, ‘schedule’) designed to bypass keyword filters.

    2. Cloud service impersonation: Expect increased domain abuse involving platforms like Azure, Google Cloud, and AWS login portals.

    3. Improved obfuscation: Attackers may blend keywords (‘corp-vpn-login’, ‘support-okta-help’) to avoid detection.

    4. Ransomware delivery via fake IT tools: Scattered Spider and affiliates may target employees to download what appear to be trusted remote access or support tools. These downloads are often hosted on newly registered domains using keywords associated with IT functions—such as support, refresh, remote, or update—and may be cloaked under subdomains that imitate trusted services (e.g., vpn-secure.companyname[.]com or itdesk-refresh[.]org).
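    The keyword themes above (vpn, okta, sso, support, helpdesk) and the forecast patterns (blended keywords such as 'corp-vpn-login', low-volume terms such as 'duo' or 'rsa', and IT-themed subdomains under lookalike domains) can be turned into a simple triage rule for a defender's own feed of newly registered or newly observed hostnames. The following is an added example written for this post, not Doppel Vision's detection logic: the keyword weights, the brand name `acme`, the owned domain `acme.com`, and the sample feed are all constructed for illustration. It scores each hostname by the IT and IAM keywords found in its DNS labels, adds weight when a protected brand name appears inside a domain the organization does not own, and skips hostnames that resolve to owned infrastructure.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Keyword themes the brief reports as most abused (remote access, support,
# IAM) plus the low-volume ones it forecasts. The weights are constructed for
# this example and are not Doppel's scoring.
KEYWORD_WEIGHTS = {
    "vpn": 3, "okta": 3, "sso": 3,
    "connect": 2, "support": 2, "helpdesk": 2, "itdesk": 2, "duo": 2, "rsa": 2,
    "login": 1, "secure": 1, "corp": 1, "refresh": 1, "remote": 1,
    "update": 1, "schedule": 1,
}
BRAND_WEIGHT = 5  # a protected brand name inside a domain you do not own


@dataclass
class Finding:
    hostname: str
    registrable_domain: str
    score: int
    keywords: list[str] = field(default_factory=list)
    brand_hit: bool = False


def refang(indicator: str) -> str:
    """Turn defanged notation such as 'itdesk-refresh[.]org' back into a hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def labels(hostname: str) -> list[str]:
    """Split a hostname into its DNS labels, ignoring a trailing dot."""
    return [l for l in hostname.rstrip(".").split(".") if l]


def label_keywords(label: str) -> list[str]:
    """Keywords present in one DNS label.

    Labels are split on hyphens, underscores and digits so blended forms such
    as 'corp-vpn-login' or 'duo2' still match. Keywords of four or more letters
    may match as substrings (catches 'oktaportal'); three-letter ones must be a
    whole token, so 'rsa' does not fire on 'universal'.
    """
    tokens = [t for t in re.split(r"[-_\d]+", label) if t]
    found = []
    for kw in KEYWORD_WEIGHTS:
        if (len(kw) >= 4 and kw in label) or (len(kw) < 4 and kw in tokens):
            found.append(kw)
    return found


def assess(indicator: str, brands: set[str], owned_domains: set[str]) -> Finding | None:
    """Score one hostname; return None when it belongs to infrastructure you own."""
    host = refang(indicator)
    labs = labels(host)
    # Naive registrable domain (last two labels). A production check should use
    # the Public Suffix List so that names like 'acme.co.uk' are handled correctly.
    registrable = ".".join(labs[-2:])
    if registrable in owned_domains:
        return None
    found = [kw for label in labs for kw in label_keywords(label)]
    brand_hit = any(b in label for b in brands for label in labs)
    score = sum(KEYWORD_WEIGHTS[kw] for kw in found) + (BRAND_WEIGHT if brand_hit else 0)
    return Finding(host, registrable, score, found, brand_hit)


def triage(indicators, brands, owned_domains, min_score=3) -> list[Finding]:
    """Assess a batch and return findings at or above min_score, highest first."""
    findings = []
    for ind in indicators:
        f = assess(ind, brands, owned_domains)
        if f is not None and f.score >= min_score:
            findings.append(f)
    return sorted(findings, key=lambda f: (-f.score, f.hostname))


# Constructed sample feed (defanged, as a threat-intel feed would deliver it).
SAMPLE_FEED = [
    "vpn-secure.acme-support[.]com",
    "corp-vpn-login[.]net",
    "itdesk-refresh[.]org",
    "okta.acme[.]com",          # real IAM subdomain on a domain we own
    "news-universal[.]com",     # benign; 'rsa' inside 'universal' must not fire
    "schedule-duo2[.]com",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FEED, brands={"acme"}, owned_domains={"acme.com"}):
        flag = " brand" if f.brand_hit else ""
        print(f"{f.score:>3} {f.hostname:<32} {','.join(f.keywords)}{flag}")
```

    The owned-domain check matters as much as the keyword list: without it, an organization's own `okta.` or `vpn.` hostnames would dominate the output and bury the lookalikes. The threshold and weights are deliberately small integers so an analyst can see why a hostname ranked where it did; in a real pipeline the findings would feed a registrar takedown request or a DNS block list rather than a print statement.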

    How Doppel Helps Defend Against These Campaigns

    Doppel’s domain monitoring and takedown infrastructure provides multiple layers of proactive defense:

    AI-Powered Domain Detection

    • Real-time scanning and classification of domain registrations.
    • Prioritization of domains using threat actor TTP heuristics.

    Automated Takedown & Mitigation

    • Integration with registrars to action domains impersonating customer brands.
    • Fast-lane escalation of critical impersonations, especially those related to IAM (e.g., ‘okta’, ‘vpn’, ‘connect’).

    Doppel will continue to monitor domain abuse trends and share any further insights.

    With AI-powered social engineering attacks on the rise, it's increasingly important for businesses to protect themselves against a potential breach. Learn more about how Doppel is securing brands, executives and consumers against social engineering threats.
