Déjà Vu with Scattered Spider: Are Your SaaS Doors Still Unlocked?

Description

LUCR-3 better known as Scattered Spider has surged back in 2025, pivoting its social-engineering playbook from last year’s casino breaches to fresh waves against the insurance, retail and aviation sectors. Within a single June week, LUCR-3 struck several insurers, disrupting airline back-office systems, and a spring ransomware campaign devastated big-box retailers.

Still leveraging push-fatigue MFA bombing, SIM-swapping and help-desk impersonation, LUCR-3 now systematically abuses third-party IT providers to fan out across IaaS, SaaS and PaaS estates living off the land in cloud logs to stay invisible until ransom day. Permiso’s P0 Labs has been monitoring LUCR-3’s activities for over two years, documenting their evolving tactics, techniques, and procedures (TTPs). This session will delve into LUCR-3’s latest strategies and provide actionable insights for cloud defenders to detect and mitigate such threats effectively.

Attendees will gain an understanding of many of Scattered Spider’s notable TTPs, with a specific technical focus on those targeting the SaaS and IaaS layers. While Scattered Spiders’ TTPs range widely, their persistence and focus is anything but scattered.

Andi Ahmeti

Andi Ahmeti is a Threat Researcher on Permiso Security’s P0 Labs team with 3 years of experience in offensive security and threat hunting. He now is focused on hunting through product telemetry to identify evil and building tools to enrich extensive collection of cloud focused data.

He is the author of an open-source threat detection tool called CloudGrappler and co-author of the Cloud Console Cartographer defensive visibility framework. He has presented at numerous conferences around the world including Black Hat Asia, Black Hat Europe, Black Hat MEA, FIRSTCON24, x33fcon, BSides Prishtina, BSides NYC, BSides Tirana

Mr. Ahmeti obtained a Bachelor of Science in Computer Engineering from the University of Prishtina Faculty of Computer and Electrical Engineering (2023).

 

Abian Morina

Abian Morina is a Threat Researcher on Permiso Security’s P0 Labs team. He began hacking by modifying video games, a curiosity that evolved into a cybersecurity career. As a senior member of the Kosova Cyber Team, he proudly represents his country on the international stage at the European Cybersecurity Challenge. He also contributes to the community through public speaking and open-source tooling.

Mr.Morina holds a Bachelor’s in Computer Science and now is pursuing a Master’s in Cybersecurity.