Full Report
Along with other telemetry, Windows GDID makes online activity more traceable
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
* **Actor Name:** Scattered Spider
* **Aliases:** UNC3944, Starfraud, Oktapus, Scatter Swine, Muddled Libra.
* **Known Associations:** Peter Stokes (alleged member arrested in Finland/extradited to the US). The group is known for its collaboration with ALPHV/BlackCat Ransomware-as-a-Service (RaaS) affiliates.
* **Identity Notes:** A loosely organized group often composed of younger, English-speaking individuals (Western-based), known for highly effective social engineering.
## Activity Summary
According to the July 2026 reporting and associated US Department of Justice (DOJ) filings:
* **Recent Legal Actions:** Peter Stokes was arrested and extradited in July 2026 following investigations into activity occurring between 2024 and 2025.
* **Campaign Scope:** The actor targeted over 100 corporate networks in the US, specializing in compromising employee accounts to exfiltrate or encrypt data for extortion.
* **Financial Impact:** US authorities estimate the group has obtained over $100 million in ransom payments.
## Tactics, Techniques & Procedures
* **Identity-Based Attacks:** Compromising employee accounts to gain initial access.
* **Social Engineering:** Historically known for sophisticated phishing, vishing (voice phishing), and SIM swapping.
* **Web Tunneling:** Use of **ngrok** to bypass network security barriers and maintain persistent access to internal compromised servers.
* **Anonymization:** Frequent use of VPN services, specifically **Tzulo**, to mask origin IPs.
* **Cloud/SaaS Integration:** Use of Microsoft ecosystem services for lateral movement or persistence.
* **Ransomware/Extortion:** Data exfiltration followed by threats of leak or encryption.
* **MITRE ATT&CK IDs (Inferred from TTPs):**
* T1566 (Phishing)
* T1572 (Protocol Tunneling)
* T1071.001 (Web Protocols)
* T1133 (External Remote Services)
## Targeting
* **Sectors:** Broad corporate targeting with a focus on high-revenue entities capable of paying large ransoms.
* **Geography:** Primarily United States (victims); actors identified in Estonia and Finland.
* **Victims:** Numerous US-based companies (over 100 corporate networks mentioned).
## Tools & Infrastructure
* **Malware/Utilities:**
* **ngrok:** Used for secure tunneling.
* **Infrastructure:**
* **Tzulo VPN:** Utilized for operational security.
* **Microsoft Windows GDID:** While not a "tool" for the actor, the Global Device Identifier (GDID) was the persistent, device-level identifier tracked by investigators.
* **Defanged Indicators:**
* hxxps[://]dashboard[.]ngrok[.]com/signup
* login[.]live[.]com (Microsoft Account service used for device provisioning)
## Implications
The investigation underscores the high traceability of modern OS telemetry. The Windows GDID provides a persistent "fingerprint" of an OS installation that survives typical IP rotations or VPN usage. For threat actors, this significantly increases the risk of attribution if they use the same physical or virtual machine to access both criminal infrastructure and personal services. For defenders and law enforcement, these persistent identifiers represent a critical pivot point for linking disparate cyberattack campaigns to a single physical device.
## Mitigations
* **Identity Security:** Implement robust Multi-Factor Authentication (MFA), moving away from SMS-based MFA to hardware keys (FIDO2) to prevent SIM swapping and vishing bypasses.
* **Tunneling Detection:** Monitor for and block unauthorized use of reverse tunneling tools like **ngrok** or Cloudflare Tunnel within the corporate environment.
* **Endpoint Telemetry:** Leverage EDR and XDR solutions to monitor for unusual registry modifications related to persistent device identifiers and service provisioning.
* **VPN Monitoring:** Alert on logins coming from known "anonymizer" VPN ranges like Tzulo.