![[The AI Show Episode 146]: Rise of “AI-First” Companies, AI Job Disruption, GPT-4o Update Gets Rolled Back, How Big Consulting Firms Use AI, and Meta AI App](https://www.marketingaiinstitute.com/hubfs/ep%20146%20cover.png)
![Ditching a Microsoft Job to Enter Startup Hell with Lonewolf Engineer Sam Crombie [Podcast #171]](https://cdn.hashnode.com/res/hashnode/image/upload/v1746753508177/0cd57f66-fdb0-4972-b285-1443a7db39fc.png?#)
.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
-Nintendo-Switch-2-Hands-On-Preview-Mario-Kart-World-Impressions-&-More!-00-10-30.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
-xl.jpg)
![New iPad 11 (A16) On Sale for Just $277.78! [Lowest Price Ever]](https://www.iclarified.com/images/news/97273/97273/97273-640.jpg)
![Apple Foldable iPhone to Feature New Display Tech, 19% Thinner Panel [Rumor]](https://www.iclarified.com/images/news/97271/97271/97271-640.jpg)
Scattered Spider Malware Targeting Klaviyo, HubSpot, and Pure Storage Services
Cybersecurity experts have identified an escalating campaign by the notorious hacker collective Scattered Spider, which continues to evolve its sophisticated attack methods in 2025. The group, active since at least 2022, has shifted focus to target business services including Klaviyo, HubSpot, and Pure Storage, posing significant threats to organizations relying on these platforms. Using advanced […] The post Scattered Spider Malware Targeting Klaviyo, HubSpot, and Pure Storage Services appeared first on Cyber Security News.
Cybersecurity experts have identified an escalating campaign by the notorious hacker collective Scattered Spider, which continues to evolve its sophisticated attack methods in 2025.
The group, active since at least 2022, has shifted focus to target business services including Klaviyo, HubSpot, and Pure Storage, posing significant threats to organizations relying on these platforms.
Using advanced social engineering techniques, Scattered Spider has demonstrated remarkable persistence in circumventing security measures to obtain usernames, login credentials, and multi-factor authentication tokens.
The threat actor has expanded its target list significantly in recent months, with confirmed attacks against major brands including Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, Nike, Twitter/X, Tinder, T-Mobile, and several others.
Their tactics involve creating convincing phishing domains that mimic legitimate login portals, particularly focusing on Okta authentication pages used by these companies.
What makes these attacks particularly concerning is the group’s ability to rapidly register domains and deploy phishing infrastructure, often maintaining the malicious content for only brief periods between 5 to 30 minutes.
Silent Push analysts have tracked five distinct phishing kits used by Scattered Spider since 2023, noting significant evolutions in their deployment strategies.
“In early 2025, we observed the threat actor transitioning to new phishing kit variants while simultaneously deprecating legacy infrastructure,” researchers reported.
Their latest discovery involves the use of Dynamic DNS providers for domain registration, demonstrated by the domain “klv1.it[.]com” targeting Klaviyo’s custom link shortener service, which makes traditional brand protection regex searches less effective.
.webp)
Beyond phishing operations, Scattered Spider has incorporated sophisticated malware deployment into their attack chain.
When analyzing domains like “telnyx-cdn[.]com,” researchers discovered an updated version of Spectre RAT, a remote access trojan that provides persistent access to compromised systems. The malware undergoes continuous development, with recent versions showing more complex obfuscation techniques and expanded command capabilities.
Technical analysis of Spectre RAT reveals a sophisticated command and control infrastructure using HTTP-based communications with encoded parameters.
The malware employs an XOR-based string encoding algorithm to conceal its functionality, requiring specialized decoding tools for analysis.
When examining the malware’s initialization sequences, researchers identified multiple setup functions that prepare the compromised system for long-term access and data exfiltration.
# Spectre RAT String Decoder Sample
def decode_spectre_string(encoded_bytes):
result = bytearray()
for i in range(len(encoded_bytes)):
decoded_byte = encoded_bytes[i] & 0x0A # AND with 0x0A
decoded_byte ^= encoded_bytes[(i + 1) % len(encoded_bytes)] # XOR with next byte
result. Append(decoded_byte)
return resultThe malware’s communication protocol utilizes specific URI parameters to control infected systems, with commands ranging from file downloads and process termination to system reconnaissance.
Each command is tokenized using the “|” character and processed through a complex handler system. The command structure used by Spectre RAT, including specific parameters for various operations like uninstallation (Command 5) or adding additional C2 servers (Command 13).
Organizations using Klaviyo, HubSpot, or Pure Storage services should immediately review their security protocols and implement comprehensive monitoring for potential compromise indicators.
Security teams should be particularly vigilant for suspicious authentication attempts, unknown devices connecting to corporate networks, and unusual account activity patterns that might indicate successful credential theft through Scattered Spider’s increasingly sophisticated attack methods.
Are you from the SOC and DFIR Teams? – Analyse Real time Malware Incidents with ANY.RUN -> Start Now for Free.
The post Scattered Spider Malware Targeting Klaviyo, HubSpot, and Pure Storage Services appeared first on Cyber Security News.
