In mid-2025, the Scattered Spider group intensified its attacks, combining SMS phishing, social engineering, and hybrid on-prem/cloud intrusions for financial extortion. The group gains access via impersonation, deploys tools like Mimikatz, and uses persistent ADFS backdoors and ransomware on VMware ESX. Microsoft flagged the group's evolving TTPs and mapped detections across Defender XDR.