Saturday, June 14, 2025
Google Identifies Hacking Group Shifting Attacks from UK to US Retailers

by Charline

A sophisticated hacking group known as UNC3944 has expanded its operations from the UK to target U.S.-based companies, according to new research released by Google Cloud’s Mandiant team.

UNC3944, which also aligns with the group publicly referred to as Scattered Spider, is known for using aggressive social engineering tactics. The group often interacts directly with victims and targets organizations with large help desk and outsourced IT functions.

Originally focused on SIM swap attacks in the telecom sector, the group pivoted to ransomware and extortion-based data theft in early 2023.

Retailers Increasingly Targeted

Recent reports, including from the BBC, show that DragonForce ransomware—linked to UNC3944—was used in attempts to breach multiple UK retail companies. Google’s data indicates that retail businesses are increasingly at risk, now accounting for about 11.4% of data leak victims in 2025, compared to 8.5% in 2024.

Retailers are often targeted due to their large stores of personal and financial data, and their vulnerability to ransomware that can halt financial operations.

UNC3944 primarily focuses on English-speaking countries such as the United States, United Kingdom, Canada, and Australia. Recent campaigns have also reached Singapore and India.

Group Tactics and Detection Methods

UNC3944’s main tactic involves advanced social engineering. They send fake IT messages via SMS, asking employees to install malicious software under the guise of compliance issues. They also impersonate users in calls to help desks, trying to reset passwords or change multi-factor authentication (MFA) settings.

They frequently use “MFA fatigue” attacks, flooding users with approval requests until they accept one. The group also exploits platforms like Microsoft Teams to impersonate internal IT staff and manipulate users into sharing credentials or approving access requests.
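The "MFA fatigue" pattern above is detectable in authentication logs: a burst of push prompts to one account in a short window, often ending with a single approval. The following is an added example, not code from the article or from Google SecOps; the event records, the user names, and the threshold and window values are constructed for illustration and would need tuning against a real identity provider's logs.

```python
"""Toy detector for MFA push-fatigue bursts (added example, not from the article).

Input events are constructed, not real logs. Each event is a dict with an ISO-8601
timestamp, a user, and the prompt result ("denied" or "approved"). The rule flags a
user who receives at least THRESHOLD prompts inside a sliding WINDOW and records
whether an approval arrived once the burst was established, which is the pattern
the article describes (users flooded until they accept one).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # prompts within the window that count as a burst (assumed value)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed value)

# Constructed sample events: alice is flooded and finally approves; bob is normal.
SAMPLE_EVENTS = [
    {"ts": "2025-06-14T08:00:05Z", "user": "alice", "result": "denied"},
    {"ts": "2025-06-14T08:00:40Z", "user": "alice", "result": "denied"},
    {"ts": "2025-06-14T08:01:10Z", "user": "alice", "result": "denied"},
    {"ts": "2025-06-14T08:02:00Z", "user": "alice", "result": "denied"},
    {"ts": "2025-06-14T08:03:30Z", "user": "alice", "result": "denied"},
    {"ts": "2025-06-14T08:04:15Z", "user": "alice", "result": "approved"},
    {"ts": "2025-06-14T08:00:00Z", "user": "bob", "result": "approved"},
    {"ts": "2025-06-14T12:30:00Z", "user": "bob", "result": "approved"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: {"prompts": n, "approved_after_burst": bool}} for every user
    whose prompt count inside some sliding window reaches the threshold."""
    by_user = defaultdict(deque)
    findings = {}
    for ev in sorted(events, key=lambda e: _parse(e["ts"])):
        user, t = ev["user"], _parse(ev["ts"])
        q = by_user[user]
        q.append((t, ev["result"]))
        # Evict prompts that have fallen out of the window.
        while q and t - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            f = findings.setdefault(user, {"prompts": 0, "approved_after_burst": False})
            f["prompts"] = max(f["prompts"], len(q))
            # An approval arriving while the burst is active is the high-severity case.
            if ev["result"] == "approved":
                f["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, f in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        print(f"{user}: {f['prompts']} prompts within {WINDOW}, "
              f"approved_after_burst={f['approved_after_burst']}")
```

The sliding window is kept per user with a deque so the check is linear in the number of events; in practice the "approved after burst" flag is the one worth paging on, since a burst of denials alone may just be a user who is being careful.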

Sample Detection Query for Microsoft Teams

Google SecOps recommends the following detection query to spot impersonation attempts on Microsoft Teams:


metadata.vendor_name = "Microsoft"
metadata.product_name = "Office 365"
metadata.product_event_type = "ChatCreated"
security_result.detection_fields["ParticipantInfo"] = "true"
(
  principal.user.userid = /help/ OR
  principal.user.email_addresses = /help/ OR
  about.user.user_display_name = /help/
)
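To show what the search above actually matches, here is an offline re-implementation of its five conditions over UDM-shaped event dictionaries. This is an added example, not Google SecOps code or output: the helper, the event identifiers and all field values are constructed here. The `/help/` regex is applied case-sensitively, as written in the query; a production rule would usually broaden it.

```python
"""Offline re-implementation of the Teams help-desk impersonation search
(added example; events and helpers are constructed, not Google SecOps output)."""
import re

# Mirrors the query's /help/ regex exactly (case-sensitive, as the query is written).
HELP_PATTERN = re.compile(r"help")


def matches_teams_helpdesk_impersonation(event):
    """Apply the same conditions as the UDM search to one UDM-shaped event dict.
    Missing fields are treated as non-matching."""
    meta = event.get("metadata", {})
    if meta.get("vendor_name") != "Microsoft":
        return False
    if meta.get("product_name") != "Office 365":
        return False
    if meta.get("product_event_type") != "ChatCreated":
        return False
    # security_result is a repeated field in UDM; any entry with ParticipantInfo=true satisfies the clause.
    results = event.get("security_result", [])
    if not any(r.get("detection_fields", {}).get("ParticipantInfo") == "true" for r in results):
        return False
    # The OR block: principal userid, principal e-mail addresses, or any about.user display name.
    principal = event.get("principal", {}).get("user", {})
    candidates = [principal.get("userid", "")]
    candidates += principal.get("email_addresses", [])
    candidates += [a.get("user", {}).get("user_display_name", "") for a in event.get("about", [])]
    return any(HELP_PATTERN.search(c or "") for c in candidates)


def find_impersonation_events(events):
    """Return the metadata.id of every event the rule matches, in input order."""
    return [e["metadata"]["id"] for e in events if matches_teams_helpdesk_impersonation(e)]


def _base(event_id, event_type="ChatCreated", participant="true"):
    """Construct a minimal UDM-shaped Teams event (hypothetical field values)."""
    return {
        "metadata": {"id": event_id, "vendor_name": "Microsoft",
                     "product_name": "Office 365", "product_event_type": event_type},
        "security_result": [{"detection_fields": {"ParticipantInfo": participant}}],
        "principal": {"user": {"userid": "", "email_addresses": []}},
        "about": [],
    }


# Constructed sample events.
e1 = _base("evt-1")
e1["about"] = [{"user": {"user_display_name": "IT helpdesk"}}]          # display name spoofs IT
e2 = _base("evt-2")
e2["principal"]["user"]["email_addresses"] = ["helpdesk.support@example.com"]  # sender address matches
e3 = _base("evt-3")
e3["principal"]["user"]["userid"] = "j.doe"
e3["about"] = [{"user": {"user_display_name": "Jane Doe"}}]             # benign chat
e4 = _base("evt-4", event_type="MessageSent")
e4["principal"]["user"]["userid"] = "helpdesk"                          # wrong event type, excluded
e5 = _base("evt-5", participant="false")
e5["principal"]["user"]["userid"] = "help-it"                           # ParticipantInfo not set, excluded
SAMPLE_EVENTS = [e1, e2, e3, e4, e5]

if __name__ == "__main__":
    print(find_impersonation_events(SAMPLE_EVENTS))
```

Events evt-4 and evt-5 carry a matching name but are excluded by the event-type and ParticipantInfo clauses, which is what keeps the rule scoped to new chats where the participant list is recorded rather than to every message mentioning "help".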
  

Security Recommendations

Experts advise implementing stronger identity verification steps, such as on-camera ID checks or challenge-response questions before making security changes. Removing SMS and email as authentication methods and adopting phishing-resistant MFA options like FIDO2 security keys can also reduce risk.

Although UNC3944 saw a drop in activity following law enforcement actions in 2024, the group’s ties to a larger network of cybercriminals may help it recover quickly.

With UNC3944’s shift toward U.S. targets, organizations are urged to bolster their defenses against social engineering threats and protect their help desk procedures from manipulation.
