Cybersecurity experts from Google’s Threat Intelligence Group (GTIG) and Mandiant have issued a warning that Scattered Spider, also known as UNC3944, is now actively targeting U.S. retail companies following a series of high-profile attacks on UK retailers like Harrods, Co-op, and Marks & Spencer.
Although no formal attribution has been made, GTIG researchers noted that the attackers are using similar tactics, techniques, and procedures in both regions, including ransomware and extortion campaigns, which leads investigators to suspect a continued evolution of the group’s operations.
Scattered Spider is known for sophisticated social engineering, including phishing, SIM swapping, and multi-factor authentication (MFA) bombing. The group originally targeted telecom providers but has since expanded into sectors with large support operations, such as gaming, hospitality, finance, and now retail. GTIG analysts also observed similarities between Scattered Spider and DragonForce ransomware operators—both previously linked to the defunct RansomHub platform—though definitive connections remain unconfirmed. Still, data leak site activity shows a noticeable increase in retail breaches, which account for 11% of posted leaks in 2025, up from previous years.
In response, the Retail & Hospitality ISAC—which includes major players like Costco, McDonald’s, and Lowe’s—is collaborating with Google to offer guidance and threat briefings. Experts, including Chad Cragle from Deepwatch, urge organizations to secure privileged accounts, deploy phishing-resistant MFA, and rigorously validate help desk requests to defend against this highly adaptive threat. As retailers remain lucrative targets due to their payment systems and uptime demands, cybersecurity leaders are advising immediate protocol reviews to prevent potential breaches.