DeepSec 2025 Talk: Déjà Vu with Scattered Spider: Are Your SaaS Doors Still Unlocked? – Andi Ahmeti & Abian Morina
LUCR-3 better known as Scattered Spider has surged back in 2025, pivoting its social-engineering playbook from last year’s casino breaches to fresh waves against the insurance, retail and aviation sectors. Within a single June week, LUCR-3 struck several insurers, disrupting airline back-office systems, and a spring ransomware campaign devastated big-box retailers.
Still leveraging push-fatigue MFA bombing, SIM-swapping and help-desk impersonation, LUCR-3 now systematically abuses third-party IT providers to fan out across IaaS, SaaS and PaaS estates living off the land in cloud logs to stay invisible until ransom day. Permiso’s P0 Labs has been monitoring LUCR-3’s activities for over two years, documenting their evolving tactics, techniques, and procedures (TTPs). This session will delve into LUCR-3’s latest strategies and provide actionable insights for cloud defenders to detect and mitigate such threats effectively.
Andi Ahmeti is a Threat Researcher on Permiso Security’s P0 Labs team with 3 years of experience in offensive security and threat hunting. He now is focused on hunting through product telemetry to identify evil and building tools to enrich extensive collection of cloud focused data. He is the author of an open-source threat detection tool called CloudGrappler and co-author of the Cloud Console Cartographer defensive visibility framework. He has presented at numerous conferences around the world including Black Hat Asia, Black Hat Europe, Black Hat MEA, FIRSTCON24, x33fcon, BSides Prishtina, BSides NYC, BSides Tirana. Andi obtained a Bachelor of Science in Computer Engineering from the University of Prishtina Faculty of Computer and Electrical Engineering (2023).
Abian Morina is a Threat Researcher on Permiso Security’s P0 Labs team, specializing in cloud security, detection engineering, threat hunting, and incident response. His cybersecurity journey began with hacking and modifying video games, a passion that grew into a professional career. He represents the Kosova Cyber Team as a senior member, proudly competing on the international stage at the European Cybersecurity Challenge (ECSC) against top talent across Europe.
Abian actively shares his expertise through public speaking and technical writing. He has presented research at major conferences, including SANS DFIR Summit, Blue Team Con, Black Hat SecTor, Black Hat MEA, and Black Hat Europe, and contributes in-depth analysis to Permiso Security’s P0 Labs blog and other security publications, releasing open-source tools and detection strategies to help defenders worldwide. He holds a Bachelor’s degree in Computer Science and is currently pursuing a Master’s in Cybersecurity, further expanding his knowledge of cloud infrastructure, adversary tradecraft, and advanced detection techniques.