Cordial Spider and Snarky Spider drive SaaS extortion via vishing and AiTM phishing
CrowdStrike reported that two financially motivated threat groups tied to The Com — Cordial Spider and Snarky Spider — are carrying out rapid data-theft and extortion campaigns against U.S.-based organizations across critical infrastructure and enterprise sectors, including aviation, retail, hospitality, financial services, legal, technology, automotive, and academia. The actors are closely aligned with the Scattered Spider playbook and have used voice phishing, text messages, email, and other social-engineering tactics since at least October 2025 to compromise identity platforms, steal credentials, session keys, and tokens, and pivot through victims’ SaaS environments. Ransom demands have reportedly reached seven figures, and some victims have also faced DDoS attacks or swatting.
The intrusions rely on adversary-in-the-middle phishing pages that mimic legitimate single sign-on and identity-provider portals, enabling access to services such as SharePoint, HubSpot, and Google Workspace while largely bypassing traditional endpoint defenses. After gaining access, the attackers register their own MFA devices or emulators, disable or suppress alerts through inbox rules and email deletion, and move quickly to search for sensitive data and exfiltrate it, in some cases within an hour of initial access. Researchers said the groups differ in tradecraft — including operating hours, phishing infrastructure, leak sites, and MFA-registration methods — while both use commercial VPNs and residential proxy networks such as Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and NSOCKS to blend into normal traffic and evade detection.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers report Pink extortion group targeting Microsoft 365 data
Reporting based on Palo Alto Networks Unit 42 and Gurucul described a cybercrime group called Pink, believed linked to the broader Com network, using vishing and credential-harvesting domains to access Microsoft 365 environments. The group was said to exfiltrate data from OneDrive and SharePoint with legitimate tools and extort victims using compromised internal accounts.
Researchers detail tradecraft used in the extortion campaigns
Researchers reported that the groups targeted primarily U.S.-based organizations across critical infrastructure and enterprise sectors, using adversary-in-the-middle phishing pages, MFA device registration, alert suppression, residential proxies, and rapid data exfiltration. Reporting also highlighted differences between the two crews' operating methods, including device preferences, phishing infrastructure, and harassment tactics such as DDoS attacks or swatting in some cases.
Cordial Spider and Snarky Spider begin SaaS extortion intrusions
Since at least October 2025, CrowdStrike and other researchers tracked The Com-affiliated groups Cordial Spider and Snarky Spider conducting rapid data theft and extortion campaigns. The actors used vishing, phishing pages, and social engineering to compromise identity platforms, steal credentials or session tokens, and pivot through victims' SaaS environments.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
New Pink cybercrime group targets corporate data using vishing and cloud theft | brief | SC Media
scworld.com
Open sourceAttackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace
cybersecuritynews.com
Open source2 threat groups linked to The Com target critical infrastructure with data theft | brief | SC Media
scworld.com
Open sourceTwo new extortion crews are speedrunning the Scattered Spider playbook | CyberScoop
cyberscoop.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
BlackFile Extortion Gang Hits Retail and Hospitality With Vishing-Led Data Theft
**BlackFile**, a financially motivated extortion group likely tied to **The Com** and overlapping with activity tracked by CrowdStrike as **Cordial Spider**, has targeted retail and hospitality organizations with voice-phishing campaigns that impersonate corporate IT help desks. Researchers at Palo Alto Networks Unit 42 and RH-ISAC said the group has been active since at least February 2026, using spoofed phone numbers and fake corporate single sign-on pages to trick employees into surrendering credentials and one-time passcodes. After gaining access, the attackers register their own devices to bypass MFA, escalate privileges into administrative and executive accounts, and steal data from platforms including **Salesforce** and **SharePoint** through legitimate API and download functions. The stolen information is moved to attacker-controlled infrastructure, posted on a dark web leak site, and used to support **seven-figure ransom demands** sent from compromised employee accounts or Gmail; in some cases, the group has also used **swatting** against employees and executives to intensify pressure on victims.
Apr 28, 2026
HC3 Warns Healthcare Sector on Scattered Spider Social Engineering Threat
The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (**HC3**) warned that **Scattered Spider** is actively targeting healthcare and other industries with sophisticated social engineering, including help-desk impersonation, phishing, MFA fatigue, SIM swapping, and AI-assisted lures. The financially motivated group—also tracked as **Octo Tempest**, **UNC3944**, **0ktapus**, and **Muddled Libra**—has built a reputation for using native English-speaking operators to trick employees and IT staff into resetting passwords, enrolling attacker-controlled MFA devices, and granting remote access. Federal guidance says the actors often abuse trusted tools and cloud services after initial access, making intrusions harder to distinguish from legitimate activity. U.S. agencies and private-sector researchers have linked Scattered Spider to data theft, extortion, and collaboration with **ALPHV/BlackCat** ransomware operations, with victims spanning hospitality, gaming, retail, technology, and now heightened concern for healthcare organizations. Microsoft and the FBI/CISA have described the group as unusually dangerous because it combines persuasive phone-based deception with credential theft, reconnaissance, privilege escalation, mailbox manipulation, and deployment of ransomware on Windows, Linux, and **VMware ESXi** environments. Authorities have also tied the group to major incidents including attacks on MGM Resorts and Caesars, while UK investigators later examined whether Scattered Spider was connected to disruptive cyberattacks against retailers.
May 25, 2026
Silent Ransom Group Uses Fake IT Calls and Office Visits to Steal Law Firm Data
The **Silent Ransom Group** — also tracked as **UNC3753**, **Luna Moth**, and **Chatty Spider** — has been targeting U.S. law firms and other professional, financial, insurance, and healthcare organizations with data-theft extortion campaigns that rely on social engineering instead of file encryption. FBI alerts and Google Mandiant reporting say the actors send invoice-themed phishing emails and follow up with voice calls impersonating internal IT or help desk staff, persuading employees to join screen-sharing sessions or install legitimate remote management tools such as AnyDesk, Zoho Assist, Bomgar, Splashtop, Syncro, Atera, and SuperOps. Once inside, the group rapidly searches document repositories and cloud stores for legal files, tax records, financial data, PII, and other sensitive material, then exfiltrates it with tools including WinSCP, hidden or renamed Rclone, Google Drive, Microsoft OneDrive, or victim-controlled file-sharing channels. Authorities said the campaign has escalated beyond remote access attempts to **in-person intrusions**, with imposters arriving at offices posing as technicians and connecting USB drives or external disks to steal data when remote social engineering fails. Mandiant said dozens of U.S. organizations were targeted between January and May, and in some cases the intrusion, theft, and extortion cycle was completed within a single business day, with ransom demands sent shortly after access ended. Researchers and the FBI linked the operation to the post-Conti cybercrime ecosystem and noted that its abuse of legitimate tools leaves few forensic artifacts, while Resecurity reported fast-flux infrastructure supporting leak sites including `business-data-leaks[.]com` and `ep6pheij[.]com`. The FBI and Google urged organizations to verify anyone claiming to be IT staff, restrict unauthorized remote management and VDI access, harden USB and removable-media controls, deploy phishing-resistant MFA, and closely monitor sensitive document systems.
Jun 17, 2026