Full Report
Cybersecurity researchers are warning of two cybercrime groups that are carrying out "rapid, high-impact attacks" operating almost entirely within the confines of SaaS environments, while leaving minimal traces of their actions. The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and
Analysis Summary
# Threat Actor: Cordial Spider & Snarky Spider
## Attribution & Identity
The article identifies two distinct but operationally similar cybercrime clusters:
* **Cordial Spider:** Also known as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671.
* **Snarky Spider:** Also known as O-UNC-025 and UNC6661.
* **Associations:** Both groups are assessed to be native English-speaking crews with ties to the e-crime ecosystem known as "**The Com**." Their tactics align closely with those of the **ShinyHunters** group.
## Activity Summary
Active since at least October 2025, these groups specialize in "rapid, high-impact" extortion attacks. Unlike traditional ransomware actors that deploy locker malware on endpoints, these clusters operate almost exclusively within SaaS environments. Recent activity (February 2026 – May 2026) involves high-speed data theft and vishing-led credential harvesting.
## Tactics, Techniques & Procedures
* **Initial Access:** Voice phishing (vishing) impersonating IT help desk personnel to lure users to malicious sites.
* **Adversary-in-the-Middle (AiTM):** Use of SSO-themed phishing pages to capture real-time authentication data and MFA codes.
* **MFA Bypass:** Registering new attacker-controlled devices or MFA factors to the victim's account while removing the legitimate ones, so the real user stops receiving prompts and the attacker keeps control of the account even after the stolen session expires.
* **Persistence & Defense Evasion:**
* Configuration of inbox rules to automatically delete/suppress security notifications regarding new device registrations.
* Utilization of residential proxies to bypass geolocation and IP-reputation filters.
* Extensive use of Living-off-the-Land (LotL) techniques within SaaS applications.
* **Privilege Escalation:** Scraping internal employee directories to identify and target high-privileged accounts (e.g., IT admins) via further social engineering.
* **Lateral Movement:** Exploiting the trust relationship between Identity Providers (IdP) and connected SaaS apps to move across the entire ecosystem with a single session.
## Targeting
* **Sectors:** Retail and Hospitality focused (specifically noted for CL-CRI-1116).
* **Geography:** Global (implied by the use of residential proxies and English-speaking nature).
* **Victims:** Not named individually, but targets are organizations heavily reliant on centralized SSO/IdP (Okta, Azure AD (now Entra ID), etc.) and SaaS suites.
## Tools & Infrastructure
* **Malware families:** None specified; the actors favor legitimate SaaS tools and Living-off-the-Land (LotL) techniques.
* **Infrastructure:**
* SSO-themed phishing domains (e.g., `sso-login[.]example[.]com` - *conceptual*).
* Residential proxy networks.
* Targeted SaaS Platforms: Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce.
## Implications
These groups represent a shift toward "SaaS-native" extortion. By avoiding traditional endpoint compromises and operating entirely within trusted cloud environments, they minimize their forensic footprint and bypass traditional antivirus/EDR solutions. The speed of their operations—from initial vishing call to full data exfiltration—leaves organizations with a very narrow window for detection and response.
## Mitigations
* **FIDO2/Hardware Keys:** Move away from SMS codes, app-based OTPs, and push approvals toward phish-resistant MFA (FIDO2/WebAuthn). All three legacy factors can be relayed in real time through an AiTM page; a WebAuthn credential is bound to the legitimate origin and will not answer a challenge from a look-alike domain.
* **IdP Monitoring:** Implement strict logging and alerting for new device or factor registrations and the deletion of existing ones within the Identity Provider, and correlate both with the source IP and session so an enroll-then-remove pair from a single new IP stands out.
* **Email Security:** Monitor for the creation of suspicious inbox rules (e.g., "Delete" or "Move" rules whose conditions contain keywords like "security," "MFA," or "device"), since these are used to hide the very notifications that would reveal the factor swap.
* **Security Awareness:** Conduct vishing-specific training, emphasizing that IT help desks will never ask for an MFA code over the phone or direct users to non-standard login URLs.
* **SaaS Log Auditing:** Regularly audit SaaS environment logs for unusual data access patterns or bulk downloads from unexpected IP ranges (especially residential proxies).
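The IdP, email, and SaaS auditing mitigations above share one detection pattern: correlate identity events per user and per source IP over a short window. The following is an added example, not code from the article or from any vendor; it runs three rules over a small set of constructed events. The event schema (`ts`, `user`, `action`, `ip`, `detail`), the action names, the corporate egress range `203.0.113.0/24`, and the download threshold are all assumptions for illustration and would be mapped onto a real IdP or SaaS log export in practice.

```python
"""Detection sketch for the vishing -> factor swap -> inbox rule -> bulk download
chain described above.  Added example with a simplified, constructed event
schema; it is not any vendor's real log format."""
from datetime import datetime, timedelta
import ipaddress
import re

# Assumptions for the example: keywords a notification-suppression rule would
# target, actions that hide mail, corporate egress ranges, and a bulk threshold.
KEYWORDS = ("security", "mfa", "device", "sign-in", "verification")
SUPPRESS_ACTIONS = ("delete", "move")
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate range
SWAP_WINDOW = timedelta(minutes=15)
DOWNLOAD_THRESHOLD = 500

# Constructed sample events (not real telemetry).  jdoe is the compromised user;
# asmith enrols a factor and creates a rule, but neither is malicious.
EVENTS = [
    {"ts": "2026-03-04T09:58:10Z", "user": "jdoe", "action": "mfa.factor.enroll",
     "ip": "198.51.100.23", "detail": "push:iPhone"},
    {"ts": "2026-03-04T10:01:42Z", "user": "jdoe", "action": "mfa.factor.delete",
     "ip": "198.51.100.23", "detail": "push:Pixel"},
    {"ts": "2026-03-04T10:03:05Z", "user": "jdoe", "action": "mail.rule.create",
     "ip": "198.51.100.23",
     "detail": "name=cleanup; if subject contains 'new device' then delete"},
    {"ts": "2026-03-04T10:20:00Z", "user": "jdoe", "action": "file.download",
     "ip": "198.51.100.23", "detail": "count=1400"},
    {"ts": "2026-03-04T11:00:00Z", "user": "asmith", "action": "mfa.factor.enroll",
     "ip": "203.0.113.7", "detail": "push:iPhone"},
    {"ts": "2026-03-05T08:00:00Z", "user": "asmith", "action": "mail.rule.create",
     "ip": "203.0.113.7",
     "detail": "name=newsletters; if from contains 'promo' then move"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_factor_swap(events, window=SWAP_WINDOW):
    """Flag a user who enrols one MFA factor and removes another within `window`
    (the register-new/remove-old pattern from the TTP list)."""
    findings = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        enrolls = [e for e in evs if e["action"] == "mfa.factor.enroll"]
        deletes = [e for e in evs if e["action"] == "mfa.factor.delete"]
        for en in enrolls:
            for de in deletes:
                if abs(parse_ts(de["ts"]) - parse_ts(en["ts"])) <= window:
                    findings.append({"rule": "mfa_factor_swap", "user": user,
                                     "ip": de["ip"], "enrolled": en["detail"],
                                     "removed": de["detail"]})
    return findings


# Matches the toy rule syntax "... contains '<needle>' then <action>".
RULE_RE = re.compile(r"contains '([^']*)'.*then (\w+)", re.IGNORECASE)


def is_suspicious_inbox_rule(detail):
    """True when a rule hides mail whose condition names a security keyword."""
    m = RULE_RE.search(detail)
    if not m:
        return False
    needle, action = m.group(1).lower(), m.group(2).lower()
    return action in SUPPRESS_ACTIONS and any(k in needle for k in KEYWORDS)


def detect_inbox_rules(events):
    return [{"rule": "notification_suppression_rule", "user": e["user"],
             "ip": e["ip"], "detail": e["detail"]}
            for e in events
            if e["action"] == "mail.rule.create" and is_suspicious_inbox_rule(e["detail"])]


def is_corporate_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_EGRESS)


def detect_bulk_download(events, threshold=DOWNLOAD_THRESHOLD):
    """Flag large downloads from outside corporate egress.  A residential-proxy
    feed would be checked here as well if one is available."""
    findings = []
    for e in events:
        if e["action"] != "file.download":
            continue
        count = int(e["detail"].split("=", 1)[1])
        if count >= threshold and not is_corporate_ip(e["ip"]):
            findings.append({"rule": "bulk_download_external_ip", "user": e["user"],
                             "ip": e["ip"], "count": count})
    return findings


def run_all(events):
    return detect_factor_swap(events) + detect_inbox_rules(events) + detect_bulk_download(events)


if __name__ == "__main__":
    for finding in run_all(EVENTS):
        print(finding)
```

Running the block prints three findings, all for `jdoe` from `198.51.100.23`, and nothing for `asmith`: a factor enrolment without a matching removal and a "move" rule keyed on "promo" are both ordinary user behaviour. The value of the correlation is that the same user and IP tie the three findings together, which is what turns three low-severity alerts into one high-confidence account takeover.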