Full Report
CrowdStrike says The Com-affiliated threat groups are using voice phishing and fake SSO pages to break into SaaS environments and steal data fast for extortion. (Source: "Two new extortion crews are speedrunning the Scattered Spider playbook", CyberScoop.)
Analysis Summary
# Threat Actor: Cordial Spider & Snarky Spider
## Attribution & Identity
* **Actor Names:** Cordial Spider, Snarky Spider.
* **Affiliations:** Closely aligned with **Scattered Spider** (often described as the "next generation" of the group) and members of the broader **"The Com"** ecosystem.
* **Associated Groups:** Linked to subgroups SLSH and ShinyHunters.
* **Other Aliases:**
  * **Cordial Spider:** CL-CRI-1116, UNC6671 (tracked by Mandiant/Unit 42).
* **Identity Notes:** Composed of native English-speaking actors.
## Activity Summary
Since at least October 2025, these groups have been "speedrunning" the Scattered Spider playbook, focusing on rapid data theft and high-pressure extortion. They specialize in compromising identity platforms and traversing SaaS environments. While they currently lack the full technical sophistication of Scattered Spider, they are highly persistent and aggressive, utilizing social engineering to breach large enterprises.
## Tactics, Techniques & Procedures
* **Initial Access:** Voice phishing (vishing), SMS phishing (smishing), and email lures targeting employees.
* **Phishing Infrastructure:** Use of fake Single Sign-On (SSO) pages and identity provider clones to capture credentials, session keys, or MFA tokens.
* **Identity Manipulation:** Removing existing MFA devices and registering new, attacker-controlled devices to maintain persistence.
* **Defense Evasion:**
  * Use of residential proxy networks to blend into legitimate traffic and bypass IP-based geofencing/reputation filters.
  * Deletion of emails and internal security alerts to mask unauthorized activity.
* **Extortion/Pressure:**
  * Mass data exfiltration from SaaS environments.
  * DDoS attacks against victims who refuse to pay.
  * **Snarky Spider specific:** "Swatting" (calling in fake emergency threats) against victim organization employees.
* **MITRE ATT&CK IDs:**
  * T1566.002 (Spearphishing Link)
  * T1566.003 (Spearphishing Voice/Vishing)
  * T1556 (Modify Authentication Process - MFA manipulation)
  * T1090.003 (Proxy: Multi-hop Proxy/Residential Proxies)
  * T1491 (Defacement/Exfiltration for Extortion)
## Targeting
* **Sectors:** Academic, Aviation, Retail, Hospitality, Automotive, Financial Services, Legal, and Technology.
* **Geography:** Primarily United States-based organizations.
* **Victims:** Large-scale organizations across critical infrastructure sectors.
## Tools & Infrastructure
* **Residential Proxy Networks:** Used to mask origins; specifically Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and NSOCKS.
* **Data Leak Sites:**
  * **BlackFile** (associated with Cordial Spider; hxxp[://]blackfile[.]onion, currently reported offline).
* **Infrastructure:** Various phishing domain providers; the providers used differ noticeably between the two groups.
## Implications
These groups represent a democratization of high-impact social engineering. By mimicking the Scattered Spider playbook, they demonstrate that even less technically "sophisticated" actors can achieve devastating results by focusing on the "human element" and identity systems. The shift toward aggressive physical harassment (swatting) indicates an escalation in The Com's willingness to use violent or dangerous real-world tactics to compel payment.
## Mitigations
* **Phishing-Resistant MFA:** Transition from SMS/Push-based MFA to FIDO2-compliant hardware security keys (e.g., YubiKeys) to prevent session/token theft via phishing.
* **Identity Monitoring:** Implement strict logging and alerting for the registration of new MFA devices or changes to administrative identity roles.
* **Proxy Blocking:** Monitor for and restrict traffic from known residential proxy providers (Mullvad, Oxylabs, etc.) if they are not required for legitimate business operations.
* **Security Awareness:** Targeted training for IT help desk and high-value employees regarding vishing and social engineering tactics utilized by native English speakers.
* **SaaS Governance:** Audit and limit third-party app permissions within SaaS environments to prevent lateral movement after an initial identity breach.