Cybersecurity researchers are issuing a stark warning about two sophisticated cybercrime groups, Cordial Spider and Snarky Spider, who are conducting rapid, high-impact attacks primarily within Software as a Service (SaaS) environments, leaving minimal digital footprints. These threat actors are leveraging voice phishing (vishing) and other advanced social engineering tactics to compromise accounts and exfiltrate sensitive data.
Both groups have been actively engaged in data theft and extortion campaigns since at least October 2025. Cordial Spider, also known by various identifiers like BlackFile and UNC6671, and Snarky Spider, identified as O-UNC-025 and UNC6661, have demonstrated striking operational similarities. Snarky Spider is believed to be a native English-speaking operation with ties to the e-crime ecosystem known as The Com.
Vishing and SaaS Exploitation Drive Rapid Attacks
The modus operandi of these threat actors is particularly concerning due to its speed and stealth. According to CrowdStrike’s Counter Adversary Operations, adversaries frequently employ vishing to direct targeted users toward malicious, Single Sign-On (SSO)-themed adversary-in-the-middle (AiTM) pages. Through these deceptive sites, they capture authentication data, allowing them to pivot directly into SSO-integrated SaaS applications.
This strategy of operating almost exclusively within trusted SaaS environments is designed to minimize their presence and significantly accelerate the time it takes to cause damage. The combination of high speed, precise targeting, and a focus solely on SaaS platforms presents considerable detection and visibility challenges for cybersecurity defenders.
Mandiant, a Google-owned cybersecurity firm, highlighted in a January 2026 report that these attack clusters represent an escalation in threat activity. Their tactics align with extortion-themed attacks previously attributed to the ShinyHunters group, involving impersonating IT staff during calls to trick victims into revealing their credentials and multi-factor authentication (MFA) codes via phishing pages.
Palo Alto Networks Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) recently assessed with moderate confidence that the attackers associated with CL-CRI-1116 (a designation for Cordial Spider activity) are also likely linked to The Com. Their intrusions predominantly utilize “living-off-the-land” (LotL) techniques, a method of using legitimate system tools for malicious purposes, and leverage residential proxies to mask their geographical origins and evade basic IP-based security filters.
Key Attack Stages and Tactics
Researchers Lee Clark, Matt Brady, and Cuong Dinh noted that CL-CRI-1116 activity has been actively targeting the retail and hospitality sectors since February 2026. These intrusions specifically combine vishing attacks, where threat actors impersonate IT help desk personnel, with malicious phishing login sites to steal user credentials.
A critical step in the attackers’ playbook involves bypassing MFA during initial compromises. They register a new device to maintain access, often removing existing devices first. Following this, the threat actors actively work to suppress automated email notifications related to unauthorized device registrations. They achieve this by configuring inbox rules that automatically delete such messages, thereby delaying or preventing detection.
The subsequent phase involves escalating privileges by targeting high-privileged accounts. This is often accomplished through further social engineering, including scraping internal employee directories. Once elevated access is secured, the adversaries gain entry into target SaaS environments. They then search for high-value files and business-critical reports within platforms such as Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce.
The ultimate goal is the exfiltration of this identified data to infrastructure controlled by the threat actors. CrowdStrike elaborates that in many observed cases, the compromised credentials grant access to an organization’s identity provider (IdP). This single point of entry allows adversaries to traverse multiple SaaS applications within the victim’s ecosystem using just one authenticated session, effectively abusing the trust relationships between the IdP and its connected services.
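The device-swap and notification-suppression sequence described above is a natural correlation target for defenders. The following is an added example, not code from the article or from any of the vendors it cites: it runs over a constructed, hypothetical audit-event format (dicts with `time`, `user`, `action`, `details`; the action names are assumptions, not any product's real event types) and flags a user whose new MFA device registration is preceded by a device removal and followed by an inbox rule that deletes notification-like mail within a short window.

```python
"""Added example: correlate MFA device swap with a notification-deleting inbox rule.
Event format and action names are constructed assumptions, not a vendor's schema."""
from datetime import datetime, timedelta

# Terms suggesting a rule targets account-security notifications.
SUPPRESSION_TERMS = ("new device", "security alert", "sign-in", "registered", "mfa")

# Constructed sample audit events (not real logs). 'details' is free text.
EVENTS = [
    {"time": "2026-02-10T09:00:00", "user": "alice@example.test",
     "action": "MfaDeviceRemoved", "details": "Authenticator app"},
    {"time": "2026-02-10T09:02:00", "user": "alice@example.test",
     "action": "MfaDeviceAdded", "details": "Authenticator app (new phone)"},
    {"time": "2026-02-10T09:05:00", "user": "alice@example.test",
     "action": "InboxRuleCreated", "details": "subject contains 'new device'; delete message"},
    {"time": "2026-02-11T14:00:00", "user": "bob@example.test",
     "action": "MfaDeviceAdded", "details": "FIDO2 key"},
    {"time": "2026-02-11T14:30:00", "user": "bob@example.test",
     "action": "InboxRuleCreated", "details": "move newsletters to Archive"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def suppressive_rule(event):
    """True for an inbox rule that deletes mail and matches notification-like terms."""
    d = event["details"].lower()
    return (event["action"] == "InboxRuleCreated" and "delete" in d
            and any(term in d for term in SUPPRESSION_TERMS))

def detect_device_swap_and_suppression(events, window=timedelta(hours=2)):
    """Return [(user, reason)] for each MFA device registration that is preceded
    (within `window`) by a device removal and/or followed by a suppressive rule."""
    findings, by_user = [], {}
    for e in sorted(events, key=_ts):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for add in (e for e in evs if e["action"] == "MfaDeviceAdded"):
            t = _ts(add)
            removed = any(e["action"] == "MfaDeviceRemoved" and t - window <= _ts(e) <= t for e in evs)
            suppressed = any(suppressive_rule(e) and t <= _ts(e) <= t + window for e in evs)
            if removed and suppressed:
                findings.append((user, "device swap followed by notification-deleting inbox rule"))
            elif suppressed:
                findings.append((user, "device registration followed by notification-deleting inbox rule"))
            elif removed:
                findings.append((user, "device removal immediately before new registration"))
    return findings

if __name__ == "__main__":
    for user, reason in detect_device_swap_and_suppression(EVENTS):
        print(f"ALERT {user}: {reason}")
```

Only alice is flagged: bob's rule neither deletes mail nor matches a notification term, so a benign archive rule does not trigger.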
The ongoing threat posed by Cordial Spider and Snarky Spider underscores the evolving landscape of cybercrime, emphasizing the critical need for enhanced security measures focused on SaaS environments and robust detection capabilities. Organizations should remain vigilant for signs of vishing scams and ensure their identity and access management strategies are resilient against sophisticated social engineering and account compromise tactics.