Two financially motivated threat groups, Cordial Spider and Snarky Spider, are actively targeting organizations across multiple critical infrastructure sectors for rapid data theft and extortion attacks, according to a report released Thursday by cybersecurity firm CrowdStrike. These groups, affiliated with the larger “The Com” threat family, have been observed using voice-phishing and social engineering to gain initial access since at least October 2025. The attacks focus on compromising identity platforms and subsequently traversing Software as a Service (SaaS) environments.
Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, stated that these subgroups, comprised of native English speakers, primarily target U.S.-based organizations. Affected sectors include academia, aviation, retail, hospitality, automotive, financial services, legal, and technology. The report highlights that these attackers are closely aligned with the threat group Scattered Spider and share links with other subsets of The Com, such as SLSH and ShinyHunters. The broad impact of these e-crime threat actors is difficult to quantify due to the nature of identity system compromises, which can expose data across various interconnected services.
Cordial Spider and Snarky Spider’s Attack Methodology
Cordial Spider and Snarky Spider employ voice calls, text messages, and emails as initial lures to direct employees towards phishing pages. These pages are designed to impersonate legitimate single sign-on (SSO) portals or primary identity providers of the targeted organizations. Upon successful credential capture, attackers gain an entry point into victim systems.
Following initial access, the threat actors exploit these footholds to achieve widespread access across the victim’s entire SaaS ecosystem. A critical step involves removing existing multi-factor authentication (MFA) devices and registering new ones under the attackers’ control. Additionally, they often delete emails and other alerts that could otherwise notify organizations of malicious activity, effectively obscuring their presence.
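The post-access sequence described above (an MFA device removed, a replacement registered, then notification emails deleted) can be correlated in identity and mail audit logs. The following is an added example, not taken from the CrowdStrike report; the event schema, action names, sample events and 30-minute window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, vendor-neutral audit schema.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T14:02:11", "user": "alice", "action": "mfa_remove"},
    {"ts": "2025-11-03T14:04:40", "user": "alice", "action": "mfa_enroll"},
    {"ts": "2025-11-03T14:06:02", "user": "alice", "action": "mail_delete"},
    {"ts": "2025-11-03T14:06:30", "user": "alice", "action": "mail_delete"},
    {"ts": "2025-11-03T09:15:00", "user": "bob", "action": "mfa_enroll"},
    {"ts": "2025-11-03T10:00:00", "user": "carol", "action": "mfa_remove"},
    {"ts": "2025-11-03T16:30:00", "user": "carol", "action": "mfa_enroll"},
]

def detect_mfa_swap(events, window=timedelta(minutes=30)):
    """Flag users whose MFA factor is removed and replaced within `window`,
    and count mail deletions that follow the new enrollment within `window`."""
    last_remove = {}   # user -> time of most recent mfa_remove
    alerts = {}        # user -> alert for the latest remove/enroll swap
    # ISO-8601 timestamps of equal precision sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, action = ev["user"], ev["action"]
        if action == "mfa_remove":
            last_remove[user] = ts
        elif action == "mfa_enroll":
            removed = last_remove.pop(user, None)
            # Enrollment with no recent removal is normal device onboarding.
            if removed is not None and ts - removed <= window:
                alerts[user] = {"user": user, "removed_at": removed,
                                "enrolled_at": ts, "mail_deletes": 0,
                                "severity": "medium"}
        elif action == "mail_delete" and user in alerts:
            alert = alerts[user]
            if ts - alert["enrolled_at"] <= window:
                alert["mail_deletes"] += 1
                alert["severity"] = "high"  # swap followed by mail cleanup
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_mfa_swap(SAMPLE_EVENTS):
        print(alert)
```

In the sample data only alice is flagged: bob enrolls a device without a preceding removal, and carol's replacement happens hours after the removal, outside the window.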
Distinctive Tactics and Extortion Demands
While the overall objective of data theft for extortion campaigns is similar, CrowdStrike notes distinct differences in the tactics, techniques, and procedures (TTPs) employed by each subgroup. These variances include operational hours, preferred phishing domain providers, operating system preferences, the use of specific data leak sites, and the tools used for MFA registration.
For instance, the data-leak site associated with Cordial Spider, known as BlackFile, was offline as of Wednesday, according to Meyers. While specific extortion demand figures were not provided by CrowdStrike, previous research from Palo Alto Networks’ Unit 42 indicated that Cordial Spider’s demands typically fall in the seven-figure range. In some cases, victims who refuse to pay extortion demands have faced subsequent distributed denial-of-service (DDoS) attacks.
Snarky Spider has been observed employing more aggressive follow-on harassment tactics, including swatting incidents directed at employees of victim organizations. To evade detection, both Cordial and Snarky Spider leverage residential proxy networks, such as Mullvad, Oxylabs, NetNut, and others. These networks utilize IP addresses assigned to real home users, allowing attackers to blend in with normal network traffic and circumvent IP-based security measures.
Impact and Future Outlook
Although Cordial and Snarky Spider have not yet reached the level of impact or technical sophistication demonstrated by Scattered Spider, they share significant commonalities and objectives. Meyers described them as a “new generation of Scattered Spider,” adopting many of their techniques. However, the report indicates a perceived lesser degree of technical expertise compared to their more established affiliate.
The ongoing activities of these e-crime threat actors highlight the persistent threat to critical infrastructure sectors. Organizations are advised to strengthen their identity defenses, implement robust security awareness training programs, and maintain vigilant monitoring for unusual activity. The dynamic nature of these threat groups means that their TTPs and targets may continue to evolve, requiring continuous adaptation of defensive strategies. Further analysis from cybersecurity firms is expected as more information about these ongoing campaigns emerges.

