“They’ve kind of taken their playbook and they’re using a lot of their techniques,” Adam Meyers of CrowdStrike said, “but we haven’t really seen the technical sophistication demonstrated by them that we saw from Scattered Spider.”
Cordial Spider and Snarky Spider: new, fast-moving extortion crews tied to The Com
CrowdStrike says two financially motivated groups it tracks as Cordial Spider and Snarky Spider are conducting rapid data-theft-for-extortion campaigns and are closely aligned with Scattered Spider and other subsets of The Com, including SLSH and ShinyHunters. The company reports the subgroups consist of native English speakers and have been active since at least October 2025, primarily targeting U.S.-based organizations across academic, aviation, retail, hospitality, automotive, financial services, legal and technology sectors.
Tactics: voice-phishing, social engineering and identity-platform compromise
Researchers say Cordial Spider and Snarky Spider use voice-phishing (vishing), text messages and emails to steer employees to phishing sites that mimic their employer’s single sign-on page or primary identity provider. Those bogus pages are designed to capture credentials, session keys or tokens depending on the target workflow, giving the attackers an initial foothold into a victim’s SaaS ecosystem.
- Attackers exploit those initial credentials to move laterally across connected SaaS services and to manipulate authentication controls.
- The groups remove and set up multi-factor authentication (MFA) devices and delete emails and alert messages that would otherwise warn organizations of suspicious activity, CrowdStrike said.
- Because the attacks start in identity platforms and reach into many connected services, CrowdStrike warned it can be difficult to determine the full list of affected victims.
Tools and infrastructure: residential proxies, differing playbooks, and leak sites
CrowdStrike noted technical distinctions between Cordial Spider and Snarky Spider even as their goals and broad techniques overlap. Variances the firm observed include hours of operation, chosen phishing domain providers, preferred operating systems, data-leak sites and the specific tools or devices used to register MFA.
Both groups make use of residential proxy networks to evade IP-based detection and blend with normal traffic. CrowdStrike identified Mullvad, Oxylabs, NetNut, 9Proxy, Infatica and NSOCKS as proxy providers used by the actors. The report added that residential proxy networks can serve legitimate purposes, but that unethical or criminal operators are abusing them to support botnets, cybercrime campaigns and other malicious activity.
The domain for BlackFile, identified as Cordial Spider’s data-leak site, “was offline as of Wednesday,” Adam Meyers said.
Follow-on harassment: DDoS, and more aggressive tactics from Snarky Spider
CrowdStrike declined to provide a range for the groups’ extortion demands. Palo Alto Networks’ Unit 42, cited by the report, previously characterized Cordial Spider’s extortion levels as typically in the seven-figure range. Some victims who declined to pay extortion demands have been hit with distributed denial-of-service attacks; Meyers said Snarky Spider has also employed more aggressive harassment tactics, including swatting of victim organizations’ employees.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: monitor identity platforms and SSO flows closely for unexpected MFA device changes, session token captures and evidence of deleted email alerts — the report highlights those exact behaviors as post-compromise activity.
- Policymakers and regulators: the research calls attention to the abuse of residential proxy networks and to data-leak infrastructure; both are concrete areas regulators and oversight bodies may need to track given how the actors blend with legitimate traffic.
- Affected enterprises and procurement leaders: sector-specific targeting—academic, aviation, retail, hospitality, automotive, financial services, legal and technology—suggests organizations that rely heavily on SaaS identity chains should reassess how phishing-resistant their authentication and alerting mechanisms are, as the groups focus on identity systems to reach broad swaths of connected services.
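The post-compromise sequence the report describes (an MFA device removed and a new one set up, then alert emails deleted) can be correlated per user in identity and mail audit logs. The following is an added example, not code from CrowdStrike or the original reporting; the event schema, action labels, keyword list, time windows and sample events are constructed assumptions, not any vendor's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema.
EVENTS = [
    {"ts": "2025-11-03T09:00:00", "user": "bob", "action": "mfa.enroll", "detail": "yubikey-2"},
    {"ts": "2025-11-03T14:02:10", "user": "alice", "action": "mfa.remove", "detail": "phone-1"},
    {"ts": "2025-11-03T14:05:41", "user": "alice", "action": "mfa.enroll", "detail": "authenticator-new"},
    {"ts": "2025-11-03T14:09:02", "user": "alice", "action": "mail.delete",
     "detail": "Security alert: new sign-in method added"},
    {"ts": "2025-11-03T14:09:30", "user": "alice", "action": "mail.delete", "detail": "Lunch on Friday?"},
    {"ts": "2025-11-03T16:30:00", "user": "bob", "action": "mail.delete",
     "detail": "Security alert: password changed"},
    {"ts": "2025-11-04T10:00:00", "user": "carol", "action": "mfa.remove", "detail": "phone-9"},
    {"ts": "2025-11-04T10:03:00", "user": "carol", "action": "mfa.enroll", "detail": "phone-10"},
]

# Assumed subject keywords that mark a message as a security notification.
ALERT_WORDS = ("security alert", "new sign-in", "mfa", "verification", "authenticator")


def find_mfa_swap_then_cleanup(events, swap_window=timedelta(minutes=30),
                               cleanup_window=timedelta(hours=2)):
    """Flag users whose MFA device was replaced, and escalate when
    security-alert mail is deleted shortly after the replacement."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        per_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = []
    for user, evs in per_user.items():
        for i, rem in enumerate(evs):
            if rem["action"] != "mfa.remove":
                continue
            # A removal followed quickly by an enrollment is a device swap.
            enroll = next((e for e in evs[i + 1:] if e["action"] == "mfa.enroll"
                           and e["ts"] - rem["ts"] <= swap_window), None)
            if enroll is None:
                continue
            deleted = [e["detail"] for e in evs if e["action"] == "mail.delete"
                       and timedelta(0) <= e["ts"] - enroll["ts"] <= cleanup_window
                       and any(w in e["detail"].lower() for w in ALERT_WORDS)]
            findings.append({"user": user, "new_device": enroll["detail"],
                             "swapped_at": enroll["ts"].isoformat(),
                             "deleted_alerts": deleted,
                             "severity": "high" if deleted else "review"})
    return findings


if __name__ == "__main__":
    for finding in find_mfa_swap_then_cleanup(EVENTS):
        print(finding)
```

A swap on its own is reported at "review" severity because users legitimately replace devices; the deletion of the matching alert mail is what raises it to "high".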
CrowdStrike frames Cordial Spider and Snarky Spider as a “new generation of Scattered Spider” that has adopted many of the earlier crew’s techniques while not yet matching its technical sophistication. Because the compromises begin in identity providers and can propagate across SaaS ecosystems, researchers say the true scope of impacted victims remains difficult to enumerate. Meanwhile, the offline status of BlackFile and Unit 42’s prior estimate of seven-figure extortion demands underscore how quickly these extortion operations can evolve and the financial stakes involved.
Original reporting: CyberScoop — CrowdStrike: Cordial Spider and Snarky Spider extortion attacks




