- Two cybercrime groups, Cordial Spider and Snarky Spider, are conducting rapid, high-impact data theft and extortion campaigns primarily within trusted SaaS environments.
- The attackers use voice phishing (vishing) to trick users into visiting malicious SSO-themed pages, stealing authentication data to pivot directly into cloud applications.
- These intrusions, active since at least October 2025, present significant detection challenges as they leave minimal footprints and leverage living-off-the-land techniques.
- Once inside, the groups target high-privileged accounts and exfiltrate valuable data from platforms like Google Workspace and Salesforce to infrastructure under their control.
- Mandiant research links the clusters’ tactics to extortion-themed attacks previously associated with the ShinyHunters group.
Cybersecurity firms CrowdStrike and Mandiant warned in May 2026 of two sophisticated cybercrime groups, Cordial Spider and Snarky Spider, executing swift and stealthy attacks within corporate software environments. These adversaries, active since at least October 2025, specialize in high-speed data theft and extortion by impersonating IT help desk personnel. According to a CrowdStrike report, they use voice phishing to direct targets to adversary-in-the-middle pages that capture login credentials.
With those credentials in hand, they defeat multi-factor authentication by enrolling their own devices as MFA factors on the victim's account and then deleting the automated security notification that the enrollment generates from the victim's inbox, so the user never learns of the change. “By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact,” the researchers noted. Because the identity provider federates access to every connected application, a single compromised SSO login becomes one point of entry into an organization's entire suite of cloud applications.
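The technique described above leaves a small but correlatable trace: a new MFA factor enrolled from an IP the user has not logged in from before, followed minutes later by the deletion of the notification e-mail that the enrollment produced. The script below is an added illustration of that correlation, not detection logic from CrowdStrike, Mandiant or any vendor. It assumes a normalized, vendor-neutral JSON-lines event shape and a constructed sample log; the action names (`login.success`, `mfa.factor_enrolled`, `mail.delete`) and the subject-line markers are assumptions and would need to be mapped from the real identity-provider and mailbox audit logs in use.

```python
"""Correlate identity-provider (IdP) and mailbox audit events to flag
"MFA factor enrolled from an unfamiliar IP, then the enrollment notice
was deleted". Added illustration; not any vendor's detection content."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry in an ASSUMED, vendor-neutral JSON-lines shape.
# Real IdP and mail audit logs use other field names; map them into this shape
# (or adapt the action strings below) before running the correlation.
SAMPLE_LOG = """\
{"ts":"2026-05-04T09:00:00Z","user":"alice","action":"login.success","ip":"203.0.113.10","detail":{}}
{"ts":"2026-05-04T13:02:11Z","user":"alice","action":"login.success","ip":"198.51.100.77","detail":{}}
{"ts":"2026-05-04T13:03:40Z","user":"alice","action":"mfa.factor_enrolled","ip":"198.51.100.77","detail":{"factor":"authenticator_app"}}
{"ts":"2026-05-04T13:05:02Z","user":"alice","action":"mail.delete","ip":"198.51.100.77","detail":{"subject":"A new authenticator app was added to your account"}}
{"ts":"2026-05-04T08:30:00Z","user":"bob","action":"login.success","ip":"203.0.113.22","detail":{}}
{"ts":"2026-05-04T08:31:15Z","user":"bob","action":"mfa.factor_enrolled","ip":"203.0.113.22","detail":{"factor":"security_key"}}
{"ts":"2026-05-04T10:10:00Z","user":"carol","action":"mail.delete","ip":"203.0.113.31","detail":{"subject":"Weekly newsletter"}}
"""

# Subject fragments typical of IdP "sign-in method changed" notices (assumed;
# tune to the exact templates your identity provider sends).
ALERT_SUBJECT_MARKERS = ("new sign-in", "authenticator", "security key",
                         "mfa", "verification method", "two-step")


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    ip: str
    detail: dict


def parse_events(text: str) -> list[Event]:
    """Parse JSON lines into Event records sorted by timestamp (UTC)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        ts = datetime.fromisoformat(raw["ts"].replace("Z", "+00:00"))
        events.append(Event(ts.astimezone(timezone.utc), raw["user"],
                            raw["action"], raw["ip"], raw.get("detail", {})))
    return sorted(events, key=lambda e: e.ts)


def is_security_alert(subject: str) -> bool:
    """True when a mail subject looks like an IdP security notification."""
    s = subject.lower()
    return any(marker in s for marker in ALERT_SUBJECT_MARKERS)


def find_enroll_then_delete(events: list[Event],
                            window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Return one finding per MFA enrollment that is followed, within `window`
    and by the same user, by deletion of a security-notification e-mail.

    The enrolling IP counts as "familiar" only if the user had a successful
    login from it BEFORE the window opened; a login seconds before the
    enrollment (the stolen-credential case) does not make it familiar."""
    logins: dict[str, list[Event]] = {}
    for ev in events:
        if ev.action == "login.success":
            logins.setdefault(ev.user, []).append(ev)

    findings = []
    for idx, ev in enumerate(events):
        if ev.action != "mfa.factor_enrolled":
            continue
        cutoff = ev.ts - window
        familiar = any(l.ip == ev.ip and l.ts < cutoff
                       for l in logins.get(ev.user, []))
        for later in events[idx + 1:]:      # events are time-sorted
            if later.ts - ev.ts > window:
                break
            if (later.user == ev.user and later.action == "mail.delete"
                    and is_security_alert(later.detail.get("subject", ""))):
                findings.append({
                    "user": ev.user,
                    "enroll_ts": ev.ts.isoformat(),
                    "enroll_ip": ev.ip,
                    "enroll_ip_familiar": familiar,
                    "factor": ev.detail.get("factor"),
                    "deleted_subject": later.detail["subject"],
                    "seconds_to_delete": int((later.ts - ev.ts).total_seconds()),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_enroll_then_delete(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

On the constructed sample only alice is flagged: bob enrolled a factor but deleted no notice, and carol deleted a newsletter rather than an alert. In production, the "familiar IP" baseline should come from a longer history than a single day of logins, and a finding whose enrollment IP is also unfamiliar deserves priority, since the reporting above notes the actors sit behind residential proxies.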
Meanwhile, a January 2026 report from Google-owned Mandiant revealed these clusters represent an expansion of threat activity consistent with the ShinyHunters group. As recently as last week, Palo Alto Networks Unit 42 and the RH-ISAC assessed with moderate confidence that the actors behind CL-CRI-1116 are likely associated with the e-crime ecosystem known as The Com. The groups primarily rely on living-off-the-land techniques and use residential proxies to hide their locations.
After initial access, the threat actors pivot by scraping internal directories to find and compromise high-privileged accounts. They then hunt for business-critical files in platforms like Microsoft SharePoint and HubSpot before exfiltrating the data. This combination of speed, precision, and SaaS-only activity creates significant visibility challenges for security teams trying to defend their organizations.
