Recent cybersecurity intelligence has uncovered the operations of two malicious groups identified as Cordial Spider and Snarky Spider. These groups are reportedly engaged in rapid, high-impact cyberattacks, predominantly targeting Software as a Service (SaaS) platforms while minimizing their digital footprints.
The Cordial Spider group, also known by the aliases BlackFile and CL-CRI-1116, together with Snarky Spider (O-UNC-025), has been linked to aggressive data theft and extortion activity. Both factions have been active since at least October 2025, exploiting weaknesses within SaaS ecosystems, which poses significant risk to organizations that rely on such services. Snarky Spider is noted for being a native English-speaking team with connections to the notorious cybercrime network known as The Com.
According to a report from CrowdStrike, the attackers often employ voice phishing (vishing) techniques to lure victims into providing sensitive authentication information. This is typically executed through fraudulent single sign-on (SSO) themed webpages that act as adversary-in-the-middle (AiTM) traps. Once access is gained, these actors can infiltrate various SSO-integrated SaaS applications, raising severe security concerns for affected businesses.
This trend reflects a broader industry shift, with both groups using sophisticated methods that complicate detection. Their attacks are characterized by speed and precision, and their exclusive focus on trusted SaaS environments lets them operate with reduced visibility and a higher chance of successful exploitation. As recent analyses note, this operational model effectively bypasses traditional perimeter-focused security controls, complicating incident response and mitigation.
A report released by Mandiant in January 2026 emphasized that the tactics employed by these groups align closely with those utilized by the ShinyHunters, known for their extortion-driven cyber activities. By impersonating IT personnel during phone calls, these hackers are able to deceive users into divulging their credentials and MFA codes, thus facilitating unauthorized system access.
Evaluations by Palo Alto Networks’ Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center assess with moderate confidence that the CL-CRI-1116 group is linked to The Com and predominantly employs living-off-the-land (LotL) tactics. These tactics include the use of residential proxies, which obscure the actors’ geographic locations while bypassing conventional IP reputation filters.
Attacks orchestrated by these groups frequently involve registering new devices to evade MFA protections and maintaining access to compromised accounts. They do so by removing existing registered devices and configuring inbox rules to suppress automated alerts regarding unauthorized device registrations. This level of operational cunning allows them to maintain prolonged access to targeted accounts without detection.
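The sequence described above (a new MFA device registered, an existing device removed, and an inbox rule created to hide the resulting alert e-mails) is something defenders can correlate in identity-provider and mailbox audit logs. The following is an added example, not code from the article or from CrowdStrike, Mandiant or Unit 42: it runs a simple per-user correlation over a constructed set of audit events. The event field names (`ts`, `user`, `action`, `detail`) and action labels are assumptions standing in for whatever a real IdP or mail platform emits, and the 24-hour window and keyword lists are illustrative tuning choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not taken from the article). Field names and
# action labels are assumptions modelled loosely on IdP and mailbox audit logs.
EVENTS = [
    {"ts": "2026-01-14T09:02:10", "user": "alice", "action": "mfa_device_registered",
     "detail": "iPhone (new)"},
    {"ts": "2026-01-14T09:04:45", "user": "alice", "action": "mfa_device_removed",
     "detail": "Pixel (old)"},
    {"ts": "2026-01-14T09:06:30", "user": "alice", "action": "inbox_rule_created",
     "detail": "subject contains 'new device registered' -> delete"},
    {"ts": "2026-01-14T11:30:00", "user": "bob", "action": "mfa_device_registered",
     "detail": "YubiKey"},
    {"ts": "2026-01-15T08:00:00", "user": "carol", "action": "inbox_rule_created",
     "detail": "from newsletter@example.com -> move to Promotions"},
]

# Words that suggest a rule is aimed at security notifications rather than ordinary mail.
ALERT_KEYWORDS = ("security alert", "new device", "new sign-in", "registered", "mfa")
# Actions that would keep such a notification out of the user's sight.
HIDING_ACTIONS = ("delete", "move", "archive", "mark as read")


def is_alert_suppressing_rule(detail: str) -> bool:
    """True when an inbox rule both targets alert-like mail and hides it."""
    d = detail.lower()
    hides = any(a in d for a in HIDING_ACTIONS)
    targets_alert = any(k in d for k in ALERT_KEYWORDS)
    return hides and targets_alert


def find_mfa_takeover_candidates(events, window=timedelta(hours=24)):
    """Return {user: [signals]} for users whose new-device registration is followed,
    within `window`, by at least one more takeover-style signal."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "dt": datetime.fromisoformat(e["ts"])})

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["dt"])
        for anchor in (e for e in evs if e["action"] == "mfa_device_registered"):
            end = anchor["dt"] + window
            follow = [e for e in evs if anchor["dt"] <= e["dt"] <= end]
            signals = {"device_registered"}
            if any(e["action"] == "mfa_device_removed" for e in follow):
                signals.add("device_removed")
            if any(e["action"] == "inbox_rule_created"
                   and is_alert_suppressing_rule(e["detail"]) for e in follow):
                signals.add("alert_suppression_rule")
            # A lone registration is normal; two or more signals together are worth review.
            if len(signals) >= 2:
                findings[user] = sorted(signals)
    return findings


if __name__ == "__main__":
    for user, signals in find_mfa_takeover_candidates(EVENTS).items():
        print(f"review {user}: {', '.join(signals)}")
```

On the constructed data only `alice` is flagged: `bob` registered a device with no follow-on activity, and `carol`'s rule moves a newsletter rather than a security notification. In a real deployment the registration event would be correlated against the session that performed it (for example, whether it came from a residential-proxy range or a device the user had never used), which the article identifies as the tell-tale context for these intrusions.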
Subsequent phases of their operations typically involve extensive social engineering aimed at high-privileged accounts, often supported by harvesting internal employee directories. With elevated access, these threat actors can move into critical SaaS environments, targeting sensitive data stored in platforms such as Google Workspace, Microsoft SharePoint, and Salesforce, and ultimately exfiltrating valuable business information.
CrowdStrike’s assessment highlights that the compromised credentials often grant access to an organization’s identity provider (IdP), creating a single point of entry to multiple SaaS applications. This exploitation of trust within identity infrastructure allows attackers to navigate across a victim’s entire SaaS landscape through a single authenticated session, emphasizing the critical importance of robust identity management and monitoring protocols for organizations leveraging SaaS solutions.