Two new financially motivated threat groups, tracked as Cordial Spider and Snarky Spider, are actively targeting organizations across multiple critical infrastructure sectors in the U.S. with rapid data theft and extortion attacks, according to CrowdStrike.
The attackers, whose activity CrowdStrike detailed in a report published Thursday, have been using voice phishing and social engineering to break into victims’ identity platforms and SaaS environments since at least October 2025. The report was shared exclusively with CyberScoop prior to its public release.
Targeted Sectors and Tactics
Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, stated that the subgroups, composed primarily of native English speakers, are focusing on U.S.-based organizations in the following sectors:
- Academic
- Aviation
- Retail
- Hospitality
- Automotive
- Financial services
- Legal
- Technology
Meyers described these groups as a “new wave of ecrime threat actors” closely aligned with Scattered Spider and linked to other subsets of The Com, including SLSH and ShinyHunters.
Attack Methodology and Challenges
Because these attacks target identity systems and can expose data across multiple connected services beyond the initial breach point, determining the full scope of victims remains difficult, CrowdStrike noted.
CrowdStrike’s warning follows recent research from Palo Alto Networks’ Unit 42 and the Retail Hospitality Information Sharing and Analysis Center, which detailed Cordial Spider’s attacks on organizations in the retail and hospitality industries, among others.
Phishing and Initial Access
Cordial Spider and Snarky Spider have deployed lures via voice calls, text messages, and emails, directing employees to phishing pages disguised as legitimate single sign-on (SSO) or identity provider portals. These pages capture credentials, session keys, or tokens, depending on the workflow, providing attackers an entry point into systems.
Once inside, the attackers use this access to remove existing multi-factor authentication (MFA) devices and register their own, then delete the emails and other alerts that could warn the organization of the malicious activity.
Distinct Tactics and Tools
While the data theft and extortion campaigns share similarities, CrowdStrike emphasized that the tactics, techniques, and procedures (TTPs) for each subgroup are distinct. Variations include:
- Hours of operation
- Different phishing domain providers
- Preferred operating systems
- Data leak sites
- Tools or devices used to register for MFA
As of Wednesday, the domain for BlackFile, Cordial Spider’s data-leak site, was offline, according to Meyers.
Extortion Demands and Harassment Tactics
CrowdStrike did not provide a range for the groups’ extortion demands, but Unit 42 previously reported that Cordial Spider—also tracked as CL-CRI-1116 and UNC6671—typically demands seven-figure ransoms.
Victims who refuse to pay have faced additional harassment, including DDoS attacks. Snarky Spider has escalated its tactics further by engaging in swatting of employees at targeted organizations, Meyers added.
Evasion Techniques
To avoid detection, Cordial and Snarky Spider utilize residential proxy networks, including:
- Mullvad
- Oxylabs
- NetNut
- 9Proxy
- Infatica
- NSOCKS
These networks, which rely on IP addresses assigned to real home users, can serve legitimate purposes but are frequently exploited by unethical or criminal operators to blend malicious traffic with normal activity.
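As an added example (not part of the CyberScoop report or of CrowdStrike’s research), the Python below correlates constructed identity-platform audit events to flag the chain described above: a new SSO session arriving from a residential-proxy egress, followed within a short window by MFA factor removal or registration and deletion of alert mail. The event schema, the proxy-organisation labels and the sample records are constructed for illustration; real proxy attribution has to come from your own IP-intelligence data.

```python
"""Flag the identity-takeover chain: proxy-egress session, MFA factor churn,
then deletion of the alert mail that would expose it (constructed schema)."""
from datetime import datetime, timedelta

# Constructed placeholder labels for egress networks classified as
# residential proxies; populate from your own IP-intelligence feed.
RESIDENTIAL_PROXY_ORGS = {"example-resi-proxy-a", "example-resi-proxy-b"}

# Follow-on actions that, after a suspicious session, complete the chain.
FOLLOW_ON = {
    "mfa.factor.deactivate": "existing MFA factor removed",
    "mfa.factor.activate": "new MFA factor registered",
    "mail.message.delete": "alert mail deleted",
}

def detect_takeover(events, window=timedelta(minutes=30), min_stages=3):
    """Return {actor: [stage labels]} for actors whose proxy-egress session
    is followed inside `window` by enough distinct follow-on actions."""
    by_actor = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_actor.setdefault(ev["actor"], []).append(ev)
    findings = {}
    for actor, evs in by_actor.items():
        start, seen = None, []
        for ev in evs:
            if ev["type"] == "session.start":
                # Only a session via a proxy egress opens a detection window.
                if ev.get("client_org") in RESIDENTIAL_PROXY_ORGS:
                    start, seen = ev["ts"], ["session from residential-proxy egress"]
                continue
            if start is None or ev["ts"] - start > window:
                continue
            label = FOLLOW_ON.get(ev["type"])
            if label and label not in seen:
                seen.append(label)
        if len(seen) >= min_stages:
            findings[actor] = seen
    return findings

T0 = datetime(2025, 10, 14, 9, 0)
SAMPLE_EVENTS = [  # constructed audit records, not real telemetry
    {"ts": T0 + timedelta(minutes=2), "actor": "jdoe", "type": "session.start", "client_org": "example-resi-proxy-a"},
    {"ts": T0 + timedelta(minutes=5), "actor": "jdoe", "type": "mfa.factor.deactivate"},
    {"ts": T0 + timedelta(minutes=6), "actor": "jdoe", "type": "mfa.factor.activate"},
    {"ts": T0 + timedelta(minutes=9), "actor": "jdoe", "type": "mail.message.delete"},
    {"ts": T0 + timedelta(minutes=30), "actor": "asmith", "type": "session.start", "client_org": "corp-office-isp"},
    {"ts": T0 + timedelta(minutes=31), "actor": "asmith", "type": "mfa.factor.activate"},
]
```

Running `detect_takeover(SAMPLE_EVENTS)` flags only `jdoe`, whose four stages all fall inside the window; `asmith` registers a new factor after an ordinary office login and is not flagged.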