
The financial toll from identity-based attacks has reached staggering proportions across nine critical sectors of the U.S. economy. Organizations in academic, aviation, retail, hospitality, automotive, financial services, legal, and technology industries now face extortion demands routinely reaching seven figures from two emerging threat groups that have weaponized the most effective elements of Scattered Spider's social engineering arsenal. (Source: Cyberscoop)

These attacks matter because identity platforms serve as the master keys to modern business operations. When attackers compromise single sign-on systems or primary identity providers, they gain access not just to one application but to entire SaaS ecosystems - email, cloud storage, customer databases, financial systems, and intellectual property repositories. The cascading nature of these breaches means a single successful voice-phishing call can expose data across dozens of connected services.

The timeline reveals rapid escalation. Since October 2025, Cordial Spider and Snarky Spider have refined their approach, moving from opportunistic attacks to systematic campaigns targeting specific industries. The groups emerged as distinct entities affiliated with The Com, inheriting operational knowledge from established crews like SLSH and ShinyHunters while developing their own specialized techniques.

What makes the Scattered Spider playbook so devastatingly effective is its exploitation of human trust combined with technical evasion. Native English speakers conduct voice-phishing attacks that sound legitimate because they understand cultural nuances and corporate communication patterns. They direct employees to phishing pages that perfectly mimic legitimate single sign-on portals, capturing not just passwords but session keys and authentication tokens that bypass traditional security controls.

The proxy network abuse represents a fundamental challenge to conventional security monitoring. By routing attacks through residential proxy services including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica and NSOCKS, these groups make their traffic appear to originate from legitimate home users. Your security tools see what looks like an employee logging in from a residential IP address, not a suspicious data center or foreign location.

Once inside, the attackers demonstrate methodical persistence. They remove existing multi-factor authentication devices and register their own, ensuring continued access even if passwords change. They delete security alerts and warning emails before administrators can see them. This systematic approach to maintaining access while suppressing detection gives them time to map networks, identify valuable data, and prepare extortion packages.

The economic exposure spans far beyond direct extortion payments. Aviation companies face operational disruptions that cascade through flight schedules. Retail and hospitality organizations risk exposure of customer payment data during peak seasons. Financial services firms confront regulatory penalties for data breaches. Academic institutions must notify thousands of students and staff about compromised personal information. Legal firms face ethical obligations when client confidential data is exposed.


Perhaps most concerning is the escalation pattern when victims refuse payment. DDoS attacks disrupt business operations, while Snarky Spider has crossed into physical intimidation through swatting attacks against employees. This progression from digital extortion to real-world harassment represents a dangerous evolution in cybercriminal tactics that puts personnel safety at risk alongside data security.

The Attack Chain: From Proxy Networks to Extortion Demands

The attack progression begins with native English-speaking operators leveraging voice calls, text messages, and emails to direct employees toward carefully crafted phishing pages. These pages mimic legitimate single sign-on portals or primary identity providers, capturing credentials, session keys, or tokens depending on the authentication workflow. This initial compromise provides the foundation for systematic SaaS environment infiltration.

Once credentials are harvested, attackers immediately establish persistence through multi-factor authentication manipulation. They remove existing MFA devices registered to legitimate users and register their own authentication methods. This critical step ensures continued access even if passwords are reset. Simultaneously, they delete email alerts and security notifications that would otherwise warn IT teams of suspicious authentication events.


The residential proxy infrastructure plays a crucial role in maintaining operational security throughout the attack. Services like Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and NSOCKS route malicious traffic through IP addresses assigned to real home users. This technique allows attackers to blend seamlessly with normal employee traffic patterns, defeating geographic-based access controls and IP reputation filters. Each authentication attempt appears to originate from residential broadband connections rather than suspicious data center IPs or known VPN exit nodes.

Lateral movement occurs entirely within the compromised identity platform ecosystem. Rather than exploiting network vulnerabilities or deploying malware, attackers traverse connected SaaS applications using legitimate authentication tokens. Each connected service - from cloud storage to collaboration platforms - becomes accessible through the compromised identity provider. This approach leaves minimal forensic artifacts since all actions appear as authorized user activity.

Data exfiltration follows established access patterns to avoid triggering data loss prevention systems. Attackers download sensitive information through the same channels employees use daily, maintaining normal bandwidth patterns and file access sequences. The use of residential proxies ensures even large data transfers appear distributed across multiple legitimate user sessions rather than concentrated suspicious activity.

The extortion phase reveals operational differences between the two groups. Cordial Spider operates BlackFile as their primary data leak site, though the domain went offline as of Wednesday. Their demands typically reach seven figures, according to Unit 42, which tracks the group under the identifiers CL-CRI-1116 and UNC6671. When victims refuse payment, Cordial Spider launches distributed denial-of-service attacks against victim infrastructure.

Snarky Spider employs more aggressive psychological pressure tactics. Beyond traditional data leak threats, they orchestrate swatting incidents targeting employees of victim organizations. This escalation represents a dangerous shift from purely digital extortion to physical harassment, significantly raising the stakes for targeted organizations.

The groups maintain distinct operational signatures despite their shared tactics. Differences in operating hours suggest geographic distribution or deliberate scheduling to avoid pattern recognition. Each group uses different phishing domain providers and preferred operating systems, creating unique fingerprints for attribution. Their MFA registration tools and devices also vary, providing additional detection opportunities for security teams monitoring authentication logs.

This streamlined attack chain demonstrates how identity-focused compromises bypass traditional security controls. Without deploying malware or exploiting software vulnerabilities, these groups achieve complete SaaS environment access, data theft, and extortion capabilities through social engineering and identity platform abuse alone.

SaaS Attack Chain Progression

1. Initial Contact - Native English-speaking operators use voice calls, texts, and emails to direct employees to phishing pages mimicking SSO portals. (Voice Phishing, Social Engineering)
2. MFA Manipulation - Attackers remove legitimate MFA devices and register their own, ensuring persistent access while deleting security alerts. (MFA Bypass, Alert Suppression)
3. Residential Proxy Masking - Traffic is routed through residential IPs (Mullvad, Oxylabs, NetNut) to blend with normal employee patterns and defeat security controls. (IP Masking, Proxy Networks)
4. Lateral Movement - Attackers traverse connected SaaS applications using legitimate authentication tokens, leaving minimal forensic artifacts. (Token Abuse, SaaS Hopping)
5. Data Exfiltration - Sensitive data is downloaded through normal employee channels, maintaining typical bandwidth patterns to avoid DLP detection. (Stealth Transfer, DLP Evasion)

Attribution and Threat Actor Profiles: CL-CRI-1116, Cordial Spider, and the Scattered Spider Ecosystem

The complex web of threat actors operating within The Com ecosystem reveals a sophisticated criminal hierarchy where different groups share tactics while maintaining distinct operational identities. Understanding these relationships proves critical for organizations negotiating ransom demands or assessing the likelihood of data publication following an attack.

Cordial Spider, tracked under multiple aliases including CL-CRI-1116 and UNC6671, represents the more established of the two new groups. Their operational hours suggest a structured approach to targeting victims, and they maintain BlackFile as their dedicated data-leak site - though the domain went offline as of Wednesday. Unit 42's research indicates this group consistently demands ransoms in the seven-figure range, positioning them as a significant financial threat to targeted organizations.

Snarky Spider operates with notably different characteristics despite sharing the same fundamental playbook. Where Cordial Spider relies on DDoS attacks against non-paying victims, Snarky Spider escalates to physical harassment through swatting attacks against employees. This willingness to cross from digital to physical threats marks a dangerous evolution in extortion tactics that security teams must factor into their incident response planning.

The distinction between these groups extends to their technical infrastructure choices. Each maintains separate phishing domain providers and demonstrates preferences for different operating systems when conducting operations. Their selection of multi-factor authentication registration tools and devices also differs, creating unique fingerprints that incident responders can use to identify which group has compromised their environment.

Both groups maintain connections to The Com, a broader criminal collective that includes established players like SLSH and ShinyHunters. This affiliation provides access to shared resources and intelligence while allowing individual groups to maintain operational independence. The relationship mirrors traditional organized crime structures where different crews operate under a larger umbrella organization.

The connection to Scattered Spider represents more of a mentorship or inspiration model than direct collaboration. Adam Meyers from CrowdStrike describes these groups as "the new generation of Scattered Spider," adopting their techniques without demonstrating the same level of technical sophistication. This suggests these actors studied Scattered Spider's successful campaigns and extracted the most effective elements for their own operations.

Attribution matters significantly when responding to these attacks. Organizations facing Cordial Spider can expect professional, business-like negotiations focused on financial gain. Their consistent seven-figure demands and reliance on data publication threats follow predictable patterns. Snarky Spider's willingness to engage in swatting indicates a more aggressive, potentially unstable actor where traditional negotiation strategies may prove less effective.

The native English-speaking composition of both groups enables them to conduct convincing voice-phishing attacks against U.S.-based targets. This linguistic advantage, combined with their understanding of American business culture and practices, makes their social engineering particularly effective against employees unfamiliar with these sophisticated impersonation techniques.

While neither group has achieved Scattered Spider's technical capabilities, their rapid adoption of proven tactics demonstrates how successful attack methodologies spread through the cybercriminal ecosystem. Organizations must recognize that facing one of these groups means dealing with actors who have learned from the most successful identity-focused attacks of recent years, even if they haven't yet matched their predecessors' sophistication.

Detection and Response Playbook: Immediate Actions by Priority

Organizations facing potential compromise from these identity-focused attacks need a structured response plan that prioritizes actions based on available resources and immediate risk indicators. The following playbook addresses detection and response requirements specific to the multi-stage attack patterns employed by these threat groups.

Immediate Actions (Execute Today)

Begin hunting for residential proxy network connections in your authentication logs. Search specifically for login attempts originating from IP addresses associated with Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and NSOCKS services. These connections often appear during off-hours when legitimate employees aren't actively authenticating, making temporal analysis particularly valuable for initial detection.

Review your identity provider's audit logs for patterns indicating MFA device manipulation. Look for sequences where existing authentication devices are removed and new ones are immediately registered, especially when these actions occur outside normal business hours or from unusual geographic locations. Pay special attention to administrative accounts where such changes would grant elevated privileges across your SaaS environment.

Check email deletion logs across your messaging platforms. The attackers systematically remove security alerts and authentication notifications to mask their presence. Bulk deletions of system-generated emails, particularly those containing keywords like "login," "authentication," or "security alert," warrant immediate investigation. Cross-reference these deletions with MFA device changes to identify potentially compromised accounts.
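The three hunts above (proxy-range logins, MFA device swaps, and bulk deletion of security emails, cross-referenced per account) can be expressed as a short script over identity-provider and mailbox audit events. This is an added example, not code from the article or from any vendor; the event schema, the office-hours window and the proxy address ranges are assumptions, and the ranges are TEST-NET placeholders rather than the real address space of the providers named above.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed placeholder ranges standing in for residential-proxy address
# space (TEST-NET blocks, not the real ranges of the providers named above).
# In production, populate these from your threat-intel feed.
PROXY_RANGES = {
    "proxy-provider-A (placeholder)": ip_network("203.0.113.0/24"),
    "proxy-provider-B (placeholder)": ip_network("198.51.100.0/24"),
}
BUSINESS_HOURS = range(8, 18)  # assumed local office hours, 08:00-17:59
ALERT_KEYWORDS = ("login", "authentication", "security alert")

def ts(s):
    """Parse an ISO-8601 timestamp; the sample events are written in UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample identity-provider and mailbox audit events (assumed schema).
EVENTS = [
    {"t": "2025-11-03T09:15:00", "user": "alice", "type": "login", "ip": "192.0.2.10"},
    {"t": "2025-11-04T02:41:00", "user": "bob", "type": "login", "ip": "203.0.113.77"},
    {"t": "2025-11-04T02:43:00", "user": "bob", "type": "mfa_device_removed", "ip": "203.0.113.77"},
    {"t": "2025-11-04T02:44:00", "user": "bob", "type": "mfa_device_registered", "ip": "203.0.113.77"},
    {"t": "2025-11-04T02:46:00", "user": "bob", "type": "email_deleted", "subject": "Security alert: new sign-in"},
    {"t": "2025-11-04T02:46:10", "user": "bob", "type": "email_deleted", "subject": "New authentication method added"},
    {"t": "2025-11-04T02:46:20", "user": "bob", "type": "email_deleted", "subject": "Login from new device"},
    {"t": "2025-11-04T10:00:00", "user": "carol", "type": "mfa_device_registered", "ip": "192.0.2.20"},
    {"t": "2025-11-04T10:05:00", "user": "carol", "type": "email_deleted", "subject": "Lunch menu"},
]

def proxy_logins(events):
    """Logins from proxy ranges; the last field marks an off-hours login."""
    hits = []
    for e in events:
        if e["type"] != "login":
            continue
        addr = ip_address(e["ip"])
        for label, net in PROXY_RANGES.items():
            if addr in net:
                off_hours = ts(e["t"]).hour not in BUSINESS_HOURS
                hits.append((e["user"], e["ip"], label, off_hours))
    return hits

def mfa_swaps(events, window=timedelta(minutes=15)):
    """An MFA device removed, then a new one registered within `window`."""
    removed, swaps = {}, []
    for e in sorted(events, key=lambda e: e["t"]):  # ISO strings sort by time
        if e["type"] == "mfa_device_removed":
            removed[e["user"]] = ts(e["t"])
        elif e["type"] == "mfa_device_registered" and e["user"] in removed:
            if ts(e["t"]) - removed[e["user"]] <= window:
                swaps.append((e["user"], ts(e["t"]).hour not in BUSINESS_HOURS))
    return swaps

def alert_purges(events, min_count=3, window=timedelta(minutes=10)):
    """Users deleting >= min_count security-related emails inside `window`."""
    per_user = {}
    for e in events:
        if e["type"] == "email_deleted" and any(
                k in e["subject"].lower() for k in ALERT_KEYWORDS):
            per_user.setdefault(e["user"], []).append(ts(e["t"]))
    flagged = []
    for user, times in per_user.items():
        times.sort()
        if any(times[i + min_count - 1] - times[i] <= window
               for i in range(len(times) - min_count + 1)):
            flagged.append(user)
    return flagged

def triage(events):
    """Accounts with both an MFA swap and an alert purge: investigate first."""
    return sorted({u for u, _ in mfa_swaps(events)} & set(alert_purges(events)))

if __name__ == "__main__":
    for rule in (proxy_logins, mfa_swaps, alert_purges, triage):
        print(rule.__name__, rule(EVENTS))
```

On the sample data only "bob" trips all three rules; "carol" registers a device during office hours without a prior removal and is not flagged.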

Short-Term Response (Complete This Week)

Implement network segmentation between your identity management systems and production SaaS applications. This architectural change limits the blast radius when credentials are compromised, preventing automatic propagation across your entire cloud infrastructure. Configure conditional access policies that require step-up authentication when users attempt to access sensitive data repositories from new devices or locations.

Establish a communication protocol for handling extortion contact. Designate specific personnel authorized to engage with threat actors, and ensure all communications are logged and reviewed by legal counsel. Create templates for internal notifications that avoid triggering panic while ensuring appropriate stakeholders understand the severity of the situation. Document your decision-making process regarding ransom payments, considering both the seven-figure demands typical of these groups and the potential for follow-on harassment including DDoS attacks or employee swatting.

Rotate credentials for all accounts with access to customer data or critical business systems. Focus first on accounts that haven't required MFA historically, as these represent the easiest targets for initial compromise. Include service accounts and API keys in this rotation, as attackers often target these overlooked authentication mechanisms to maintain persistence after primary credentials are reset.

Long-Term Hardening (Implement This Month)

Deploy behavioral analytics specifically tuned to detect identity platform abuse. Configure alerting for unusual patterns such as rapid traversal across multiple SaaS applications, bulk data downloads following new device registrations, or authentication attempts from residential IP ranges. Aviation sector organizations should prioritize monitoring for lateral movement between IT and operational technology boundaries, while financial services firms need enhanced scrutiny on systems accessing customer financial records.
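Two of the behavioral patterns named above, bulk downloads following a new device registration and rapid traversal across multiple SaaS applications, can be written as correlation rules over SSO and application audit events. This is an added example, not the article's or any product's code; the event schema, the windows and the byte threshold are assumptions to be tuned to your own baseline, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    """Parse an ISO-8601 timestamp (the constructed events are all UTC)."""
    return datetime.fromisoformat(s)

# Constructed sample SSO / SaaS audit events (assumed schema).
EVENTS = [
    {"t": "2025-11-05T03:02:00", "user": "dave", "app": "idp", "type": "mfa_device_registered"},
    {"t": "2025-11-05T03:05:00", "user": "dave", "app": "email", "type": "app_access"},
    {"t": "2025-11-05T03:07:00", "user": "dave", "app": "drive", "type": "app_access"},
    {"t": "2025-11-05T03:09:00", "user": "dave", "app": "crm", "type": "app_access"},
    {"t": "2025-11-05T03:11:00", "user": "dave", "app": "hr", "type": "app_access"},
    {"t": "2025-11-05T03:20:00", "user": "dave", "app": "drive", "type": "download", "bytes": 900_000_000},
    {"t": "2025-11-05T03:35:00", "user": "dave", "app": "drive", "type": "download", "bytes": 700_000_000},
    {"t": "2025-11-05T09:00:00", "user": "erin", "app": "email", "type": "app_access"},
    {"t": "2025-11-05T09:30:00", "user": "erin", "app": "drive", "type": "download", "bytes": 50_000_000},
    {"t": "2025-11-05T14:00:00", "user": "erin", "app": "drive", "type": "app_access"},
]

def downloads_after_new_device(events, window=timedelta(hours=24),
                               threshold=1_000_000_000):
    """Users whose downloads within `window` of a new MFA device exceed `threshold` bytes."""
    registered, total = {}, defaultdict(int)
    for e in sorted(events, key=lambda e: e["t"]):  # ISO strings sort by time
        if e["type"] == "mfa_device_registered":
            registered[e["user"]] = ts(e["t"])
        elif (e["type"] == "download" and e["user"] in registered
              and ts(e["t"]) - registered[e["user"]] <= window):
            total[e["user"]] += e["bytes"]
    return {u: b for u, b in total.items() if b >= threshold}

def rapid_saas_traversal(events, window=timedelta(minutes=15), min_apps=4):
    """Users touching >= min_apps distinct apps inside any sliding `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] in ("app_access", "download"):
            per_user[e["user"]].append((ts(e["t"]), e["app"]))
    flagged = {}
    for user, hits in per_user.items():
        hits.sort()
        for t0, _ in hits:  # slide the window from each event start
            apps = {a for t, a in hits if t0 <= t <= t0 + window}
            if len(apps) >= min_apps:
                flagged[user] = sorted(apps)
                break
    return flagged

if __name__ == "__main__":
    print(downloads_after_new_device(EVENTS))
    print(rapid_saas_traversal(EVENTS))
```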

Conduct third-party risk assessments focusing on identity federation relationships. Review which external applications have SSO integration with your primary identity provider, and validate that each maintains appropriate security controls. Remove unnecessary integrations that expand your attack surface without delivering business value. Academic institutions with numerous research partnerships face particular exposure through these federated connections and should implement additional verification steps for external collaborator access.

Industry-Specific Risk Assessment: Where You Stand

The intersection of sector-specific operations and identity-based attacks creates unique extortion leverage that these threat groups systematically exploit. Each industry's regulatory framework, data sensitivity, and operational dependencies determine not just the initial ransom demand but the likelihood of escalation to DDoS attacks or employee swatting when payments aren't made.

Academic institutions face a perfect storm of vulnerabilities. Student records containing Social Security numbers, financial aid information, and medical data from campus health centers create multiple regulatory exposures under FERPA, HIPAA, and state privacy laws. Research data, particularly from defense-funded projects or pharmaceutical trials, becomes leverage for both financial extortion and potential nation-state interest. The decentralized nature of university IT systems - where individual departments often manage their own authentication - multiplies the attack surface these groups exploit.

Aviation sector organizations confront national security implications that transform data theft into potential terrorism charges. Passenger manifests, crew schedules, and maintenance records fall under TSA regulations, while flight operations data could enable physical attacks. The interconnected nature of airline systems means identity compromise at a regional carrier can cascade through codeshare agreements to major airlines. International data transfers trigger GDPR complications when European passenger data gets exposed.

Automotive manufacturers protect intellectual property worth billions in R&D investments. CAD files for unreleased models, supplier contracts, and manufacturing processes become extortion ammunition. Connected vehicle telemetry data exposes customer location histories and driving patterns, creating privacy violations across multiple jurisdictions. Supply chain integration means attackers accessing tier-one supplier portals can pivot into OEM networks, threatening just-in-time manufacturing schedules.

Financial services firms navigate the most complex regulatory maze. Customer account data, transaction histories, and credit reports trigger mandatory breach notifications under multiple frameworks including GLBA, PCI-DSS, and state banking regulations. Know Your Customer documentation contains passport scans and proof-of-address documents that enable identity theft at scale. Trading algorithms and investment strategies represent competitive advantages worth protecting at almost any cost.

Hospitality companies manage reservation systems containing payment cards, passport numbers, and travel itineraries that reveal executive movement patterns. Loyalty program databases with millions of members become targets for credential stuffing attacks across other platforms. Property management systems at individual hotels often lack centralized security oversight, creating entry points into corporate networks. GDPR fines for European guest data exposure can exceed the extortion demands themselves.

Legal firms hold the most sensitive client communications protected by attorney-client privilege. Merger documentation, litigation strategies, and settlement negotiations lose their value once exposed. Conflicts of interest emerge when multiple clients' data gets compromised simultaneously. State bar associations may require disclosure that damages reputation regardless of whether ransoms are paid. International law firms face conflicting breach notification requirements across jurisdictions.

Retail organizations process payment card data that triggers PCI-DSS compliance requirements and potential card brand fines. Customer purchase histories reveal personal preferences that competitors would pay to access. Inventory management systems control supply chains where disruption causes empty shelves and lost revenue. E-commerce platforms integrate with dozens of third-party services, each representing a potential pivot point for attackers who've compromised identity systems.

Technology companies safeguard source code repositories that represent years of development investment. API keys and service credentials embedded in code enable lateral movement across customer environments. Customer data from SaaS platforms includes not just user information but their clients' data, creating nested liability. Intellectual property theft enables competitors to replicate products without development costs.

If You're Contacted: Extortion Response Framework

The first contact arrives through channels designed to maximize psychological pressure: a phone call to your CEO's direct line, an email to your board members, or messages sent through your own compromised systems. The attackers claim they've exfiltrated sensitive data and set a deadline - typically 48 to 72 hours - before publication on their leak site.

Your immediate priority becomes verification without alerting the attackers to your investigation status. Request proof of data possession through a secure channel, demanding specific file names, folder structures, or unique identifiers only someone with genuine access would know. Avoid generic requests like "show us what you have" - instead ask for the last three rows from a specific database table or metadata from proprietary documents.

Contact your cyber insurance carrier before any direct engagement with threat actors. Most policies require notification within 24 hours and prohibit ransom payments without insurer approval. Your carrier maintains relationships with specialized negotiation firms who understand these groups' patterns, typical discount structures, and verification protocols. They've handled hundreds of similar cases and know when claims are legitimate versus opportunistic bluffs.

Document every interaction meticulously for law enforcement and potential litigation. Record phone calls where legally permitted, preserve all written communications with full headers, and maintain a timeline log with timestamps in UTC. The FBI's Internet Crime Complaint Center (IC3) requires specific data elements for their reports: the initial contact method, any cryptocurrency wallet addresses provided, communication platforms used, and samples of exfiltrated data if shared.

Legal consultation becomes mandatory when considering any form of engagement. OFAC sanctions prohibit payments to certain threat actors and jurisdictions, with violations carrying penalties far exceeding typical ransom amounts. Your legal team must assess whether paying would violate state breach notification laws, SEC disclosure requirements, or industry-specific regulations like HIPAA or PCI-DSS. Some states now criminalize ransom payments to sanctioned entities, adding personal liability for executives who authorize transfers.

If verification confirms data theft, establish communication protocols that protect your organization while maintaining dialogue. Use dedicated email accounts on ProtonMail or Tutanota rather than corporate systems. Assign a single point of contact to prevent contradictory messages. Never admit liability, acknowledge specific data types, or confirm internal system names. Phrase responses carefully: "We're reviewing your claims" rather than "We see you have our customer database."

The decision to pay involves factors beyond the ransom amount. Organizations that refuse payment face potential DDoS attacks disrupting operations for days or weeks. Employee swatting incidents create physical safety risks and psychological trauma. Published data triggers regulatory investigations, class-action lawsuits, and competitive disadvantage as trade secrets become public. Yet payment provides no guarantee of data deletion, often funds additional attacks, and may violate corporate insurance policies or loan covenants.

Prepare these materials before contacting authorities: network logs showing initial compromise timestamps, inventory of potentially accessed systems, list of data types stored in compromised environments, count of affected individuals for breach notifications, and evidence of extortion communications. Local FBI field offices maintain cybercrime units familiar with these groups' operations, while Secret Service Electronic Crimes Task Forces offer additional federal resources. State attorneys general increasingly coordinate multi-victim responses when attackers target numerous organizations within their jurisdiction.
