
Cybersecurity researchers warn about the operation of two cybercriminal groups, Cordial Spider and Snarky Spider, which are executing data theft and extortion attacks in a “rapid and high-impact” manner, operating almost exclusively within SaaS (Software as a Service) environments and leaving minimal trace of their activities.
Both groups, active since at least October 2025, share notable operational similarities. Snarky Spider, a native English-speaking group, has ties to the cybercrime ecosystem known as “The Com.”
Attack Tactics and Methodologies:
- Vishing and AiTM Phishing: Attackers use vishing (voice phishing) to direct specific users to malicious SSO (Single Sign-On) themed Adversary-in-the-Middle (AiTM) pages. There, they capture authentication data and pivot directly to SSO-integrated SaaS applications.
- Operating within Trusted Environments: By operating almost exclusively within trusted SaaS environments, they minimize their digital footprint and accelerate time to impact, presenting significant challenges for defender detection and visibility.
- Impersonation of IT Personnel: The attackers pose as IT support staff and direct victims to phishing pages, tricking them into handing over their credentials and multi-factor authentication (MFA) codes.
- MFA Bypass and Persistence: After removing the victim’s existing devices, the attackers register a new device of their own to bypass MFA and keep their access.
- Notification Suppression: They configure inbox rules that automatically delete the notification emails the victim would otherwise receive about the unauthorized device registration.
- Social Engineering and Privilege Escalation: They then target high-privilege accounts through additional social engineering, extracting information from internal employee directories.
- Data Access and Exfiltration: Once they gain elevated access, they break into targeted SaaS environments to search for high-value files and business-critical reports on platforms such as Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, then exfiltrate the data into their infrastructure.
- IdP-SaaS Trust Abuse: Compromised credentials often grant access to the organization’s identity provider (IdP), providing a single entry point to multiple SaaS applications. By abusing the trust relationship between the IdP and connected services, adversaries avoid compromising individual SaaS applications and move laterally throughout the victim’s entire SaaS ecosystem with a single authenticated session.
Impact on Specific Sectors:
CL-CRI-1116 activity has been actively targeting the retail and hospitality sectors since February 2026.
Evasion Techniques:
- Living-off-the-Land (LotL): Intrusions primarily rely on “living-off-the-land” techniques, using legitimate operating system tools and processes to go undetected.
- Residential Proxies: They use residential proxies to hide their geographic location and bypass basic IP-based reputation filters.
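The device-swap and notification-suppression steps above leave a recognizable sequence in identity-provider and mailbox audit logs, and a detection built on that sequence does not depend on IP reputation, which the residential proxies noted above are meant to defeat. The following is an added example written for this page, not code from the original post or from any vendor: it assumes a normalized event schema (fields `ts`, `user`, `action`, `detail`) and uses constructed sample events standing in for an IdP and mailbox audit export.

```python
"""Flag a new MFA device registration that coincides, within a short window,
with an inbox rule deleting security notifications (and optionally with the
removal of the user's previous devices).

Added example for this page. The event schema, action names and sample
events are constructed assumptions, not any product's real log format."""
from datetime import datetime, timedelta

# Constructed sample events: alice shows the full pattern, bob only a new
# device, carol an ordinary mail-filing rule. Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:01:00", "user": "alice", "action": "sso_login",
     "detail": {"ip": "203.0.113.10"}},
    {"ts": "2026-03-02T09:02:30", "user": "alice", "action": "mfa_device_registered",
     "detail": {"device": "unknown-android"}},
    {"ts": "2026-03-02T09:03:10", "user": "alice", "action": "mfa_device_removed",
     "detail": {"device": "corp-iphone"}},
    {"ts": "2026-03-02T09:04:00", "user": "alice", "action": "inbox_rule_created",
     "detail": {"rule_action": "delete", "subject_contains": "New device registered"}},
    {"ts": "2026-03-02T11:00:00", "user": "bob", "action": "mfa_device_registered",
     "detail": {"device": "corp-iphone"}},
    {"ts": "2026-03-03T08:00:00", "user": "carol", "action": "inbox_rule_created",
     "detail": {"rule_action": "move", "subject_contains": "newsletter"}},
]

# Subject fragments typical of IdP / mail security notifications (assumed list;
# tune to the wording your own providers use).
SECURITY_TERMS = ("new device", "device registered", "security alert",
                  "sign-in", "mfa", "authenticator")

# How close in time the events must be to count as one sequence.
WINDOW = timedelta(minutes=60)


def is_suppression_rule(event):
    """True if the event creates an inbox rule that deletes security mail."""
    if event["action"] != "inbox_rule_created":
        return False
    detail = event["detail"]
    if detail.get("rule_action") not in ("delete", "move_to_deleted"):
        return False
    subject = detail.get("subject_contains", "").lower()
    return any(term in subject for term in SECURITY_TERMS)


def detect_device_swap(events, window=WINDOW):
    """Return one finding per new-device registration that is accompanied,
    within `window`, by a notification-suppression rule for the same user.
    Severity is raised to 'high' when an existing device was also removed."""
    findings = []
    by_user = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(event["user"], []).append(event)

    for user, user_events in by_user.items():
        for anchor in user_events:
            if anchor["action"] != "mfa_device_registered":
                continue
            t0 = datetime.fromisoformat(anchor["ts"])
            related = [e for e in user_events if e is not anchor
                       and abs(datetime.fromisoformat(e["ts"]) - t0) <= window]
            removed = any(e["action"] == "mfa_device_removed" for e in related)
            suppressed = any(is_suppression_rule(e) for e in related)
            if not suppressed:
                continue  # a lone device registration is normal enrolment
            findings.append({
                "user": user,
                "anchor_ts": anchor["ts"],
                "severity": "high" if removed else "medium",
                "device_removed": removed,
                # Sign-in IPs in the window are attached for triage only;
                # the verdict never depends on IP reputation.
                "login_ips": sorted({e["detail"].get("ip") for e in related
                                     if e["action"] == "sso_login"}),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_device_swap(SAMPLE_EVENTS):
        print(finding)
```

The rule fires only when the registration is paired with a suppression rule, so routine enrolment (bob) and ordinary mail filing (carol) stay silent; in a real deployment the same logic would run over the IdP's authentication-method audit events and the mail platform's rule-creation events once both are mapped to the assumed schema.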
Conclusion:
The sophistication and speed of the attacks executed by Cordial Spider and Snarky Spider highlight the growing threat posed by cybercriminal groups exploiting the operational efficiencies of SaaS environments. The combination of vishing, AiTM phishing, and abuse of organizations’ identity infrastructure allows these actors to achieve rapid access and significant data exfiltration with minimal detection.
Confidence
What would we do in these cases?
Protect your business from digital threats with Defensive Cybersecurity from Comfidentia. Our comprehensive services provide you with robust protection against cyberattacks, helping you ensure the security of your sensitive data.
Forensic Analysis
Discover the truth hidden in the data with our Forensic Analysis service. We collect, examine and thoroughly analyze every digital trace to reveal the root cause of any incident. Our team of experts follows the key steps: Identification, Acquisition, Analysis and Presentation of solid evidence. Don’t waste any more time searching for answers, trust our experience to reveal the evidence you need.
Vulnerability Management
Don’t risk the security of your company! With our Vulnerability Management solutions, you won’t just get a simple scan or risk assessment, but a complete assessment together with your team. Our approach goes further by proposing real and lasting solutions, adapted to the specific capabilities and needs of your business and systems.
Protect your Brand from Cyber Threats
Protect your business today with Brand Intelligence! Our specialized service provides you with valuable information about possible malicious actors trying to impersonate your brand or domain. By detecting these threats, you can take quick and effective measures to safeguard your company’s reputation. Don’t let cybercriminals damage your image, trust Brand Intelligence to keep your business safe at all times.
Secure Software Development
With our specialized tools and skills, you can create vulnerability-proof applications and programs from start to finish. Our approach is based on a robust model that includes secure design, development process, vulnerability management and information security. This ensures that your software is protected at every stage of the process.
References
Original source: See original article
- CrowdStrike Counter Adversary Operations Report
- Mandiant Report (January 2026)
- Palo Alto Networks Unit 42
- Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC)