Com
The Com is described as a loose, amorphous collective of mostly cybercriminal gangs that evolved on Discord and Telegram and is also referred to as Comm. Reported subgroups include LAPSUS$ and Scattered Spider. The collective has been linked in the provided content to cyberattacks, ransomware extortion operations, and doxxing activity.
The content states that Com-affiliated groups commonly use social engineering and vishing, including impersonating internal IT staff or employees to trick help desks or users into resetting credentials, enrolling unauthorized MFA devices, or entering credentials and MFA codes into phishing pages. In the cited activity, actors rapidly identify and exfiltrate sensitive data from Microsoft cloud services such as SharePoint and OneDrive after account compromise, then use compromised accounts to send extortion emails and internal Microsoft Teams messages. Reported infrastructure patterns include reuse of common second-level phishing domains with victim-specific third-level subdomains, with phishing infrastructure often hosted through DDoS-Guard.
The content also describes Scattered Spider, identified as part of the Com, as using social engineering, help-desk phishing, and insider access in hybrid environments; targeting third-party IT providers; and conducting data theft, extortion, and ransomware deployment. In one reported intrusion, attackers targeted a CFO, used personal data to pass identity checks, enumerated Entra ID privileged accounts and service principals, performed SharePoint discovery, accessed Horizon VDI and VPN infrastructure, reinstated and created VMs to reach VMware vCenter, shut down a production domain controller, extracted NTDS.dit, accessed a CyberArk vault and obtained more than 1,400 secrets, used ngrok for persistence, and deleted Azure Firewall policy rule collection groups after detection.
The content says Scattered Spider has targeted sectors including aviation and transportation, and that Com subgroups have conducted attacks against victims including MGM Casinos and Marks & Spencer. Separately, the content reports that a member of The Com posted spreadsheets on Telegram containing personal information for hundreds of US government officials, including DHS, FBI, and DOJ personnel, with home addresses in some cases. Another mention states that in October, the Com reportedly published personal data belonging to hundreds of government officials. The provided content does not attribute The Com to a nation state.
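The infrastructure pattern described above (a shared second-level phishing domain with victim-specific third-level subdomains) can be hunted for in DNS or proxy logs. The following is an added example, not code from this page or its sources; the brand keyword, owned-domain list, sample hostnames and the simplified suffix handling are all assumptions.

```python
from collections import defaultdict

BRANDS = {"examplecorp"}               # assumption: defender-supplied brand keywords
OWNED = {"examplecorp.com"}            # assumption: domains the organisation controls
MULTI_SUFFIXES = {"co.uk", "com.au"}   # simplification; use the Public Suffix List in production

# Constructed sample of hostnames as they might appear in resolver or proxy logs.
SAMPLE = [
    "login.examplecorp.com",
    "examplecorp.sso-helpdesk.example",
    "otherco.sso-helpdesk.example",
    "EXAMPLECORP-sso.it-verify.example.",
    "www.news-site.example",
]

def split_host(host):
    """Return (registrable_domain, subdomain_labels) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_SUFFIXES else 2
    return ".".join(labels[-n:]), labels[:-n]

def flag_lookalikes(hostnames, brands=BRANDS, owned=OWNED):
    """Flag hosts whose subdomain carries our brand under a domain we do not own.

    For each flagged parent domain, also list the other third-level labels seen
    under it: sibling labels suggest the same parent is reused across victims.
    """
    matched = defaultdict(set)   # parent -> normalised hosts carrying our brand
    third = defaultdict(set)     # parent -> every third-level label observed
    for host in hostnames:
        parent, sub = split_host(host)
        if parent in owned or not sub:
            continue
        third[parent].add(sub[-1])
        if any(b in label for label in sub for b in brands):
            matched[parent].add(".".join(sub + [parent]))
    return {
        p: {"matched": sorted(hosts),
            "siblings": sorted(l for l in third[p]
                               if not any(b in l for b in brands))}
        for p, hosts in matched.items()
    }

if __name__ == "__main__":
    for parent, info in flag_lookalikes(SAMPLE).items():
        print(parent, info)
```

A parent domain that returns non-empty `siblings` is worth pivoting on, since the other labels may name additional targeted organisations.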
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Com-affiliated groups are referenced as commonly using vishing for initial access, harvesting credentials and MFA codes via phishing pages, rapidly exfiltrating data from SharePoint and OneDrive, and using compromised accounts for extortion via email and Microsoft Teams.
Reportedly published personal data belonging to hundreds of government officials, indicating doxxing and exposure of sensitive personal information.
Loose collective associated with cyberattacks, ransomware/extortion activity, and doxxing/leaking of personal information of US federal law enforcement and government officials via Telegram.
Loose-knit online collective (Discord/Telegram-origin) that includes multiple cybercrime groups; characterized by fluid membership that complicates disruption efforts.