Cordial Spider
Cordial Spider is a financially motivated threat actor affiliated with The Com and closely aligned with Scattered Spider. It is also tracked as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671. Since at least October 2025, researchers have observed Cordial Spider conducting rapid data theft and extortion campaigns that operate almost exclusively within trusted SaaS environments, including Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, creating significant visibility challenges for defenders.

The group primarily targets U.S.-based organizations across multiple sectors, including academic, aviation, retail, hospitality, automotive, financial services, legal, and technology. Separate reporting specifically noted targeting of retail and hospitality organizations since February 2026.

Its operations rely heavily on voice phishing and other social engineering, including impersonation of IT help desk or support personnel via phone calls, texts, and emails, to direct victims to adversary-in-the-middle phishing pages that mimic legitimate single sign-on or identity provider portals. These pages capture credentials, MFA codes, session keys, or tokens, which are then used to access the victim's identity provider and pivot across connected SaaS applications through existing trust relationships.

After initial access, Cordial Spider establishes persistence by removing existing MFA devices and registering attacker-controlled devices, including a broader mix of mobile devices and QEMU-based emulators. The actor suppresses detection by deleting security emails and creating inbox rules to filter or remove messages related to alerts, incidents, or MFA changes. It also uses living-off-the-land techniques and residential proxy or VPN services, including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and NSOCKS, to obscure origin and evade IP-based detection.
Cordial Spider targets privileged accounts through additional social engineering and internal directory scraping, then searches SaaS platforms for high-value files, business-critical reports, and sensitive data. Reported search themes include terms such as confidential, SSN, contracts, and VPN. The group’s objective is data theft for extortion, with reported ransom demands often in the seven-figure range. Some non-paying victims have reportedly also faced DDoS attacks. CrowdStrike described Cordial Spider and Snarky Spider as a newer generation using much of Scattered Spider’s playbook, while noting they have not demonstrated the same impact or technical capability as Scattered Spider.
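The inbox-rule suppression described above is one of the more detectable steps in this tradecraft, since rule creation is audited in most mail platforms. The following is an added example, not code from the page's sources: a Python check over constructed rule-creation events that flags rules which both match alert/MFA vocabulary and hide the matching mail. The event shape and field names (SubjectContainsWords, DeleteMessage, MoveToFolder, and so on) are assumptions loosely modelled on Exchange inbox-rule parameters.

```python
import re

# Constructed sample audit records (not from the page). Field names are
# assumptions loosely modelled on Exchange inbox-rule parameters.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "op": "New-InboxRule",
     "params": {"Name": "cleanup", "SubjectContainsWords": ["Security alert", "MFA"],
                "DeleteMessage": True}},
    {"user": "bob@example.com", "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "FromAddressContainsWords": ["news@vendor.example"],
                "MoveToFolder": "Newsletters"}},
    {"user": "carol@example.com", "op": "Set-InboxRule",
     "params": {"Name": ".", "BodyContainsWords": ["incident"],
                "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"user": "dave@example.com", "op": "New-InboxRule",
     "params": {"Name": "auth", "SubjectContainsWords": ["MFA"], "MoveToFolder": "Important"}},
]

# Vocabulary of the security notifications the actor is reported to filter out.
ALERT_TERMS = re.compile(r"\b(alert|incident|mfa|multi-?factor|security|suspicious|sign-?in)\b", re.I)
CONDITION_KEYS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "FromAddressContainsWords")
HIDING_ACTIONS = ("DeleteMessage", "SoftDeleteMessage", "MarkAsRead")
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items",
                  "archive", "conversation history"}

def rule_hides_mail(params):
    """True when the rule deletes, marks read, or buries mail in a rarely viewed folder."""
    if any(params.get(k) for k in HIDING_ACTIONS):
        return True
    folder = str(params.get("MoveToFolder", "")).strip().lower()
    return folder in HIDING_FOLDERS

def rule_matches_alerts(params):
    """True when any rule condition references alert/MFA/security vocabulary."""
    words = [w for k in CONDITION_KEYS for w in params.get(k, [])]
    return any(ALERT_TERMS.search(w) for w in words)

def find_suppressive_rules(events):
    """Return (user, rule name) for inbox-rule events that both match alerts and hide them."""
    hits = []
    for ev in events:
        if ev.get("op") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = ev.get("params", {})
        if rule_matches_alerts(p) and rule_hides_mail(p):
            hits.append((ev["user"], p.get("Name", "")))
    return hits

if __name__ == "__main__":
    for user, name in find_suppressive_rules(SAMPLE_EVENTS):
        print(f"suspicious inbox rule '{name}' created by {user}")
```

A rule that merely moves MFA mail to a visible folder (dave's) is not flagged; the pairing of alert vocabulary with a hiding action is what separates this tradecraft from ordinary mailbox housekeeping.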
Tradecraft: 27 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Observables: 1 indicator attributed to this actor (domains, IPs, hashes, and other artifacts pulled from reporting).
Recent activity
4 sources tracked across advisories, community write-ups, and news:
Conducting aggressive SaaS-centric data theft campaigns by abusing SSO-integrated cloud environments, using vishing and adversary-in-the-middle phishing to steal credentials and session tokens, then manipulating MFA settings for persistence and rapidly exfiltrating sensitive data.
Conducting rapid, high-impact data theft and extortion campaigns primarily within SaaS environments, using vishing and adversary-in-the-middle phishing to capture credentials and pivot into SSO-integrated applications.
Financially motivated threat group affiliated with The Com conducting rapid data theft and extortion attacks against organizations across multiple sectors, using voice-phishing and social engineering to compromise identity platforms and move through SaaS environments.
Financially motivated extortion and rapid data-theft operations targeting identity platforms and SaaS environments, especially across critical infrastructure and enterprise sectors. The group is described as closely aligned with Scattered Spider and part of the broader The Com ecosystem.