Mallory

Cordial Spider and Snarky Spider hit U.S. sectors with identity-driven extortion

Tags: identity-impersonation-fraud, credential-access-method, data-exfiltration-method, financial-sector-threat, critical-infrastructure-threat
Updated May 2, 2026 at 08:01 AM. 4 sources.

CrowdStrike says two financially motivated threat groups tied to The Com, Cordial Spider and Snarky Spider, are conducting rapid data-theft and extortion campaigns against U.S.-based organizations across critical infrastructure and commercial sectors, including aviation, retail, hospitality, automotive, financial services, legal, academic, and technology. The actors are described as closely aligned with Scattered Spider and linked to other The Com subsets such as SLSH and ShinyHunters, with operations observed since at least October 2025 and ransom demands in some cases reaching seven figures.

The groups rely on voice phishing, text messages, emails, and other social-engineering tactics to compromise identity platforms and move through victims’ SaaS environments. Researchers said the attackers use phishing pages that mimic legitimate single sign-on and identity provider portals to steal credentials, session keys, and tokens, then register their own MFA devices, disable MFA, suppress or delete alerts, and expand access across connected services. CrowdStrike also identified differences in the crews’ tradecraft, including operating hours, phishing infrastructure, leak sites, preferred operating systems, and MFA-registration methods, while noting their use of residential proxy services such as Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and NSOCKS to evade detection; some victims were additionally subjected to DDoS attacks or swatting.
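The sequence described above (credential theft, then a new MFA device registered on the account, then MFA disabled or alerts suppressed) is a detectable pattern in identity-provider audit logs. The following correlator is an added example, not code from the page or from CrowdStrike; the event type names, field names and sample log entries are constructed and need mapping to the real audit schema of your IdP.

```python
"""Correlate IdP audit events into the takeover sequence the story describes:
login, new MFA factor enrolled on the same account, then MFA or alerting
weakened, within a short window. Added example, not CrowdStrike's or the
page's code; event names, fields and sample log are constructed."""
from datetime import datetime, timedelta

# Constructed audit log: (ISO timestamp, actor, event type, detail).
SAMPLE_EVENTS = [
    ("2026-04-29T09:02:00", "alice", "user.login", "src=residential-proxy"),
    ("2026-04-29T09:05:00", "alice", "mfa.factor.enroll", "type=totp"),
    ("2026-04-29T09:11:00", "alice", "mfa.policy.disable", "scope=user"),
    ("2026-04-29T09:12:00", "alice", "alert.rule.delete", "rule=mfa-change"),
    ("2026-04-29T10:00:00", "bob", "user.login", "src=corp-vpn"),
    ("2026-04-29T14:30:00", "bob", "mfa.factor.enroll", "type=webauthn"),
]

# Ordered stages; a stage is satisfied by any of its event types.
STAGES = (
    {"user.login"},
    {"mfa.factor.enroll"},
    {"mfa.policy.disable", "alert.rule.delete", "alert.rule.suppress"},
)

def detect_takeover_chain(events, window_minutes=30):
    """Return {actor: [(event, detail), ...]} for accounts whose trail shows
    every stage, in order, within window_minutes of the triggering login."""
    window = timedelta(minutes=window_minutes)
    by_actor = {}
    for ts, actor, event, detail in events:
        by_actor.setdefault(actor, []).append(
            (datetime.fromisoformat(ts), event, detail))
    hits = {}
    for actor, trail in by_actor.items():
        trail.sort()  # chronological order per account
        for i, (start, event, detail) in enumerate(trail):
            if event not in STAGES[0]:
                continue  # only a login can open a candidate chain
            stage, matched = 1, [(event, detail)]
            for ts, later, later_detail in trail[i + 1:]:
                if ts - start > window:
                    break  # too slow for this pattern; try the next login
                if later in STAGES[stage]:
                    matched.append((later, later_detail))
                    stage += 1
                    if stage == len(STAGES):
                        hits[actor] = matched
                        break
            if actor in hits:
                break
    return hits
```

Bob's enrollment of a WebAuthn key hours after a VPN login is the benign case and is not flagged; Alice's trail completes all three stages in ten minutes and is.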

Timeline

  1. Apr 30, 2026

    CrowdStrike publicly identifies Cordial Spider and Snarky Spider

    CrowdStrike reported that the two The Com-affiliated extortion crews were actively targeting critical infrastructure and enterprise sectors, primarily in the United States. The company described their links to Scattered Spider, identity-focused intrusion methods, use of residential proxies, and coercive tactics including DDoS and swatting in some cases.

  2. Apr 16, 2026

    Researchers document Silver Fox's modified RustSL and ABCDoor activity

    Securelist published analysis attributing the tax-notification campaign to Silver Fox and detailing its customized Rust-based loader, geofencing, persistence methods, and use of the newly documented ABCDoor backdoor. The report also described segmented infrastructure and country-based execution controls used to reduce detection and maintain access.

  3. Jan 1, 2026

    Silver Fox sends more than 1,600 malicious tax emails

    Researchers observed over 1,600 malicious emails sent between early January and early February 2026 as part of the Silver Fox campaign. The emails delivered a modified Rust-based loader that deployed ValleyRAT and, in some cases, ABCDoor.

  4. Dec 1, 2025

    Silver Fox launches tax-themed phishing campaign in India and Russia

    From late 2025 into early 2026, Silver Fox ran a phishing campaign targeting organizations in India and Russia using tax-themed emails and PDFs with malicious links or archives. The activity affected organizations in industrial, consulting, retail, and transportation sectors.

  5. Oct 1, 2025

    Cordial Spider and Snarky Spider begin extortion campaigns

    CrowdStrike said the two The Com-affiliated groups had been targeting primarily U.S.-based organizations since at least October 2025. Their operations focused on social engineering and identity-platform compromise to enable rapid data theft and extortion.

  6. Jan 1, 2025

    Silver Fox begins actively using ABCDoor

    Researchers found ABCDoor had been actively used by Silver Fox since early 2025. Its use indicates the group had already integrated the backdoor into ongoing intrusion activity before the later tax-themed campaign.

  7. Dec 1, 2024

    ABCDoor likely enters Silver Fox toolkit

    Investigators assessed that the Python backdoor ABCDoor was likely added to Silver Fox's malware toolkit in late 2024. The malware was later delivered through multiple loader types, including C++, Go, and JavaScript-based chains.


Related Stories

BlackFile Extortion Gang Hits Retail and Hospitality With Vishing-Led Data Theft

**BlackFile**, a financially motivated extortion group likely tied to **The Com** and overlapping with activity tracked by CrowdStrike as **Cordial Spider**, has targeted retail and hospitality organizations with voice-phishing campaigns that impersonate corporate IT help desks. Researchers at Palo Alto Networks Unit 42 and RH-ISAC said the group has been active since at least February 2026, using spoofed phone numbers and fake corporate single sign-on pages to trick employees into surrendering credentials and one-time passcodes. After gaining access, the attackers register their own devices to bypass MFA, escalate privileges into administrative and executive accounts, and steal data from platforms including **Salesforce** and **SharePoint** through legitimate API and download functions. The stolen information is moved to attacker-controlled infrastructure, posted on a dark web leak site, and used to support **seven-figure ransom demands** sent from compromised employee accounts or Gmail; in some cases, the group has also used **swatting** against employees and executives to intensify pressure on victims.

5 days ago
Former Black Basta Affiliates Target Executives With Teams Phishing and Email Bombing

Suspected former **Black Basta** affiliates have launched a fast-scaling social-engineering campaign against dozens of organizations, targeting more than 100 employees to gain network access for **data theft, ransomware deployment, and extortion**. According to ReliaQuest, the operators use mass email bombing to overwhelm victims and then follow up through **Microsoft Teams** messages or phone calls while impersonating IT help desk staff. The activity has been linked to former Black Basta members or closely aligned actors because the tooling, targeting, and execution closely mirror the group’s historical playbook, even after Black Basta fragmented following the leak of its internal chats. The campaign has increasingly focused on senior leaders and other highly privileged personnel, with executive targeting rising from **59%** in January and February to **77%** in March. Attackers have persuaded victims to install remote monitoring and management tools such as **Supremo Remote Desktop** or to launch **Windows Quick Assist**, sometimes obtaining remote access within minutes before running malicious scripts. Manufacturing and professional services have been hit hardest, with finance, insurance, construction, and technology also affected, underscoring how the operators are moving faster and using more automation to scale intrusions and make early detection more difficult.

3 days ago
Emergence of New Cybercriminal Groups and Tools Targeting European Financial Sector

UK law enforcement is facing increased pressure from the simultaneous rise of young, English-speaking hackers such as those associated with 'Scattered Spider' and the continued threat from organized Russian-speaking ransomware groups. These new threat actors, often motivated by prestige and recruited from online communities, have been implicated in high-profile attacks on UK retailers, resulting in significant financial losses and straining the resources of authorities already challenged by budget constraints and evolving technology. The operational differences between these groups—Scattered Spider's focus on social engineering and the Russian-speaking groups' technical sophistication—are creating a complex threat landscape for the UK. Concurrently, a new phishing kit named 'Spiderman' has emerged, enabling cybercriminals to launch sophisticated phishing campaigns against dozens of European banks and cryptocurrency services. The kit allows attackers to create convincing replicas of legitimate banking and fintech sites, capture credentials and two-factor authentication codes, and even steal cryptocurrency wallet seed phrases. Its modular design and real-time control panel features make it a popular tool among cybercriminals, further complicating the security environment for financial institutions across Europe as they adapt to new e-banking authentication methods.

1 month ago