New Cyber Extortion Groups Target Critical Infrastructure with Phishing Tactics
Severity: High (Score: 71.0)
Sources: Cyberscoop, Scworld, cyberscoop.com, News.Defcros
Summary
Two threat groups, Cordial Spider and Snarky Spider, affiliated with The Com, are targeting U.S. organizations across various critical infrastructure sectors for rapid data theft and extortion. Their operations, reported by CrowdStrike, have been under way since at least October 2025 and involve sophisticated voice-phishing and social engineering tactics. These attackers exploit vulnerabilities in identity platforms and SaaS environments by tricking employees into providing credentials through fake Single Sign-On (SSO) pages. The groups are linked to the Scattered Spider operation and use methods that include disabling multi-factor authentication and deleting alert notifications to cover their tracks. Victims primarily belong to the academic, aviation, retail, hospitality, automotive, financial services, legal, and technology sectors. Extortion demands are typically in the seven-figure range, and some victims face additional DDoS attacks if they refuse to pay. The situation remains critical as the attackers continue to refine their tactics, posing a significant risk to sensitive data and organizational integrity.
Key Points:
- Cordial Spider and Snarky Spider are targeting critical infrastructure sectors in the U.S.
- Attack methods include voice phishing and fake SSO pages to steal credentials.
- Extortion demands from these groups typically reach seven figures.
Key Entities
- Cordial Spider (apt_group)
- Scattered Spider (apt_group)
- ShinyHunters (apt_group)
- SLSH (apt_group)
- Snarky Spider (apt_group)
- The Com (ransomware_group)
- Data Breach (attack_type)
- DDoS (attack_type)
- Phishing (attack_type)
- cyberpress.org (domain)
- Automotive (industry)
- Financial (industry)
- Hospitality (industry)
- Legal (industry)
- Retail (industry)
- T1566.002 - Spearphishing Link (mitre_attack)
- T1566 - Phishing (mitre_attack)
- 9Proxy (tool)
- Infatica (tool)
- Mullvad (tool)
- NetNut (tool)
- NSocks (tool)