Lyrie
Threat-Actor-Profile
By Lyrie.ai Cyber Research Division·5/12/2026

TL;DR

Two new Com-affiliated threat actors — Cordial Spider (aka BlackFile, CL-CRI-1116, UNC6671) and Snarky Spider — have been actively extorting enterprises across retail, hospitality, aviation, financial services, and technology since at least October 2025. CrowdStrike and Unit 42 both issued concurrent intelligence reports this week documenting their tradecraft in detail. The groups use no custom malware whatsoever. Their weapon is your identity stack: a voice call, a fake SSO page, and sixty minutes is all it takes to exfiltrate enough data to demand seven figures. They are not Scattered Spider — but they're running the same playbook, and they're getting good at it fast.


Background

The Com Lineage

Understanding Cordial Spider and Snarky Spider requires understanding their origin. Both are products of The Com — a loosely organized, largely English-speaking criminal network that has, over the past three years, produced some of the most damaging data theft and extortion operations in enterprise cybersecurity history.

The most visible Com branch is the SLH collective (Scattered Lapsus$ Hunters), which traces its genealogy through a merger of Scattered Spider (UNC3944), Lapsus$, and ShinyHunters. SLH has claimed over 1.5 billion stolen Salesforce records from a single campaign, disrupted schools and universities nationwide via the Instructure/Canvas breach affecting 275 million individuals, and cost Coinbase between $180M and $400M through insider bribery.

Cordial Spider and Snarky Spider are not confirmed members of SLH, but they are Com members operating from the same shared cultural and technical playbook. CrowdStrike's senior vice president of counter adversary operations, Adam Meyers, was direct: "They've taken [Scattered Spider's] playbook and they're using a lot of their techniques. It's kind of the new generation of Scattered Spider."

That framing matters. These are not script kiddies borrowing someone else's techniques. These are increasingly capable operators absorbing and iterating on a proven methodology that has produced hundreds of millions of dollars in enterprise damage.

Timeline

  • October 2025 — First observed intrusions attributed to both groups, per CrowdStrike intelligence
  • February 2026 — BlackFile/Cordial Spider activity expands into aggressive targeting of retail and hospitality chains, documented by Unit 42 and RH-ISAC
  • April 2026 — Unit 42 and RH-ISAC publish joint advisory on CL-CRI-1116 attacks
  • May 8, 2026 — CrowdStrike publishes dual threat actor profiles and Falcon Shield defense blog, exclusively previewed by CyberScoop
  • May 2026 (current) — BlackFile data leak site domain goes offline; Snarky Spider remains operationally active; both groups continue targeting

Technical Analysis

Phase 1: Vishing as the Entry Weapon

There is no phishing email, no malicious attachment, and no CVE exploit in these intrusions. The first move is a phone call.

Cordial Spider and Snarky Spider operatives — native English speakers, predominantly US-based — call target employees directly, impersonating IT support. The calls create urgency: a "mandatory passkey rollout," a "security incident affecting your account," an "urgent MFA reset." The goal is to direct the employee to a URL, right now, while still on the call.

That URL resolves to an adversary-in-the-middle (AiTM) phishing page — a real-time proxy that mirrors the organization's legitimate SSO portal. Domain patterns follow a predictable logic:

<companyname>sso[.]com
my<companyname>[.]com
<companyname>id[.]com
<companyname>internal[.]com

When the employee enters credentials, the AiTM proxy captures both the credentials and the active session token relayed back from the real identity provider. The user sees a normal login experience. The attacker now holds a live authenticated session to the IdP.

This is not a new technique. What is new is the scale, speed, and operational consistency with which Cordial and Snarky Spider are executing it against enterprise targets.

Phase 2: MFA Subversion and Persistence

With IdP access in hand, the actor's next move is to secure persistence by hijacking or replacing the victim's MFA configuration.

Snarky Spider registers a Genymobile Android emulator as the new MFA device. This choice is operationally elegant: Genymobile runs on Linux, Windows, and macOS, meaning a single operator can manage multiple compromised accounts across multiple sessions from any device. The emulated phone fingerprint is distinct and consistent — a behavioral IOC detectable by any identity platform that profiles device characteristics.

Cordial Spider uses a broader mix: real mobile devices and Windows QEMU virtual machines for MFA enrollment. CrowdStrike observed the same adversary-controlled MFA device being enrolled across multiple compromised accounts simultaneously — further evidence of a scaled, streamlined operation. In several cases, the victim account had never previously had MFA enabled, meaning the attacker was the first to register any MFA factor.

Immediately following MFA enrollment, both groups pursue notification suppression:

  • Security alert emails are manually deleted
  • Inbox rules are created to auto-delete any incoming messages containing keywords: alert, incident, MFA, password reset, suspicious, unauthorized

The goal is simple: the victim must not know they've been compromised until the extortion demand lands.
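The notification-suppression step above (and the inbox-rule monitoring item in the Defender Playbook) reduces to a concrete detection: a new or modified inbox rule whose condition names security keywords and whose action hides the message. The following is an added example, not code from the original post or from CrowdStrike or Unit 42. It runs over constructed audit records shaped loosely like Exchange Online New-InboxRule and Set-InboxRule events, with a Name/Value parameter list; those field names and the sample records are assumptions for the example, not real logs.

```python
"""Flag inbox rules that hide security notifications.

Added example, not code from the original post or from any vendor tooling.
Input records are constructed and shaped loosely like Exchange Online
New-InboxRule / Set-InboxRule audit events (a list of Name/Value
parameters); the field names are an assumption about the log format.
"""
import re

# Keywords the post reports the actors filter on.
SUPPRESSION_KEYWORDS = (
    "alert", "incident", "mfa", "password reset", "suspicious", "unauthorized",
)
# Rule parameters that carry the match condition.
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "From")
# Destination folders where a moved message is effectively invisible.
HIDING_FOLDERS = re.compile(r"deleted items|junk|rss|archive", re.I)

# Constructed sample audit records (not real logs).
SAMPLE_AUDIT_RECORDS = [
    {"UserId": "jdoe@example.com", "Operation": "New-InboxRule",
     "CreationTime": "2026-05-01T13:07:00Z",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords",
          "Value": "alert;incident;MFA;password reset;unauthorized"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "asmith@example.com", "Operation": "New-InboxRule",
     "CreationTime": "2026-05-01T09:00:00Z",
     "Parameters": [
         {"Name": "Name", "Value": "Vendor news"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "jdoe@example.com", "Operation": "Set-InboxRule",
     "CreationTime": "2026-05-01T13:09:00Z",
     "Parameters": [
         {"Name": "SubjectContainsWords", "Value": "Suspicious sign-in"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
]


def _parameters(record):
    """Collapse the Name/Value list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def matched_keywords(params):
    """Suppression keywords present in the rule's match conditions, sorted."""
    found = set()
    for name in CONDITION_PARAMS:
        value = params.get(name)
        if not value:
            continue
        for word in str(value).split(";"):
            lowered = word.strip().lower()
            found.update(k for k in SUPPRESSION_KEYWORDS if k in lowered)
    return sorted(found)


def _deletes(params):
    return str(params.get("DeleteMessage", "")).lower() == "true"


def hides_message(params):
    """True if the rule deletes the message or moves it somewhere unread."""
    if _deletes(params):
        return True
    return bool(HIDING_FOLDERS.search(str(params.get("MoveToFolder", ""))))


def evaluate_rule(record):
    """Return a finding dict for a suspicious rule, or None."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = _parameters(record)
    keywords = matched_keywords(params)
    if not keywords or not hides_message(params):
        return None
    action = "delete" if _deletes(params) else f"move to {params['MoveToFolder']}"
    return {"user": record["UserId"], "time": record["CreationTime"],
            "rule_name": params.get("Name", ""), "keywords": keywords,
            "action": action}


def scan(records):
    """Evaluate every record; returns the findings in log order."""
    return [f for f in map(evaluate_rule, records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_RECORDS):
        print(finding)
```

The benign newsletter rule is not flagged because it neither names a security keyword nor hides mail in a dead-end folder; both of the constructed attacker rules are, including the one that only moves "suspicious sign-in" mail to the RSS folder rather than deleting it.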

Phase 3: SaaS-Native Lateral Movement

Here is where these attacks diverge most sharply from traditional intrusions. Cordial Spider and Snarky Spider never touch endpoints. They do not install malware, execute payloads, or interact with any system outside the SaaS layer. This is pure living-off-the-land in cloud environments — what CrowdStrike calls "SaaS-centric attacks that bypass traditional endpoint visibility."

With IdP credentials established, the actor's authenticated session cascades across every connected SaaS application. Observed targets include:

  • Microsoft SharePoint — bulk document downloads
  • HubSpot — CRM data, customer contact lists
  • Salesforce — CSV exports via API, employee directories, deal data
  • Google Workspace — Drive exfiltration, email archive access

Discovery queries across these platforms are targeted and consistent. Confirmed search terms: confidential, SSN, contracts, VPN, credentials, passkey, audit. The goal is to surface the highest-leverage documents quickly before any defensive response occurs.

Unit 42 documented these groups moving from initial vishing call to complete data exfiltration in under 60 minutes. CrowdStrike corroborated this, noting that Snarky Spider specifically begins exfiltration in under one hour from initial compromise.

Phase 4: Extortion and Escalation

Extortion demands arrive via Gmail addresses or compromised employee email accounts — both channels that appear legitimate to naive email security controls. Cordial Spider's standard ask is in the seven-figure range. For comparison, the average ransomware payment in 2025 was approximately $850,000.

For victims that refuse to pay:

  • Cordial Spider escalates to DDoS attacks against victim infrastructure
  • Snarky Spider goes further — documented swatting attacks targeting victim employees and executives, including reports of armed police dispatched to private residences

The latter is a significant escalation in threat actor behavior. Swatting has historically been associated with gaming communities and individual harassment. Its deployment as a corporate extortion lever by an organized financial crime group marks a chilling convergence.


IOCs and Behavioral Indicators

Network Indicators

  • Residential proxy providers in use: Mullvad, NetNut, 9Proxy, Infatica, NSOCKS
  • Anti-detect browsers (Cordial Spider): used to mask geographic origin and device fingerprint
  • AiTM domain patterns: <companyname>sso[.]com, my<companyname>[.]com, <companyname>id[.]com

Identity / Authentication IOCs

  • New MFA device registration: Genymobile Android emulator (Snarky Spider — high confidence IOC)
  • New MFA device: QEMU virtual machine (Cordial Spider)
  • Same device enrolled across multiple accounts — strong automated detection signal
  • MFA enrollment on accounts with no prior MFA history
  • Anomalous login location immediately following normal-location login (session hijacking pattern)
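The first four identity IOCs above (and the MFA enrollment hardening item in the Defender Playbook) can be scored together at the point where an IdP records a new factor. The block below is an added example written for this profile; it is not code from the original post or from any identity vendor. It works over a constructed list of enrollment events and a constructed snapshot of which users already had a factor; the field names are assumptions, not a real IdP schema. The emulator markers are the two the post names (Genymobile and QEMU) plus "Genymotion", which is the product name of the Genymobile emulator.

```python
"""Score new MFA device enrollments against the identity IOCs.

Added example, not code from the original post or from any identity
vendor. Event fields and the baseline snapshot are constructed; a real
deployment would read them from the IdP's factor-enrollment log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Device strings the post ties to the actors' enrollment tooling, plus
# Genymotion (the Genymobile emulator's product name).
EMULATOR_MARKERS = ("genymobile", "genymotion", "qemu")

# Constructed snapshot: users who already had a factor before this window.
USERS_WITH_EXISTING_MFA = {"asmith@example.com", "mlee@example.com"}

# Constructed enrollment events (not real IdP logs).
SAMPLE_ENROLLMENTS = [
    {"user": "asmith@example.com", "time": "2026-05-01T08:15:00",
     "device_id": "dev-aa11", "manufacturer": "Apple", "model": "iPhone15,2"},
    {"user": "jdoe@example.com", "time": "2026-05-01T13:05:00",
     "device_id": "dev-7f3c", "manufacturer": "Genymobile", "model": "Genymotion Phone"},
    {"user": "mlee@example.com", "time": "2026-05-01T13:21:00",
     "device_id": "dev-7f3c", "manufacturer": "Genymobile", "model": "Genymotion Phone"},
    {"user": "rkhan@example.com", "time": "2026-05-01T14:02:00",
     "device_id": "dev-9b01", "manufacturer": "QEMU", "model": "Standard PC (Q35 + ICH9, 2009)"},
]


def is_emulator(event):
    """True when the manufacturer/model string carries an emulator marker."""
    fingerprint = f"{event['manufacturer']} {event['model']}".lower()
    return any(marker in fingerprint for marker in EMULATOR_MARKERS)


def shared_device_ids(events, window=timedelta(hours=24)):
    """Device ids enrolled on more than one distinct account within `window`."""
    seen = defaultdict(list)  # device_id -> [(time, user)]
    for e in events:
        seen[e["device_id"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    shared = set()
    for device_id, uses in seen.items():
        uses.sort()
        for i, (t, user) in enumerate(uses):
            later_users = {u for (t2, u) in uses[i + 1:]
                           if t2 - t <= window and u != user}
            if later_users:
                shared.add(device_id)
    return shared


def score_enrollments(events, users_with_mfa):
    """Return (user, score, reasons) per suspicious event, highest score first.

    The score is simply the number of IOCs that fired for that enrollment.
    """
    shared = shared_device_ids(events)
    findings = []
    for e in events:
        reasons = []
        if is_emulator(e):
            reasons.append("emulator/VM device fingerprint")
        if e["device_id"] in shared:
            reasons.append("device enrolled on multiple accounts")
        if e["user"] not in users_with_mfa:
            reasons.append("first factor ever registered on this account")
        if reasons:
            findings.append((e["user"], len(reasons), reasons))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings


if __name__ == "__main__":
    for user, score, reasons in score_enrollments(SAMPLE_ENROLLMENTS, USERS_WITH_EXISTING_MFA):
        print(f"{user} score={score}: " + "; ".join(reasons))
```

In the constructed data the iPhone enrollment scores nothing, the two Genymotion enrollments share one device id across two accounts, and the QEMU enrollment lands on an account that never had a factor. A score of two or more is the kind of event the Lyrie Take argues should lock the account rather than queue a ticket.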

Behavioral IOCs

  • Manual bulk deletion of security-related emails post-compromise
  • Inbox rules filtering on: alert, incident, MFA, password reset, unauthorized
  • SaaS search queries for: confidential, SSN, contracts, VPN
  • Bulk SharePoint downloads or Salesforce API exports within 60 minutes of anomalous authentication
  • Compromised accounts scraping internal employee directories
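The session-hijacking IOC in the identity list (a foreign login shortly after a normal one) and the bulk-export IOC above combine into one correlation: a bulk SaaS action within 60 minutes of an anomalous sign-in by the same account. The code below is an added example for this profile, not code from the original post or from any SIEM vendor. It runs over two constructed event streams, IdP sign-ins and SaaS activity, with a constructed per-user home-country baseline; the field names, the bulk threshold and the action names are assumptions for the example. The 60-minute window is the figure Unit 42 and CrowdStrike report.

```python
"""Correlate anomalous sign-ins with bulk SaaS exports in a 60-minute window.

Added example, not from the original post or from any vendor. Event
field names, the home-country baseline, the bulk threshold and the
sample events are all constructed for the example.
"""
from datetime import datetime, timedelta

EXFIL_WINDOW = timedelta(minutes=60)   # figure reported by Unit 42 / CrowdStrike
BULK_THRESHOLD = 500                   # items per event; tune per tenant
BULK_ACTIONS = {"FileDownloaded", "ReportExport", "BulkApiJob"}

# Constructed baseline: where each user normally signs in from.
HOME_COUNTRY = {"jdoe@example.com": "US", "asmith@example.com": "US"}

# Constructed IdP sign-in events.
SIGNINS = [
    {"user": "jdoe@example.com", "time": "2026-05-01T12:58:00", "country": "US"},
    {"user": "jdoe@example.com", "time": "2026-05-01T13:04:00", "country": "DE"},
    {"user": "asmith@example.com", "time": "2026-05-01T09:00:00", "country": "US"},
]

# Constructed SaaS activity events.
ACTIVITY = [
    {"user": "jdoe@example.com", "time": "2026-05-01T13:22:00",
     "app": "SharePoint", "action": "FileDownloaded", "count": 1840},
    {"user": "jdoe@example.com", "time": "2026-05-01T13:41:00",
     "app": "Salesforce", "action": "BulkApiJob", "count": 22000},
    {"user": "asmith@example.com", "time": "2026-05-01T09:30:00",
     "app": "Salesforce", "action": "ReportExport", "count": 900},
    {"user": "jdoe@example.com", "time": "2026-05-01T16:00:00",
     "app": "SharePoint", "action": "FileDownloaded", "count": 3},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def anomalous_signins(signins, home_country, hijack_gap=timedelta(minutes=30)):
    """Sign-ins from outside the user's home country.

    Each result carries `after_normal_login`, true when a home-country
    sign-in preceded it within `hijack_gap`: the stolen-session pattern.
    """
    by_user = {}
    for s in sorted(signins, key=_t):
        by_user.setdefault(s["user"], []).append(s)
    out = []
    for user, events in by_user.items():
        home = home_country.get(user)
        for i, s in enumerate(events):
            if home is None or s["country"] == home:
                continue
            prior_normal = any(p["country"] == home and _t(s) - _t(p) <= hijack_gap
                               for p in events[:i])
            out.append({**s, "after_normal_login": prior_normal})
    return out


def correlate_exfil(signins, activity, home_country):
    """Bulk SaaS actions by the same account within EXFIL_WINDOW of an
    anomalous sign-in. Returns one finding per matching activity event."""
    findings = []
    for s in anomalous_signins(signins, home_country):
        start = _t(s)
        for a in activity:
            if (a["user"] == s["user"] and a["action"] in BULK_ACTIONS
                    and a["count"] >= BULK_THRESHOLD
                    and start <= _t(a) <= start + EXFIL_WINDOW):
                findings.append({
                    "user": s["user"], "signin_country": s["country"],
                    "after_normal_login": s["after_normal_login"],
                    "app": a["app"], "action": a["action"], "count": a["count"],
                    "minutes_after_signin": int((_t(a) - start).total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for f in correlate_exfil(SIGNINS, ACTIVITY, HOME_COUNTRY):
        print(f)
```

The US-then-DE pair six minutes apart is the hijack pattern; the SharePoint download at 18 minutes and the Salesforce bulk job at 37 minutes fall inside the window, while the three-file download hours later and the other user's ordinary report export do not.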

Attribution

  • Cordial Spider aliases: BlackFile, CL-CRI-1116, UNC6671
  • Linked data leak site: BlackFile (domain offline as of May 2026)
  • Operator language: Native English, primarily US-based
  • Affiliation: The Com; associated with Scattered Spider ecosystem, SLSH, ShinyHunters — not confirmed SLH

Lyrie Take

The Cordial Spider and Snarky Spider threat profiles represent a structural problem for enterprise security architecture, not just a new set of actors to block.

Endpoint security is irrelevant here. No payload. No beacon. No lateral movement through Active Directory. Traditional EDR and antivirus solutions — the foundation of most enterprise security stacks — have zero visibility into these attacks until the ransom note lands or a SIEM fires on anomalous API export volume.

The attack surface is the identity plane. Every enterprise's CISO should be asking right now: if an attacker calls my helpdesk with convincing social engineering and gets one employee to visit a link, how large is the blast radius? For most SaaS-heavy organizations, the answer is: your entire business.

The acceleration factor is the most operationally concerning element. Sixty minutes from vishing call to data exfiltration is faster than most security operations centers can escalate an alert, pull a ticket, and get eyes on the incident. Detection needs to be automated and preemptive — anomalous MFA enrollment on known emulator fingerprints should trigger immediate account lockout, not a queue item.

Swatting as an extortion lever also demands a broader organizational response than IT security alone. Organizations must have protocols for physical security escalation when cyber extortion victims include C-suite employees who may become targets for in-person harassment or armed response calls.


Defender Playbook

Immediate Actions

1. MFA device registration hardening — Require manager or secondary approval for any new MFA device enrollment. Flag Genymobile and QEMU fingerprints in identity platform device policies as high-risk.

2. AiTM detection via passkeys — Migrate all high-privilege accounts to FIDO2/passkey authentication. An AiTM page cannot relay a passkey login because the assertion is bound to the legitimate portal's origin, and the lookalike domain is a different origin. This is the single highest-impact mitigation.

3. Helpdesk verification protocols — Implement callback verification to known employee numbers before any account or MFA changes. Vishing fails when IT support cannot be spoofed. Train helpdesk staff on social engineering pressure patterns.

4. SaaS anomaly detection tuning — Alert on bulk SharePoint downloads, high-volume Salesforce API exports, and SaaS searches for sensitive keywords (confidential, SSN, contracts) outside of known business hours or from anomalous locations.

5. Inbox rule monitoring — Alert on creation of inbox rules that filter or delete security-related keywords. This is a post-compromise persistence technique and should trigger immediate investigation.

6. Residential proxy IP blocking — Add known residential proxy CIDR ranges (Mullvad, NetNut, 9Proxy, Infatica, NSOCKS) to Conditional Access policies as high-risk sign-in signals.
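Item 2 above rests on one protocol detail worth seeing in code: the browser, not the page, writes the origin into the clientDataJSON that the authenticator signs over, and the relying party rejects any assertion whose origin or RP ID is not its own. The block below is an added example for this profile, not code from the original post or from any WebAuthn library. It builds the clientDataJSON and authenticatorData a browser and authenticator would produce for a constructed relying party, then runs the relying-party checks on type, challenge, origin and RP ID hash. The lookalike origin is constructed on the pattern the post describes. The final signature check over authenticatorData || SHA-256(clientDataJSON) is described but not performed, since it needs the credential's public key; in practice the browser also refuses to use a credential whose RP ID does not match the page's domain, so the server-side origin check shown here is the backstop, not the only barrier.

```python
"""Why an AiTM proxy cannot relay a passkey login: the assertion is origin-bound.

Added example, not code from the original post or from any WebAuthn
library. RP_ID, RP_ORIGIN and PHISH_ORIGIN are constructed. Signature
verification is described in a comment but not performed.
"""
import base64
import hashlib
import json
import os
import struct

RP_ID = "example.com"                      # constructed relying party
RP_ORIGIN = "https://login.example.com"    # constructed SSO portal origin
PHISH_ORIGIN = "https://examplesso.com"    # constructed lookalike, per the post's pattern

FLAG_UP = 0x01  # user-presence bit in the authenticatorData flags byte


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser serialises as clientDataJSON. The origin comes from
    the document that called navigator.credentials.get(), not from page code,
    so a proxy page can only ever produce its own origin here."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_UP]) + struct.pack(">I", counter))


def verify_assertion(client_data: bytes, auth_data: bytes,
                     expected_challenge: bytes, expected_origin: str, rp_id: str):
    """Relying-party checks from the WebAuthn assertion ceremony.
    Returns (ok, reason)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not auth_data[32] & FLAG_UP:
        return False, "user presence not asserted"
    # The authenticator's signature covers auth_data || sha256(client_data).
    # A proxy that rewrote the origin to pass the check above would change
    # this digest and invalidate the signature, so it cannot have both.
    signed_payload = auth_data + hashlib.sha256(client_data).digest()
    return True, f"ok; signature would be verified over {len(signed_payload)} bytes"


def demo(origin_seen_by_browser: str):
    """Simulate one login where the browser is on `origin_seen_by_browser`."""
    challenge = os.urandom(32)   # issued by the RP for this session
    cd = browser_client_data(challenge, origin_seen_by_browser)
    ad = authenticator_data(RP_ID)
    return verify_assertion(cd, ad, challenge, RP_ORIGIN, RP_ID)


if __name__ == "__main__":
    print("legitimate portal:", demo(RP_ORIGIN))
    print("via AiTM page:    ", demo(PHISH_ORIGIN))
```

Contrast this with the password-plus-OTP flow in Phase 1: nothing in a typed password or a six-digit code names the site it was typed into, which is exactly what the proxy exploits, and exactly what the origin field closes off.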

Strategic Actions

  • Adopt an Identity Threat Detection and Response (ITDR) solution with real-time behavioral analytics across the IdP and SaaS layer
  • Establish a physical security escalation protocol for swatting scenarios — brief HR, legal, and C-suite on the tactic and the recommended response (non-engagement, law enforcement notification, employee notification)
  • Conduct tabletop exercises specifically simulating vishing + AiTM attack chains against your helpdesk and security operations teams
  • Assess SaaS application connectivity to your IdP — restrict OAuth scopes and minimize which applications can access sensitive data stores under any authenticated session

Sources

1. CrowdStrike — Defending Against CORDIAL SPIDER and SNARKY SPIDER with Falcon Shield (May 2026) — https://www.crowdstrike.com/en-us/blog/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield/

2. CyberScoop — Two new extortion crews are speedrunning the Scattered Spider playbook (May 8, 2026) — https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/

3. Infosecurity Magazine — BlackFile Group Targets Retail and Hospitality with Vishing Attacks (April 2026) — https://www.infosecurity-magazine.com/news/blackfile-group-targets-retail/

4. Push Security — How three techniques are behind ShinyHunters' 2026 campaigns (May 2026) — https://pushsecurity.com/blog/analyzing-the-instructure-breach

5. Unit 42 / RH-ISAC — Extortion in the Enterprise: Defending Against BlackFile Attacks (April 23, 2026)

6. CrowdStrike Adversary Profile — CORDIAL SPIDER — https://www.crowdstrike.com/en-us/adversaries/cordial-spider/


Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.