Two hacking groups involved in data theft and extortion via SaaS Cloud Platforms


Two cyber-criminal collectives have recently emerged as notable actors in cloud-centric attacks, abusing Software-as-a-Service (SaaS) platforms to conduct data theft and extortion operations.

SaaS, a cloud computing model that enables users to access applications via web browsers or lightweight client interfaces, has become integral to modern enterprise infrastructure.

By abstracting away the need for on-premises hardware, reducing capital expenditure, and providing continuous updates, SaaS platforms offer both scalability and operational efficiency. However, these same advantages have also expanded the attack surface for threat actors.

Since approximately October 2025, two groups identified as Cordial Spider and Snarky Spider have reportedly exploited SaaS ecosystems to orchestrate targeted campaigns involving credential harvesting and data extortion.

According to findings published by Mandiant, both groups are affiliated with a broader underground cybercriminal network known as The Com. This ecosystem is known for its decentralized structure, enabling loosely connected actors to share tools, tactics, and infrastructure.

The primary attack vector employed by these groups is vishing, a form of social engineering that uses voice communication, often via VoIP systems, to deceive victims. In these campaigns, attackers impersonate legitimate IT support personnel or service providers and guide targets to fraudulent Single Sign-On (SSO) portals. These spoofed interfaces are carefully crafted to mimic the organization's authentic authentication workflow, which increases the likelihood that the victim enters valid credentials. Once harvested, those credentials give the attackers a session in the enterprise's SaaS environments, from which sensitive data can be exfiltrated and then used for extortion.

A key challenge in mitigating these threats lies in the attackers’ operational use of SaaS platforms themselves. By utilizing legitimate cloud services as their command-and-control infrastructure or staging environments, adversaries benefit from trusted domains, encrypted communications, and high availability. This significantly complicates detection and attribution efforts, as malicious activity is often obfuscated within normal network traffic patterns. Furthermore, the agility of SaaS deployments allows these groups to execute attacks with remarkable speed and precision, often outpacing traditional defensive measures.
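Because the attack chain above (vishing, a spoofed SSO portal, then a legitimate-looking session in the SaaS tenant) leaves almost nothing on the network layer, the practical place to look is the SaaS provider's own identity and activity audit log. The following is an added example, not code from the article or from any vendor: it runs a simple identity-centric rule over constructed sample events (the field names `user`, `ts`, `type`, `ip`, `country`, `device` are assumptions, not a real product's schema) and flags a login from a (country, device) pair never seen for that user when it is followed within a short window by a burst of downloads.

```python
"""Identity-centric detection over SaaS audit events (added example).

Constructed sample data, not taken from any real tenant. Field names are
hypothetical and stand in for whatever your SaaS provider's audit log emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. a.lee normally signs in from one device in the US;
# on 2025-10-16 a new device in another country signs in and starts exporting.
EVENTS = [
    {"user": "a.lee", "ts": "2025-10-14T08:02:11Z", "type": "login",
     "ip": "203.0.113.5", "country": "US", "device": "dev-a1"},
    {"user": "a.lee", "ts": "2025-10-14T08:10:40Z", "type": "file_download",
     "ip": "203.0.113.5", "country": "US", "device": "dev-a1"},
    {"user": "a.lee", "ts": "2025-10-15T09:00:00Z", "type": "login",
     "ip": "203.0.113.5", "country": "US", "device": "dev-a1"},
    # Login from a never-seen device and country (the session the phished
    # credentials bought the attacker)...
    {"user": "a.lee", "ts": "2025-10-16T13:21:07Z", "type": "login",
     "ip": "198.51.100.77", "country": "NL", "device": "dev-z9"},
    # ...followed by twelve downloads in twelve minutes.
    *[{"user": "a.lee", "ts": f"2025-10-16T13:{25 + i:02d}:00Z",
       "type": "file_download", "ip": "198.51.100.77", "country": "NL",
       "device": "dev-z9"} for i in range(12)],
    # A second user with a single, ordinary session (no history, no alert).
    {"user": "b.ng", "ts": "2025-10-16T10:00:00Z", "type": "login",
     "ip": "192.0.2.9", "country": "US", "device": "dev-b2"},
    {"user": "b.ng", "ts": "2025-10-16T10:05:00Z", "type": "file_download",
     "ip": "192.0.2.9", "country": "US", "device": "dev-b2"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_hijacked_sessions(events, window=timedelta(minutes=30),
                             export_threshold=10):
    """Return one alert per login that (a) comes from a (country, device)
    pair never previously seen for that user and (b) is followed, from the
    same device, by at least `export_threshold` downloads within `window`.

    Users with no prior login history are skipped: there is no baseline to
    compare against, and alerting on every first login would only add noise.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    seen = defaultdict(set)  # user -> {(country, device)} observed so far
    alerts = []
    for i, event in enumerate(events):
        if event["type"] != "login":
            continue
        key = (event["country"], event["device"])
        history = seen[event["user"]]
        novel = bool(history) and key not in history
        history.add(key)
        if not novel:
            continue
        login_time = parse_ts(event["ts"])
        downloads = [
            later for later in events[i + 1:]
            if later["user"] == event["user"]
            and later["type"] == "file_download"
            and later["device"] == event["device"]
            and parse_ts(later["ts"]) - login_time <= window
        ]
        if len(downloads) >= export_threshold:
            alerts.append({
                "user": event["user"],
                "login_ts": event["ts"],
                "ip": event["ip"],
                "country": event["country"],
                "device": event["device"],
                "downloads": len(downloads),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_hijacked_sessions(EVENTS):
        print("suspected hijacked session:", alert)
```

The rule is deliberately identity-centric: it never looks at where the downloads went, because traffic to a trusted SaaS domain over TLS is exactly what the article says blends into normal activity. The thresholds (30 minutes, 10 downloads) are illustrative and should be tuned against a tenant's real baseline; the same structure extends to other post-login signals such as mass report exports, new OAuth grants, or mailbox forwarding rules.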

This modus operandi bears resemblance to tactics previously observed in campaigns attributed to the ShinyHunters group, which also exploited cloud-based platforms for large-scale data breaches. The convergence of social engineering, credential harvesting, and cloud infrastructure abuse underscores a broader shift in cyber threat dynamics, where identity becomes the primary security perimeter.

In conclusion, the activities of Cordial Spider and Snarky Spider highlight the urgent need for organizations to adopt robust identity and access management (IAM) practices, implement multi-factor authentication (MFA), and enhance user awareness against social engineering attacks. One caveat for practitioners: a spoofed SSO portal of the kind described above can relay a one-time code or push approval to the real service in real time, so MFA that is not bound to the legitimate origin (such as FIDO2/WebAuthn security keys or passkeys) offers limited protection against this specific technique. As SaaS adoption continues to grow, so too must the sophistication of defensive strategies to counteract these increasingly complex threat vectors.


Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
