
Two New Extortion Crews Are Speedrunning the Scattered Spider Playbook
Why It Matters
These campaigns expose a growing wave of financially motivated threat actors targeting SaaS environments, forcing organizations to rethink identity security and incident response. The rapid adoption of Scattered Spider techniques signals that similar extortion models could proliferate across more sectors.
Key Takeaways
- Cordial Spider and Snarky Spider target U.S. critical infrastructure sectors
- Attackers use voice‑phishing to steal identity credentials and MFA tokens
- Extortion demands often reach seven‑figure sums, with DDoS retaliation
- Groups hide behind residential proxy networks like Mullvad and Oxylabs
- Snarky Spider escalates with swatting and aggressive harassment
Pulse Analysis
The emergence of Cordial Spider and Snarky Spider underscores how threat actors are modularizing successful ransomware playbooks. Both groups operate under the umbrella of The Com, a loosely coordinated network of cybercriminals that shares tools, infrastructure, and recruitment pipelines. By focusing on voice‑phishing and social engineering, they bypass traditional email filters and directly target employees responsible for single sign‑on and identity‑provider portals. Once credentials or session tokens are harvested, the attackers move laterally across SaaS ecosystems, disabling multi‑factor authentication and erasing alerts to remain undetected. This approach mirrors the tactics of the earlier Scattered Spider group, but the new crews have refined their operational cadence, employing distinct phishing domains, varied operating systems, and a rotating roster of residential proxy services to mask their IP footprints.
The financial motive behind these campaigns is evident: extortion demands routinely climb into the seven‑figure range, and victims who refuse to pay may face secondary attacks such as distributed denial‑of‑service assaults or even swatting incidents. By leveraging residential proxies from providers like Mullvad, Oxylabs, and NetNut, the actors blend malicious traffic with legitimate home‑user traffic, complicating detection for conventional security tools. Their ability to hijack multi‑factor authentication devices further amplifies risk, as it grants persistent access to a victim’s entire cloud environment. This multi‑vector threat model forces security teams to adopt a zero‑trust stance, continuously validating user identities and monitoring anomalous authentication patterns.
For organizations, the key takeaway is the urgency of strengthening identity and access management (IAM) controls. Deploying solutions such as CrowdStrike Falcon Shield, which offers real‑time credential theft detection and MFA abuse prevention, can mitigate the initial foothold. Regular phishing simulations, employee training on voice‑phishing, and strict verification of any credential‑reset requests are essential. Additionally, monitoring for the use of residential proxies and implementing robust logging of authentication events can surface suspicious activity before it escalates to full‑scale extortion. As threat actors continue to iterate on the Scattered Spider playbook, a proactive, layered defense strategy will be critical to safeguarding both data and reputation.
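The two paragraphs above recommend logging authentication events and watching for residential-proxy use, MFA changes and alert tampering. The script below is an added illustration of what such a detection pass could look like; it is not code from the article, from CrowdStrike, or from any identity provider. The event schema, the sample events, and the `network` field (assumed to come from an IP-enrichment lookup that reports the owning organisation) are all constructed; the provider names it matches on (Mullvad, Oxylabs, NetNut) are the ones the summary names, and matching them by organisation string is an assumption about how an enrichment service would label them.

```python
"""Detection pass over SaaS identity audit events (added example, constructed data).

Flags the signals the summary describes: sign-ins routed through residential
proxy providers, MFA factors reset or disabled shortly after a sign-in from a
network the user has not used before, and alert rules being deleted or disabled.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: an IP-enrichment lookup reports these organisation names for
# residential-proxy egress addresses. The names come from the article.
RESIDENTIAL_PROXY_ORGS = {"mullvad", "oxylabs", "netnut"}

# An MFA change this soon after a sign-in from a new network is treated as
# attacker device enrolment rather than routine self-service.
MFA_CHANGE_WINDOW = timedelta(minutes=30)

MFA_CHANGE_ACTIONS = {"mfa.factor.reset", "mfa.factor.enroll", "mfa.disabled"}
ALERT_TAMPER_ACTIONS = {"alert_rule.delete", "alert_rule.disable"}

# Constructed sample events; field names are a generic IdP-style schema, not a
# specific vendor's. IPs are from documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2024-04-30T10:00:00", "user": "bob", "action": "login.success",
     "ip": "203.0.113.10", "network": "ExampleCorp Office"},
    {"ts": "2024-05-01T09:00:00", "user": "alice", "action": "login.success",
     "ip": "203.0.113.10", "network": "ExampleCorp Office"},
    {"ts": "2024-05-01T13:05:00", "user": "bob", "action": "login.success",
     "ip": "198.51.100.7", "network": "Oxylabs"},
    {"ts": "2024-05-01T13:09:00", "user": "bob", "action": "mfa.factor.reset",
     "ip": "198.51.100.7", "network": "Oxylabs"},
    {"ts": "2024-05-01T13:12:00", "user": "bob", "action": "mfa.disabled",
     "ip": "198.51.100.7", "network": "Oxylabs"},
    {"ts": "2024-05-01T13:20:00", "user": "bob", "action": "alert_rule.delete",
     "ip": "198.51.100.7", "network": "Oxylabs"},
    # Benign: a self-service MFA reset from a network alice has used before.
    {"ts": "2024-05-01T15:00:00", "user": "alice", "action": "mfa.factor.reset",
     "ip": "203.0.113.10", "network": "ExampleCorp Office"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect(events):
    """Return (severity, user, reason) findings in chronological order."""
    findings = []
    # Networks each user has signed in from so far. The first sign-in seen for a
    # user seeds the baseline (assumption: history is fed in before live events).
    known_networks = defaultdict(set)
    last_new_network_login = {}

    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        user, action, net = ev["user"], ev["action"], ev["network"]
        ts = parse_ts(ev["ts"])
        via_proxy = net.lower() in RESIDENTIAL_PROXY_ORGS

        if action == "login.success":
            if via_proxy:
                findings.append(("high", user,
                                 f"sign-in via residential proxy {net} from {ev['ip']}"))
            if net not in known_networks[user]:
                if known_networks[user]:  # baseline already exists, so this is new
                    findings.append(("medium", user,
                                     f"sign-in from previously unseen network {net}"))
                    last_new_network_login[user] = ts
                known_networks[user].add(net)
        elif action in MFA_CHANGE_ACTIONS:
            recent = last_new_network_login.get(user)
            if recent is not None and ts - recent <= MFA_CHANGE_WINDOW:
                findings.append(("critical", user,
                                 f"{action} within {MFA_CHANGE_WINDOW} of sign-in "
                                 f"from new network {net}"))
            elif via_proxy:
                findings.append(("high", user, f"{action} via residential proxy {net}"))
        elif action in ALERT_TAMPER_ACTIONS:
            findings.append(("high", user,
                             f"{action} (possible alert suppression) from {net}"))
    return findings


if __name__ == "__main__":
    for sev, user, reason in detect(SAMPLE_EVENTS):
        print(f"[{sev.upper():8}] {user}: {reason}")
```

Run against the constructed events, the pass raises five findings for bob (proxy sign-in, new network, two MFA changes inside the window, alert-rule deletion) and nothing for alice, whose MFA reset comes from a network she has used before. The point of the window check is that the MFA events on their own are routine; it is their proximity to a sign-in from an unfamiliar or proxied network that matches the playbook the summary describes.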