Two cybercrime groups, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been linked to rapid, high‑impact extortion campaigns that operate largely inside trusted SaaS environments. According to CrowdStrike's Counter Adversary Operations, they use voice phishing (vishing) to direct targeted users to malicious SSO‑themed AiTM pages to capture credentials and MFA codes, then pivot into SSO‑integrated SaaS apps.
The firms note these groups have been active since at least October 2025, with Snarky Spider described as a native English‑speaking crew tied to The Com; Mandiant’s January 2026 report further links the activity to extortion‑themed campaigns observed in the wild.
Attacks typically involve impersonating IT staff to obtain credentials and MFA codes, exfiltrating data from services such as Google Workspace, HubSpot, Microsoft SharePoint and Salesforce, and then moving laterally across the IdP trust relationship to access multiple SaaS applications with a single session. Snarky Spider is said to begin exfiltration in under an hour, while defenders face significant detection challenges due to SaaS‑only activity and fast pivoting.
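One way to surface the single-session fan-out and sub-hour timing described above, as an added example that is not from CrowdStrike or Mandiant: it flags IdP sessions that reach several distinct SaaS apps within 60 minutes of their first SSO event. The log schema, user names, session IDs, thresholds and IP baseline are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical schema: one record per SSO
# assertion the IdP issued to a SaaS app under a given IdP session.
# Fields: timestamp, user, IdP session id, source IP, target app.
EVENTS = [
    ("2026-01-12T09:01:00", "a.lee", "s-100", "203.0.113.10", "salesforce"),
    ("2026-01-12T13:40:00", "a.lee", "s-100", "203.0.113.10", "google-workspace"),
    ("2026-01-12T14:02:00", "j.ortiz", "s-200", "198.51.100.7", "google-workspace"),
    ("2026-01-12T14:09:00", "j.ortiz", "s-200", "198.51.100.7", "sharepoint"),
    ("2026-01-12T14:21:00", "j.ortiz", "s-200", "198.51.100.7", "salesforce"),
    ("2026-01-12T14:37:00", "j.ortiz", "s-200", "198.51.100.7", "hubspot"),
]

# Constructed baseline of source IPs previously seen for each user.
KNOWN_IPS = {"a.lee": {"203.0.113.10"}, "j.ortiz": {"203.0.113.44"}}


def flag_sessions(events, known_ips, window=timedelta(minutes=60), min_apps=3):
    """Flag IdP sessions that reach `min_apps` distinct apps within `window`
    of the session's first SSO event, and list source IPs not in the baseline."""
    by_session = defaultdict(list)
    for ts, user, session, ip, app in events:
        by_session[(user, session)].append((datetime.fromisoformat(ts), ip, app))

    findings = []
    for (user, session), rows in by_session.items():
        rows.sort()
        start = rows[0][0]  # window is anchored at session start, not sliding
        apps = sorted({app for ts, _, app in rows if ts - start <= window})
        if len(apps) >= min_apps:
            seen_ips = {ip for _, ip, _ in rows}
            new_ips = sorted(seen_ips - known_ips.get(user, set()))
            findings.append({"user": user, "session": session,
                             "apps": apps, "new_ips": new_ips})
    return findings


if __name__ == "__main__":
    for finding in flag_sessions(EVENTS, KNOWN_IPS):
        print(finding)
```

The thresholds need tuning against normal morning sign-on bursts; pairing the fan-out with a source IP outside the user's baseline narrows the results.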