Emerging Cybercriminal Groups Exploit SaaS Platforms in Sophisticated Extortion Campaigns
Two cybercriminal collectives, Cordial Spider and Snarky Spider, have escalated attacks on cloud-based environments since October 2025, leveraging Software-as-a-Service (SaaS) platforms to conduct data theft and extortion operations. Both groups operate under The Com, a decentralized cybercriminal network known for sharing tools and infrastructure.
The primary attack method involves vishing (voice phishing), where threat actors impersonate IT support or service providers to direct victims to fraudulent Single Sign-On (SSO) portals. These spoofed login pages harvest credentials, granting attackers access to enterprise SaaS environments. Once inside, they exfiltrate sensitive data or use it for extortion.
A key challenge in countering these threats is the groups’ use of legitimate SaaS platforms for command-and-control operations. By blending malicious activity with trusted cloud services, they evade detection, exploiting encrypted communications and high availability. This tactic mirrors previous campaigns by ShinyHunters, signaling a broader shift toward identity-based attacks, with identity as the new security perimeter.
The rise of these groups underscores the growing risks of SaaS adoption, where operational efficiency expands the attack surface. Their agility allows them to outpace traditional defenses, complicating attribution and mitigation efforts.
iZOOlogic cybersecurity rating report: https://www.rankiteo.com/company/izoologic
{
  "id": "IZO1777884204",
  "linkid": "izoologic",
  "type": "Cyber Attack",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'type': 'Enterprise'}],
 'attack_vector': ['Vishing', 'Credential Harvesting', 'Spoofed SSO Portals'],
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Sensitive data'},
 'date_detected': '2025-10-01',
 'description': 'Two cybercriminal collectives, Cordial Spider and Snarky '
                'Spider, have escalated attacks on cloud-based environments '
                'since October 2025, leveraging Software-as-a-Service (SaaS) '
                'platforms to conduct data theft and extortion operations. '
                'Both groups operate under The Com, a decentralized '
                'cybercriminal network known for sharing tools and '
                'infrastructure. The primary attack method involves vishing '
                '(voice phishing), where threat actors impersonate IT support '
                'or service providers to direct victims to fraudulent Single '
                'Sign-On (SSO) portals. These spoofed login pages harvest '
                'credentials, granting attackers access to enterprise SaaS '
                'environments. Once inside, they exfiltrate sensitive data or '
                'use it for extortion. A key challenge is the groups’ use of '
                'legitimate SaaS platforms for command-and-control operations, '
                'blending malicious activity with trusted cloud services to '
                'evade detection.',
 'impact': {'data_compromised': 'Sensitive data',
            'identity_theft_risk': 'High',
            'systems_affected': ['SaaS environments']},
 'initial_access_broker': {'entry_point': 'Fraudulent SSO portals via vishing'},
 'lessons_learned': 'The rise of these groups underscores the growing risks of '
                    'SaaS adoption, where operational efficiency expands the '
                    'attack surface. Their agility allows them to outpace '
                    'traditional defenses, complicating attribution and '
                    'mitigation efforts.',
 'motivation': ['Financial Gain', 'Extortion'],
 'post_incident_analysis': {'root_causes': 'Exploitation of legitimate SaaS '
                                           'platforms for command-and-control, '
                                           'identity-based attacks via '
                                           'credential harvesting'},
 'references': [{'source': 'Cyber Incident Report'}],
 'threat_actor': ['Cordial Spider', 'Snarky Spider', 'The Com'],
 'title': 'Emerging Cybercriminal Groups Exploit SaaS Platforms in '
          'Sophisticated Extortion Campaigns',
 'type': ['Data Theft', 'Extortion'],
 'vulnerability_exploited': 'Legitimate SaaS platforms for command-and-control'}