
Mistaiks happen

LEGAL BRIEF By Max Stul Oppenheimer, Esq. To err is no longer the exclusive province of humans. Apologies to Alexander Pope. Artificial intelligence has progressed from hallucinating to enticing humans to join in the hallucination. We need a new term for hybrid human-AI errors caused by reliance on AI hallucinations. I propose “mistaiks.” Read the […]

Two new extortion crews are speedrunning the Scattered Spider playbook

A pair of persistent and problematic threat groups affiliated with The Com are actively targeting organizations across multiple critical infrastructure sectors for rapid data theft and extortion attacks, according to CrowdStrike.

The financially motivated attackers, which CrowdStrike tracks as Cordial Spider and Snarky Spider, have used voice-phishing and social engineering attacks to break into victims’ identity platforms and traverse SaaS environments since at least October 2025, the company said in a report Thursday, which it shared exclusively with CyberScoop prior to release.

Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said the subgroups composed of native English speakers primarily target U.S.-based organizations in the academic, aviation, retail, hospitality, automotive, financial services, legal and technology sectors.

This “new wave of ecrime threat actors” is closely aligned with Scattered Spider and linked to other subsets of The Com, including SLSH and ShinyHunters, Meyers said.

Because these attacks target identity systems and can expose data in other connected services beyond the initial breach point, it’s difficult to determine how many victims have been caught up in these campaigns. 

CrowdStrike’s warning closely follows research Palo Alto Networks’ Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center shared last week about Cordial Spider’s string of attacks targeting organizations in the retail and hospitality industry, among others. 

Cordial and Snarky Spider have set lures via voice calls, text messages and emails directing targeted employees to phishing pages posing as their employer’s legitimate single sign-on page or primary identity provider, researchers said.

These phishing pages, which capture credentials, session keys or tokens, depending on the workflow, provide attackers an entry point into systems, which they exploit for widespread access across victims’ entire SaaS ecosystems.

Attackers use these initial hooks to remove and establish multi-factor authentication devices, then delete emails and other alerts that would otherwise warn organizations of potential malicious activity, researchers said. 
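The sequence described above (a fresh sign-in, a newly registered MFA method, then deletion of the security-notification mail that would have exposed it) is a behavioral pattern defenders can correlate even when IP-based detection is defeated by residential proxies. The following is an added example, not part of the CyberScoop article or CrowdStrike's report; the event names and log lines are constructed, and a real deployment would map them onto the identity provider's and mail platform's actual audit fields.

```python
"""Correlate identity-provider and mailbox audit events into the
phish -> MFA enrollment -> alert-deletion chain. All field names and
sample events are constructed for this example, not real IdP output."""
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, event, detail)
SAMPLE_EVENTS = [
    ("2025-11-03T09:01:10", "alice", "signin", "ip=203.0.113.45"),
    ("2025-11-03T09:03:42", "alice", "mfa_method_added", "type=authenticator_app"),
    ("2025-11-03T09:05:07", "alice", "mail_deleted", "subject=Security alert: new sign-in"),
    ("2025-11-03T12:00:00", "bob", "signin", "ip=198.51.100.7"),
    ("2025-11-03T15:30:00", "bob", "mfa_method_added", "type=fido2"),  # too late to correlate
    ("2025-11-04T08:00:00", "carol", "mail_deleted", "subject=Lunch menu"),  # benign deletion
]

# How long after the sign-in the enrollment and deletion must occur to count.
WINDOW = timedelta(minutes=30)
# Subject fragments that mark the notifications an attacker would want gone.
ALERT_SUBJECT_MARKERS = ("security alert", "new sign-in", "mfa", "authentication method")


def parse(events):
    """Turn ISO timestamps into datetimes so events can be ordered and compared."""
    return [(datetime.fromisoformat(ts), user, ev, detail) for ts, user, ev, detail in events]


def find_mfa_takeover_sequences(events, window=WINDOW):
    """Return (user, signin_timestamp) for every sign-in that is followed, within
    `window`, first by an MFA method registration and then by deletion of a
    security-alert email. All three steps must be present, in that order."""
    by_user = {}
    for ts, user, ev, detail in parse(events):
        by_user.setdefault(user, []).append((ts, ev, detail))

    hits = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order per user
        for i, (t0, ev, _) in enumerate(evs):
            if ev != "signin":
                continue
            mfa_seen = False
            for t, e, d in evs[i + 1:]:
                if t - t0 > window:
                    break  # outside the correlation window; stop scanning this sign-in
                if e == "mfa_method_added":
                    mfa_seen = True
                elif e == "mail_deleted" and mfa_seen and any(
                        m in d.lower() for m in ALERT_SUBJECT_MARKERS):
                    hits.append((user, t0.isoformat()))
                    break
    return hits
```

Only alice's chain completes within the window; bob's late FIDO2 enrollment and carol's unrelated deletion are ignored.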

The data-theft-for-extortion campaigns share striking similarities, but CrowdStrike said the tactics, techniques and procedures of each subgroup are distinct. These variances include hours of operation, phishing domain providers, preferred operating systems, data leak sites, and the tools or devices used to register for multi-factor authentication.

The domain for BlackFile, Cordial Spider’s data-leak site, was offline as of Wednesday, according to Meyers.

CrowdStrike declined to put a range on the groups’ extortion demands, but Unit 42 previously said the demands of Cordial Spider, which is also tracked as CL-CRI-1116 and UNC6671, are typically in the seven-figure range.

Some victims that didn’t pay extortion demands have been subjected to DDoS attacks, and Snarky Spider has used more aggressive follow-on harassment tactics, including the swatting of victim organizations’ employees, Meyers said. 

CrowdStrike said Cordial and Snarky Spider also use residential proxy networks — including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica and NSOCKS — to evade IP-based detection and blend in with typical traffic. 

Residential proxy networks, which rely on IP addresses assigned to real home users, can serve a legitimate purpose, but researchers have been warning that unethical or outright criminal operators are abusing these networks to build and support botnets, cybercrime campaigns, espionage and other malicious activity.

Cordial and Snarky Spider haven’t achieved the impact or technical capability of Scattered Spider, but the groups share many commonalities and objectives, Meyers said. 

“They’ve kind of taken their playbook and they’re using a lot of their techniques, but we haven’t really seen the technical sophistication demonstrated by them that we saw from Scattered Spider,” he said. “It’s kind of the new generation of Scattered Spider.”

The post Two new extortion crews are speedrunning the Scattered Spider playbook appeared first on CyberScoop.

The first annual King Knut Award

ISSUE 23.13 • 2026-03-30 LEGAL BRIEF By Max Stul Oppenheimer, Esq. This prestigious award, the Knuttie, memorializes King Knut. Or Cnut or Knute or Cnute. Or Knud or Knutur or Canuto, Canutus, Knutr, or Nuutti. (He preceded spell-check.) Anyway, Knut of Denmark conquered England, Scotland, Norway, and parts of Sweden but is best remembered for […]

U.S. Sentencing Commission seeks input on criminal penalties for deepfakes

The U.S. Sentencing Commission is issuing preliminary sentencing guidelines for criminal offenses under the Take It Down Act, a law passed earlier this year to curb the spread of nonconsensual deepfake pornography.

The Take It Down Act marks one of the first major pieces of legislation passed by Congress to address AI-generated deepfakes, attracting broad bipartisan support. The legislation sailed through Congress, passing 402-2 in the House and comfortably in the Senate, despite opposition from some digital rights groups, and had the vocal support of First Lady Melania Trump.

The law’s language makes it a federal crime to publicize nonconsensual intimate or pornographic imagery of others, both real and AI-generated, and requires companies to remove any images hosted or shared on their platforms within 48 hours of receiving notice. It also empowers the Federal Trade Commission to investigate and enforce compliance. 

The legislation provides broad guidance on prison sentences and financial penalties for offenses, with digital forgers subject to fines and up to two years of imprisonment for deepfaking an adult and up to three years for a minor.

The commission proposes more specific penalties for different types of offenses, while also seeking public input on the most appropriate way to define the offense in U.S. law.

For example, the law included specific language adding new criminal offenses for deepfakes to sections of U.S. law prohibiting obscene or harassing phone calls, a nod to how much nonconsensual pornography is shared through smartphones.

That section has been updated to further define the offense as anyone using “an interactive computer service”  to knowingly publish an “intimate visual depiction” of a minor and (in certain cases) adults with the intent to “abuse, humiliate, harass, or degrade” or “arouse or gratify the sexual desire of any person.”

Individuals found guilty of threatening to publish nonconsensual deepfakes of an adult would be subject to a maximum of years in prison if the threat involves “an intimate visual depiction” of them and 18 months if the deepfake is used for digital forgery. Deepfaking a minor for the purpose of digital forgery carries a maximum sentence of 30 months.

While experts have warned about the damaging potential of deepfakes for years, large language models have become increasingly adept at producing lifelike media. As more AI deepfake tools come online, public interest groups have called for companies like OpenAI to take tools like Sora 2 offline after they were used to create scores of false cell-phone-style videos depicting food stamp recipients that were later picked up by real news outlets like Fox News.

This month, the American Bar Association released a report around the use of AI in the legal sector that found courts were generally unprepared for deepfake media and the many ways it could impact the integrity of evidence presented to the court.

The deepfake changes are part of a broader package of proposed regulatory changes the U.S. Sentencing Commission is proposing, with any comments from the public accepted until Feb. 16, 2026.

The post U.S. Sentencing Commission seeks input on criminal penalties for deepfakes appeared first on CyberScoop.

When Infosec and Weed Collide: Handling Administrative Actions Safely

BB King // The state of Ohio recently validated a webapp pentest finding that sometimes goes overlooked. It relates to the details of administrative functions, how they can be abused, and […]

The post When Infosec and Weed Collide: Handling Administrative Actions Safely appeared first on Black Hills Information Security, Inc.
