Two new extortion crews are speedrunning the Scattered Spider playbook | CyberScoop<\/title> <meta name=\"description\" content=\"CrowdStrike says The Com-affiliated the groups are using voice phishing and fake SSO pages to break into SaaS environments and steal data fast for extortion.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/crowdstrike-cordial-spider-snarky-spider-extortion-attacks\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Two new extortion crews are speedrunning the Scattered Spider playbook\"> <meta property=\"og:description\" content=\"CrowdStrike says The Com-affiliated the groups are using voice phishing and fake SSO pages to break into SaaS environments and steal data fast for extortion.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/crowdstrike-cordial-spider-snarky-spider-extortion-attacks\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-04-30T15:00:00+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook-2.jpg\"> <meta property=\"og:image:width\" content=\"2309\"> <meta property=\"og:image:height\" content=\"1299\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1774626878g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1777394973g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1775068334g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/88804\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=88804\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcrowdstrike-cordial-spider-snarky-spider-extortion-attacks%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcrowdstrike-cordial-spider-snarky-spider-extortion-attacks%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-88804 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/crowdstrike-cordial-spider-snarky-spider-extortion-attacks\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.295454545455\">\n<div class=\"single-article__header-content\" readability=\"34.305882352941\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/crowdstrike-cordial-spider-snarky-spider-extortion-attacks\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> CrowdStrike says The Com-affiliated threat groups are using voice phishing and fake SSO pages to break into SaaS environments and steal data fast for extortion. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/88804\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook.jpg?resize=640%2C360&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Phishing concept\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook-2.jpg 2309w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook-2.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook-2.jpg?resize=1498,843 1498w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"57.226804123711\"><body readability=\"120.25589706934\"><\/p>\n<p>A pair of persistent and problematic threat groups affiliated with <a href=\"https:\/\/cyberscoop.com\/fbi-warning-the-com-cybercrime-extortion-violence\/\">The Com<\/a> are actively targeting organizations across multiple critical infrastructure sectors for rapid data theft and extortion attacks, according to CrowdStrike.<\/p>\n<p>The financially-motivated attackers, which CrowdStrike tracks as Cordial Spider and Snarky Spider, have used voice-phishing and social engineering attacks to break into victims\u2019 identity platforms and traverse SaaS environments since at least October 2025, the company said in a <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield\/\">report<\/a> Thursday, which it shared exclusively with CyberScoop prior to release. <\/p>\n<p>Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said the subgroups composed of native English speakers primarily target U.S.-based organizations in the academic, aviation, retail, hospitality, automotive, financial services, legal and technology sectors.<\/p>\n<p>This \u201cnew wave of ecrime threat actors\u201d are closely aligned with <a href=\"https:\/\/cyberscoop.com\/scattered-spider-social-engineering-cybercrime\/\">Scattered Spider<\/a> and linked to other subsets of The Com, including SLSH and ShinyHunters, Meyers said. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Because these attacks target identity systems and can expose data in other connected services beyond the initial breach point, it\u2019s difficult to determine how many victims have been caught up in these campaigns. <\/p>\n<p>CrowdStrike\u2019s warning closely follows research Palo Alto Networks\u2019 Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center shared last week about Cordial Spider\u2019s string of attacks targeting organizations in the <a href=\"https:\/\/cyberscoop.com\/blackfile-data-theft-extortion-retail-unit-42-rh-isac\/\">retail and hospitality industry<\/a>, among others. <\/p>\n<p>Cordial and Snarky Spider have set lures via voice calls, text messages and emails directing targeting employees to phishing pages posing as their employer\u2019s legitimate single sign-on page or primary identity provider, researchers said. <\/p>\n<p>These phishing pages, which capture credentials, session keys or tokens, depending on the workflow, provide attackers an entry point into systems, which they exploit for widespread access across victims\u2019 entire SaaS ecosystems.<\/p>\n<p>Attackers use these initial hooks to remove and establish multi-factor authentication devices, then delete emails and other alerts that would otherwise warn organizations of potential malicious activity, researchers said. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The data theft for extortion campaigns share striking similarities, but CrowdStrike said the tactics, techniques and procedures for each subgroup are distinct. These variances include hours of operation, different phishing domain providers, preferred operating systems, data leak sites, and the tools or devices they used to register for multi-factor authentication. <\/p>\n<p>The domain for BlackFile, Cordial Spider\u2019s data-leak site, was offline as of Wednesday, according to Meyers.<\/p>\n<p>CrowdStrike declined to put a range on the groups\u2019 extortion demands, but Unit 42 previously said Cordial Spider, which is also tracked as CL-CRI-1116 and UNC6671, are typically in the seven-figure range.<\/p>\n<p>Some victims that didn\u2019t pay extortion demands have been subjected to DDoS attacks, and Snarky Spider has used more aggressive follow-on harassment tactics, including the swatting of victim organizations\u2019 employees, Meyers said. <\/p>\n<p>CrowdStrike said Cordial and Snarky Spider also use residential proxy networks \u2014 including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica and NSOCKS \u2014 to evade IP-based detection and blend in with typical traffic. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Residential proxy networks, which rely on IP addresses assigned to real home users, can serve a legitimate purpose, but researchers have been warning that unethical or outright criminal operators are abusing these networks to build and support botnets, cybercrime campaigns, espionage and other malicious activity.<\/p>\n<p>Cordial and Snarky Spider haven\u2019t achieved the impact or technical capability of Scattered Spider, but the groups share many commonalities and objectives, Meyers said. <\/p>\n<p>\u201cThey\u2019ve kind of taken their playbook and they\u2019re using a lot of their techniques, but we haven\u2019t really seen the technical sophistication demonstrated by them that we saw from Scattered Spider,\u201d he said. \u201cIt\u2019s kind of the new generation of Scattered Spider.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"2.8435582822086\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/crowdstrike-cordial-spider-snarky-spider-extortion-attacks\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Two new extortion crews are speedrunning the Scattered Spider playbook<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4449,1282,916,6513,634,6545,2350,282,78,895,323,1901,2455,6514,3834,715,46,256,6184,4592,419,953,6546,310,984,288,183],"tags":[4452,1284,920,6516,635,6547,2354,286,86,902,327,1902,2457,6517,3836,720,54,262,6187,4593,423,958,6548,311,986,294,207],"class_list":["post-8597","post","type-post","status-publish","format-standard","hentry","category-academia","category-automotive","category-aviation","category-blackfile","category-cloud","category-cordial-spider","category-crowdstrike","category-cybercrime","category-cybersecurity","category-data-theft","category-extortion","category-financial-sector","category-financial-services","category-hospitality","category-legal","category-palo-alto-networks","category-ransomware","category-research","category-residential-proxy-network","category-retail","category-saas","category-scattered-spider","category-snarky-spider","category-technology","category-the-com","category-threats","category-unit-42","tag-academia","tag-automotive","tag-aviation","tag-blackfile","tag-cloud","tag-cordial-spider","tag-crowdstrike","tag-cybercrime","tag-cybersecurity","tag-data-theft","tag-extortion","tag-financial-sector","tag-financial-services","tag-hospitality","tag-legal","tag-palo-alto-networks","tag-ransomware","tag-research","tag-residential-proxy-network","tag-retail","tag-saas","tag-scattered-spider","tag-snarky-spider","tag-technology","tag-the-com","tag-threats","tag-unit-42"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/academia\/\" rel=\"category tag\">academia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/automotive\/\" rel=\"category tag\">automotive<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/aviation\/\" rel=\"category tag\">aviation<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/blackfile\/\" rel=\"category tag\">BlackFile<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cloud\/\" rel=\"category tag\">Cloud<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cordial-spider\/\" rel=\"category tag\">Cordial Spider<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/crowdstrike\/\" rel=\"category tag\">CrowdStrike<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-theft\/\" rel=\"category tag\">Data theft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/extortion\/\" rel=\"category tag\">extortion<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/financial-sector\/\" rel=\"category tag\">financial sector<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/financial-services\/\" rel=\"category tag\">Financial services<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hospitality\/\" rel=\"category tag\">hospitality<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/legal\/\" rel=\"category tag\">legal<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/palo-alto-networks\/\" rel=\"category tag\">Palo Alto Networks<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/residential-proxy-network\/\" rel=\"category tag\">residential proxy network<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/retail\/\" rel=\"category tag\">retail<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/saas\/\" rel=\"category tag\">SaaS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/scattered-spider\/\" rel=\"category tag\">Scattered Spider<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/snarky-spider\/\" rel=\"category tag\">Snarky Spider<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/the-com\/\" rel=\"category tag\">The Com<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unit-42\/\" rel=\"category tag\">Unit 42<\/a>","tag_info":"Unit 42","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8597"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8597\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8597,"date":"2026-04-30T10:00:00","date_gmt":"2026-04-30T15:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=88804"},"modified":"2026-04-30T10:00:00","modified_gmt":"2026-04-30T15:00:00","slug":"two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/04\/30\/two-new-extortion-crews-are-speedrunning-the-scattered-spider-playbook\/","title":{"rendered":"Two new extortion crews are speedrunning the Scattered Spider playbook"},"content":{"rendered":"