Executive Summary
In May 2026, the cybercriminal collective known as 'The Com' orchestrated a series of sophisticated cyberattacks targeting cloud environments and SaaS platforms of major organizations. These breaches resulted in significant data exfiltration and operational disruptions. The Com, comprising subgroups like Scattered Lapsus$ Hunters, utilized advanced social engineering tactics, including vishing campaigns, to infiltrate IT helpdesks and gain unauthorized access to sensitive systems. The financial gains from these cybercrimes were reportedly funneled into supporting violent activities and the exploitation of minors, highlighting the broader societal impact of such security breaches.
This incident underscores the evolving threat landscape where cybercriminal groups are increasingly targeting cloud infrastructures and leveraging social engineering to bypass traditional security measures. Organizations must enhance their security protocols, particularly around identity verification and access controls, to mitigate the risks posed by such sophisticated threat actors.
Why This Matters Now
The Com's recent cyberattacks highlight the urgent need for organizations to fortify their cloud security and educate employees on advanced social engineering tactics, as these breaches have far-reaching consequences beyond financial loss, including supporting violent crimes and exploitation.
Attack Path Analysis
The Com initiated the attack by exploiting misconfigured cloud services to gain initial access. They escalated privileges by compromising IAM roles, enabling broader access. Utilizing this access, they moved laterally across cloud environments to identify sensitive data. Established command and control channels facilitated persistent access and data exfiltration. Sensitive data was exfiltrated to external servers. The attack culminated in the deployment of ransomware, disrupting operations and demanding ransom payments.
Kill Chain Progression
Initial Compromise
Description
The Com exploited misconfigured cloud services to gain unauthorized access.
MITRE ATT&CK® Techniques
Valid Accounts
Phishing
Application Layer Protocol
Data Encrypted for Impact
Exfiltration Over Web Service
Inhibit System Recovery
Command and Scripting Interpreter
Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
High-value targets for The Com's cloud/SaaS attacks exploiting Okta and financial platforms, with proceeds funding violent crimes and child exploitation networks.
Computer Software/Engineering
Critical exposure through SaaS platforms like Salesforce and Microsoft 365 targeted by Scattered Lapsus$ Hunters, requiring enhanced cloud security and egress controls.
Gaming
Primary recruitment vector for The Com collective targeting gaming communities to groom minors, necessitating stronger user protection and monitoring capabilities.
Government Administration
Infiltrated by individuals holding senior positions within The Com network, exposing agencies to insider threats and requiring enhanced zero trust segmentation and threat detection.
Sources
- 'The Com' Cyberattacks Support Violence & Sexploitation (https://www.darkreading.com/threat-intelligence/the-com-cyberattacks-violence-sexploitation)
- Scattered Spider hackers return to hit more victims - despite retirement claims (https://www.techradar.com/pro/security/scattered-spider-hackers-return-despite-retirement-claims)
- Scattered Spider (https://en.wikipedia.org/wiki/Scattered_Spider)
- Google says hackers stole data from 200 companies following Gainsight breach (https://techcrunch.com/2025/11/21/google-says-hackers-stole-data-from-200-companies-following-gainsight-breach/)
- Salesforce says it won’t pay extortion demand in 1 billion records breach (https://arstechnica.com/security/2025/10/salesforce-says-it-wont-pay-extortion-demand-in-1-billion-records-breach/)
- More Okta customers trapped in Scattered Spider's web (https://www.theregister.com/2023/09/01/okta_scattered_spider/)
- Salesforce platforms are being cracked open for data theft - FBI warns of UNC6040 and UNC6395 IOCs (https://www.techradar.com/pro/security/salesforce-platforms-are-being-cracked-open-for-data-theft-fbi-warns-of-unc6040-and-unc6395-iocs)
- Okta discloses details regarding data breach (https://www.quorumcyber.com/threat-intelligence/okta-discloses-details-regarding-data-breach/)
- SCATTERED SPIDER Escalates Attacks Across Industries (https://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks/)
- FBI, CISA warn of more Scattered Spider attacks to come (https://www.techradar.com/pro/security/fbi-cisa-warn-of-more-scattered-spider-attacks-to-come)
- Scattered Spider evolved massively in 2025 - here's what to expect in 2026 (https://www.itpro.com/security/cyber-attacks/scattered-spider-evolved-massively-heres-what-to-expect)
- ‘0ktapus’ hackers are back and targeting tech and gaming companies, says leaked report (https://techcrunch.com/2023/02/02/0ktapus-hackers-are-back-and-targeting-tech-and-gaming-companies-says-leaked-report/)
- The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees (https://www.itpro.com/security/ransomware/the-scattered-spider-ransomware-group-is-infiltrating-slack-and-microsoft-teams-to-target-vulnerable-employees)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been limited by reducing the exposure of misconfigured services through embedded security controls.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained by limiting access to critical resources through identity-aware segmentation.
Control: East-West Traffic Security
Mitigation: Lateral movement within the cloud environment could have been limited by enforcing east-west traffic controls, reducing the attacker's ability to traverse the network.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels could have been constrained by providing comprehensive visibility and control over multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts may have been limited by enforcing strict egress policies, reducing the attacker's ability to transfer data externally.
The deployment of ransomware may have been limited by reducing the attacker's access to critical systems and data through enforced segmentation.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management (CRM)
- Sales Operations
- IT Help Desk
- Data Security Compliance
Estimated downtime: 14 days
Estimated loss: $5,000,000
Data at risk: Personally Identifiable Information (PII) of customers, including names, email addresses, and contact details; sensitive corporate data such as sales records and internal communications.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within cloud environments.
- Enforce Multi-Factor Authentication (MFA) for all IAM roles to prevent unauthorized access.
- Utilize Cloud Firewall (ACF) to monitor and control egress traffic, preventing data exfiltration.
- Deploy Threat Detection & Anomaly Response systems to identify and respond to suspicious activities.
- Regularly audit and remediate misconfigurations in cloud services to eliminate initial access vectors.
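As an added example (not from this brief's sources or any vendor product), a small Python audit that applies two of the takeaways above, MFA on IAM role assumption and removal of over-broad role permissions, to IAM-style policy documents; the policy contents and the account ID are constructed sample values.

```python
# Audit IAM-style policy documents for the two misconfigurations that let a
# stolen credential turn into privilege escalation: role assumption that does
# not demand MFA (or is open to any principal) and wildcard permissions.

def _as_list(v):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return v if isinstance(v, list) else [v]

def _requires_mfa(stmt):
    """True only if a Bool condition pins aws:MultiFactorAuthPresent to true."""
    for op, kv in stmt.get("Condition", {}).items():
        if op.lower() in ("bool", "boolifexists"):
            for key, val in kv.items():
                if key.lower() == "aws:multifactorauthpresent" and str(val).lower() == "true":
                    return True
    return False

def audit_trust_policy(doc):
    """Flag AssumeRole grants usable by any principal or without an MFA condition."""
    findings = []
    for i, s in enumerate(doc.get("Statement", [])):
        actions = [a.lower() for a in _as_list(s.get("Action", []))]
        if s.get("Effect") != "Allow" or not any(a.startswith("sts:assumerole") for a in actions):
            continue
        principal = s.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"statement {i}: role assumable by any AWS principal")
        if not _requires_mfa(s):
            findings.append(f"statement {i}: AssumeRole permitted without MFA condition")
    return findings

def audit_permissions_policy(doc):
    """Flag Allow statements granting wildcard actions on every resource."""
    findings = []
    for i, s in enumerate(doc.get("Statement", [])):
        actions = [a.lower() for a in _as_list(s.get("Action", []))]
        if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", [])) \
                and any(a in ("*", "iam:*", "sts:*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions} on all resources")
    return findings

# Constructed sample documents (made-up account ID, not from any real environment).
WEAK_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
STRONG_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                               "Action": "sts:AssumeRole",
                               "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
ADMIN_PERMS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_PERMS = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                               "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for name, doc, fn in [("weak trust", WEAK_TRUST, audit_trust_policy),
                          ("strong trust", STRONG_TRUST, audit_trust_policy),
                          ("admin perms", ADMIN_PERMS, audit_permissions_policy),
                          ("scoped perms", SCOPED_PERMS, audit_permissions_policy)]:
        print(name, "->", fn(doc) or "no findings")
```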