BlackFile extortion group escalates vishing campaigns with identity theft and data theft targeting retail and hospitality sectors
Summary
Since February 2026, the BlackFile extortion group (aliases: CL-CRI-1116, UNC6671, Cordial Spider) has conducted sustained vishing-driven credential theft and data exfiltration campaigns against retail and hospitality organizations. The group impersonates IT helpdesk staff using spoofed VoIP numbers and fraudulent Caller ID Names, often combined with antidetect browsers and residential proxies to avoid detection. Stolen credentials are used to register attacker-controlled devices and bypass MFA, enabling escalation to executive accounts via internal directory scraping. Data is exfiltrated through legitimate Salesforce and SharePoint API functions and web interfaces, targeting files containing terms such as 'confidential' and 'SSN'. Extortion demands, typically seven-figure sums, are delivered via compromised employee email accounts or randomly generated Gmail addresses, with additional harassment including swatting attempts against executives. Security researchers from Unit 42 and RH-ISAC have linked BlackFile to the activity cluster CL-CRI-1116 and noted overlaps with the loosely affiliated collective 'The Com'.
Timeline
- 24.04.2026 21:26 · 2 articles
BlackFile escalation: vishing-driven credential theft and API-based data exfiltration in retail and hospitality sectors
Palo Alto Networks’ Unit 42 and the Retail and Hospitality Information Security and Analysis Center (RH-ISAC) jointly published a report on April 23, 2026, detailing the BlackFile cluster CL-CRI-1116’s tactics. The report confirms overlap with public reporting on BlackFile, UNC6671, and Cordial Spider, and links the activity to the collective 'The Com'. The report adds technical detail on the group’s vishing infrastructure, including the use of antidetect browsers and residential proxies to mask geographic locations and bypass IP-based reputation filters. It also describes SaaS data discovery and API abuse for exfiltrating large volumes of data—including CSV datasets of employee phone numbers and confidential business reports—via legitimate Salesforce API access and SharePoint download functions. Extortion demands are noted to typically be seven-figure sums, delivered via random Gmail addresses or compromised employee email accounts. Security recommendations emphasize managing identity verification for callers, restricting information shared in calls, and limiting IT support actions per call without escalation to mitigate these tactics.
- New BlackFile extortion group linked to surge of vishing attacks — www.bleepingcomputer.com — 24.04.2026 21:26
- BlackFile Group Targets Retail and Hospitality with Vishing Attacks — www.infosecurity-magazine.com — 27.04.2026 11:15
Information Snippets
- BlackFile (aliases: CL-CRI-1116, UNC6671, Cordial Spider) has targeted retail and hospitality organizations since February 2026 using vishing attacks to steal credentials and extort victims.
  First reported: 24.04.2026 21:26 · 2 sources, 2 articles
  - New BlackFile extortion group linked to surge of vishing attacks — www.bleepingcomputer.com — 24.04.2026 21:26
  - BlackFile Group Targets Retail and Hospitality with Vishing Attacks — www.infosecurity-magazine.com — 27.04.2026 11:15
- Vishing campaigns involve spoofed VoIP numbers or fraudulent Caller ID Names (CNAM), with attackers posing as IT support to trick employees into entering credentials and one-time passcodes on fake login pages.
  First reported: 24.04.2026 21:26 · 2 sources, 2 articles
  - New BlackFile extortion group linked to surge of vishing attacks — www.bleepingcomputer.com — 24.04.2026 21:26
  - BlackFile Group Targets Retail and Hospitality with Vishing Attacks — www.infosecurity-magazine.com — 27.04.2026 11:15
- Stolen credentials are used to register attacker-controlled devices and bypass MFA, enabling escalation to executive-level accounts via internal directory scraping.
  First reported: 24.04.2026 21:26 · 2 sources, 2 articles
  - New BlackFile extortion group linked to surge of vishing attacks — www.bleepingcomputer.com — 24.04.2026 21:26
  - BlackFile Group Targets Retail and Hospitality with Vishing Attacks — www.infosecurity-magazine.com — 27.04.2026 11:15
- Exfiltrated data is extracted using Salesforce API access and standard SharePoint download functions, targeting files containing terms such as 'confidential' and 'SSN' before being published on a dark web leak site.
  First reported: 24.04.2026 21:26 · 2 sources, 2 articles
  - New BlackFile extortion group linked to surge of vishing attacks — www.bleepingcomputer.com — 24.04.2026 21:26
  - BlackFile Group Targets Retail and Hospitality with Vishing Attacks — www.infosecurity-magazine.com — 27.04.2026 11:15
- Extortion demands are delivered via compromised employee email accounts or randomly generated Gmail addresses following the data theft phase.
  First reported: 24.04.2026 21:26 · 2 sources, 2 articles
  - New BlackFile extortion group linked to surge of vishing attacks — www.bleepingcomputer.com — 24.04.2026 21:26
  - BlackFile Group Targets Retail and Hospitality with Vishing Attacks — www.infosecurity-magazine.com — 27.04.2026 11:15
- Additional pressure tactics include swatting attempts against employees and executives of compromised organizations.
  First reported: 24.04.2026 21:26 · 1 source, 1 article
  - New BlackFile extortion group linked to surge of vishing attacks — www.bleepingcomputer.com — 24.04.2026 21:26
- Unit 42 researchers have linked BlackFile with moderate confidence to 'The Com', a loose-knit network of English-speaking cybercriminals involved in extortion, recruitment of young individuals, and CSAM production.
  First reported: 24.04.2026 21:26 · 2 sources, 2 articles
  - New BlackFile extortion group linked to surge of vishing attacks — www.bleepingcomputer.com — 24.04.2026 21:26
  - BlackFile Group Targets Retail and Hospitality with Vishing Attacks — www.infosecurity-magazine.com — 27.04.2026 11:15
- Mandiant has confirmed active response to multiple vishing-linked incidents resulting in data theft and extortion, including one involving a now-offline BlackFile victim-shaming site.
  First reported: 24.04.2026 21:26 · 1 source, 1 article
  - New BlackFile extortion group linked to surge of vishing attacks — www.bleepingcomputer.com — 24.04.2026 21:26
- Palo Alto Networks’ Unit 42 and the Retail and Hospitality Information Security and Analysis Center (RH-ISAC) jointly published a report on April 23, 2026, detailing BlackFile’s tactics under the activity cluster CL-CRI-1116.
  First reported: 27.04.2026 11:15 · 1 source, 1 article
  - BlackFile Group Targets Retail and Hospitality with Vishing Attacks — www.infosecurity-magazine.com — 27.04.2026 11:15
- BlackFile leverages antidetect browsers and residential proxies to mask geographic locations and bypass IP-based reputation filters during vishing campaigns.
  First reported: 27.04.2026 11:15 · 1 source, 1 article
  - BlackFile Group Targets Retail and Hospitality with Vishing Attacks — www.infosecurity-magazine.com — 27.04.2026 11:15
- The group performs SaaS data discovery and abuses Salesforce API access and SharePoint download functions to exfiltrate large volumes of data, including CSV datasets of employee phone numbers and confidential business reports.
  First reported: 27.04.2026 11:15 · 1 source, 1 article
  - BlackFile Group Targets Retail and Hospitality with Vishing Attacks — www.infosecurity-magazine.com — 27.04.2026 11:15
- Extortion demands are typically seven-figure sums and may be delivered via random Gmail addresses or compromised employee email accounts.
  First reported: 27.04.2026 11:15 · 1 source, 1 article
  - BlackFile Group Targets Retail and Hospitality with Vishing Attacks — www.infosecurity-magazine.com — 27.04.2026 11:15
- Security recommendations include policies for managing identity verification during calls, restricting information shared via phone, and limiting IT support actions per call without escalation.
  First reported: 27.04.2026 11:15 · 1 source, 1 article
  - BlackFile Group Targets Retail and Hospitality with Vishing Attacks — www.infosecurity-magazine.com — 27.04.2026 11:15
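The snippets above describe a chain worth correlating in audit logs: a newly registered MFA device on an account, followed within hours by downloads of SharePoint or Salesforce files whose names contain terms like 'confidential' or 'SSN'. The following Python check is an added example, not code from the page or from the Unit 42/RH-ISAC report; the event names, fields and sample paths are constructed assumptions and do not reflect any real product's log format.

```python
from datetime import datetime, timedelta
import re

# Constructed sample audit events (hypothetical format, not a vendor log schema):
# (timestamp, user, action, detail).
SAMPLE_EVENTS = [
    ("2026-04-20T09:02:00", "j.doe", "login", "ip=203.0.113.7"),
    ("2026-04-20T09:05:00", "j.doe", "mfa_device_registered", "device=new-phone"),
    ("2026-04-20T10:10:00", "j.doe", "file_download", "sharepoint:/Finance/Confidential_Q1.xlsx"),
    ("2026-04-20T10:11:00", "j.doe", "file_download", "sharepoint:/HR/employee_SSN_list.csv"),
    ("2026-04-20T10:12:00", "j.doe", "file_download", "salesforce:/reports/contacts_export.csv"),
    ("2026-04-20T10:13:00", "j.doe", "file_download", "sharepoint:/HR/confidential_salaries.csv"),
    ("2026-04-22T10:13:00", "j.doe", "file_download", "sharepoint:/Legal/confidential_nda.pdf"),
    ("2026-04-20T11:00:00", "a.smith", "mfa_device_registered", "device=laptop"),
    ("2026-04-20T11:30:00", "a.smith", "file_download", "sharepoint:/Team/lunch_menu.pdf"),
    ("2026-04-21T14:00:00", "b.lee", "file_download", "sharepoint:/Legal/confidential_nda.pdf"),
]

# Keyword list mirrors the terms the reporting says the group searches for.
SENSITIVE_TERMS = re.compile(r"confidential|ssn", re.IGNORECASE)
WINDOW = timedelta(hours=24)  # assumed correlation window


def flag_new_device_then_bulk_download(events, min_sensitive=2):
    """Return {user: count} for users who registered a new MFA device and then,
    within WINDOW, downloaded at least min_sensitive files whose path matches
    SENSITIVE_TERMS. Events may arrive unsorted; downloads outside the window
    or before any registration are ignored."""
    events = sorted(events, key=lambda e: e[0])
    registered = {}  # user -> time of most recent device registration
    hits = {}        # user -> sensitive downloads since that registration
    for ts, user, action, detail in events:
        t = datetime.fromisoformat(ts)
        if action == "mfa_device_registered":
            registered[user] = t
            hits[user] = 0
        elif action == "file_download" and user in registered:
            if t - registered[user] <= WINDOW and SENSITIVE_TERMS.search(detail):
                hits[user] += 1
    return {u: n for u, n in hits.items() if n >= min_sensitive}


if __name__ == "__main__":
    for user, n in flag_new_device_then_bulk_download(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {n} sensitive downloads after new device registration")
```

In a real deployment the registration and download events would come from the identity provider and the SaaS audit logs respectively, and the threshold should be tuned against normal baseline activity for the role.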
Similar Happenings
Telephone-Oriented Attack Delivery (TOAD) Bypasses Secure Email Gateways
Telephone-Oriented Attack Delivery (TOAD) emails, which contain only a phone number as the payload, are bypassing secure email gateways and becoming a significant threat. These attacks, which accounted for nearly 28% of gateway-bypassing detections, exploit the simplicity of a phone number to evade detection and manipulate victims into revealing sensitive information or granting remote access. The attacks are particularly effective due to their ability to blend in with legitimate business communications and the increasing sophistication of evasion tactics.
Optimizely Data Breach After Vishing Attack
An ongoing wave of vishing-led breaches attributed to ShinyHunters has claimed a new victim: Aura, a digital safety firm. The attack exposed contact details of nearly 900,000 individuals, stemming from a marketing tool inherited in a 2021 acquisition. ShinyHunters claimed the theft of 12GB of files containing PII and corporate data, releasing it after failed extortion attempts. The company emphasized no SSNs, passwords, or financial data were compromised and is conducting an internal review with law enforcement involvement. Earlier in February, Optimizely disclosed a similar breach following a voice phishing attack that compromised basic business contact information. Both incidents underscore the continued exploitation of vishing tactics by ShinyHunters to gain initial access to organizations, with impacts focused on contact data rather than deeper system compromise.
Figure Fintech Breach Exposes 967,200 Accounts via Social Engineering
Figure Technology Solutions, a blockchain-based fintech firm, suffered a data breach affecting nearly 1 million accounts. Hackers stole personal and contact information through a social engineering attack. The breach was attributed to the ShinyHunters extortion group, which leaked 2.5GB of data from loan applicants. The attackers impersonated IT support to trick employees into providing access to SSO accounts, gaining entry to various enterprise applications.
Increased Social Engineering Attacks Targeting MFA and Help Desks
Threat actors, including groups like Scattered Spider, are increasingly using social engineering tactics to bypass multi-factor authentication (MFA) and gain unauthorized access to enterprise networks. These attacks often target help desk personnel, exploiting human vulnerabilities to reset passwords or override MFA. The FBI and CISA have issued alerts about the growing threat of such high-touch social engineering campaigns. The attack on Clorox by Scattered Spider resulted in approximately $380 million in damages, including $49 million in remedial costs and hundreds of millions in business-interruption losses. The attackers exploited the service desk run by Cognizant, repeatedly phoning to obtain password and MFA resets without meaningful verification. This incident highlights the need for robust caller verification and stringent security protocols in help desk operations. Organizations must rethink their help desk operations, focusing on training, validation processes, and a security-first culture. Frontline staff need to recognize red flags and escalate suspicious requests. Executives and senior leaders should model verification behavior, reinforcing that diligence is expected throughout the organization. Effective defense against these attacks requires ongoing training, relevant simulations, and a culture that prioritizes security over speed. Help desk and security teams must collaborate closely to identify and mitigate potential threats.