BlackFile Extortion Group Targeting Retail and Hospitality with Sophisticated Vishing Campaigns

Security Reporter

A new financially motivated hacking group known as BlackFile is behind a surge of vishing attacks against retail and hospitality organizations, using sophisticated social engineering techniques to steal credentials and demand seven-figure ransoms.

A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026. The group, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is impersonating corporate IT helpdesk staff to steal employee credentials and demand seven-figure ransoms, according to information shared by cybersecurity firm Palo Alto Networks' Unit 42 with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).

BlackFile data leak site (RH-ISAC)

Unit 42 security researchers have also linked BlackFile with moderate confidence to "The Com," a loose-knit network of English-speaking cybercriminals known for targeting and recruiting young people for extortion, violence, and the production of child sexual exploitation material (CSAM). This connection suggests that BlackFile may have access to more extensive criminal networks and resources than typical extortion groups.

In a recent report, RH-ISAC detailed how the group's attacks begin with phone calls to employees from spoofed numbers, in which the threat actors pose as IT support to lure staff to fake corporate login pages that ask them to enter their credentials and one-time passcodes.

"The attackers behind CL-CRI-1116 use voice-based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social engineering technique, typically posing as IT support staff," RH-ISAC explained. "We can confirm that we are seeing a significant increase in Blackfile matters and that TTPs appear to be very similar to such groups as ShinyHunters and SLSH and similar copycats employing vishing/social engineering data exploit tactics."

Using stolen credentials, the BlackFile attackers register their own devices to bypass multifactor authentication, then escalate access to executive-level accounts by scraping internal employee directories. This technique allows them to move laterally through the organization's network without triggering immediate alarms.

"By leveraging Salesforce API access and standard SharePoint download functions, the attackers move large volumes of data – including CSV datasets of employee phone numbers and confidential business reports – to attacker-controlled infrastructure," RH-ISAC added. "This is often done under the guise of legitimate SSO-authenticated sessions to avoid triggering simple user-agent alerts."

BlackFile specifically targets Salesforce and SharePoint servers, using standard API functions to search for files containing sensitive terms such as "confidential" and "SSN." The exfiltrated documents are downloaded to attacker-controlled servers and published to the gang's dark web data leak site before victims are contacted with ransom demands via compromised employee email accounts or randomly generated Gmail addresses.


Employees of compromised companies (including senior executives) have also been targets of swatting attempts, which involve making false emergency calls to responders. Attackers often use this tactic to exert additional pressure on their victims, creating a sense of urgency and fear that complements their digital extortion efforts.

"The attackers behind BlackFile demonstrate a concerning level of operational sophistication," said Jason S.T. Kotler, founder and CEO of CyberSteward. "Their ability to combine traditional social engineering techniques with API-based data exfiltration represents a significant threat to organizations that haven't implemented comprehensive identity verification protocols for all access methods."

Mandiant has also confirmed they are actively responding to several vishing incidents that led to data theft and extortion, including one that used a BlackFile victim-shaming site that is now offline. This suggests that while the group is relatively new, they've already caused significant damage to multiple organizations.

To reduce the success rate of BlackFile's attacks, RH-ISAC recommends that organizations strengthen their call-handling policies, enforce multifactor identity verification for callers, and conduct simulation-based social engineering training for frontline staff. Organizations should also implement strict controls over API access to critical systems like Salesforce and SharePoint, and monitor for unusual data access patterns.

"The human element remains the most vulnerable point in most security architectures," noted Kotler. "Until organizations implement robust identity verification for all communication channels – including voice – attackers will continue to exploit this weakness. The combination of technical controls and employee awareness is essential to mitigating threats like BlackFile."

For organizations concerned about potential BlackFile activity, RH-ISAC recommends reviewing call logs for suspicious patterns, implementing caller verification procedures for IT support requests, and conducting immediate audits of Salesforce and SharePoint access logs for unusual activity.
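As an added illustration that is not part of the RH-ISAC report or Unit 42's research, the following Python correlates the sequence described above (a new MFA device enrolled on an account, followed within a short window by downloads of files named with sensitive terms) over constructed audit events; the event schema, field names and thresholds are assumptions that would need mapping to a real SharePoint or Salesforce audit export.

```python
"""Flag accounts where a new MFA device enrolment is followed within a window
by repeated downloads of files whose names contain sensitive terms."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields are assumed: time, user, action, detail.
EVENTS = [
    {"time": "2026-03-02T09:01:00", "user": "alice", "action": "mfa_device_added", "detail": "iPhone"},
    {"time": "2026-03-02T09:12:00", "user": "alice", "action": "file_download", "detail": "Q1_confidential_report.xlsx"},
    {"time": "2026-03-02T09:13:00", "user": "alice", "action": "file_download", "detail": "payroll_SSN.csv"},
    {"time": "2026-03-02T09:14:00", "user": "alice", "action": "file_download", "detail": "vendor_confidential.pdf"},
    {"time": "2026-03-02T10:00:00", "user": "bob", "action": "mfa_device_added", "detail": "Android"},
    {"time": "2026-03-03T10:30:00", "user": "bob", "action": "file_download", "detail": "lunch_menu.pdf"},
    {"time": "2026-03-02T11:00:00", "user": "carol", "action": "file_download", "detail": "ssn_audit.csv"},
]

SENSITIVE_TERMS = ("confidential", "ssn")  # terms named in the report
WINDOW = timedelta(hours=24)                # assumed correlation window
DOWNLOAD_THRESHOLD = 3                      # assumed minimum sensitive downloads


def parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious(events, window=WINDOW, threshold=DOWNLOAD_THRESHOLD):
    """Return {user: [downloaded file names]} for accounts that enrolled a new MFA
    device and, within `window` of that enrolment, downloaded at least `threshold`
    files whose names contain one of SENSITIVE_TERMS."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = {}
    for user, evs in by_user.items():
        enrolments = [parse(e["time"]) for e in evs if e["action"] == "mfa_device_added"]
        for t0 in enrolments:
            suspicious = [
                e["detail"] for e in evs
                if e["action"] == "file_download"
                and t0 <= parse(e["time"]) <= t0 + window
                and any(term in e["detail"].lower() for term in SENSITIVE_TERMS)
            ]
            if len(suspicious) >= threshold:
                hits[user] = suspicious
                break  # one hit per account is enough to raise an alert
    return hits


if __name__ == "__main__":
    for user, files in find_suspicious(EVENTS).items():
        print(f"ALERT {user}: new MFA device followed by sensitive downloads {files}")
```

Accounts with no enrolment (carol) or with downloads outside the window and without sensitive names (bob) are not flagged; only alice matches the full sequence.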

More information about BlackFile and recommended defensive measures can be found in the RH-ISAC report and Palo Alto Networks' Unit 42 blog.
