
BlackFile Group Targets Retail, Hospitality via Vishing Attacks

Summary

– A new extortion group, tracked as CL-CRI-1116 and linked to BlackFile and “The Com,” has been targeting retail and hospitality businesses since February 2026.
– The attackers use vishing and phishing to steal credentials, bypassing MFA by registering new devices and moving laterally to high-privileged accounts.
– They “live off the land” by abusing APIs and legitimate resources, exfiltrating data via browser sessions and API exports from platforms like SharePoint and Salesforce.
– The group demands seven-figure payments, using Gmail addresses, compromised employee emails, and occasionally swatting executives to pressure victims.
– Defenses include strict security policies, multi-factor identity verification for calls, and simulation-based training for staff to recognize social engineering.

A new cyber extortion group has been targeting the retail and hospitality sectors since February 2026, according to a joint report from Palo Alto Networks’ Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC). The report, published April 23, details the financially motivated activities of a cluster identified as CL-CRI-1116, which researchers link to the groups BlackFile, UNC6671, and Cordial Spider. This cluster is also believed to have ties to the notorious collective known as “The Com.”

Unlike many cybercriminal operations, this group does not rely on custom malware. Instead, it employs a living-off-the-land strategy, abusing legitimate application programming interfaces (APIs) and internal resources to infiltrate networks. The primary entry method is vishing attacks, where threat actors impersonate IT helpdesk staff. They use spoofed VoIP numbers or fraudulent Caller ID names to conceal their identity, aiming to steal credentials and one-time passwords. These attacks are supported by phishing pages that mimic legitimate corporate single sign-on portals. To further evade detection, the attackers use antidetect browsers and residential proxies, masking their geographic location and bypassing basic IP-based reputation filters.

Once initial access is gained through credential theft, BlackFile operators register new devices to bypass multi-factor authentication (MFA) and maintain persistence. They then move laterally from standard employee accounts to high-privileged ones, scraping internal employee directories to build contact lists for executives. By compromising these senior accounts through further social engineering, they gain persistent, broad-spectrum access that mirrors legitimate executive activity.

Inside the victim’s network, the group focuses on SaaS data discovery, API abuse, and scraping SharePoint sites. They search for keywords like “confidential” and “SSN” to locate high-value files and reports in SharePoint and Salesforce. Data exfiltration occurs directly through the browser or via API exports, with attackers leveraging Salesforce API access and standard SharePoint download functions to move large volumes of data, including CSV datasets of employee phone numbers and confidential business reports. Because this activity runs inside legitimate SSO-authenticated sessions, with the same browser and user agent as an ordinary employee, it does not trip alerts that key on anomalous user agents; the detectable signal is the behaviour (new authenticator registrations after a sign-in from an unfamiliar IP, sensitive-term searches, and bulk downloads or exports), not the tooling.
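The two preceding paragraphs describe a chain (sign-in from a new location, authenticator registration, keyword search, bulk SharePoint download, large Salesforce export) that is invisible to user-agent or IP-reputation checks but quite visible in audit logs as behaviour. The following is an added example, not code from the report or from Unit 42 or RH-ISAC, showing how those four behaviours can be scored over an audit trail. The log schema (`op`, `user`, `ip`, `app`, `rows`, `query` fields), the sample events, and the thresholds (30-minute registration window, 25 downloads in 15 minutes, 10,000 exported rows) are all constructed assumptions for illustration; real Entra ID, SharePoint and Salesforce audit records use different field names and would need a normalisation step first.

```python
"""Behavioural detections for helpdesk-vishing -> MFA-device-registration ->
SaaS bulk exfiltration tradecraft. Added example; the audit-log schema and
sample events below are constructed, not real vendor telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SENSITIVE_TERMS = ("confidential", "ssn")  # assumed keyword list


def _t(s):
    return datetime.fromisoformat(s)


def _downloads(user, ip, start, n, step_s=10):
    """Construct n SharePoint FileDownloaded events spaced step_s seconds apart."""
    return [{"ts": (_t(start) + timedelta(seconds=i * step_s)).isoformat(), "user": user,
             "op": "FileDownloaded", "app": "SharePoint", "ip": ip,
             "obj": f"/sites/HR/report_{i}.xlsx"} for i in range(n)]


# Constructed sample audit trail (hypothetical schema). j.doe is the compromised
# account; a.lee is a benign user doing ordinary work.
EVENTS = (
    [{"ts": "2026-02-20T08:00:00", "user": "j.doe", "op": "SignIn", "ip": "198.51.100.7"},
     {"ts": "2026-03-03T09:12:00", "user": "j.doe", "op": "SignIn", "ip": "203.0.113.5"},
     {"ts": "2026-03-03T09:14:10", "user": "j.doe", "op": "RegisterAuthenticator", "ip": "203.0.113.5"},
     {"ts": "2026-03-03T09:20:00", "user": "j.doe", "op": "SearchQuery", "app": "SharePoint",
      "ip": "203.0.113.5", "query": "confidential SSN"},
     {"ts": "2026-03-03T09:45:00", "user": "j.doe", "op": "ApiExport", "app": "Salesforce",
      "ip": "203.0.113.5", "rows": 48000},
     {"ts": "2026-03-03T10:00:00", "user": "a.lee", "op": "SignIn", "ip": "192.0.2.44"},
     {"ts": "2026-03-03T10:05:00", "user": "a.lee", "op": "SearchQuery", "app": "SharePoint",
      "ip": "192.0.2.44", "query": "Q1 menu pricing"}]
    + _downloads("j.doe", "203.0.113.5", "2026-03-03T09:25:00", 40)
    + _downloads("a.lee", "192.0.2.44", "2026-03-03T10:06:00", 3, step_s=120)
)


def sort_events(events):
    # ISO-8601 timestamps of identical shape sort correctly as strings.
    return sorted(events, key=lambda e: e["ts"])


def detect_new_device_after_new_ip_signin(events, window=timedelta(minutes=30)):
    """Flag an authenticator registration within `window` of a sign-in from an IP
    the user has not used earlier in this log (the MFA-bypass/persistence step).
    In production, seed seen_ips from a longer historical baseline."""
    alerts, seen_ips, last_new_ip_signin = [], defaultdict(set), {}
    for e in sort_events(events):
        u = e["user"]
        if e["op"] == "SignIn":
            if e["ip"] not in seen_ips[u]:
                last_new_ip_signin[u] = e
            seen_ips[u].add(e["ip"])
        elif e["op"] == "RegisterAuthenticator" and u in last_new_ip_signin:
            s = last_new_ip_signin[u]
            if _t(e["ts"]) - _t(s["ts"]) <= window:
                alerts.append((u, s["ip"], e["ts"]))
    return alerts


def detect_bulk_downloads(events, threshold=25, window=timedelta(minutes=15)):
    """Sliding-window count of downloads per user; fires once per user when the
    count inside the window reaches `threshold`."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for e in sort_events(events):
        if e["op"] != "FileDownloaded":
            continue
        q = recent[e["user"]]
        q.append(_t(e["ts"]))
        while q and q[-1] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["user"] not in fired:
            fired.add(e["user"])
            alerts.append((e["user"], len(q), e["ts"]))
    return alerts


def detect_sensitive_search(events, terms=SENSITIVE_TERMS):
    """Loose substring match on search queries for the terms the group hunts for."""
    return [(e["user"], e["query"]) for e in events
            if e["op"] == "SearchQuery" and any(t in e["query"].lower() for t in terms)]


def detect_large_api_export(events, row_threshold=10000):
    """Flag API exports (e.g. Salesforce bulk queries) above an assumed row count."""
    return [(e["user"], e["app"], e["rows"]) for e in events
            if e["op"] == "ApiExport" and e.get("rows", 0) >= row_threshold]


def run_detections(events):
    return {
        "new_device_after_new_ip_signin": detect_new_device_after_new_ip_signin(events),
        "bulk_downloads": detect_bulk_downloads(events),
        "sensitive_search": detect_sensitive_search(events),
        "large_api_export": detect_large_api_export(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(EVENTS).items():
        print(f"{name}: {hits}")
```

Run as a script it prints one line per detection; only j.doe appears in every one, while a.lee's sign-in, search and three downloads stay quiet. The point of chaining the four signals on one account is that each alone is noisy (new authenticators get registered legitimately, "confidential" is a common word), but the sequence within a single morning is the report's described kill chain and is worth an analyst's time regardless of how clean the user agent looks.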

Extortion demands are communicated via random Gmail addresses or compromised employee email accounts, typically demanding seven-figure sums. In some cases, the group resorts to swatting C-suite executives and others to pressure payment.

To defend against these tactics, the report recommends focusing on security policies, multi-factor identity verification for callers, and clear protocols around information sharing and IT support actions during calls. Security awareness training for frontline phone staff, particularly simulation-based scenarios that identify signs of social engineering, is also advised. This includes recognizing vague answers to identity questions and high-pressure requests for immediate action.

(Source: Infosecurity Magazine)
