BlackFile extortion group linked to rise in vishing attacks

Summary
– A financially motivated hacking group called BlackFile has been conducting data theft and extortion attacks against retail and hospitality organizations since February 2026.
– The group uses vishing calls, posing as IT helpdesk staff from spoofed numbers, to steal employee credentials and demand seven-figure ransoms.
– BlackFile is linked with moderate confidence to “The Com,” a cybercriminal network known for targeting youth and producing child sexual exploitation material.
– Attackers use stolen credentials to bypass multifactor authentication, escalate access to executive accounts, and steal data from Salesforce and SharePoint servers.
– Victims are extorted via compromised email accounts or Gmail addresses, and employees, including executives, face swatting attempts as additional pressure.
A new cybercriminal group known as BlackFile has been tied to a surge in data theft and extortion attacks targeting the retail and hospitality sectors, with activity escalating since February 2026, according to recent intelligence from cybersecurity experts.
Tracked under multiple aliases including CL-CRI-1116, UNC6671, and Cordial Spider, the group employs a deceptive technique: impersonating corporate IT helpdesk staff through phone calls to trick employees into surrendering their credentials. Palo Alto Networks’ Unit 42 shared these findings with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), noting that the attackers are demanding ransoms in the seven-figure range.
Unit 42 researchers have also linked BlackFile with moderate confidence to “The Com,” a loosely organized English-speaking cybercriminal network notorious for recruiting young individuals into activities involving extortion, violence, and the production of child sexual exploitation material (CSAM). This connection underscores the group’s broader, more dangerous affiliations.
The attack chain begins with vishing (voice phishing) calls from spoofed VoIP numbers or fraudulent Caller ID Names (CNAM). The callers pose as IT support staff, directing employees to fake corporate login pages where they are prompted to enter their credentials and one-time passcodes. “The attackers behind CL-CRI-1116 use voice-based phishing from spoofed numbers as a social engineering technique, typically posing as IT support staff,” RH-ISAC explained in a Thursday report.
Once credentials are stolen, BlackFile registers its own devices to bypass multifactor authentication. The group then escalates access to executive-level accounts by scraping internal employee directories. Data is exfiltrated from victims’ Salesforce and SharePoint servers using standard API functions, with searches specifically targeting files containing keywords like “confidential” and “SSN.”
Stolen documents are downloaded to attacker-controlled servers and published on the gang’s dark web data leak site. Victims are then contacted with ransom demands via compromised employee email accounts or randomly generated Gmail addresses. “By leveraging Salesforce API access and standard SharePoint download functions, the attackers move large volumes of data – including CSV datasets of employee phone numbers and confidential business reports – to attacker-controlled infrastructure,” RH-ISAC added. “This is often done under the guise of legitimate SSO-authenticated sessions to avoid triggering simple user-agent alerts.”
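The report notes that the exfiltration rides on legitimate SSO sessions, so a single-event rule on user agents will not catch it. The added example below (not code from the article, RH-ISAC or Unit 42) correlates two signals the report does describe: a newly registered MFA device on an account, followed within a window by bulk downloads and searches for terms such as "confidential" and "SSN". The event schema, field names and sample events are constructed for illustration, not any product's real log format.

```python
# Correlate "new MFA device registered" with bulk downloads/searches that follow.
# Assumed event tuple: (iso_timestamp, user, action, detail); values are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)        # look-back after a device registration
BULK_THRESHOLD = 20                 # downloads per account inside the window
KEYWORDS = ("confidential", "ssn")  # terms the report says attackers search for

# Constructed sample audit trail: one account shows the pattern, one is benign.
SAMPLE_EVENTS = [
    ("2026-03-02T09:00:00", "j.doe", "login", "sso"),
    ("2026-03-02T09:04:00", "j.doe", "mfa_device_registered", "new-phone"),
] + [("2026-03-02T10:%02d:00" % i, "j.doe", "file_download",
      "Q1_confidential_report_%d.pdf" % i) for i in range(25)] + [
    ("2026-03-02T10:30:00", "j.doe", "search", "SSN"),
    ("2026-03-02T11:00:00", "a.lee", "login", "sso"),
    ("2026-03-02T11:05:00", "a.lee", "file_download", "lunch_menu.docx"),
]

def correlate(events, window=WINDOW, threshold=BULK_THRESHOLD):
    """Return one alert per (user, device registration) whose download count
    within `window` reaches `threshold`; alerts list matched sensitive terms."""
    registrations = defaultdict(list)   # user -> [registration times]
    downloads = defaultdict(list)       # user -> [(time, filename)]
    searches = defaultdict(list)        # user -> [search terms]
    for ts, user, action, detail in sorted(events):   # ISO strings sort by time
        t = datetime.fromisoformat(ts)
        if action == "mfa_device_registered":
            registrations[user].append(t)
        elif action == "file_download":
            downloads[user].append((t, detail))
        elif action == "search":
            searches[user].append(detail)
    alerts = []
    for user, regs in registrations.items():
        for reg in regs:
            hits = [f for t, f in downloads[user] if reg <= t <= reg + window]
            if len(hits) >= threshold:
                kw = sorted({k for k in KEYWORDS
                             if any(k in f.lower() for f in hits)
                             or any(k in s.lower() for s in searches[user])})
                alerts.append({"user": user,
                               "device_registered_at": reg.isoformat(),
                               "downloads_in_window": len(hits),
                               "sensitive_keywords": kw})
    return alerts
```

Tune the window and threshold to the baseline of the environment; the point is that neither signal alone is suspicious, but the sequence is.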
Adding to the pressure, compromised companies, including senior executives, have been targeted with swatting attempts, where false emergency calls are made to law enforcement. This tactic is used to further intimidate victims.
Jason S. T. Kotler, founder and CEO of CyberSteward, confirmed the trend: “We can confirm that we are seeing a significant increase in Blackfile matters and that TTPs appear to be very similar to such groups as ShinyHunters and SLSH and similar copycats employing vishing/social engineering data exploit tactics.” Mandiant also told BleepingComputer that they are actively responding to several vishing incidents leading to data theft and extortion, including one that used a BlackFile victim-shaming site now taken offline.
To defend against these attacks, RH-ISAC advises organizations to strengthen call-handling policies, enforce multifactor identity verification for callers, and conduct simulation-based social engineering training for frontline staff. Proactive measures remain critical to reducing the success rate of BlackFile’s sophisticated vishing campaigns.
(Source: BleepingComputer)