
    New BlackFile extortion group linked to surge of vishing attacks

    By admin, April 25, 2026

    A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026.

    The group, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is impersonating corporate IT helpdesk staff to steal employee credentials and demand seven-figure ransoms, according to information shared by cybersecurity firm Palo Alto Networks’ Unit 42 with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).

    Unit 42 security researchers have also linked BlackFile with moderate confidence to “The Com,” a loose-knit network of English-speaking cybercriminals known for targeting and recruiting young people for extortion, violence, and the production of child sexual exploitation material (CSAM).


    In a Thursday report, RH-ISAC said that the group’s attacks begin with phone calls to employees from spoofed numbers, in which the threat actors pose as IT support to lure staff to fake corporate login pages that ask them to enter their credentials and one-time passcodes.

    “The attackers behind CL-CRI-1116 use voice-based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social engineering technique, typically posing as IT support staff,” RH-ISAC said.

    “We can confirm that we are seeing a significant increase in Blackfile matters and that TTPs appear to be very similar to such groups as ShinyHunters and SLSH and similar copycats employing vishing/social engineering data exploit tactics,” CyberSteward founder and CEO Jason S.T. Kotler also told BleepingComputer.

    Using stolen credentials, the BlackFile attackers register their own devices to bypass multifactor authentication, then escalate access to executive-level accounts by scraping internal employee directories.

    BlackFile steals data from victims’ Salesforce and SharePoint servers using standard API functions, searching specifically for files containing terms such as “confidential” and “SSN.”

    The exfiltrated documents are downloaded to attacker-controlled servers and published to the gang’s dark web data leak site before victims are contacted with ransom demands via compromised employee email accounts or randomly generated Gmail addresses.

    Figure: BlackFile data leak site (RH-ISAC)

    “By leveraging Salesforce API access and standard SharePoint download functions, the attackers move large volumes of data – including CSV datasets of employee phone numbers and confidential business reports – to attacker-controlled infrastructure,” RH-ISAC added.

    “This is often done under the guise of legitimate SSO-authenticated sessions to avoid triggering simple user-agent alerts.”
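Because the sessions are SSO-authenticated and user-agent alerts are evaded, a detection has to key on behavior instead. The following is an added example, not code from RH-ISAC or Unit 42: it correlates a new MFA device registration with later bulk downloads or searches for the terms named above. The event schema, event names, time window and download threshold are assumptions, and the log data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (time, user, event, detail); hypothetical schema.
EVENTS = [
    ("2026-04-20T09:02:00", "alice", "mfa_device_registered", "phone-2"),
    ("2026-04-20T09:10:00", "alice", "search", "confidential"),
    ("2026-04-20T09:11:00", "alice", "search", "SSN"),
    *[(f"2026-04-20T09:{15 + i:02d}:00", "alice", "file_download", f"f{i}.csv")
      for i in range(30)],
    ("2026-04-20T10:00:00", "bob", "mfa_device_registered", "phone-7"),
    ("2026-04-20T10:05:00", "bob", "file_download", "menu.pdf"),
    ("2026-04-18T08:00:00", "dave", "mfa_device_registered", "laptop-3"),
    ("2026-04-22T08:00:00", "dave", "search", "SSN"),  # outside the window
    *[(f"2026-04-21T11:{i:02d}:00", "carol", "file_download", f"r{i}.csv")
      for i in range(40)],  # bulk download, but no new device
]

SENSITIVE_TERMS = {"confidential", "ssn"}  # terms named in the report
WINDOW = timedelta(hours=24)               # assumed correlation window
DOWNLOAD_THRESHOLD = 25                    # assumed; tune to a baseline

def correlate(events, window=WINDOW, threshold=DOWNLOAD_THRESHOLD):
    """Map user -> reasons when a new MFA device precedes bulk access."""
    by_user = defaultdict(list)
    for ts, user, kind, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), kind, detail))
    findings = {}
    for user, rows in by_user.items():
        rows.sort()
        for reg_ts, kind, _ in rows:
            if kind != "mfa_device_registered":
                continue
            after = [(k, d) for t, k, d in rows if reg_ts < t <= reg_ts + window]
            downloads = sum(1 for k, _ in after if k == "file_download")
            terms = sorted({d.lower() for k, d in after
                            if k == "search" and d.lower() in SENSITIVE_TERMS})
            reasons = []
            if downloads >= threshold:
                reasons.append(f"{downloads} downloads")
            if terms:
                reasons.append("searched: " + ", ".join(terms))
            if reasons:
                findings[user] = reasons
                break
    return findings

if __name__ == "__main__":
    print(correlate(EVENTS))
```

Only the constructed user alice is flagged; carol's bulk download has no preceding device registration, so a separate volume baseline would be needed to catch that case.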

    Employees of compromised companies (including senior executives) have also been targets of swatting attempts, which involve making false emergency calls to responders. Attackers often use this tactic to exert additional pressure on their victims.

    Mandiant also told BleepingComputer that they are actively responding to several vishing incidents that led to data theft and extortion, including one that used a BlackFile victim-shaming site that is now offline.

    To reduce the success rate of BlackFile’s attacks, RH-ISAC recommends that organizations strengthen their call-handling policies, enforce multifactor identity verification for callers, and conduct simulation-based social engineering training for frontline staff.

