New BlackFile extortion group linked to surge of vishing attacks

Published: April 24, 2026 at 02:26 PM EDT

Source: Bleeping Computer

Overview

A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026.

The group, also known as CL‑CRI‑1116, UNC6671 (see the Google Cloud blog post), and Cordial Spider (details on CrowdStrike), impersonates corporate IT help‑desk staff to steal employee credentials and demand seven‑figure ransoms. Information was shared by Palo Alto Networks’ Unit 42 with the Retail & Hospitality Information Sharing and Analysis Center (RH‑ISAC).

Unit 42 researchers have also linked BlackFile, with moderate confidence, to “The Com”, a loose‑knit network of English‑speaking cybercriminals known for targeting and recruiting young people for extortion, violence, and the production of child sexual exploitation material (CSAM) (BleepingComputer article).

Attack Techniques

RH‑ISAC reports that BlackFile’s attacks begin with phone calls from spoofed numbers. The threat actors pose as IT support and direct staff to fake corporate login pages that request credentials and one‑time passcodes.

“The attackers behind CL‑CRI‑1116 use voice‑based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social‑engineering technique, typically posing as IT support staff,” – RH‑ISAC.

Using stolen credentials, the attackers:

  • Register their own devices to bypass multifactor authentication.
  • Scrape internal employee directories to elevate access to executive‑level accounts.
  • Deploy standard API calls against Salesforce and SharePoint servers, searching for files containing terms such as “confidential” and “SSN”.

Data Exfiltration

Exfiltrated documents are downloaded to attacker‑controlled servers and later published on the gang’s dark‑web data‑leak site.

[Image: BlackFile data leak site (RH‑ISAC)]

“By leveraging Salesforce API access and standard SharePoint download functions, the attackers move large volumes of data – including CSV datasets of employee phone numbers and confidential business reports – to attacker‑controlled infrastructure,” – RH‑ISAC.
“This is often done under the guise of legitimate SSO‑authenticated sessions to avoid triggering simple user‑agent alerts.”

Victims are subsequently contacted with ransom demands via compromised employee email accounts or randomly generated Gmail addresses.
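The post-compromise pattern described above (a newly registered MFA device on a stolen account, followed by bulk downloads of files whose names contain terms such as "confidential" or "SSN" through otherwise legitimate SSO sessions) is something a defender can correlate from audit logs rather than from user-agent strings alone. The following is an added example, not code from the article, RH‑ISAC or Unit 42: a small Python correlation rule over constructed sample audit events. The event schema (`ts`, `user`, `event`, `detail`), the event names and the file paths are all assumptions for this demo; real identity-provider, SharePoint and Salesforce audit exports use their own field names and would need to be mapped onto this shape first.

```python
"""
Added example (not from the article): flag accounts where a new MFA device
registration is followed, within a short window, by a burst of file downloads
or by any download of a file whose name contains a sensitive term.
All events below are constructed for the demo; field names are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real log data). Timestamps are ISO 8601 UTC.
SAMPLE_EVENTS = [
    # alice: new device registered, then six downloads, two of them sensitive -> alert
    {"ts": "2026-03-02T09:14:05Z", "user": "alice", "event": "mfa_device_registered", "detail": "Authenticator app (new)"},
    {"ts": "2026-03-02T09:20:10Z", "user": "alice", "event": "file_download", "detail": "sharepoint:/HR/Org_Chart.xlsx"},
    {"ts": "2026-03-02T09:22:33Z", "user": "alice", "event": "file_download", "detail": "sharepoint:/HR/Phone_Directory.csv"},
    {"ts": "2026-03-02T09:25:01Z", "user": "alice", "event": "file_download", "detail": "sharepoint:/Finance/Budget.xlsx"},
    {"ts": "2026-03-02T09:31:40Z", "user": "alice", "event": "file_download", "detail": "sharepoint:/Finance/Payroll_SSN.csv"},
    {"ts": "2026-03-02T09:40:12Z", "user": "alice", "event": "file_download", "detail": "sharepoint:/Exec/Q1_confidential_report.docx"},
    {"ts": "2026-03-02T09:55:47Z", "user": "alice", "event": "file_download", "detail": "salesforce:Contact.export"},
    # bob: normal downloads, no device registration -> no alert
    {"ts": "2026-03-02T11:02:11Z", "user": "bob", "event": "file_download", "detail": "sharepoint:/Marketing/brochure.pdf"},
    {"ts": "2026-03-02T11:05:19Z", "user": "bob", "event": "file_download", "detail": "sharepoint:/Marketing/logo.png"},
    # carol: device registered, but downloads happen two days later (outside window) -> no alert
    {"ts": "2026-03-01T08:00:00Z", "user": "carol", "event": "mfa_device_registered", "detail": "Hardware token"},
    {"ts": "2026-03-03T10:00:00Z", "user": "carol", "event": "file_download", "detail": "sharepoint:/Ops/Runbook.docx"},
    # dave: device registered, one harmless download -> below threshold, no alert
    {"ts": "2026-03-02T10:00:00Z", "user": "dave", "event": "mfa_device_registered", "detail": "Authenticator app (new)"},
    {"ts": "2026-03-02T10:05:00Z", "user": "dave", "event": "file_download", "detail": "sharepoint:/IT/Onboarding.pdf"},
]

# Terms the article says the attackers search for; matched case-insensitively.
SENSITIVE_TERMS = ("confidential", "ssn")
# Tuning knobs (assumed values): how long after a registration to watch, and how
# many downloads in that window count as a burst.
WINDOW = timedelta(hours=2)
DOWNLOAD_THRESHOLD = 5


def parse_ts(value):
    """Parse the constructed ISO 8601 UTC timestamp format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_sensitive(path):
    """True if the file path contains any of the sensitive search terms."""
    lowered = path.lower()
    return any(term in lowered for term in SENSITIVE_TERMS)


def find_suspicious_sessions(events, window=WINDOW, threshold=DOWNLOAD_THRESHOLD):
    """Return {user: summary} for each user whose downloads in the window after a
    new MFA device registration either reach the threshold or touch a sensitive file."""
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user[event["user"]].append(event)

    alerts = {}
    for user, user_events in by_user.items():
        registrations = [parse_ts(e["ts"]) for e in user_events if e["event"] == "mfa_device_registered"]
        for registered_at in registrations:
            downloads = [
                e for e in user_events
                if e["event"] == "file_download"
                and registered_at <= parse_ts(e["ts"]) <= registered_at + window
            ]
            sensitive_files = [e["detail"] for e in downloads if is_sensitive(e["detail"])]
            if len(downloads) >= threshold or sensitive_files:
                alerts[user] = {
                    "registered_at": registered_at.isoformat(),
                    "downloads": len(downloads),
                    "sensitive_files": sensitive_files,
                }
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, summary in find_suspicious_sessions(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {summary['downloads']} downloads within {WINDOW} of new device "
              f"({summary['registered_at']}); sensitive: {summary['sensitive_files']}")
```

The rule keys on the sequence the article describes rather than on any single event: a device registration on its own is routine, and a download of a payroll file on its own may be an HR employee doing their job, but a new device followed within minutes by directory scrapes and sensitive-file pulls is the shape of this intrusion. The window and threshold are deliberately conservative starting points to be tuned against a tenant's normal baseline.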

Additional Threats

  • Swatting – Compromised employees, including senior executives, have been targeted with false emergency calls to law‑enforcement responders, adding pressure on the victims.
  • Victim‑shaming sites – Mandiant reported active investigations into vishing incidents that involved a BlackFile‑hosted victim‑shaming site (now offline).

Mitigation Recommendations

RH‑ISAC advises organizations to:

  1. Strengthen call‑handling policies – Verify the identity of callers through out‑of‑band methods before disclosing any credentials.
  2. Enforce multifactor identity verification for callers – Require a secondary verification step (e.g., a callback to a known number).
  3. Conduct simulation‑based social‑engineering training – Regularly train frontline staff to recognize vishing and other phishing tactics.

Implementing these controls can reduce the success rate of BlackFile’s vishing‑based extortion campaigns.
