
New BlackFile extortion group linked to surge of vishing attacks

Why This Matters

The emergence of the BlackFile hacking group highlights a growing threat of sophisticated social engineering and vishing attacks targeting retail and hospitality sectors. Their methods, including impersonation and credential theft, underscore the need for enhanced security measures and employee awareness. This trend signals a broader shift towards more targeted, voice-based cyber threats that can have significant financial and reputational impacts on organizations and consumers alike.

Key Takeaways

A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026.

The group, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is impersonating corporate IT helpdesk staff to steal employee credentials and demand seven-figure ransoms, according to information shared by cybersecurity firm Palo Alto Networks' Unit 42 with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).

Unit 42 security researchers have also linked BlackFile with moderate confidence to "The Com," a loose-knit network of English-speaking cybercriminals known for targeting and recruiting young people for extortion, violence, and the production of child sexual exploitation material (CSAM).

In a Thursday report, RH-ISAC said that the group's attacks begin with phone calls to employees from spoofed numbers, in which the threat actors pose as IT support to lure staff to fake corporate login pages that ask them to enter their credentials and one-time passcodes.

"The attackers behind CL-CRI-1116 use voice-based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social engineering technique, typically posing as IT support staff," RH-ISAC said.

"We can confirm that we are seeing a significant increase in Blackfile matters and that TTPs appear to be very similar to such groups as ShinyHunters and SLSH and similar copycats employing vishing/social engineering data exploit tactics," CyberSteward founder and CEO Jason S.T. Kotler also told BleepingComputer.

Using stolen credentials, the BlackFile attackers register their own devices to bypass multifactor authentication, then escalate access to executive-level accounts by scraping internal employee directories.

BlackFile steals data from victims' Salesforce and SharePoint servers using standard API functions, searching specifically for files containing terms such as "confidential" and "SSN."

The exfiltrated documents are downloaded to attacker-controlled servers and published to the gang's dark web data leak site before victims are contacted with ransom demands via compromised employee email accounts or randomly generated Gmail addresses.
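The chain described above (stolen credentials, a freshly registered MFA device, then keyword-driven file collection) is the sequence a defender can correlate. The following is an added example, not code from the article, RH-ISAC or Unit 42: it runs over a constructed, hypothetical audit-event schema (the field names and sample values are assumptions, not any vendor's real log format) and flags a login that is quickly followed by a new MFA device enrolment and then by bulk or "confidential"/"SSN"-matching downloads.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a hypothetical generic schema (not real product logs):
# a login, a new MFA device enrolled minutes later, a directory lookup, then downloads.
EVENTS = [
    {"ts": "2026-03-02T09:14:00", "user": "jdoe", "type": "login", "detail": "success"},
    {"ts": "2026-03-02T09:16:30", "user": "jdoe", "type": "mfa_device_registered", "detail": "new authenticator"},
    {"ts": "2026-03-02T09:20:00", "user": "jdoe", "type": "directory_query", "detail": "title=CFO"},
    {"ts": "2026-03-02T09:25:00", "user": "jdoe", "type": "file_download", "detail": "board_pack_CONFIDENTIAL.pdf"},
    {"ts": "2026-03-02T09:26:00", "user": "jdoe", "type": "file_download", "detail": "payroll_SSN_export.csv"},
    {"ts": "2026-03-02T09:27:00", "user": "jdoe", "type": "file_download", "detail": "vendors.xlsx"},
    # Benign baseline: login plus one ordinary download, no device enrolment.
    {"ts": "2026-03-02T10:00:00", "user": "asmith", "type": "login", "detail": "success"},
    {"ts": "2026-03-02T10:05:00", "user": "asmith", "type": "file_download", "detail": "lunch_menu.pdf"},
]

SENSITIVE_TERMS = ("confidential", "ssn")  # terms the report says the group searches for


def find_suspicious_chains(events, enroll_window=timedelta(hours=1),
                           activity_window=timedelta(hours=6), bulk_threshold=20):
    """One alert per login that is followed within enroll_window by a new MFA
    device enrolment and then by bulk or keyword-matching file downloads."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "login":
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            later = [x for x in evs[i + 1:]
                     if datetime.fromisoformat(x["ts"]) - t0 <= activity_window]
            # The pivot the report describes: a new device registered right after login.
            enrolled = any(x["type"] == "mfa_device_registered"
                           and datetime.fromisoformat(x["ts"]) - t0 <= enroll_window
                           for x in later)
            if not enrolled:
                continue
            downloads = [x["detail"] for x in later if x["type"] == "file_download"]
            sensitive = [d for d in downloads
                         if any(term in d.lower() for term in SENSITIVE_TERMS)]
            if len(downloads) >= bulk_threshold or sensitive:
                alerts.append({"user": user, "login": ev["ts"],
                               "downloads": len(downloads), "sensitive": sensitive})
    return alerts
```

In a real deployment the enrolment event alone (a device registered minutes after a login from an unfamiliar location) is worth an alert on its own; the download correlation raises confidence and prioritises the case.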

BlackFile data leak site (RH-ISAC)
