A new financially motivated threat group called BlackFile (also tracked as CL-CRI-1116, UNC6671, and Cordial Spider) has been conducting data theft and extortion attacks against retail and hospitality organizations since February 2026. The group uses vishing — phone calls from spoofed VoIP numbers impersonating IT helpdesk staff — to trick employees into entering credentials on fake login pages. Stolen credentials are used to register attacker devices, bypass MFA, escalate to executive accounts, and exfiltrate data from Salesforce and SharePoint via standard APIs. Stolen data is published to a dark web leak site before ransom demands are made. Victims have also been subjected to swatting. Unit 42 links BlackFile with moderate confidence to 'The Com' cybercrime network. Recommended defenses include stronger call-handling policies, MFA identity verification for callers, and social engineering simulation training.

From bleepingcomputer.com