BlackFile extortion group escalates vishing campaigns with identity theft and data theft targeting retail and hospitality sectors

1 unique source, 1 article

Summary

A financially motivated hacking group, tracked as BlackFile (aliases: CL-CRI-1116, UNC6671, Cordial Spider), has conducted sustained data theft and extortion attacks against retail and hospitality organizations since February 2026. The group employs voice-based phishing (vishing) campaigns impersonating corporate IT helpdesk staff to steal employee credentials and bypass multifactor authentication (MFA), escalating to executive-level account access. Stolen data is exfiltrated via Salesforce and SharePoint API functions, targeting files containing sensitive terms such as 'confidential' and 'SSN', prior to dark web leak site publications and extortion demands. Additional pressure tactics include swatting attempts against employees and executives.

Timeline

  1. 24.04.2026 21:26 · 1 article

    BlackFile escalation: vishing-driven credential theft and API-based data exfiltration in retail and hospitality sectors

    Since February 2026, the BlackFile extortion group has conducted vishing campaigns impersonating IT support staff to steal employee credentials and bypass MFA. Following credential theft, the group escalates access to executive accounts and exfiltrates sensitive data from Salesforce and SharePoint via API functions. Stolen data is published on a dark web leak site prior to extortion demands delivered via compromised or spoofed email accounts. Additional harassment includes swatting attempts against employees and executives to increase pressure. Technical indicators overlap with other extortion groups, suggesting ongoing adaptation of social engineering and data theft techniques.


Information Snippets

  • BlackFile (aliases: CL-CRI-1116, UNC6671, Cordial Spider) has targeted retail and hospitality organizations since February 2026 using vishing attacks to steal credentials and extort victims.

    First reported: 24.04.2026 21:26
    1 source, 1 article
  • Vishing campaigns involve spoofed VoIP numbers or fraudulent Caller ID Names (CNAM), with attackers posing as IT support to trick employees into entering credentials and one-time passcodes on fake login pages.

    First reported: 24.04.2026 21:26
    1 source, 1 article
  • Stolen credentials are used to register attacker-controlled devices and bypass MFA, enabling escalation to executive-level accounts via internal directory scraping.

    First reported: 24.04.2026 21:26
    1 source, 1 article
  • Data is exfiltrated using Salesforce API access and standard SharePoint download functions, targeting files containing terms such as 'confidential' and 'SSN', before being published on a dark web leak site.

    First reported: 24.04.2026 21:26
    1 source, 1 article
  • Extortion demands are delivered via compromised employee email accounts or randomly generated Gmail addresses following the data theft phase.

    First reported: 24.04.2026 21:26
    1 source, 1 article
  • Additional pressure tactics include swatting attempts against employees and executives of compromised organizations.

    First reported: 24.04.2026 21:26
    1 source, 1 article
  • Unit 42 researchers have linked BlackFile with moderate confidence to 'The Com', a loose-knit network of English-speaking cybercriminals involved in extortion, recruitment of young individuals, and CSAM production.

    First reported: 24.04.2026 21:26
    1 source, 1 article
  • Mandiant has confirmed active response to multiple vishing-linked incidents resulting in data theft and extortion, including one involving a now-offline BlackFile victim-shaming site.

    First reported: 24.04.2026 21:26
    1 source, 1 article
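
A defender-side correlation of two behaviours reported above: a newly registered MFA device followed by downloads of files named with the targeted terms. This is an added example, not taken from the source article. The event tuples, action names, 24-hour window and threshold of three are constructed assumptions, not a vendor log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Terms named in the report; boundaries stop "ssn" matching inside "classnotes".
SENSITIVE = re.compile(r"(?<![a-z0-9])(confidential|ssn)(?![a-z0-9])", re.I)
WINDOW = timedelta(hours=24)  # assumed correlation window
THRESHOLD = 3                 # assumed minimum number of matching downloads

# Constructed events; field and action names are hypothetical, not a vendor schema.
EVENTS = [
    ("2026-03-02T08:00:00", "a.lee", "file_downloaded", "Finance/confidential_q4.pdf"),
    ("2026-03-02T09:10:00", "a.lee", "mfa_device_registered", "device-77"),
    ("2026-03-02T09:40:00", "a.lee", "file_downloaded", "HR/SSN_export.xlsx"),
    ("2026-03-02T09:41:00", "a.lee", "file_downloaded", "Legal/Confidential-contracts.zip"),
    ("2026-03-02T09:42:00", "a.lee", "file_downloaded", "Training/classnotes.pdf"),
    ("2026-03-02T09:45:00", "a.lee", "file_downloaded", "Payroll/ssn list.csv"),
    ("2026-03-02T10:00:00", "b.kim", "file_downloaded", "HR/SSN_audit.xlsx"),
    ("2026-03-03T11:00:00", "c.roy", "mfa_device_registered", "device-12"),
    ("2026-03-03T11:05:00", "c.roy", "file_downloaded", "confidential memo.docx"),
]

def find_suspect_accounts(events, window=WINDOW, threshold=THRESHOLD):
    """Flag accounts where a new MFA device is followed by sensitive-term downloads."""
    by_user = defaultdict(list)
    for ts, user, action, detail in sorted(events):
        by_user[user].append((datetime.fromisoformat(ts), action, detail))
    alerts = []
    for user, evs in by_user.items():
        for reg_time, action, device in evs:
            if action != "mfa_device_registered":
                continue
            # Only downloads inside the window after the registration count.
            hits = [d for t, a, d in evs
                    if a == "file_downloaded"
                    and reg_time <= t <= reg_time + window
                    and SENSITIVE.search(d)]
            if len(hits) >= threshold:
                alerts.append({"user": user, "device": device, "files": hits})
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_accounts(EVENTS):
        print(alert)
```

Because the report describes escalation to executive accounts, a production rule would also need to link the registering account to downloads made by other accounts from the same device or session.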