Find notable cyber news and cases, enriched with sources, timelines, and signals.

BlackFile vishing extortion campaign targeting retail and hospitality organizations

Campaign
First reported
Last updated
Happening score
H score 37
2 unique sources, 2 articles

Summary

Hide ▲

The BlackFile campaign is driving vishing-based data theft and extortion against retail and hospitality organizations, putting employee credentials and enterprise data at risk. Since February 2026, the operators have posed as IT helpdesk staff to lure employees to fake login pages. They harvest passwords and one-time passcodes, then use the stolen access to bypass multifactor authentication and reach higher-value accounts. The operation escalates into data theft from Salesforce and SharePoint, followed by seven-figure ransom demands.

Related Happenings

Pink new extortion brand within The Com

Threat Actor Meta
H score30 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...

FortiBleed Fortinet credential-theft campaign

Campaign
H score89 First: 19.06.2026 13:48 Last: 19.06.2026 13:48 Sources 1

About this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...

Latest development: 22.06.2026 11:30

The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.

Icarus Salesforce data-theft extortion campaign

Campaign
H score42 First: 18.06.2026 17:19 Last: 18.06.2026 17:19 Sources 1

About this happening: The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...

Latest development: 23.06.2026 16:58

LastPass says an unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in its Salesforce environment, potentially exposing customer names, phone numbers, email addresses, physical addresses, support case information, and sales/CRM data; LastPass says its products, services, infrastructure, and customer vaults were not affected, rotated the exposed API/OAuth tokens, disabled employee access to Klue, and notified law enforcement.

Klue hit by network compromise

Incident
H score39 First: 18.06.2026 17:19 Last: 18.06.2026 17:19 Sources 1

About this happening: **Klue** confirmed a **June 12, 2026** security incident in which an attacker used a **compromised legacy credential** to obtain **OAuth tokens** from Klue’s integration infrastru...

Latest development: 23.06.2026 16:58

Unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in LastPass's Salesforce environment. LastPass said its products, services, infrastructure, and customer vaults were not affected, and it disabled employee access to Klue, rotated exposed API/OAuth tokens, and notified law enforcement.

Silent Ransom Group US law firm IT impersonation campaign

Campaign
H score36 First: 29.05.2026 16:00 Last: 29.05.2026 16:00 Sources 1

About this happening: **Silent Ransom Group (SRG)**, also tracked as **UNC3753**, **Chatty Spider**, and **Luna Moth**, is running a **financially motivated data theft extortion campaign** against **do...

Timeline

  1. 24.04.2026 21:26 2 articles · 2mo ago

    BlackFile vishing extortion campaign disclosed

    Initial Disclosure

    BlackFile, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is linked to a financially motivated vishing and extortion campaign against retail and hospitality organizations that has been active since February 2026. The group impersonates IT helpdesk staff with spoofed VoIP numbers or fraudulent CNAM, lures employees to fake corporate login pages, steals credentials and one-time passcodes, registers attacker devices to bypass multifactor authentication, escalates to executive-level access, and steals data from Salesforce and SharePoint before demanding seven-figure ransoms; Unit 42 also links BlackFile with moderate confidence to The Com.

    Show sources