BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
Summary
Hide ▲
Show ▼
The BlackFile campaign is driving vishing-based data theft and extortion against retail and hospitality organizations, putting employee credentials and enterprise data at risk. Since February 2026, the operators have posed as IT helpdesk staff to lure employees to fake login pages. They harvest passwords and one-time passcodes, then use the stolen access to bypass multifactor authentication and reach higher-value accounts. The operation escalates into data theft from Salesforce and SharePoint, followed by seven-figure ransom demands.
Related Happenings
Pink new extortion brand within The Com
Threat Actor Meta
H score30
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...
Pink new extortion brand within The Com
Threat Actor MetaAbout this happening: A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...
FortiBleed Fortinet credential-theft campaign
Campaign
H score89
First: 19.06.2026 13:48
Last: 19.06.2026 13:48
Sources 1
About this happening:
The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
FortiBleed Fortinet credential-theft campaign
CampaignAbout this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
Latest development: 22.06.2026 11:30
The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.
Icarus Salesforce data-theft extortion campaign
Campaign
H score42
First: 18.06.2026 17:19
Last: 18.06.2026 17:19
Sources 1
About this happening:
The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...
Icarus Salesforce data-theft extortion campaign
CampaignAbout this happening: The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...
Latest development: 23.06.2026 16:58
LastPass says an unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in its Salesforce environment, potentially exposing customer names, phone numbers, email addresses, physical addresses, support case information, and sales/CRM data; LastPass says its products, services, infrastructure, and customer vaults were not affected, rotated the exposed API/OAuth tokens, disabled employee access to Klue, and notified law enforcement.
Klue hit by network compromise
Incident
H score39
First: 18.06.2026 17:19
Last: 18.06.2026 17:19
Sources 1
About this happening:
**Klue** confirmed a **June 12, 2026** security incident in which an attacker used a **compromised legacy credential** to obtain **OAuth tokens** from Klue’s integration infrastru...
Klue hit by network compromise
IncidentAbout this happening: **Klue** confirmed a **June 12, 2026** security incident in which an attacker used a **compromised legacy credential** to obtain **OAuth tokens** from Klue’s integration infrastru...
Latest development: 23.06.2026 16:58
Unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in LastPass's Salesforce environment. LastPass said its products, services, infrastructure, and customer vaults were not affected, and it disabled employee access to Klue, rotated exposed API/OAuth tokens, and notified law enforcement.
Silent Ransom Group US law firm IT impersonation campaign
Campaign
H score36
First: 29.05.2026 16:00
Last: 29.05.2026 16:00
Sources 1
About this happening:
**Silent Ransom Group (SRG)**, also tracked as **UNC3753**, **Chatty Spider**, and **Luna Moth**, is running a **financially motivated data theft extortion campaign** against **do...
Silent Ransom Group US law firm IT impersonation campaign
CampaignAbout this happening: **Silent Ransom Group (SRG)**, also tracked as **UNC3753**, **Chatty Spider**, and **Luna Moth**, is running a **financially motivated data theft extortion campaign** against **do...
Timeline
-
24.04.2026 21:26 2 articles · 2mo ago
BlackFile vishing extortion campaign disclosed
Initial DisclosureBlackFile, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is linked to a financially motivated vishing and extortion campaign against retail and hospitality organizations that has been active since February 2026. The group impersonates IT helpdesk staff with spoofed VoIP numbers or fraudulent CNAM, lures employees to fake corporate login pages, steals credentials and one-time passcodes, registers attacker devices to bypass multifactor authentication, escalates to executive-level access, and steals data from Salesforce and SharePoint before demanding seven-figure ransoms; Unit 42 also links BlackFile with moderate confidence to The Com.
Show sources
- New BlackFile extortion group linked to surge of vishing attacks — www.bleepingcomputer.com — 24.04.2026 21:26
- Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks — thehackernews.com — 01.05.2026 17:26