BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
Summary
The BlackFile campaign is driving vishing-based data theft and extortion against retail and hospitality organizations, putting employee credentials and enterprise data at risk. Since February 2026, the operators have posed as IT helpdesk staff to lure employees to fake login pages. They harvest passwords and one-time passcodes, then use the stolen access to bypass multifactor authentication and reach higher-value accounts. The operation escalates into data theft from Salesforce and SharePoint, followed by seven-figure ransom demands.
Related Happenings
ShinyHunters school-by-school extortion campaign targeting Canvas institutions
Campaign
First: 11.05.2026 13:05
Last: 11.05.2026 13:05
Sources 1
About this happening:
ShinyHunters intensified a **school-by-school extortion campaign** against **Canvas-related institutions**, increasing pressure on schools and universities as the group threatened...
CL-CRI-1116 / BlackFile overlap with The Com
Threat Actor Meta
First: 27.04.2026 11:15
Last: 27.04.2026 11:15
Sources 1
How related:
It detailed financially-motivated activity linked to the activity cluster CL-CRI-1116, which the authors said overlaps with public reporting on BlackFile, UNC6671 and Cordial Spider, and is likely to be associated with notorious collective “The Com.”
About this happening:
Researchers linked **CL-CRI-1116** to overlapping labels including **BlackFile**, **UNC6671**, and **Cordial Spider**, suggesting the extortion cluster sits inside a broader **The...
UNC6692 email bombing and Microsoft Teams impersonation campaign
Campaign
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
BlackFile victims' Salesforce and SharePoint data leak
Data Leak
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
How related:
The exfiltrated documents are downloaded to attacker-controlled servers and published to the gang's dark web data leak site before victims are contacted with ransom demands via compromised employee email accounts or randomly generated Gmail addresses.
About this happening:
BlackFile's **stolen documents** were published on a **dark web leak site**, exposing employee and business records taken from **Salesforce** and **SharePoint** environments. The...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
Campaign
First: 20.04.2026 16:33
Last: 20.04.2026 16:33
Sources 1
About this happening:
The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
Timeline
- 24.04.2026 21:26 · 2 articles
BlackFile vishing extortion campaign disclosed
Initial Disclosure
BlackFile, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is linked to a financially motivated vishing and extortion campaign against retail and hospitality organizations that has been active since February 2026. The group impersonates IT helpdesk staff with spoofed VoIP numbers or fraudulent CNAM, lures employees to fake corporate login pages, steals credentials and one-time passcodes, registers attacker devices to bypass multifactor authentication, escalates to executive-level access, and steals data from Salesforce and SharePoint before demanding seven-figure ransoms; Unit 42 also links BlackFile with moderate confidence to The Com.
Sources
- New BlackFile extortion group linked to surge of vishing attacks — www.bleepingcomputer.com — 24.04.2026 21:26
- Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks — thehackernews.com — 01.05.2026 17:26