BlackFile extortion via vishing targets retail & hospitality

BlackFile extortion – A new extortion crew called BlackFile is using vishing, stolen credentials, and fake IT helpdesk pages to steal data and demand seven-figure ransoms.
A new financially motivated hacking group tracked as BlackFile has been tied to a fast-growing pattern of data theft and extortion against retail and hospitality organizations since February 2026.
BlackFile’s playbook starts with phone calls, not malware
BlackFile—also seen under names such as CL-CRI-1116, UNC6671, and Cordial Spider—doesn’t rely on flashy initial intrusions. Instead, attackers start with phone calls that impersonate corporate IT helpdesk staff, pushing employees to a fake login flow.
For victims, it’s a familiar trap with a different emphasis: the call sounds routine, and the next step looks like “access support.” The group’s vishing tactics often use spoofed VoIP numbers or fraudulent caller ID details, aiming to make the request feel internal and urgent.
Misryoum’s takeaway from this shift is simple—attackers are doubling down on the human layer. Credential theft remains cheaper and often faster than building malware that will survive hardened endpoint defenses.
Fake helpdesk pages to steal credentials—and bypass MFA
Once employees enter information on the counterfeit corporate login pages, attackers harvest usernames, passwords, and one-time passcodes. From there, the group uses stolen credentials to register devices and route around multifactor authentication checks.
Security researchers also report that BlackFile then escalates access toward executive-level accounts by scraping internal employee directories. The goal isn’t just entry; it’s finding systems and people who can accelerate the next stage of the operation.
A key detail is how the group uses legitimate-looking session behavior. By leveraging Salesforce API access and standard SharePoint download functions, attackers can move large volumes of data while blending into normal operational patterns—often avoiding “obvious” detection signals that rely on blunt user-agent heuristics.
What’s being stolen, and how victims are pressured
The theft isn’t random. BlackFile searches within stored files for sensitive terms such as “confidential” and personal identifiers including SSN. From there, stolen documents and datasets are downloaded to attacker-controlled infrastructure.
After exfiltration, the group publishes data on a dark web leak site before reaching out to victims with ransom demands. Communications are reportedly sent via compromised employee email accounts and, in some cases, randomly generated Gmail addresses—another tactic designed to increase the chance that victims will believe the message is authentic.
Misryoum also notes an additional pressure mechanism: swatting attempts. Attackers make false emergency calls to responders to intensify fear and scramble response timelines. For organizations already dealing with breach uncertainty, this adds a layer of chaos that can delay incident containment.
Why retail and hospitality are being hit harder
Retail and hospitality environments tend to share common technology realities: fast-moving frontline staffing, frequent shifts, and identity workflows that depend heavily on employees trusting IT communications. That makes vishing a particularly efficient entry point.
These sectors also rely on cloud productivity suites where valuable business records live—Salesforce for customer and sales context, and SharePoint for internal documents. If credentials fall into the wrong hands, attackers can often retrieve sensitive data without triggering the kind of alarms associated with noisier malware deployment.
The “what now” checklist for organizations
RH-ISAC recommends practical defenses aimed at reducing the chance that a convincing phone call becomes a credential-compromise event. Among the steps are strengthening call-handling policies so employees verify unexpected requests through approved channels, enforcing multifactor identity verification specifically for caller scenarios, and running social engineering simulations for frontline staff.
Those recommendations map to a broader pattern Misryoum has been tracking across recent incidents: organizations that treat identity as a process—not just a login screen—tend to reduce damage even when attackers can still attempt social engineering.
For incident response teams, the other implication is operational: teams should prepare for credential-led intrusion paths that quickly touch SaaS platforms. If “the breach” starts with a vishing call, containment often needs to begin with access reviews, session analysis, and rapid credential resets in the affected identity systems.
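The two defender-side points above (detection that keys on data volume rather than user-agent strings, and containment that starts with session analysis and credential resets) can be sketched in code. The following is an added example, not code from the article, from Misryoum, or from RH-ISAC. It assumes a simplified, constructed audit-event format (one dict per event with `ts`, `user`, `action`, `ip`, `bytes`), a constructed per-user set of known-good source IPs, and illustrative thresholds (1 GB per hour, a 30-minute window between an unfamiliar login and a device registration); real identity-provider and SaaS logs will have different field names and need tuning.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data): a flattened union of
# identity-provider and SaaS audit logs, one dict per event.
EVENTS = [
    {"ts": "2026-03-02T09:01:00", "user": "alice", "action": "login", "ip": "203.0.113.10", "bytes": 0},
    {"ts": "2026-03-02T09:04:00", "user": "alice", "action": "register_device", "ip": "203.0.113.10", "bytes": 0},
    {"ts": "2026-03-02T09:10:00", "user": "alice", "action": "sharepoint_download", "ip": "203.0.113.10", "bytes": 900_000_000},
    {"ts": "2026-03-02T09:12:00", "user": "alice", "action": "sharepoint_download", "ip": "203.0.113.10", "bytes": 700_000_000},
    {"ts": "2026-03-02T09:20:00", "user": "alice", "action": "salesforce_api_export", "ip": "203.0.113.10", "bytes": 400_000_000},
    {"ts": "2026-03-02T08:30:00", "user": "bob", "action": "login", "ip": "198.51.100.7", "bytes": 0},
    {"ts": "2026-03-02T08:45:00", "user": "bob", "action": "sharepoint_download", "ip": "198.51.100.7", "bytes": 5_000_000},
    {"ts": "2026-03-02T10:00:00", "user": "bob", "action": "sharepoint_download", "ip": "198.51.100.7", "bytes": 8_000_000},
    {"ts": "2026-03-01T12:00:00", "user": "carol", "action": "login", "ip": "192.0.2.44", "bytes": 0},
    {"ts": "2026-03-02T11:00:00", "user": "carol", "action": "login", "ip": "192.0.2.44", "bytes": 0},
    {"ts": "2026-03-02T11:02:00", "user": "carol", "action": "register_device", "ip": "192.0.2.44", "bytes": 0},
]

# Constructed baseline of source IPs each user has historically signed in from.
KNOWN_IPS = {
    "alice": {"203.0.113.200"},
    "bob": {"198.51.100.7"},
    "carol": {"192.0.2.44"},
}

# Actions that move data out of the SaaS tenant (names are assumptions).
DOWNLOAD_ACTIONS = {"sharepoint_download", "salesforce_api_export"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def flag_bulk_downloads(events, window=timedelta(hours=1), threshold_bytes=1_000_000_000):
    """Return {user: peak_bytes} for users whose download volume inside any
    sliding window exceeds the threshold. The signal is volume over time,
    not the user-agent string, so API-driven exports are caught too."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["action"] in DOWNLOAD_ACTIONS:
            per_user[ev["user"]].append((_ts(ev), ev["bytes"]))
    flagged = {}
    for user, items in per_user.items():
        items.sort()
        peak = 0
        for i, (start, _) in enumerate(items):
            total = sum(b for t, b in items[i:] if t <= start + window)
            peak = max(peak, total)
        if peak > threshold_bytes:
            flagged[user] = peak
    return flagged


def flag_suspicious_device_registration(events, known_ips, max_gap=timedelta(minutes=30)):
    """Return users who registered a new device shortly after a login from an
    IP outside their known-good set: the trace a stolen-credential enrolment
    leaves in the identity provider's log."""
    unfamiliar_logins = defaultdict(list)
    for ev in events:
        if ev["action"] == "login" and ev["ip"] not in known_ips.get(ev["user"], set()):
            unfamiliar_logins[ev["user"]].append(_ts(ev))
    flagged = set()
    for ev in events:
        if ev["action"] != "register_device":
            continue
        reg_ts = _ts(ev)
        for login_ts in unfamiliar_logins.get(ev["user"], []):
            if timedelta(0) <= reg_ts - login_ts <= max_gap:
                flagged.add(ev["user"])
                break
    return flagged


def build_containment_plan(events, known_ips):
    """Map each flagged account to the first containment steps to take."""
    plan = defaultdict(set)
    for user in flag_bulk_downloads(events):
        plan[user].update({"revoke_sessions", "reset_credentials", "review_downloaded_files"})
    for user in flag_suspicious_device_registration(events, known_ips):
        plan[user].update({"revoke_sessions", "reset_credentials", "remove_registered_device"})
    return {user: sorted(steps) for user, steps in plan.items()}


if __name__ == "__main__":
    for user, steps in build_containment_plan(EVENTS, KNOWN_IPS).items():
        print(user, "->", ", ".join(steps))
```

On the constructed data only `alice` is flagged: two SharePoint downloads and a Salesforce export totalling 2 GB inside one hour, and a device registration three minutes after a login from an IP she had never used. `bob` downloads small files spread over more than an hour and `carol` enrols a device from a known address, so neither generates containment work. The thresholds are the tunable part; the structure (volume-based exfiltration detection feeding a per-account session-revocation and credential-reset list) is what the article's incident-response advice describes.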
Beyond one group: vishing is becoming the default attack route
BlackFile’s activity has been linked, with moderate confidence, to networks like “The Com,” and it shows parallels to other extortion-driven crews known for copycat tactics. The broader message is that vishing isn’t an isolated technique—it’s evolving into a repeatable starter kit.
Misryoum’s editorial lens here is that the threat is moving upstream. As attackers get better at impersonating helpdesks and using stolen credentials to maintain access, the perimeter becomes less relevant than the decision-making inside everyday workflows.
Until verification habits catch up, the most effective defense may be the least glamorous: consistent employee training, disciplined call routing, and identity protections that don’t assume every “internal” request is actually internal.