Full Report
A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026. [...]
Analysis Summary
# Threat Actor: BlackFile
## Attribution & Identity
* **Name/Alias:** BlackFile
* **Other Identifiers:** CL-CRI-1116, UNC6671, Cordial Spider
* **Known Associations:** Linked with "moderate confidence" to **"The Com,"** a loose-knit network of English-speaking cybercriminals known for recruitment of youth and involvement in violent/illicit activities.
* **Comparison Groups:** TTPs are noted as being highly similar to those used by **ShinyHunters** and **SLSH**.
## Activity Summary
Since February 2026, BlackFile has been engaged in a wave of data theft and extortion campaigns. The group's initial access is social engineering rather than exploitation: it uses voice phishing (vishing) to talk employees into handing over credentials and one-time codes, then uses the resulting access to exfiltrate sensitive data. To pressure organizations into paying seven-figure ransoms, it pairs the data-leak threat with "swatting" against executives.
## Tactics, Techniques & Procedures
* **Vishing & Social Engineering:** Posing as corporate IT helpdesk staff using spoofed VoIP numbers and fraudulent Caller ID Names (CNAM).
* **Adversary-in-the-Middle (AiTM) Phishing:** Luring employees to fake corporate login pages to capture credentials and One-Time Passcodes (OTP).
* **MFA Bypass & Persistence:** Registering attacker-controlled devices as MFA methods on the victim's account after credential theft, so access survives the initial phished OTP and does not require re-phishing the user.
* **Discovery & Privilege Escalation:** Scraping internal employee directories to identify executive-level accounts as follow-on targets.
* **Data Exfiltration via API:** Using standard API functions to scrape Salesforce and SharePoint servers, rather than custom tooling.
* **Evasion:** Operating inside legitimate SSO-authenticated sessions, so the traffic carries an ordinary user agent and session token and does not trip user-agent or unauthenticated-access alerts; volume and behaviour, not client fingerprint, are what distinguish it.
* **Extortion/Harassment:** Using victim-shaming leak sites and "swatting" (false emergency calls to police) against senior executives to increase psychological pressure.
## Targeting
* **Sectors:** Retail and Hospitality.
* **Geography:** Primarily English-speaking (implied by association with "The Com").
* **Victims:** Corporate employees, frontline staff, and senior leadership/executives.
## Tools & Infrastructure
* **Malware/Tools:** No specific custom malware families mentioned; the group relies on legitimate administrative tools, standard APIs, and social engineering kits.
* **Infrastructure:**
* Spoofed VoIP/CNAM services.
* Dark web data leak site (reported offline at the time of writing in some reports).
* Attacker-controlled servers for data storage.
* Randomly generated Gmail addresses and compromised employee email accounts for communication.
## Implications
BlackFile represents a significant shift toward high-pressure, non-technical entry vectors (vishing) that bypass traditional perimeter defenses and phishable MFA. Their willingness to use physical-world threats, such as swatting, indicates a highly aggressive posture that prioritizes psychological coercion over purely technical exploits. Organizations must recognize that OTP-based MFA is no longer a sufficient control on its own: an AiTM page relays the code in real time, and the attacker's subsequent device registration makes the compromise persistent. Phishing-resistant methods (FIDO2/passkeys, bound to the legitimate origin) and alerting on new MFA device registrations close the gap that OTP leaves open.
## Mitigations
* **Identity Verification:** Enforce strict identity verification for anyone claiming to be from IT support, for example a call-back to a number from the corporate directory or verification against an existing ticket, rather than trusting the inbound Caller ID, which the group spoofs.
* **Call-Handling Policies:** Strengthen and formalize policies regarding what information can be shared over the phone.
* **Social Engineering Training:** Conduct simulation-based vishing training specifically for frontline and administrative staff.
* **API Monitoring:** Monitor Salesforce and SharePoint for atypical data export volumes or unusual API calls, even within authenticated SSO sessions. Because the group operates inside legitimate sessions, rules keyed on user agent or unauthenticated access will not fire; baseline per-user export volume and alert on deviations from it.
* **Executive Protection:** Brief senior leadership on the possibility of swatting and establish protocols with local law enforcement.
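The API-exfiltration and evasion TTPs above, and the API Monitoring mitigation, come down to one detection: per-user export volume against that user's own baseline, ignoring session and user-agent attributes that the attacker has made legitimate. The following is an added example for this summary, not BlackFile tooling or any vendor's detection content. Field names are modeled on Salesforce EventLogFile `API`/`BulkApi` events (`ROWS_PROCESSED`, `USER_ID`, `TIMESTAMP_DERIVED`) and Microsoft 365 unified audit log SharePoint events (`Operation`, `UserId`, `CreationTime`); every row, baseline figure and threshold below is constructed for illustration.

```python
"""Volume-based exfiltration detection over constructed Salesforce and SharePoint
audit rows.  Added example; not from the original report and not vendor content.
Field names are modeled on Salesforce EventLogFile API/BulkApi events and on
Microsoft 365 unified audit log SharePoint events; all data is constructed."""
from collections import defaultdict
from datetime import datetime

# Assumed tuning knobs: alert when one hour's volume exceeds BOTH ten times the
# user's own historical hourly volume AND an absolute floor for the source, so a
# quiet user with a tiny baseline does not page on a handful of records.
BASELINE_MULTIPLIER = 10
ABSOLUTE_FLOOR = {"salesforce": 5_000, "sharepoint": 50}

# Constructed per-user baselines, as a week of history might produce them.
BASELINE_SALESFORCE_ROWS_PER_HOUR = {"005A": 200, "005B": 150}
BASELINE_SHAREPOINT_FILES_PER_HOUR = {"bob@example.com": 5, "carol@example.com": 4}

# Constructed Salesforce rows.  User 005B pulls ~50k records through one
# SSO-authenticated session; nothing about the session or user agent is abnormal,
# so the detection deliberately keys only on volume.
SALESFORCE_ROWS = [
    {"TIMESTAMP_DERIVED": "2026-03-04T09:00:12Z", "USER_ID": "005A", "EVENT_TYPE": "API", "ROWS_PROCESSED": "25"},
    {"TIMESTAMP_DERIVED": "2026-03-04T09:20:40Z", "USER_ID": "005A", "EVENT_TYPE": "API", "ROWS_PROCESSED": "40"},
    {"TIMESTAMP_DERIVED": "2026-03-04T09:05:03Z", "USER_ID": "005B", "EVENT_TYPE": "API", "ROWS_PROCESSED": "2000"},
    {"TIMESTAMP_DERIVED": "2026-03-04T09:06:11Z", "USER_ID": "005B", "EVENT_TYPE": "BulkApi", "ROWS_PROCESSED": "48000"},
    {"TIMESTAMP_DERIVED": "2026-03-04T09:07:45Z", "USER_ID": "005B", "EVENT_TYPE": "URI"},  # page view, no row count
]

# Constructed SharePoint events: bob downloads one file and views another,
# carol downloads 120 files within the same hour.
SHAREPOINT_EVENTS = [
    {"CreationTime": "2026-03-04T09:12:00Z", "UserId": "bob@example.com", "Operation": "FileDownloaded"},
    {"CreationTime": "2026-03-04T09:13:00Z", "UserId": "bob@example.com", "Operation": "FileAccessed"},
] + [
    {"CreationTime": f"2026-03-04T09:{i % 60:02d}:{i // 60:02d}Z",
     "UserId": "carol@example.com", "Operation": "FileDownloaded"}
    for i in range(120)
]


def hour_bucket(ts: str) -> str:
    """Truncate an ISO-8601 UTC timestamp to its hour, e.g. '2026-03-04T09'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H")


def aggregate_salesforce(rows):
    """Sum ROWS_PROCESSED per (user, hour) over API and Bulk API events only."""
    per_user_hour = defaultdict(int)
    for r in rows:
        if r["EVENT_TYPE"] not in ("API", "BulkApi"):
            continue
        key = (r["USER_ID"], hour_bucket(r["TIMESTAMP_DERIVED"]))
        per_user_hour[key] += int(r.get("ROWS_PROCESSED", 0))
    return per_user_hour


def aggregate_sharepoint(events):
    """Count file downloads per (user, hour); plain FileAccessed is not a download."""
    per_user_hour = defaultdict(int)
    for e in events:
        if e["Operation"] not in ("FileDownloaded", "FileSyncDownloadedFull"):
            continue
        per_user_hour[(e["UserId"], hour_bucket(e["CreationTime"]))] += 1
    return per_user_hour


def detect(per_user_hour, baseline, source):
    """Return one alert per (user, hour) whose volume exceeds that user's limit."""
    alerts = []
    for (user, hour), count in sorted(per_user_hour.items()):
        limit = max(baseline.get(user, 0) * BASELINE_MULTIPLIER, ABSOLUTE_FLOOR[source])
        if count > limit:
            alerts.append({"source": source, "user": user, "hour": hour,
                           "count": count, "limit": limit})
    return alerts


def run():
    """Evaluate both sources and return the combined alert list."""
    return (detect(aggregate_salesforce(SALESFORCE_ROWS), BASELINE_SALESFORCE_ROWS_PER_HOUR, "salesforce")
            + detect(aggregate_sharepoint(SHAREPOINT_EVENTS), BASELINE_SHAREPOINT_FILES_PER_HOUR, "sharepoint"))


if __name__ == "__main__":
    for a in run():
        print(f"[{a['source']}] {a['user']} pulled {a['count']} in hour {a['hour']} (limit {a['limit']})")
```

On the constructed data this flags only `005B` (50,000 rows in an hour against a floor of 5,000) and `carol@example.com` (120 downloads against a floor of 50); `005A` and `bob@example.com` stay under their limits. The two-part limit matters in practice: a multiplier alone lets a brand-new or rarely active account with a near-zero baseline alert on trivial activity, and a floor alone lets a heavy-but-normal power user hide a moderate pull. Neither rule looks at the user agent or whether the session was SSO-authenticated, because in this campaign those attributes are genuine.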