Who Is BlackFile?
A financially motivated threat group known as BlackFile — also tracked under the aliases CL-CRI-1116, UNC6671, and Cordial Spider — has emerged as a significant threat to retail and hospitality organizations. Active since at least February 2026, the group specializes in data theft followed by extortion demands reaching into seven figures.
Details of BlackFile's activity were made public through intelligence that Palo Alto Networks' Unit 42 shared with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC). Unit 42 researchers have also assessed with moderate confidence that BlackFile has ties to "The Com", a loosely organized network of English-speaking cybercriminals with a documented history of targeting and recruiting young individuals for extortion schemes, acts of violence, and the production of child sexual exploitation material (CSAM).
How the Attacks Begin: Vishing and Social Engineering
BlackFile's intrusion chain starts with a deceptively simple tactic: a phone call. Threat actors impersonate corporate IT helpdesk personnel, contacting employees from spoofed numbers to build trust before directing victims to fraudulent login pages designed to harvest credentials and one-time passcodes.
"The attackers behind CL-CRI-1116 use voice-based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social engineering technique, typically posing as IT support staff," RH-ISAC stated in its Thursday report.
This method of attack is not unique to BlackFile, but the group has refined it into an effective entry mechanism. Jason S.T. Kotler, founder and CEO of CyberSteward, confirmed the trend to BleepingComputer, noting that his firm is seeing a significant increase in BlackFile-related matters and that the group's tactics, techniques, and procedures (TTPs) closely resemble those of ShinyHunters, SLSH, and similar copycat groups that rely on vishing and social engineering to steal data for extortion.
Escalating Access and Bypassing MFA
Once credentials are in hand, the attackers move quickly. Using the stolen login information, BlackFile operatives register their own devices in the victim's environment, so that subsequent multifactor authentication (MFA) challenges are satisfied by attacker-controlled devices rather than the legitimate user's. From there, they escalate their access by scraping internal employee directories and working their way up to executive-level accounts.
This methodical escalation allows the group to position itself deep within an organization before any data theft begins, maximizing the volume and sensitivity of the information it can exfiltrate.
Data Theft via Salesforce and SharePoint
BlackFile's data collection strategy leverages legitimate platform functionality to avoid detection. The group targets victims' Salesforce and SharePoint environments, using standard API functions to search for and download files containing sensitive terms such as "confidential" and "SSN."
"By leveraging Salesforce API access and standard SharePoint download functions, the attackers move large volumes of data — including CSV datasets of employee phone numbers and confidential business reports — to attacker-controlled infrastructure," RH-ISAC explained. "This is often done under the guise of legitimate SSO-authenticated sessions to avoid triggering simple user-agent alerts."
Critically, the stolen data is published to the group's dark web leak site before the group makes any contact with the victim. This sequencing, leak first and demand second, adds pressure to ransom negotiations.
Ransom Demands and Additional Pressure Tactics
Victims receive ransom demands through one of two channels: compromised employee email accounts belonging to the target organization, or randomly generated Gmail addresses. A demand sent from one of the organization's own mailboxes is harder to filter or dismiss than mail from an unknown external address.
Beyond financial extortion, BlackFile has escalated its intimidation playbook to include swatting — placing false emergency calls to law enforcement or first responders to trigger armed responses at the homes or workplaces of employees, including senior executives. This tactic is designed to inflict psychological harm and increase the likelihood that victims comply with ransom demands.
Mandiant separately confirmed to BleepingComputer that the firm is actively responding to multiple vishing incidents that resulted in data theft and extortion, including at least one case that involved a BlackFile victim-shaming site that has since been taken offline.
Similarities to Known Threat Actors
The tactics deployed by BlackFile bear a striking resemblance to those associated with other groups that have made headlines in recent years. The use of vishing, social engineering, credential harvesting, and cloud platform abuse echoes campaigns attributed to actors like ShinyHunters — responsible for high-profile breaches involving Snowflake customer data — and other English-speaking threat clusters that prioritize social manipulation over technical exploitation.
The broader pattern suggests a maturing ecosystem in which criminal groups share knowledge, tooling, and even personnel, making attribution increasingly complex for defenders.
Defensive Recommendations from RH-ISAC
To counter BlackFile's methods, RH-ISAC has issued targeted guidance for organizations in the retail and hospitality sectors. Key recommendations include:
- Strengthening call-handling policies to reduce the risk of employees being manipulated by spoofed helpdesk calls.
- Enforcing multifactor identity verification for all callers requesting sensitive account actions, ensuring that verbal requests cannot bypass established security controls.
- Conducting simulation-based social engineering training for frontline staff, equipping employees with the skills to identify and report vishing attempts before credentials are compromised.
Organizations are also encouraged to monitor for anomalous API activity within Salesforce and SharePoint environments, particularly bulk file downloads or exports, searches for terms such as "confidential" or "SSN", and access originating from newly registered devices, any of which may signal an active intrusion by BlackFile or a similar threat actor.
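The following detection logic, an added example that is not part of the RH-ISAC report or the BleepingComputer article, illustrates the monitoring recommended above against the data-theft pattern described in the Salesforce and SharePoint section: a keyword search for sensitive terms, a burst of downloads, and activity from a device registered only minutes earlier. The normalized event schema, the device registry, the sample events and the thresholds are all constructed for the example; real Salesforce Event Monitoring and Microsoft 365 audit records use different field names and would be mapped into this shape first.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _event(ts, user, platform, action, detail, device_id):
    # Simplified normalized schema (an assumption for this example)
    return {"ts": _ts(ts), "user": user, "platform": platform,
            "action": action, "detail": detail, "device_id": device_id}


# Constructed sample events: one attacker-controlled session (jdoe) that runs a
# keyword search and then pulls sixty CSV files, and one benign user (asmith).
SAMPLE_EVENTS = [
    _event("2026-03-02T09:00:00Z", "jdoe", "salesforce", "search",
           "confidential SSN", "dev-new-1"),
    _event("2026-03-02T09:05:00Z", "asmith", "sharepoint", "download",
           "Q1-roadmap.pptx", "dev-old-7"),
    _event("2026-03-02T09:06:00Z", "asmith", "sharepoint", "search",
           "roadmap", "dev-old-7"),
]
SAMPLE_EVENTS += [
    _event(f"2026-03-02T09:{1 + i // 7:02d}:{(i % 7) * 8:02d}Z", "jdoe",
           "sharepoint", "download", f"employees-{i}.csv", "dev-new-1")
    for i in range(60)
]

# Constructed device registration times. The intrusion chain registers a fresh
# device with stolen credentials, so very recent registrations are suspicious.
DEVICE_REGISTRATIONS = {
    "dev-new-1": _ts("2026-03-02T08:40:00Z"),
    "dev-old-7": _ts("2025-06-14T10:00:00Z"),
}

SENSITIVE_TERMS = ("confidential", "ssn")   # terms named in the report
BULK_THRESHOLD = 50                          # downloads per window (assumed)
BULK_WINDOW = timedelta(minutes=10)          # assumed
NEW_DEVICE_AGE = timedelta(days=7)           # assumed


def sensitive_searches(events, terms=SENSITIVE_TERMS):
    """Search events whose query contains a sensitive term (case-insensitive)."""
    hits = []
    for e in events:
        if e["action"] == "search" and any(t in e["detail"].lower() for t in terms):
            hits.append((e["user"], e["platform"], e["detail"]))
    return hits


def bulk_downloads(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Users with at least `threshold` downloads inside any span of `window`.

    Sliding window over each user's sorted download timestamps; returns
    {user: peak downloads seen in one window} for users over the threshold."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "download":
            per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def new_device_activity(events, registrations, max_age=NEW_DEVICE_AGE):
    """(user, device) pairs active from a device registered less than `max_age`
    before the activity, or from a device missing from the registry entirely."""
    flagged = set()
    for e in events:
        registered = registrations.get(e["device_id"])
        if registered is None or e["ts"] - registered < max_age:
            flagged.add((e["user"], e["device_id"]))
    return sorted(flagged)


def analyze(events, registrations):
    """Run the three signals independently; each is worth a triage ticket."""
    return {
        "sensitive_searches": sensitive_searches(events),
        "bulk_downloads": bulk_downloads(events),
        "new_device_activity": new_device_activity(events, registrations),
    }


def high_confidence_users(events, registrations):
    """Users present in all three signals: the full pattern the report describes."""
    r = analyze(events, registrations)
    searchers = {u for u, _, _ in r["sensitive_searches"]}
    new_devices = {u for u, _ in r["new_device_activity"]}
    return sorted(searchers & set(r["bulk_downloads"]) & new_devices)


if __name__ == "__main__":
    for name, result in analyze(SAMPLE_EVENTS, DEVICE_REGISTRATIONS).items():
        print(name, result)
    print("high confidence:", high_confidence_users(SAMPLE_EVENTS, DEVICE_REGISTRATIONS))
```

Each signal on its own produces false positives (a legitimate migration can look like a bulk download, and every new hire enrolls a new device), which is why the combined check is kept separate from the individual ones: the individual findings feed triage, while a user who trips all three inside a short window warrants immediate session revocation and device de-registration.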
Source: BleepingComputer