PROBABLYPWNED
Threat Intelligence | April 26, 2026 | 3 min read

BlackFile Gang Uses Vishing to Hit Retail and Hospitality Orgs

New extortion group BlackFile impersonates IT helpdesks via phone calls to steal credentials and demand seven-figure ransoms. Targets include retail chains and hospitality companies.

Alex Kowalski

A new financially motivated hacking group called BlackFile has emerged as a significant threat to retail and hospitality organizations, using voice phishing (vishing) calls to compromise employee accounts and demand ransoms reaching seven figures. The group has been active since at least February 2026.

Who is BlackFile?

BlackFile, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider by various threat intelligence firms, operates a data theft and extortion scheme that bypasses traditional malware delivery entirely. Instead of phishing emails or exploit kits, they call employees directly.

Unit 42 researchers have linked BlackFile "with moderate confidence" to The Com, a network of English-speaking cybercriminals known for recruiting young people into extortion and exploitation activities. This connection suggests BlackFile may represent an evolution of tactics from groups that previously targeted individuals rather than enterprises.

Attack Methodology

Initial Access via Vishing

The attacks begin with phone calls from spoofed VoIP numbers or fraudulent Caller IDs. Threat actors pose as corporate IT support staff, directing victims to fake login pages where credentials and one-time passcodes are harvested. This technique circumvents many technical controls—employees expecting a helpdesk call may not question authentication requests that would seem suspicious in email form.

For organizations unfamiliar with these voice-based attacks, our guide on social engineering tactics covers the psychological techniques attackers use to build trust over the phone.

Credential Abuse and Escalation

Once credentials are captured, attackers:

  1. Register unauthorized devices to bypass MFA protections
  2. Scrape internal directories to identify executive accounts
  3. Escalate access through legitimate administrative channels
  4. Access Salesforce and SharePoint systems using standard API functions

The group specifically searches for files containing keywords like "confidential" and "SSN," downloading large volumes of sensitive data including CSV datasets and confidential reports to attacker-controlled infrastructure.

Extortion Tactics

BlackFile maintains a dark web data leak site where exfiltrated documents are published before victims are contacted. Ransom demands arrive via compromised employee email accounts or random Gmail addresses, with amounts reaching into the seven figures.

In a particularly aggressive twist, employees of compromised companies—including senior executives—have been targets of swatting attempts. These involve making false emergency calls to law enforcement, potentially putting victims in physical danger and adding psychological pressure to pay ransoms.

Connection to Broader Trends

BlackFile's tactics echo those of Scattered Spider, which successfully breached major casino operators using similar social engineering approaches. The retail and hospitality focus also aligns with recent ransomware trends showing threat actors shifting toward sectors with large customer databases and time-sensitive operations.

The emphasis on vishing over email phishing suggests defenders need to expand security awareness training beyond the usual "don't click suspicious links" messaging. Phone-based attacks exploit different psychological vulnerabilities and require different defensive strategies.

Defensive Recommendations

  1. Establish callback verification - Train employees to hang up and call IT through official channels before providing any credentials
  2. Implement out-of-band MFA verification - Require secondary confirmation for device enrollment changes
  3. Monitor for API abuse - Alert on unusual Salesforce or SharePoint bulk downloads
  4. Restrict sensitive file access - Limit who can search for and download files containing PII keywords
  5. Brief executives on swatting risks - Ensure leadership is aware this may accompany extortion attempts
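Recommendations 3 and 4 and the keyword-hunting behaviour described above can be turned into a simple detection. The following is an added example, not code from the article or from any vendor: it walks constructed audit lines in an assumed `<ISO timestamp> <user> <action> <path>` format (real Salesforce and SharePoint audit exports use different fields, so `parse_line` would need adapting) and alerts when one account downloads many files in a short window, counting how many of them carry the "confidential" or "SSN" keywords.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Keywords the article reports the group searching for; extend with your own labels.
SENSITIVE_KEYWORDS = ("confidential", "ssn")
BULK_THRESHOLD = 4             # downloads by one user inside WINDOW raise an alert
WINDOW = timedelta(minutes=10)
# Assumed (constructed) audit line format: "<ISO timestamp> <user> <action> <path>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\w+) (.+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                # line does not fit the assumed format
    ts, user, action, path = m.groups()
    try:
        return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "path": path}
    except ValueError:             # timestamp field is not ISO 8601
        return None

def is_sensitive(path):
    # True if the file name carries one of the keywords the actor hunts for.
    return any(k in path.lower() for k in SENSITIVE_KEYWORDS)

def detect(lines):
    """Return (user, downloads_in_window, keyword_hits) for each user over threshold."""
    events = [e for e in map(parse_line, lines) if e and e["action"] == "download"]
    events.sort(key=lambda e: e["ts"])
    per_user = defaultdict(list)
    for e in events: per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        best, start = [], 0
        for end in range(len(evs)):        # sliding window over this user's downloads
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= BULK_THRESHOLD:
            hits = sum(is_sensitive(e["path"]) for e in best)
            alerts.append((user, len(best), hits))
    return alerts

# Constructed sample: one normal user and one account pulling tagged files in a burst.
SAMPLE_LOG = [
    "2026-03-03T09:00:00 jdoe download /Finance/Q1_report.docx",
    "2026-03-03T09:12:00 m.lee download /Legal/confidential_merger_memo.pdf",
    "2026-03-03T09:12:30 m.lee download /HR/payroll_SSN_list.csv",
    "2026-03-03T09:13:05 m.lee download /Sales/customer_export.csv",
    "2026-03-03T09:13:40 m.lee download /Exec/board_confidential.pptx",
    "2026-03-03T09:31:00 jdoe view /HR/confidential_policy.pdf",
]
```

`detect(SAMPLE_LOG)` flags only `m.lee` (four downloads in under two minutes, three of them keyword-tagged); the `view` event and the single `jdoe` download fall below the threshold.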

BlackFile represents a concerning evolution in extortion tactics—technically simple but highly effective against organizations that have focused defensive investments on email and endpoint security while leaving phone-based attack vectors relatively unguarded.
