VYPR · breach
Published Apr 27, 2026 · Updated May 18, 2026 · 1 source

BlackFile Extortion Group Targets Retail and Hospitality via Vishing and MFA Bypass

A financially motivated extortion group tracked as BlackFile has been targeting retail and hospitality firms since February 2026, using vishing attacks, MFA bypass, and SaaS data exfiltration to demand seven-figure ransoms.

Security researchers have exposed a new extortion group, BlackFile, that has been systematically targeting retail and hospitality businesses since February 2026. In a joint report published on April 23 by Palo Alto Networks' Unit 42 and the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), the group is described as financially motivated and linked to the activity cluster CL-CRI-1116, which overlaps with public reporting on UNC6671 and Cordial Spider. The attackers are believed to be associated with the notorious collective known as "The Com."

BlackFile does not rely on custom malware or sophisticated tooling. Instead, the group focuses on living off the land by abusing application programming interfaces (APIs) and legitimate internal resources. Their primary initial access vector is vishing — voice phishing — where they impersonate IT helpdesk staff using spoofed VoIP numbers or fraudulent Caller ID names. The goal is to steal credentials and one-time passwords (OTPs) via phishing pages that mimic legitimate corporate single sign-on portals. The attackers also use antidetect browsers and residential proxies to mask their geographic location and bypass basic IP-based reputation filters.

Once they gain access to a user's account through credential phishing, BlackFile registers a new device to bypass multi-factor authentication (MFA) and maintain persistence. The group then moves laterally from standard employee accounts to high-privileged accounts, scraping internal employee directories to obtain contact lists for executives. By compromising these senior accounts through further social engineering, they gain persistent, broad access that mirrors legitimate executive session activity.

Inside the victim network, BlackFile focuses on SaaS data discovery, API abuse, and scraping SharePoint sites. They search for keywords like "confidential" and "SSN" to find high-value files and reports in SharePoint and Salesforce. Data exfiltration is performed directly through the browser or via API exports, leveraging Salesforce API access and standard SharePoint download functions to move large volumes of data — including CSV datasets of employee phone numbers and confidential business reports — to attacker-controlled infrastructure. This is often done under the guise of legitimate SSO-authenticated sessions to avoid triggering simple user-agent alerts.
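One defender-side check suggested by this chain, added here as an example and not code from the Unit 42/RH-ISAC report: correlate a user's newly registered MFA device with a bulk SharePoint download or a Salesforce report export shortly afterwards. The event schema, user names, timestamps and thresholds are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # how long after a new MFA device the account stays suspect
BULK_THRESHOLD = 200           # SharePoint files per user inside the window

# Constructed sample audit records (timestamp, user, action, source, files); not real data.
SAMPLE_EVENTS = [
    ("2026-03-02T09:14:00", "j.doe", "MFA_DEVICE_REGISTERED", "idp",        0),
    ("2026-03-02T09:40:00", "j.doe", "FILE_DOWNLOADED",       "sharepoint", 12),
    ("2026-03-02T10:06:00", "j.doe", "FILE_DOWNLOADED",       "sharepoint", 340),
    ("2026-03-02T11:20:00", "j.doe", "REPORT_EXPORT",         "salesforce", 1),
    ("2026-03-02T08:00:00", "a.lee", "FILE_DOWNLOADED",       "sharepoint", 500),  # no new device
    ("2026-03-01T12:00:00", "m.roy", "MFA_DEVICE_REGISTERED", "idp",        0),
    ("2026-03-03T13:00:00", "m.roy", "FILE_DOWNLOADED",       "sharepoint", 400),  # outside window
    ("2026-03-04T09:00:00", "s.kim", "MFA_DEVICE_REGISTERED", "idp",        0),
    ("2026-03-04T09:30:00", "s.kim", "FILE_DOWNLOADED",       "sharepoint", 3),    # small, normal
]


def correlate(events, window=WINDOW, threshold=BULK_THRESHOLD):
    """Return {user: [reasons]} for users whose bulk SaaS export follows a new MFA device."""
    last_reg = {}    # user -> time of the most recent device registration
    downloads = {}   # user -> SharePoint files pulled since that registration
    alerts = {}

    def flag(user, reason):
        reasons = alerts.setdefault(user, [])
        if reason not in reasons:
            reasons.append(reason)

    for ts, user, action, source, count in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if action == "MFA_DEVICE_REGISTERED":
            last_reg[user] = t
            downloads[user] = 0
            continue
        reg = last_reg.get(user)
        if reg is None or t - reg > window:
            continue  # no recent device change: not the pattern we are hunting
        if action == "REPORT_EXPORT" and source == "salesforce":
            flag(user, "salesforce report export after new MFA device")
        elif action == "FILE_DOWNLOADED" and source == "sharepoint":
            downloads[user] += count
            if downloads[user] >= threshold:
                flag(user, "bulk sharepoint download after new MFA device")
    return alerts
```

In production the same join would run over identity-provider sign-in logs and SharePoint/Salesforce audit events, tuned so that legitimate device enrolments with ordinary activity stay quiet.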

The group extorts its victims via random Gmail addresses or compromised employee email accounts, typically demanding a seven-figure sum. In some cases, they escalate pressure by swatting C-suite executives and other senior personnel to force payment. The report emphasizes that organizations should focus on security policies, managing multi-factor identity verification for callers, establishing protocols around what information can be shared in calls, and limiting what IT support actions can be completed in a single call without escalation to management. Security awareness training for frontline phone staff, focused on simulation-based scenarios and identifying signs of social engineering, is also recommended.

The emergence of BlackFile underscores a growing trend of financially motivated threat actors using social engineering and living-off-the-land techniques rather than deploying custom malware. The retail and hospitality sectors, which handle large volumes of sensitive customer data and often have complex IT environments, are particularly vulnerable to such attacks. The report serves as a critical reminder that even without sophisticated malware, determined attackers can cause significant damage through targeted social engineering and abuse of legitimate tools.

Synthesized by Vypr AI