A new cyber threat actor known as BlackFile has emerged, launching data theft and extortion campaigns against retail and hospitality organizations since February 2026. Tracked also as CL-CRI-1116, UNC6671, and Cordial Spider, the group employs sophisticated vishing attacks by impersonating IT helpdesk staff via spoofed VoIP calls. This tactic preys on frontline employees, tricking them into revealing credentials on fake SSO login pages.
BlackFile's attack chain begins with urgent phone calls claiming account security issues, directing victims to pixel-perfect phishing sites for credentials and MFA codes. Attackers then register rogue devices to bypass MFA, escalate privileges by scraping employee directories, and exploit SaaS APIs like Microsoft Graph and Salesforce to exfiltrate sensitive data. They target files with keywords such as "confidential," "SSN," or "salary," downloading massive volumes under legitimate-looking sessions.
Unlike ransomware groups focused on encryption, BlackFile prioritizes pure extortion, leaking stolen data—including customer PII and employee records—on dark web sites before contacting victims. Demands reach seven figures, delivered via compromised emails or random Gmail addresses, with added pressure from psychological tactics like swatting executives. Researchers from Palo Alto Networks' Unit 42 link BlackFile with moderate confidence to "The Com," a network tied to broader cybercrimes.
The group's success exploits high staff turnover in retail and hospitality, where social engineering evades traditional defenses. RH-ISAC warns of rising incidents, noting similarities to groups like ShinyHunters. As SaaS platforms hold crown-jewel data, BlackFile signals a shift to "extortion-first" models, blending digital theft with real-world harassment.
To counter BlackFile, organizations must enforce "callback" protocols—employees hang up and verify via internal lines—and audit SSO logs for suspicious device registrations. Regular social engineering training, API key rotations, and executive swatting briefings are essential for frontline resilience. Retail and hospitality firms ignoring these risks face multimillion-dollar breaches in 2026's volatile threat landscape.