New extortion group stalks.
It’s not just about sophisticated zero-days anymore, or even the well-worn paths of email phishing. The latest wave of cybercrime is getting decidedly more analog, and frankly, more invasive. A financially motivated hacking group, codenamed BlackFile, has been methodically targeting organizations in the retail and hospitality sectors since February 2026, leveraging an old-school tactic with a modern twist: voice phishing, or vishing. This isn’t just a minor uptick; cybersecurity firm Palo Alto Networks’ Unit 42 is flagging it as a significant trend, which should set alarm bells ringing across the C-suite.
The Vishing Playbook
What makes BlackFile particularly concerning is their carefully crafted social engineering playbook. They’re not sending out mass emails hoping for a click. Instead, they’re making phone calls. Yes, actual phone calls, often from spoofed numbers that look legitimate. Their modus operandi involves impersonating corporate IT helpdesk staff, a role many employees are conditioned to trust. The goal is simple, yet devastatingly effective: trick employees into divulging their login credentials and one-time passcodes, often by directing them to fake corporate login pages that mimic real ones with uncanny accuracy. This initial credential theft is the linchpin of their entire operation.
According to information shared with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), these attackers are adept at using voice-based phishing (vishing) techniques, exploiting Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) to lend an air of legitimacy to their calls. As RH-ISAC put it:
“The attackers behind CL-CRI-1116 use voice-based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social engineering technique, typically posing as IT support staff.”
This approach bypasses many of the technical defenses designed to catch digital sleight of hand. Who checks the Caller ID on an internal IT support call? Most people don’t, and that’s precisely the vulnerability BlackFile is exploiting. It’s a stark reminder that human trust, and the manipulation of it, remains a potent weapon in the cybercriminal’s arsenal.
Beyond Credentials: Data Exfiltration and Extortion
Once BlackFile gains a foothold with stolen credentials, they don’t stop at a single compromised account. Their ambition is far grander. They’re registering their own devices to circumvent multi-factor authentication, a critical security layer that many organizations rely on. Then, they escalate their access by scraping internal employee directories, aiming for executive-level accounts. This allows them to move laterally within the organization and gain access to the sensitive data they covet.
Their tools of choice for data exfiltration are surprisingly mundane, yet powerful: standard API functions for Salesforce and SharePoint. They’re not necessarily breaking into these systems in novel ways; they’re using legitimate access, albeit obtained nefariously, to vacuum up vast amounts of information. Their search is specific, looking for files containing terms like “confidential” and “SSN.” This targeted approach suggests a calculated strategy to maximize the impact and value of the stolen data. Imagine your company’s most sensitive employee data, or confidential business reports, sitting on an attacker’s server. The exfiltrated documents are then downloaded to attacker-controlled infrastructure, ready to be published on the gang’s dark web data leak site before the ransom demand is issued.
Communication with victims is equally insidious, often occurring through compromised employee email accounts or, for a touch of impersonal anonymity, randomly generated Gmail addresses. The ransom demands? Seven figures. This isn’t petty cash; this is a serious, financially motivated operation designed for maximum payout. The sheer volume of data, including CSV datasets of employee phone numbers, being moved under the guise of legitimate, SSO-authenticated sessions is particularly alarming, as it can fly under the radar of simple user-agent alerts.
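The detection problem described above, where exfiltration rides on legitimate SSO-authenticated sessions and a user-agent check sees nothing unusual, is best addressed by scoring session behaviour. The following is an added example, not code from the article, Unit 42 or RH-ISAC: it reads constructed audit events (the schema and log lines are invented for this example; real Salesforce or SharePoint audit logs use different fields) and flags a session when a new MFA device is registered shortly after login and the session then bulk-downloads files whose names contain the terms the article says the group searches for. The threshold and window values are assumptions to tune per environment.

```python
"""Session-behaviour detector for the post-vishing exfiltration pattern.

Added example, not from the article or any vendor. The event format and the
SAMPLE_LOG lines below are constructed for this demonstration; real SaaS audit
logs differ and would need their own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Terms the article says the attackers search for in file names.
SENSITIVE_TERMS = ("confidential", "ssn")
# Assumed tuning values: sensitive downloads per window before alerting,
# and the look-back window measured from each download.
DOWNLOAD_THRESHOLD = 5
WINDOW = timedelta(hours=2)

# Constructed audit events: "<timestamp> <user> <session> <action> <detail>"
SAMPLE_LOG = """\
2026-03-02T09:00:05Z alice s-101 login ua=Chrome/121
2026-03-02T09:02:11Z alice s-101 mfa_device_registered device=new-phone
2026-03-02T09:05:30Z alice s-101 file_download Q1_Confidential_Forecast.xlsx
2026-03-02T09:05:41Z alice s-101 file_download employee_SSN_export.csv
2026-03-02T09:05:52Z alice s-101 file_download confidential_merger_memo.docx
2026-03-02T09:06:03Z alice s-101 file_download payroll_SSN_2025.csv
2026-03-02T09:06:14Z alice s-101 file_download CONFIDENTIAL-board-deck.pptx
2026-03-02T09:06:25Z alice s-101 file_download vendor_SSN_list.csv
2026-03-02T10:00:00Z bob s-202 login ua=Chrome/121
2026-03-02T10:10:00Z bob s-202 file_download confidential_roadmap.pdf
2026-03-02T10:11:00Z bob s-202 file_download lunch_menu.pdf
"""


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, session, action, detail = line.split(" ", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "session": session,
            "action": action,
            "detail": detail,
        })
    return events


def is_sensitive(filename):
    """True if the file name contains any watched term (case-insensitive)."""
    name = filename.lower()
    return any(term in name for term in SENSITIVE_TERMS)


def max_downloads_in_window(timestamps):
    """Largest number of sensitive downloads that fall inside any WINDOW."""
    times = sorted(timestamps)
    best = 0
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= WINDOW)
        best = max(best, count)
    return best


def detect_sessions(events):
    """Return one alert per session that shows the exfiltration pattern.

    Severity is "high" when a new MFA device was registered in the same
    session (the MFA-bypass step) and "medium" for bulk sensitive downloads
    alone. Nothing here looks at the user-agent string.
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    alerts = []
    for session, evs in by_session.items():
        registered = any(e["action"] == "mfa_device_registered" for e in evs)
        sensitive_times = [e["ts"] for e in evs
                           if e["action"] == "file_download"
                           and is_sensitive(e["detail"])]
        peak = max_downloads_in_window(sensitive_times)
        if peak >= DOWNLOAD_THRESHOLD:
            alerts.append({
                "session": session,
                "user": evs[0]["user"],
                "sensitive_downloads": peak,
                "new_mfa_device": registered,
                "severity": "high" if registered else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_sessions(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as a script it prints one high-severity alert for session s-101 (six sensitive downloads within the window, preceded by a new MFA device registration) and nothing for bob, whose single sensitive download stays below the threshold. The point of the design is that both signals the article describes, self-registered MFA devices and targeted bulk downloads, are visible in ordinary audit logs even when the session itself is fully authenticated.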
The Swatting Shadow
And if the data theft and extortion weren’t enough, BlackFile has an even more sinister tactic in their arsenal: swatting. Yes, they’re using compromised employee accounts to initiate false emergency calls to law enforcement, targeting employees and even senior executives. This tactic, while not directly related to data theft, serves as a terrifying method of psychological warfare and pressure. Imagine receiving a frantic call from a family member because police have shown up at their door due to a false report. It’s a tactic designed to instill fear and accelerate ransom payments.
A Familiar Pattern?
This modus operandi isn’t entirely novel. CyberSteward founder and CEO Jason S.T. Kotler pointed out the similarities: “We can confirm that we are seeing a significant increase in Blackfile matters and that TTPs appear to be very similar to such groups as ShinyHunters and SLSH and similar copycats employing vishing/social engineering data exploit tactics.” This suggests BlackFile might be an evolution or a splinter group from existing criminal networks, refining their techniques and focusing on lucrative sectors like retail and hospitality.
Mandiant has also confirmed they are actively responding to multiple vishing incidents leading to data theft and extortion, including one previously involving a BlackFile victim-shaming site that has since gone offline. This all points to a coordinated and growing threat that organizations can’t afford to ignore.
Is This Just Another Phishing Variant?
The core of BlackFile’s attack is social engineering, a tactic as old as time. However, the sophisticated use of vishing, combined with their ability to bypass MFA through credential stuffing and their targeted data exfiltration methods, elevates this beyond a typical phishing campaign. They’re not just trying to steal an individual’s banking details; they’re aiming to cripple businesses through mass data theft and extortion. The linkage to “The Com,” a network known for more disturbing criminal activities, also casts a long shadow, suggesting a potentially dangerous escalation in the group’s capabilities and motivations. This isn’t just about money; it could be about more insidious goals.
What Can Retail and Hospitality Do?
The recommendations from RH-ISAC are clear and actionable. Organizations in vulnerable sectors need to bolster their defenses beyond traditional cybersecurity measures. Strengthening call-handling policies is paramount. This means implementing stricter protocols for verifying callers, even those claiming to be internal IT. Multi-factor identity verification for all callers, especially when sensitive information or system access is requested, should be standard practice. Furthermore, simulation-based social engineering training for frontline staff isn’t just a good idea; it’s a necessity. Employees need to be conditioned to recognize and report suspicious calls, not just emails. The human element, often the weakest link, must be fortified. Investigators are also seeing a strong link between these attacks and groups that target and recruit young people for extortion and violence, which adds a layer of societal concern beyond corporate security alone.
BlackFile represents a significant evolution in cybercrime tactics, marrying old-school social engineering with modern digital infrastructure to achieve devastating results. Their focus on retail and hospitality, sectors heavily reliant on customer data and often possessing large employee bases, makes them prime targets. Ignoring this vishing surge would be a costly mistake.