BlackFile Extortion Gang Hits Retail and Hospitality With Vishing-Led Data Theft
BlackFile, a financially motivated extortion group likely tied to The Com and overlapping with activity tracked by CrowdStrike as Cordial Spider, has targeted retail and hospitality organizations with voice-phishing campaigns that impersonate corporate IT help desks. Researchers at Palo Alto Networks Unit 42 and RH-ISAC said the group has been active since at least February 2026, using spoofed phone numbers and fake corporate single sign-on pages to trick employees into surrendering credentials and one-time passcodes.
After gaining access, the attackers register their own devices to bypass MFA, escalate privileges into administrative and executive accounts, and steal data from platforms including Salesforce and SharePoint through legitimate API and download functions. The stolen information is moved to attacker-controlled infrastructure, posted on a dark web leak site, and used to support seven-figure ransom demands sent from compromised employee accounts or Gmail; in some cases, the group has also used swatting against employees and executives to intensify pressure on victims.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly link BlackFile to The Com
Palo Alto Networks Unit 42 and RH-ISAC publicly reported that BlackFile is likely associated with The Com, describing its use of spoofed help-desk vishing, MFA bypass through attacker-registered devices, privilege escalation, and data theft for extortion.
BlackFile uses swatting and seven-figure extortion demands
During its campaign, BlackFile escalated pressure on victims by exfiltrating data from platforms such as Salesforce and SharePoint, posting stolen data to a leak site, sending seven-figure ransom demands, and in some cases using swatting against employees and executives.
BlackFile begins targeting retail and hospitality organizations
According to Palo Alto Networks Unit 42 and RH-ISAC, the financially motivated group BlackFile has conducted data-theft and extortion attacks against retail and hospitality organizations since February 2026 using vishing and fake corporate login pages.
Cordial Spider activity overlaps with BlackFile tactics
Researchers said BlackFile's operations overlap with activity CrowdStrike tracks as Cordial Spider since at least October 2025, indicating the tactics or operators were active before the BlackFile name emerged publicly.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
BlackFile hackers target retail, hospitality with vishing and data extortion | brief | SC Media
scworld.com
Open sourceBlackFile actively extorting data-theft victims in retail and hospitality sector | CyberScoop
cyberscoop.com
Open sourceNew BlackFile extortion group linked to surge of vishing attacks
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Former Black Basta Affiliates Target Executives With Teams Phishing and Email Bombing
Suspected former **Black Basta** affiliates have launched a fast-scaling social-engineering campaign against dozens of organizations, targeting more than 100 employees to gain network access for **data theft, ransomware deployment, and extortion**. According to ReliaQuest, the operators use mass email bombing to overwhelm victims and then follow up through **Microsoft Teams** messages or phone calls while impersonating IT help desk staff. The activity has been linked to former Black Basta members or closely aligned actors because the tooling, targeting, and execution closely mirror the group’s historical playbook, even after Black Basta fragmented following the leak of its internal chats. The campaign has increasingly focused on senior leaders and other highly privileged personnel, with executive targeting rising from **59%** in January and February to **77%** in March. Attackers have persuaded victims to install remote monitoring and management tools such as **Supremo Remote Desktop** or to launch **Windows Quick Assist**, sometimes obtaining remote access within minutes before running malicious scripts. Manufacturing and professional services have been hit hardest, with finance, insurance, construction, and technology also affected, underscoring how the operators are moving faster and using more automation to scale intrusions and make early detection more difficult.
May 4, 2026
Cordial Spider and Snarky Spider hit U.S. sectors with identity-driven extortion
CrowdStrike says two financially motivated threat groups tied to **The Com** — **Cordial Spider** and **Snarky Spider** — are conducting rapid data-theft and extortion campaigns against U.S.-based organizations across critical infrastructure and commercial sectors, including aviation, retail, hospitality, automotive, financial services, legal, academic, and technology. The actors are described as closely aligned with **Scattered Spider** and linked to other The Com subsets such as **SLSH** and **ShinyHunters**, with operations observed since at least October 2025 and ransom demands in some cases reaching seven figures. The groups rely on voice phishing, text messages, emails, and other social-engineering tactics to compromise identity platforms and move through victims’ SaaS environments. Researchers said the attackers use phishing pages that mimic legitimate single sign-on and identity provider portals to steal credentials, session keys, and tokens, then register their own MFA devices, disable MFA, suppress or delete alerts, and expand access across connected services. CrowdStrike also identified differences in the crews’ tradecraft, including operating hours, phishing infrastructure, leak sites, preferred operating systems, and MFA-registration methods, while noting their use of residential proxy services such as **Mullvad**, **Oxylabs**, **NetNut**, **9Proxy**, **Infatica**, and **NSOCKS** to evade detection; some victims were additionally subjected to **DDoS attacks** or **swatting**.
May 2, 2026
ShinyHunters-Linked Vishing Campaign Steals MFA Codes to Breach SaaS Platforms for Extortion
Google-owned **Mandiant** reported an expansion in **ShinyHunters**-style intrusions using **voice phishing (vishing)** and spoofed credential-harvesting sites to steal **SSO credentials** and **MFA codes**, enabling unauthorized access to cloud **SaaS** environments. Mandiant tracked the activity across multiple clusters (**UNC6661**, **UNC6671**, and **UNC6240** / *ShinyHunters*) and assessed the objective as data theft from cloud applications (including internal communications) followed by **extortion**, with some incidents involving escalatory pressure such as **harassment of victim personnel**. In observed tradecraft, operators impersonated IT staff, directed employees to phishing links under the pretext of updating MFA settings, then used captured credentials to enroll attacker-controlled devices for MFA. Separate reporting characterized the same campaign as a broad vishing operation with **hundreds of organizations** in scope, reinforcing that the activity is not limited to a single SaaS provider and is focused on identity-layer compromise rather than software exploitation. Other items in the set were unrelated: a supply-chain compromise of *eScan* antivirus update infrastructure distributing a backdoor, a Fortinet write-up on **Interlock** ransomware tradecraft, an article on EU vulnerability identifier policy, and general security-awareness/detection-engineering content; these do not describe the ShinyHunters vishing activity and should not be treated as part of the same incident thread.
Mar 21, 2026