BlackFile Extortion Group Expands Attacks on Retail and Hospitality Sectors
Researchers at Palo Alto Networks’ Unit 42 have identified an ongoing extortion campaign by the BlackFile threat group, which is likely associated with The Com. Since February, the group has been actively targeting organizations in the retail and hospitality industries, as well as other sectors including healthcare, technology, transportation, logistics, and wholesale.
Campaign Details and Threat Group Identification
The Retail Hospitality Information Sharing and Analysis Center (RH-ISAC) released the latest intelligence on the campaign alongside indicators of compromise on Thursday. The threat group is also tracked under multiple aliases, including CL-CRI-1116, UNC6671, and Cordial Spider. According to Matt Brady, senior principal researcher at Unit 42, the group’s core objective is to pressure targeted organizations into paying large ransom demands, typically in the seven-figure range.
Unit 42 declined to disclose the number of organizations impacted by the campaign, and RH-ISAC did not respond to requests for comment.
Overlap with Broader Cybercrime Trends
BlackFile’s attacks against retail and hospitality companies are part of a larger wave of voice-phishing campaigns initiated by multiple cybercrime groups. Google’s Threat Intelligence Group and Okta issued warnings about this trend in January. Additionally, Unit 42 noted that BlackFile’s activities overlap with an ongoing data theft and extortion campaign tracked by CrowdStrike as Cordial Spider since at least October 2025.
Tactics Include Swatting and Credential Theft
RH-ISAC reported that BlackFile has employed aggressive tactics, including swatting company personnel, among them executives, to increase pressure on victims to pay ransom demands. The group gains initial access through voice-phishing attacks and phishing pages that mimic corporate single sign-on services to steal credentials. Once credentials are obtained, attackers move laterally to compromise privileged accounts.
According to RH-ISAC’s blog post, the group scrapes internal employee directories to obtain contact lists for executives. By compromising senior accounts through further social engineering, they gain persistent, broad-spectrum access to the environment, mimicking legitimate executive session activity.
Scope of Data Theft and Extortion
The unauthorized access and data theft conducted by BlackFile span multiple environments, including:
- SaaS environments
- Microsoft Graph API permissions
- Salesforce API access
- Internal repositories
- SharePoint sites
- Datasets containing employee phone numbers and business records
The group has also established a data-leak site to extort victims who fail to meet its demands.
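A defender-side check suggested by the list above, added here as an example and not code from Unit 42, RH-ISAC or the article: it scans Entra ID-style audit records and flags application consent or delegated permission grants whose scopes would give a hijacked session broad read access to mail, files, SharePoint sites or the directory. The record shape (the fields `operationName`, `actor`, `app`, `scopes`, `adminConsent`) is a simplified, constructed layout and not the real audit-log schema; the scope names are real Microsoft Graph permissions, but which ones count as high-risk is this example's own watchlist, and the sample log lines are constructed.

```python
"""Flag Microsoft Graph permission grants that carry broad data-read scopes.

Added example (not from the article). Reads newline-delimited JSON audit
records in a simplified, constructed shape and reports consent or delegated
permission grants whose scope set includes permissions that let a compromised
session read mail, files, SharePoint sites or the directory at scale.
"""
import json

# Assumed watchlist of Graph scopes that enable bulk read-out of tenant data.
HIGH_RISK_SCOPES = frozenset({
    "Directory.Read.All",
    "Files.Read.All",
    "Sites.Read.All",
    "Mail.Read",
    "User.Read.All",
    "Group.Read.All",
})

# Audit operations that record a permission grant (assumed names for this
# simplified record shape; map these to your tenant's real operation names).
GRANT_OPERATIONS = frozenset({
    "Consent to application",
    "Add delegated permission grant",
})

# Constructed sample log: one line per audit record, plus one malformed line
# to show that the parser skips garbage instead of aborting the scan.
SAMPLE_AUDIT_LOG = """\
{"operationName": "Consent to application", "actor": "cfo@example.test", "app": "Mail Sync Helper", "scopes": "Mail.Read Files.Read.All offline_access", "adminConsent": false}
{"operationName": "Consent to application", "actor": "analyst@example.test", "app": "Expense Tracker", "scopes": "User.Read openid", "adminConsent": false}
this line is not JSON and must be skipped
{"operationName": "Add delegated permission grant", "actor": "admin@example.test", "app": "Directory Export", "scopes": "Directory.Read.All Sites.Read.All", "adminConsent": true}
{"operationName": "Update user", "actor": "admin@example.test", "app": "", "scopes": "", "adminConsent": false}
{"operationName": "Add delegated permission grant", "actor": "helpdesk@example.test", "app": "Calendar Widget", "scopes": "Calendars.Read", "adminConsent": false}
"""


def parse_records(text):
    """Yield one dict per well-formed JSON line; silently skip malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            yield record


def risky_scopes(scope_field):
    """Return the sorted high-risk scopes present in a space-separated scope string."""
    return sorted(set(scope_field.split()) & HIGH_RISK_SCOPES)


def find_risky_grants(text):
    """Return findings for every grant operation that includes a high-risk scope."""
    findings = []
    for record in parse_records(text):
        if record.get("operationName") not in GRANT_OPERATIONS:
            continue
        hits = risky_scopes(record.get("scopes", ""))
        if not hits:
            continue
        findings.append({
            "actor": record.get("actor", ""),
            "app": record.get("app", ""),
            "scopes": hits,
            # Admin consent extends the grant tenant-wide, so it is worth surfacing.
            "adminConsent": bool(record.get("adminConsent", False)),
        })
    return findings


if __name__ == "__main__":
    for finding in find_risky_grants(SAMPLE_AUDIT_LOG):
        consent = "ADMIN" if finding["adminConsent"] else "user"
        print(f"[{consent} consent] {finding['actor']} granted {finding['app']}: "
              f"{', '.join(finding['scopes'])}")
```

In a real deployment the records would come from the tenant's audit-log export rather than the inline sample, and the watchlist would be tuned to the applications the organization has already approved; the point of the check is that a grant of bulk-read scopes by an executive account, the kind of account this campaign targets, is a signal worth triaging regardless of which application received it.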
“The core objective of these threat actors is to pressure targeted organizations into paying large ransom demands, typically in the seven-figure range.”
— Matt Brady, Senior Principal Researcher, Palo Alto Networks’ Unit 42
Brady noted that Unit 42 has observed relatively consistent activity from BlackFile since February.
Recommendations for Organizations
In response to the campaign, RH-ISAC advises organizations to:
- Implement robust multi-factor identity verification for callers
- Limit IT support actions that can be completed in a single call without escalation to management
The post BlackFile actively extorting data-theft victims in retail and hospitality sector appeared first on CyberScoop.