Mallory

BlackFile Extortion Gang Hits Retail and Hospitality With Vishing-Led Data Theft

Tags: voice-social-engineering, credential-access-method, ransomware-group-operation, data-exfiltration-method, underground-data-leak
Updated April 28, 2026 at 01:01 AM (3 sources)

BlackFile, a financially motivated extortion group likely tied to The Com and overlapping with activity tracked by CrowdStrike as Cordial Spider, has targeted retail and hospitality organizations with voice-phishing campaigns that impersonate corporate IT help desks. Researchers at Palo Alto Networks Unit 42 and RH-ISAC said the group has been active since at least February 2026, using spoofed phone numbers and fake corporate single sign-on pages to trick employees into surrendering credentials and one-time passcodes.

After gaining access, the attackers register their own devices to bypass MFA, escalate privileges into administrative and executive accounts, and steal data from platforms including Salesforce and SharePoint through legitimate API and download functions. The stolen information is moved to attacker-controlled infrastructure, posted on a dark web leak site, and used to support seven-figure ransom demands sent from compromised employee accounts or Gmail; in some cases, the group has also used swatting against employees and executives to intensify pressure on victims.
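As an added defensive example (not code from Unit 42, RH-ISAC or Mallory), the following Python correlates the post-vishing sequence described above: a new MFA device registered on an account, followed within a day by bulk export activity from Salesforce or SharePoint. The event schema, field names and sample log lines are constructed for this example and are assumptions, not values from the reporting.

```python
"""Correlate new MFA device enrollment with subsequent bulk SaaS data pulls.

Constructed, illustrative detection logic. The normalised event schema
(timestamp, user, event, detail) and the sample events are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: identity-provider and SaaS logs merged
# into one schema. j.doe shows the suspicious sequence; a.smith enrolls a
# device but only pulls 12 records; m.lee exports in bulk with no enrollment.
SAMPLE_EVENTS = [
    ("2026-03-03T09:02:00", "j.doe", "sso_login", "ip=198.51.100.7"),
    ("2026-03-03T09:05:00", "j.doe", "mfa_device_registered", "type=authenticator"),
    ("2026-03-03T09:41:00", "j.doe", "saas_export", "platform=salesforce;records=48000"),
    ("2026-03-03T10:10:00", "j.doe", "saas_export", "platform=sharepoint;records=9100"),
    ("2026-03-03T11:00:00", "a.smith", "mfa_device_registered", "type=phone"),
    ("2026-03-03T13:30:00", "a.smith", "saas_export", "platform=salesforce;records=12"),
    ("2026-03-04T08:00:00", "m.lee", "saas_export", "platform=salesforce;records=70000"),
]

def parse_detail(detail):
    """Turn 'k=v;k2=v2' into a dict."""
    return dict(kv.split("=", 1) for kv in detail.split(";"))

def find_suspicious_sessions(events, window_hours=24, record_threshold=1000):
    """Return {user: [(timestamp, platform, records)]} for bulk exports that
    follow an MFA device registration by the same user within the window."""
    by_user = defaultdict(list)
    for ts, user, event, detail in sorted(events):  # ISO timestamps sort lexically
        by_user[user].append((datetime.fromisoformat(ts), event, parse_detail(detail)))
    hits = {}
    window = timedelta(hours=window_hours)
    for user, evs in by_user.items():
        enrollments = [t for t, e, _ in evs if e == "mfa_device_registered"]
        for t, e, d in evs:
            if e != "saas_export" or int(d.get("records", 0)) < record_threshold:
                continue
            # Only exports that happen after (not before) an enrollment count.
            if any(timedelta(0) <= t - reg <= window for reg in enrollments):
                hits.setdefault(user, []).append((t.isoformat(), d["platform"], int(d["records"])))
    return hits

if __name__ == "__main__":
    for user, exports in find_suspicious_sessions(SAMPLE_EVENTS).items():
        print(user, exports)
```

A real deployment would read these events from the identity provider and SaaS audit logs rather than the inline list, and tune the threshold per platform.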

Timeline

  1. Apr 24, 2026

    Researchers publicly link BlackFile to The Com

    Palo Alto Networks Unit 42 and RH-ISAC publicly reported that BlackFile is likely associated with The Com, describing its use of spoofed help-desk vishing, MFA bypass through attacker-registered devices, privilege escalation, and data theft for extortion.

  2. Feb 1, 2026

    BlackFile uses swatting and seven-figure extortion demands

    During its campaign, BlackFile escalated pressure on victims by exfiltrating data from platforms such as Salesforce and SharePoint, posting stolen data to a leak site, sending seven-figure ransom demands, and in some cases using swatting against employees and executives.

  3. Feb 1, 2026

    BlackFile begins targeting retail and hospitality organizations

    According to Palo Alto Networks Unit 42 and RH-ISAC, the financially motivated group BlackFile has conducted data-theft and extortion attacks against retail and hospitality organizations since February 2026 using vishing and fake corporate login pages.

  4. Oct 1, 2025

    Cordial Spider activity overlaps with BlackFile tactics

    Researchers said BlackFile's operations overlap with activity CrowdStrike tracks as Cordial Spider since at least October 2025, indicating the tactics or operators were active before the BlackFile name emerged publicly.


Related Stories

Former Black Basta Affiliates Target Executives With Teams Phishing and Email Bombing

Suspected former **Black Basta** affiliates have launched a fast-scaling social-engineering campaign against dozens of organizations, targeting more than 100 employees to gain network access for **data theft, ransomware deployment, and extortion**. According to ReliaQuest, the operators use mass email bombing to overwhelm victims and then follow up through **Microsoft Teams** messages or phone calls while impersonating IT help desk staff. The activity has been linked to former Black Basta members or closely aligned actors because the tooling, targeting, and execution closely mirror the group’s historical playbook, even after Black Basta fragmented following the leak of its internal chats. The campaign has increasingly focused on senior leaders and other highly privileged personnel, with executive targeting rising from **59%** in January and February to **77%** in March. Attackers have persuaded victims to install remote monitoring and management tools such as **Supremo Remote Desktop** or to launch **Windows Quick Assist**, sometimes obtaining remote access within minutes before running malicious scripts. Manufacturing and professional services have been hit hardest, with finance, insurance, construction, and technology also affected, underscoring how the operators are moving faster and using more automation to scale intrusions and make early detection more difficult.

3 days ago

Cordial Spider and Snarky Spider hit U.S. sectors with identity-driven extortion

CrowdStrike says two financially motivated threat groups tied to **The Com** — **Cordial Spider** and **Snarky Spider** — are conducting rapid data-theft and extortion campaigns against U.S.-based organizations across critical infrastructure and commercial sectors, including aviation, retail, hospitality, automotive, financial services, legal, academic, and technology. The actors are described as closely aligned with **Scattered Spider** and linked to other The Com subsets such as **SLSH** and **ShinyHunters**, with operations observed since at least October 2025 and ransom demands in some cases reaching seven figures. The groups rely on voice phishing, text messages, emails, and other social-engineering tactics to compromise identity platforms and move through victims’ SaaS environments. Researchers said the attackers use phishing pages that mimic legitimate single sign-on and identity provider portals to steal credentials, session keys, and tokens, then register their own MFA devices, disable MFA, suppress or delete alerts, and expand access across connected services. CrowdStrike also identified differences in the crews’ tradecraft, including operating hours, phishing infrastructure, leak sites, preferred operating systems, and MFA-registration methods, while noting their use of residential proxy services such as **Mullvad**, **Oxylabs**, **NetNut**, **9Proxy**, **Infatica**, and **NSOCKS** to evade detection; some victims were additionally subjected to **DDoS attacks** or **swatting**.

Yesterday

ShinyHunters-Linked Vishing Campaign Steals MFA Codes to Breach SaaS Platforms for Extortion

Google-owned **Mandiant** reported an expansion in **ShinyHunters**-style intrusions using **voice phishing (vishing)** and spoofed credential-harvesting sites to steal **SSO credentials** and **MFA codes**, enabling unauthorized access to cloud **SaaS** environments. Mandiant tracked the activity across multiple clusters (**UNC6661**, **UNC6671**, and **UNC6240** / *ShinyHunters*) and assessed the objective as data theft from cloud applications (including internal communications) followed by **extortion**, with some incidents involving escalatory pressure such as **harassment of victim personnel**. In observed tradecraft, operators impersonated IT staff, directed employees to phishing links under the pretext of updating MFA settings, then used captured credentials to enroll attacker-controlled devices for MFA. Separate reporting characterized the same campaign as a broad vishing operation with **hundreds of organizations** in scope, reinforcing that the activity is not limited to a single SaaS provider and is focused on identity-layer compromise rather than software exploitation. Other items in the set were unrelated: a supply-chain compromise of *eScan* antivirus update infrastructure distributing a backdoor, a Fortinet write-up on **Interlock** ransomware tradecraft, an article on EU vulnerability identifier policy, and general security-awareness/detection-engineering content; these do not describe the ShinyHunters vishing activity and should not be treated as part of the same incident thread.

1 month ago
