BlackFile Group Targets Retail and Hospitality with Vishing Attacks

https://www.infosecurity-magazine.com/news/blackfile-group-targets-retail/

Publish Date: 2026-04-27 04:15:00

Source Domain: www.infosecurity-magazine.com

Security researchers have revealed details of a new extortion group that has been actively targeting retail and hospitality businesses since February 2026.

Palo Alto Networks’ Unit 42 teamed up with the Retail and Hospitality Information Security and Analysis Center (RH-ISAC) to publish a new report on April 23, Extortion in the Enterprise: Defending Against BlackFile Attacks.

It detailed financially motivated activity linked to the activity cluster CL-CRI-1116, which the authors said overlaps with public reporting on BlackFile, UNC6671 and Cordial Spider, and is likely to be associated with the notorious collective “The Com.”

“The attackers behind CL-CRI-1116 do not rely on custom malware or tooling,” it explained. “Rather, they focus on living off the land through misuse of application programming interfaces (APIs) and other legitimate internal resources.”

BlackFile typically targets victims through vishing attacks impersonating the IT helpdesk. Spoofed VoIP numbers or fraudulent Caller ID Names are used to hide the callers’ true identity, and the end goal is theft of credentials and one-time passwords.

To this end, the threat actors use phishing pages designed to spoof legitimate corporate single sign-on portals.

“They also utilize antidetect browsers and residential proxies to mask their geographic location and bypass basic IP-based reputation filters,” the report noted.

From Access to Exfiltration

After gaining access to a user’s account via credential phishing, BlackFile often registers a new device in order to bypass multi-factor authentication (MFA) and maintain persistence.
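Because the group routes traffic through residential proxies, IP-reputation checks alone will not catch the persistence step described above; a more useful signal is per-user novelty: a sign-in from an address that account has never used, followed within minutes by a new MFA device registration. The detection below is an added example written for this article, not from the Unit 42/RH-ISAC report; the event schema, field names and sample events are constructed assumptions.

```python
"""Flag MFA device registrations that follow a sign-in from an address the
user has never used before (constructed events; schema is an assumption)."""
from datetime import datetime, timedelta

# Constructed baseline: addresses each user has previously signed in from.
KNOWN_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"198.51.100.7"},
}

# Constructed identity-provider events, not real logs. Bob's first pair is the
# pattern described in the article: unknown address, then a new MFA device.
EVENTS = [
    {"ts": "2026-03-02T09:00:00", "user": "alice", "type": "signin", "ip": "203.0.113.10"},
    {"ts": "2026-03-02T09:05:00", "user": "alice", "type": "mfa_device_added", "ip": "203.0.113.10"},
    {"ts": "2026-03-03T14:10:00", "user": "bob", "type": "signin", "ip": "192.0.2.55"},
    {"ts": "2026-03-03T14:14:00", "user": "bob", "type": "mfa_device_added", "ip": "192.0.2.55"},
    {"ts": "2026-03-03T15:00:00", "user": "bob", "type": "signin", "ip": "198.51.100.7"},
    {"ts": "2026-03-03T17:30:00", "user": "bob", "type": "mfa_device_added", "ip": "198.51.100.7"},
]


def find_suspicious_registrations(events, known_ips, window_minutes=30):
    """Return (user, signin_ts, registration_ts) for every MFA device
    registration that occurs within `window_minutes` of a sign-in from an
    address not in the user's baseline. Alice's registration comes from a
    known address and is ignored; Bob's later registration falls outside
    the window that his unknown-address sign-in opened."""
    alerts = []
    recent_unknown = {}  # user -> timestamp of latest sign-in from an unknown address
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "signin":
            if ev["ip"] not in known_ips.get(user, set()):
                recent_unknown[user] = ts
        elif ev["type"] == "mfa_device_added":
            start = recent_unknown.get(user)
            if start is not None and ts - start <= timedelta(minutes=window_minutes):
                alerts.append((user, start.isoformat(), ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_registrations(EVENTS, KNOWN_IPS):
        print("review MFA registration:", alert)
```

In a real deployment the baseline would come from the identity provider’s sign-in history, and the alert should trigger a review of the newly registered device rather than an automatic lockout.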

“The attackers also maintain access by moving laterally from standard employee accounts to high-privileged accounts. They scrape internal employee directories to obtain contact lists for executives,” the report continued.

“By compromising these senior accounts via…