{"id":236601,"date":"2026-04-24T14:26:00","date_gmt":"2026-04-24T18:26:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/24\/new-blackfile-extortion-group-linked-to-surge-of-vishing-attacks\/"},"modified":"2026-04-28T09:15:18","modified_gmt":"2026-04-28T13:15:18","slug":"new-blackfile-extortion-group-linked-to-surge-of-vishing-attacks","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/24\/new-blackfile-extortion-group-linked-to-surge-of-vishing-attacks\/","title":{"rendered":"New BlackFile extortion group linked to surge of vishing attacks"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs\/\">New BlackFile extortion group linked to surge of vishing attacks<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-24 14:26:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.bleepingcomputer.com\">www.bleepingcomputer.com<\/a><\/p>\n<p style=\"text-align:center\">\n<p>A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026.<\/p>\n<p>The group, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is impersonating corporate IT helpdesk staff to steal employee credentials and demand seven-figure ransoms, according to information shared by cybersecurity firm Palo Alto Networks&#8217; Unit 42 with the Retail &#038; Hospitality Information Sharing and Analysis Center (RH-ISAC).<\/p>\n<p>Unit 42 security researchers have also linked BlackFile with moderate confidence to &#8220;The Com,&#8221; a loose-knit network of English-speaking cybercriminals known for targeting and recruiting young people for extortion, violence, and the production of child sexual exploitation material (CSAM).<\/p>\n<p> <img decoding=\"async\" src=\"https:\/\/www.bleepstatic.com\/c\/a\/as-tour-the-platform-970-x250.jpg\" alt=\"image\" style=\"margin-top: 0px;\"\/><\/p>\n<p>In a Thursday report, RH-ISAC said that the group&#8217;s attacks begin with phone calls to employees from spoofed numbers, in which the threat actors pose as IT support to lure staff to fake corporate login pages that ask them to enter their credentials and one-time passcodes.<\/p>\n<p>&#8220;The attackers behind CL-CRI-1116 use voice-based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social engineering technique, typically posing as IT support staff,&#8221; RH-ISAC said.<\/p>\n<p>&#8220;We can confirm that we are seeing a significant increase in Blackfile matters and that TTPs appear to be very similar to such groups as ShinyHunters and SLSH and similar copycats employing vishing\/social engineering data exploit tactics,&#8221;\u00a0CyberSteward founder and CEO Jason S.T. Kotler also told BleepingComputer.<\/p>\n<p>Using stolen credentials, the BlackFile attackers register their own devices to bypass multifactor authentication, then escalate access to executive-level accounts by scraping internal employee directories.<\/p>\n<p>BlackFile steals data from victims&#8217; Salesforce and SharePoint servers using standard API functions,&#8230;<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New BlackFile extortion group linked to surge of vishing attacks https:\/\/www.bleepingcomputer.com\/news\/security\/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs\/ Publish Date: 2026-04-24 14:26:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":236602,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/04\/24\/Hackers.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,25],"class_list":["post-236601","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/236601"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=236601"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/236601\/revisions"}],"predecessor-version":[{"id":236603,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/236601\/revisions\/236603"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/236602"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=236601"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=236601"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=236601"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}