"The attackers behind CL-CRI-1116 do not rely on custom malware or tooling," Palo Alto Networks’ Unit 42 and the Retail and Hospitality Information Security and Analysis Center (RH-ISAC) wrote in their April 23 report — a concise diagnosis that underpins a persistent and quietly escalating threat to retail and hospitality firms.
CL-CRI-1116 and the groups behind it
The activity cluster described in the report, CL-CRI-1116, is linked to financially motivated extortion campaigns that researchers trace back to February 2026. Unit 42 and RH-ISAC say CL-CRI-1116 overlaps publicly reported activity associated with BlackFile, UNC6671 and Cordial Spider, and is likely tied to the collective described as "The Com." That association frames the campaign not as isolated criminal opportunism but as a pattern of coordinated extortion activity affecting an entire sector.
Vishing as the opening gambit
BlackFile's favored initial vector is vishing: voice-based social engineering that impersonates an organization's IT helpdesk. The actors use spoofed VoIP numbers or fraudulent Caller ID Names to hide their identity, then attempt to harvest credentials and one-time passwords. To capture credentials they deploy phishing pages that spoof legitimate corporate single sign-on (SSO) portals — a low-tech, high-return approach when paired with convincing phone-based pretexting.
Living off the land: tools, APIs and browser-based exfiltration
The report stresses that these attackers "do not rely on custom malware or tooling." Instead, they exploit existing services and legitimate functionality. Techniques include the use of antidetect browsers and residential proxies to mask geographic origin and to bypass basic IP-reputation controls. After stealing account credentials, attackers frequently register a new device to bypass multi-factor authentication and to preserve persistence.
Once inside, CL-CRI-1116 actors move laterally from standard employee accounts to high-privileged accounts, scrape internal employee directories for executive contact lists, and then target senior accounts for additional social engineering. Those compromises yield persistent, broad-spectrum access that the report says can "mirror legitimate executive session activity," helping the attackers evade simple behavioral detection.
Data discovery, API abuse and exfiltration mechanics
The group orbits SaaS environments. Researchers report a focus on SaaS data discovery, API abuse and scraping SharePoint sites for search terms like "confidential" and "SSN" to locate high-value files. CL-CRI-1116 exfiltrates data directly through the browser or via API exports. Unit 42 and RH-ISAC note that attackers leverage Salesforce API access and standard SharePoint download functions to move large volumes of data — including CSV datasets of employee phone numbers and confidential business reports — to attacker-controlled infrastructure.
Because much of this activity can occur within SSO-authenticated sessions, attackers can avoid triggering simple user-agent or session alerts, making detection harder for organizations that rely only on basic telemetry.
Extortion playbook and operational pressure
After exfiltration, the actors demand payment — commonly a seven-figure sum — using random Gmail addresses or compromised employee email accounts as contact points. The group has also used swatting of C-suite executives and others as an additional coercive measure to force payment. The combination of large exfiltrated datasets, executive-level compromise, and real-world intimidation tactics increases both leverage and urgency for victims.
What this means for retailers, hospitality firms, and frontline phone staff
- Retail and hospitality security teams should assume attackers will exploit legitimate SaaS and API capabilities; monitoring must include API use patterns and anomalous browser-based exports.
- IT and helpdesk managers need clear protocols: require multi-factor identity verification for callers, define what information can be shared over the phone, and specify which support actions are not permitted in a single unauthenticated call without managerial escalation.
- Frontline phone staff benefit from simulation-based security awareness training that emphasizes identifying social engineering red flags such as vague answers to identity questions and attempts to create high-pressure requests for immediate action.
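The exfiltration mechanics described above (sensitive-term searches in SharePoint, bulk browser downloads and API exports inside an authenticated session, and a newly registered device used to sidestep MFA) and the monitoring recommendation in the first bullet translate into a simple correlation rule. The following is an added example of such a rule, not code from the report or from Unit 42/RH-ISAC; the audit events, user names, field names, and thresholds are all constructed for illustration, and a real deployment would map them onto the actual SSO, SharePoint and Salesforce audit schemas.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of unified SaaS audit events (hypothetical schema, not
# the report's data): SSO device enrolment, SharePoint search and download,
# and a Salesforce-style API export, all seen under valid SSO sessions.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T08:55:00", "user": "exec.assistant@example.test",
     "action": "DeviceRegistered", "detail": "new-device-01"},
    {"ts": "2026-03-02T09:02:00", "user": "exec.assistant@example.test",
     "action": "SearchQuery", "detail": "confidential"},
    {"ts": "2026-03-02T09:03:00", "user": "exec.assistant@example.test",
     "action": "SearchQuery", "detail": "SSN"},
    {"ts": "2026-03-02T09:10:00", "user": "exec.assistant@example.test",
     "action": "FileDownloaded", "channel": "browser", "bytes": 60_000_000},
    {"ts": "2026-03-02T09:25:00", "user": "exec.assistant@example.test",
     "action": "FileDownloaded", "channel": "browser", "bytes": 55_000_000},
    {"ts": "2026-03-02T09:40:00", "user": "exec.assistant@example.test",
     "action": "ApiExport", "channel": "api", "bytes": 30_000_000},
    # Benign baseline user: small download, ordinary search term.
    {"ts": "2026-03-02T10:00:00", "user": "analyst@example.test",
     "action": "FileDownloaded", "channel": "browser", "bytes": 2_000_000},
    {"ts": "2026-03-02T10:30:00", "user": "analyst@example.test",
     "action": "SearchQuery", "detail": "Q1 forecast"},
]

# Search terms the report says the actors look for, plus one variant.
SENSITIVE_TERMS = ("confidential", "ssn", "social security")


def is_sensitive_query(query: str) -> bool:
    """True if a search query contains one of the watched terms (case-insensitive)."""
    q = query.lower()
    return any(term in q for term in SENSITIVE_TERMS)


def detect_exfiltration(events, window=timedelta(hours=1),
                        bulk_bytes=100_000_000,
                        device_lookback=timedelta(hours=24)):
    """Return one alert per user whose transfers exceed bulk_bytes inside a
    sliding window, escalated if a device was registered shortly before and
    annotated if the user searched for sensitive terms first.

    Browser downloads and API exports are summed together on purpose: the
    actors move data through either channel within the same SSO session,
    so a per-channel threshold would miss a split burst.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["ts"])
        device_times = [e["ts"] for e in evs if e["action"] == "DeviceRegistered"]
        sensitive_searches = [e["ts"] for e in evs
                              if e["action"] == "SearchQuery"
                              and is_sensitive_query(e["detail"])]
        transfers = [e for e in evs if e["action"] in ("FileDownloaded", "ApiExport")]

        # Largest total volume moved in any window that starts at a transfer.
        best = None
        for i, start in enumerate(transfers):
            burst = [x for x in transfers[i:] if x["ts"] - start["ts"] <= window]
            total = sum(x["bytes"] for x in burst)
            if best is None or total > best["bytes"]:
                best = {"start": start["ts"], "bytes": total,
                        "channels": sorted({x["channel"] for x in burst})}
        if best is None or best["bytes"] < bulk_bytes:
            continue

        alert = {"user": user, "rule": "bulk_export", "severity": "medium", **best}
        # New device enrolled within the lookback before the burst began:
        # the MFA-bypass pattern the report describes, so raise severity.
        if any(best["start"] - device_lookback <= d <= best["start"] for d in device_times):
            alert["rule"] = "bulk_export_after_new_device"
            alert["severity"] = "high"
        # Sensitive-term discovery preceding the burst is recorded as context.
        alert["sensitive_search"] = any(s <= best["start"] for s in sensitive_searches)
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_exfiltration(SAMPLE_EVENTS):
        print(f'{a["severity"].upper():6} {a["rule"]:30} {a["user"]} '
              f'{a["bytes"] // 1_000_000} MB via {"+".join(a["channels"])} '
              f'sensitive_search={a["sensitive_search"]}')
```

On the constructed sample the rule fires once, for the assistant account: 145 MB moved across browser and API channels within an hour, escalated to high because a device was enrolled fifteen minutes earlier, with the "confidential" and "SSN" searches flagged as context; the analyst's 2 MB download stays below threshold. The volume threshold and lookback are deliberately parameters, because a sensible baseline for a SharePoint-heavy finance team will differ from one for store staff.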
Unit 42 and RH-ISAC’s April 23 report paints a picture of an extortion operation that wins not by bespoke malware but by patient, procedural manipulation of legitimate systems and human trust. For organizations in retail and hospitality, the immediate challenge is not an exotic technical fix but a disciplined combination of policy, verification, and training designed to close the human and API-enabled vectors these attackers exploit.