“The core objective of these threat actors is to pressure targeted organizations into paying large ransom demands, typically in the seven-figure range,” Matt Brady, senior principal researcher at Palo Alto Networks’ Unit 42, told CyberScoop.
Who BlackFile is and the names researchers use
Researchers warn that BlackFile is an extortion group likely associated with The Com and is tracked under several names, including CL-CRI-1116, UNC6671 and Cordial Spider. Unit 42 describes the campaign as active and ongoing; CrowdStrike has been tracking related data theft and extortion activity as Cordial Spider since at least October 2025, and Unit 42 reports relatively consistent activity from BlackFile since February.
How attacks are staged: impersonation, voice-phishing, and credential theft
BlackFile’s playbook centers on impersonating IT support in voice-phishing and social engineering attacks. The group lures victims via voice-phishing and phishing pages that mimic corporate single sign-on services to steal credentials, Unit 42 and RH-ISAC reported. Attackers then use stolen credentials to move into privileged accounts and to “gain persistent, broad-spectrum access to the environment that mirrors legitimate executive session activity,” RH-ISAC wrote.
Researchers say the group scrapes internal employee directories to build contact lists for executives and then targets those senior accounts for compromise via additional social engineering. Once inside, BlackFile has targeted SaaS environments and APIs — specifically Microsoft Graph API permissions and Salesforce API access — and exfiltrated data from internal repositories, SharePoint sites, and datasets containing employees’ phone numbers and business records.
Scope: industries hit and coercive tactics
Unit 42 says BlackFile’s activity has affected organizations across multiple industries, including healthcare, technology, transportation, logistics, wholesale and retail. Since February, attackers have been actively targeting organizations in the retail and hospitality industries, according to Unit 42 intelligence that RH-ISAC released alongside indicators of compromise Thursday.
The campaign is opportunistic, Unit 42 told CyberScoop, with the “core objective” being to coerce victims into paying large ransoms. RH-ISAC also reported that some attackers have gone beyond digital coercion: “some attackers have swatted company personnel, including executives, to increase leverage and pressure victims to pay their ransom demands,” the organization wrote.
Operational tradecraft: data-leak sites and extortion pressure
BlackFile does not rely solely on access; researchers observed the group creating a data-leak site to extort victims it claims ignored or failed to agree to demands. That public pressure tactic complements the private demands, amplifies reputational risk for targeted organizations, and raises the stakes for executives and incident responders who must weigh paying ransoms against potential disclosures.
Unit 42 declined to quantify how many organizations have been impacted, and RH-ISAC did not respond to a request for comment, underscoring that public counts of victims are not available from those sources.
What this means for technologists, retail and hospitality organizations, and executives
- Technologists and security teams: RH-ISAC advises managing multi-factor identity verification for callers and limiting the IT support actions that can be completed in a single call without escalation to management. The group’s use of phishing pages that mimic corporate single sign-on services and its targeting of API permissions (Microsoft Graph, Salesforce) indicate that defenders should review access controls and audit logs for those services.
- Retail and hospitality organizations: Unit 42’s intelligence notes active targeting of retail and hospitality since February; organizations in those sectors should treat indicators of compromise released by RH-ISAC as operationally relevant and prioritize endpoint and identity protections tied to SaaS and SharePoint repositories.
- Executives and senior staff: RH-ISAC’s reporting that attackers scrape internal directories to assemble executive contact lists and sometimes swat personnel highlights the need for communication protocols that verify caller identity and for executive safety planning that coordinates with local authorities when threats escalate.
BlackFile’s campaign combines social engineering, credential theft, API abuse, and public extortion in a pattern researchers link to groups tracked under multiple names. With consistent activity reported since February and public indicators distributed by RH-ISAC Thursday, organizations that rely on SaaS platforms, corporate single sign-on, and executive-access controls are the immediate focus of both the threat actors and the defensive guidance.
Original reporting: https://cyberscoop.com/blackfile-data-theft-extortion-retail-unit-42-rh-isac/