
BlackFile Targets Retail with Vishing Extortion Tactics


"The attackers behind CL-CRI-1116 use voice-based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social engineering technique, typically posing as IT support staff," RH-ISAC said.

BlackFile (CL-CRI-1116 / UNC6671 / Cordial Spider): a new extortion wave since February 2026

A financially motivated group tracked as BlackFile — also identified in intelligence as CL-CRI-1116, UNC6671, and Cordial Spider — has been tied to a wave of data theft and extortion attacks against retail and hospitality organizations beginning in February 2026, according to information Palo Alto Networks' Unit 42 shared with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).

Vishing playbook: spoofed calls, fake login pages, and one-time passcodes

RH-ISAC and Unit 42 describe a playbook that starts with phone calls from spoofed numbers or fraudulent CNAM values, with the callers posing as corporate IT support. The calls steer employees to counterfeit corporate login pages that request credentials and one-time passcodes; the attackers then use the harvested credentials and codes to authenticate and move deeper into the victim environment.

MFA bypass and API-driven data theft from Salesforce and SharePoint

With stolen credentials in hand, the attackers enroll attacker-controlled devices for multifactor authentication, which lets them satisfy MFA on subsequent logins and escalate access. The group reaches executive-level accounts by scraping internal employee directories, then uses legitimate functionality, Salesforce API access and standard SharePoint download functions, to search for and exfiltrate documents containing terms such as "confidential" and "SSN." RH-ISAC said the attackers move large volumes of data, including CSV datasets of employee phone numbers and confidential business reports, to attacker-controlled infrastructure, often inside SSO-authenticated sessions so the activity does not trip simple user-agent-based alerts.

Public leaks, ransom demands, and coercive follow-on tactics including swatting

The stolen documents are staged on attacker-controlled servers and published to the gang's dark web data leak site before victims are contacted with seven-figure ransom demands, sent from compromised employee email accounts or randomly generated Gmail addresses, RH-ISAC and Unit 42 report. Employees of compromised companies, including senior executives, have also been subject to swatting attempts, a coercive tactic that uses false emergency calls to responders to add pressure on victims.

Connections to "The Com" and comparisons to other groups

Unit 42 linked BlackFile with moderate confidence to "The Com," described in the report as a loose-knit network of English-speaking cybercriminals known for targeting and recruiting young people for extortion, violence, and the production of child sexual exploitation material (CSAM). CyberSteward founder and CEO Jason S.T. Kotler told BleepingComputer that "TTPs appear to be very similar to such groups as ShinyHunters and SLSH and similar copycats employing vishing/social engineering data exploit tactics."

What this means for technologists, front-line staff, and executives

  • Technologists and security teams: expect credential harvesting to be followed by device registration and API-based bulk exfiltration; RH-ISAC highlights the specific need to monitor Salesforce and SharePoint API use and SSO-authenticated sessions.
  • Front-line staff and call centers: the primary target for vishing, and therefore the focus of simulation-based social engineering training and stricter call-handling policies, per RH-ISAC.
  • Executives and corporate leaders: face elevated risk from escalation to executive-level accounts and the added pressure of swatting; the advisory recommends enforcing multifactor identity verification for callers as a mitigation.
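The monitoring that the data-theft section and the first bullet above call for, shown as an added example that is not part of the original article and not RH-ISAC, Unit 42 or vendor tooling: a small Python correlator that flags a burst of Salesforce report exports and SharePoint downloads of "confidential"/"SSN" material by one account, notes whether it rode an SSO session, and raises severity when that account enrolled a new MFA device shortly before. The normalized event schema, its field names and action values are assumptions (a hypothetical form that real Salesforce event logs and SharePoint audit logs would first need to be mapped into), and the sample events are constructed.

```python
"""Flag bulk sensitive downloads/exports and correlate them with a recent MFA
device registration. Added example, not RH-ISAC, Unit 42 or vendor tooling.
The normalized event schema below is an assumption (hypothetical); real
Salesforce event logs and SharePoint audit logs must be mapped into it first."""
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Terms the advisory says the attackers searched for.
SENSITIVE = re.compile(r"confidential|ssn", re.IGNORECASE)
EXFIL_ACTIONS = {"report_export", "file_download"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    source: str        # hypothetical: "salesforce", "sharepoint" or "idp"
    action: str        # hypothetical: "login", "mfa_device_registered", "report_export", "file_download"
    obj: str = ""      # report / file / device name
    session: str = ""  # "sso" when the request rode an SSO-authenticated session


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample events (not real logs); mirrors the sequence the advisory describes.
SAMPLE = [
    Event(_t("2026-03-02T09:01:00"), "jdoe", "idp", "login", "", "sso"),
    Event(_t("2026-03-02T09:03:00"), "jdoe", "idp", "mfa_device_registered", "Authenticator (new phone)"),
    Event(_t("2026-03-02T13:10:00"), "jdoe", "salesforce", "report_export", "employee_phone_directory.csv", "sso"),
    Event(_t("2026-03-02T13:12:00"), "jdoe", "sharepoint", "file_download", "Q1_Confidential_Board_Report.pdf", "sso"),
    Event(_t("2026-03-02T13:13:00"), "jdoe", "sharepoint", "file_download", "payroll_SSN_export.xlsx", "sso"),
    Event(_t("2026-03-02T13:14:00"), "jdoe", "sharepoint", "file_download", "CONFIDENTIAL_merger_memo.docx", "sso"),
    # Benign: a single confidential file and no device registration that day.
    Event(_t("2026-03-02T14:00:00"), "asmith", "sharepoint", "file_download", "confidential_policy.pdf", "sso"),
]


def is_exfil_candidate(e):
    """A Salesforce report export counts regardless of name (bulk CSV of employee data);
    a file download counts only when its name carries one of the searched-for terms."""
    if e.action not in EXFIL_ACTIONS:
        return False
    return e.action == "report_export" or bool(SENSITIVE.search(e.obj))


def detect(events, window=timedelta(minutes=10), threshold=3, lookback=timedelta(hours=24)):
    """Return one alert per user whose exfil-candidate events reach `threshold`
    inside a sliding `window`. Severity is "high" when that user registered an
    MFA device within `lookback` before the burst began (the register-a-device-
    then-loot pattern) and "medium" otherwise."""
    by_user = {}
    for e in sorted(events, key=lambda x: x.ts):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, evs in by_user.items():
        recent = deque()
        for e in evs:
            if not is_exfil_candidate(e):
                continue
            recent.append(e)
            while e.ts - recent[0].ts > window:  # drop events older than the window
                recent.popleft()
            if len(recent) < threshold:
                continue
            start = recent[0].ts
            devices = [d for d in evs
                       if d.action == "mfa_device_registered" and start - lookback <= d.ts <= start]
            alerts.append({
                "user": user,
                "severity": "high" if devices else "medium",
                "burst_start": start,
                "count": len(recent),
                "sources": sorted({x.source for x in recent}),
                "objects": [x.obj for x in recent],
                "sso_session": all(x.session == "sso" for x in recent),
                "new_mfa_device": devices[0].obj if devices else None,
            })
            break  # one alert per user; later events only extend the same burst
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The window, threshold and lookback are tuning knobs, not values from the advisory; the point of the correlation is that neither a new MFA device nor a handful of SharePoint downloads is alarming on its own, while the two together on one account, inside a valid SSO session, is exactly the pattern described above and is invisible to user-agent checks.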

Unit 42's intelligence sharing with RH-ISAC and Mandiant's response to several vishing incidents, including one involving a BlackFile victim-shaming site that has since gone offline, show that multiple response teams are engaged. The techniques themselves remain simple: social engineering to obtain credentials and passcodes, then legitimate API functions to move large volumes of data. RH-ISAC's concrete recommendations (strengthen call-handling policies, enforce multifactor identity verification for callers, and run simulation-based social engineering training for frontline staff) target exactly the tactics described in the incident reports.

Whether organizations adopt those specific operational controls at scale will shape how effective BlackFile's combination of vishing, MFA bypass, and API-facilitated exfiltration remains in the months ahead.

Original reporting at BleepingComputer