{"id":235903,"date":"2026-04-25T06:09:07","date_gmt":"2026-04-25T11:09:07","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/04\/new-blackfile-extortion-group-linked-to-surge-of-vishing-attacks"},"modified":"2026-04-25T06:09:07","modified_gmt":"2026-04-25T11:09:07","slug":"new-blackfile-extortion-group-linked-to-surge-of-vishing-attacks","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/04\/new-blackfile-extortion-group-linked-to-surge-of-vishing-attacks","title":{"rendered":"New BlackFile extortion group linked to surge of vishing attacks"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/new-blackfile-extortion-group-linked-to-surge-of-vishing-attacks.jpg\"><\/a><\/p>\n<p>A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026.<\/p>\n<p>The group, also tracked as CL-CRI-1116, <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/expansion-shinyhunters-saas-data-theft\" target=\"_blank\" rel=\"nofollow noopener\">UNC6671<\/a>, and <a href=\"https:\/\/www.crowdstrike.com\/en-us\/adversaries\/cordial-spider\/\" target=\"_blank\" rel=\"nofollow noopener\">Cordial Spider<\/a>, is impersonating corporate IT helpdesk staff to steal employee credentials and demand seven-figure ransoms, according to information shared by cybersecurity firm Palo Alto Networks\u2019 Unit 42 with the Retail &amp; Hospitality Information Sharing and Analysis Center (RH-ISAC).<\/p>\n<p>Unit 42 security researchers have also linked BlackFile with moderate confidence to \u201c<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/police-crackdown-on-the-com-cybercrime-gang-leads-to-30-arrests\/\" target=\"_blank\" rel=\"nofollow noopener\">The Com<\/a>,\u201d a loose-knit network of English-speaking cybercriminals known for targeting and recruiting young people for extortion, violence, and the production of child sexual exploitation material (CSAM).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026. The group, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is impersonating corporate IT helpdesk staff to steal employee credentials and demand seven-figure ransoms, according to [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,1635],"tags":[],"class_list":["post-235903","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode","category-materials"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/235903","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=235903"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/235903\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=235903"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=235903"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=235903"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}