
BlackFile Group Launches Vishing and Data Extortion Campaign Against Retail and Hospitality

Severity: High (Score: 71.0)

Sources: Scworld, Infosecurity-Magazine, rhisac.org

Summary

Since February 2026, the BlackFile Group has targeted retail and hospitality sectors, employing vishing attacks to steal employee credentials. Palo Alto Networks' Unit 42 reported that the group uses spoofed VoIP numbers to impersonate IT helpdesk staff, luring victims to phishing pages designed to capture login credentials and one-time passcodes. Once access is gained, attackers register new devices to bypass multi-factor authentication and escalate privileges to executive accounts. They exfiltrate sensitive data from Salesforce and SharePoint, focusing on files marked 'confidential' and containing Social Security Numbers (SSNs). The group demands seven-figure ransoms, sometimes resorting to swatting tactics to pressure victims. Organizations are advised to enhance security policies and conduct regular training to mitigate risks. The attacks have raised significant concerns about data security in these sectors.

Key Points:

  • BlackFile Group targets retail and hospitality sectors using vishing attacks.
  • Attackers impersonate IT staff to steal credentials and bypass multi-factor authentication.
  • Victims face seven-figure ransom demands and potential swatting incidents.
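The access chain the summary describes (credentials and a one-time passcode captured on a phishing page, a new device enrolled to sidestep MFA, escalation to a privileged account, then bulk pulls of files labelled 'confidential' from SharePoint) is easier to reason about as correlation logic. The Python below is an added example written for this page, not code from Unit 42 or any of the cited sources: the events are constructed, and the field names, time windows and download threshold are assumptions that a defender would map onto their own identity-provider and SharePoint audit logs. Each stage is checked relative to the previous one, so a lone device enrolment from a familiar network does not fire.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions loosely
# modelled on identity-provider sign-in/audit logs and SharePoint file activity.
EVENTS = [
    {"ts": "2026-02-10T09:02:00", "user": "jdoe", "event": "signin", "ip": "203.0.113.7", "known_ip": True},
    # Phished credentials and OTP replayed from an IP never seen for this user
    {"ts": "2026-02-11T14:01:00", "user": "jdoe", "event": "signin", "ip": "198.51.100.23", "known_ip": False},
    # New authenticator/device enrolled minutes later to keep MFA satisfied
    {"ts": "2026-02-11T14:04:00", "user": "jdoe", "event": "device_registered", "ip": "198.51.100.23"},
    # Privilege escalation from the same session
    {"ts": "2026-02-11T14:30:00", "user": "jdoe", "event": "role_assigned", "ip": "198.51.100.23", "role": "Global Administrator"},
    # Burst of downloads of files carrying the 'confidential' label
    *[
        {"ts": f"2026-02-11T15:0{i}:00", "user": "jdoe", "event": "file_download",
         "ip": "198.51.100.23", "source": "sharepoint", "label": "confidential"}
        for i in range(6)
    ],
    # Benign control: a user enrolling a new phone from a familiar office IP
    {"ts": "2026-02-11T10:00:00", "user": "asmith", "event": "signin", "ip": "203.0.113.9", "known_ip": True},
    {"ts": "2026-02-11T10:03:00", "user": "asmith", "event": "device_registered", "ip": "203.0.113.9"},
    {"ts": "2026-02-11T11:00:00", "user": "asmith", "event": "file_download", "ip": "203.0.113.9", "source": "sharepoint", "label": "confidential"},
]

# Tuning knobs (assumed values; adjust to the environment's normal behaviour)
DEVICE_WINDOW = timedelta(minutes=15)    # device enrolment this soon after an unfamiliar sign-in
PRIVESC_WINDOW = timedelta(hours=1)      # role change this soon after a suspect enrolment
DOWNLOAD_WINDOW = timedelta(minutes=10)  # sliding window for the download burst
DOWNLOAD_THRESHOLD = 5                   # confidential downloads inside that window
ZERO = timedelta(0)


def _t(event):
    """Parse the event timestamp into a datetime."""
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Return alerts as (rule, user, timestamp) tuples, grouped per user in time order."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_t):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        # Stage 1: sign-ins from IPs the user has never used before
        unfamiliar = [_t(e) for e in evs if e["event"] == "signin" and not e.get("known_ip", True)]

        # Stage 2: device/authenticator registration shortly after such a sign-in
        suspect_devices = []
        for e in evs:
            if e["event"] != "device_registered":
                continue
            if any(ZERO <= _t(e) - s <= DEVICE_WINDOW for s in unfamiliar):
                suspect_devices.append(_t(e))
                alerts.append(("device_after_unfamiliar_signin", user, e["ts"]))

        # Stage 3: privilege escalation following the suspect enrolment
        for e in evs:
            if e["event"] == "role_assigned" and any(
                ZERO <= _t(e) - d <= PRIVESC_WINDOW for d in suspect_devices
            ):
                alerts.append(("privilege_escalation_after_new_device", user, e["ts"]))

        # Stage 4: burst of 'confidential' downloads (fires once per user)
        confidential = [_t(e) for e in evs
                        if e["event"] == "file_download" and e.get("label") == "confidential"]
        for i, start in enumerate(confidential):
            in_window = sum(1 for t in confidential[i:] if t - start <= DOWNLOAD_WINDOW)
            if in_window >= DOWNLOAD_THRESHOLD:
                alerts.append(("bulk_confidential_download", user, start.isoformat()))
                break
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(EVENTS):
        print(f"{ts} {user} {rule}")
```

Run as a script it prints three alerts for `jdoe` and none for `asmith`. The download rule deliberately stands on its own rather than requiring the earlier stages, because the summary also cites Salesforce as a source; in practice the label check would be replaced by the sensitivity label or field the tenant actually records.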

Key Entities

  • BlackFile (apt_group)
  • Cordial Spider (apt_group)
  • UNC6671 (apt_group)
  • The Com (ransomware_group)
  • Data Breach (attack_type)
  • Phishing (attack_type)
  • Hospitality (industry)
  • Retail (industry)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • T1567.002 - Exfiltration to Cloud Storage (mitre_attack)
  • T1567 - Exfiltration Over Web Service (mitre_attack)
  • Gmail (tool)
  • Antidetect Browsers (tool)
  • Residential Proxies (tool)
  • Salesforce (company)
  • SharePoint (platform)