BlackFile hackers target retail, hospitality with vishing and data extortion

A financially motivated hacking group known as BlackFile has been actively targeting retail and hospitality organizations since February 2026, Palo Alto Networks' Unit 42 reports. The group employs sophisticated social engineering tactics, impersonating IT helpdesk staff to steal employee credentials and extort seven-figure ransoms. This wave of attacks, also tracked under aliases such as UNC6671 and Cordial Spider, highlights a growing threat to sensitive corporate data. Bleeping Computer provides further coverage.

BlackFile initiates attacks through voice phishing (vishing) calls, using spoofed numbers to impersonate IT support. Employees are lured to fake login pages where their credentials and one-time passcodes are captured. The attackers then use these stolen credentials to register their own devices, bypassing multi-factor authentication and escalating access to executive accounts. Data is exfiltrated from Salesforce and SharePoint servers, with a focus on files containing terms like "confidential" and "SSN."

The stolen data is published on a dark web leak site before ransom demands are issued. In some instances, victims have also faced swatting attempts, where false emergency calls are made to pressure them. Organizations are advised to strengthen call-handling policies, enforce multi-factor authentication rigorously, and conduct regular social engineering training for staff to mitigate these risks. 
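
The chain described above, a newly registered MFA device followed by access to files matching terms like "confidential" and "SSN", can be hunted for in identity and file-access logs. The sketch below is an added example, not code from Unit 42, Bleeping Computer or SC Media; the event schema, user and device names, the 24-hour window and the three-file threshold are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Keywords are the terms named in the report; WINDOW and THRESHOLD are assumed tuning values.
KEYWORDS = re.compile(r"confidential|(?<![a-z])ssn(?![a-z])", re.IGNORECASE)
WINDOW = timedelta(hours=24)
THRESHOLD = 3

# Constructed sample events in a hypothetical normalized schema:
# (timestamp, user, device, event, app, file name)
EVENTS = [
    ("2026-03-02T09:00:00", "akim", "LAPTOP-17", "file_accessed", "sharepoint", "Confidential memo.docx"),
    ("2026-03-02T10:02:00", "akim", "unmanaged-7f3", "mfa_device_registered", None, None),
    ("2026-03-02T10:15:00", "akim", "unmanaged-7f3", "file_accessed", "sharepoint", "HR Confidential - payroll.xlsx"),
    ("2026-03-02T10:16:00", "akim", "unmanaged-7f3", "file_accessed", "sharepoint", "employee_SSN_export.csv"),
    ("2026-03-02T10:21:00", "akim", "unmanaged-7f3", "file_accessed", "salesforce", "Confidential customer list.csv"),
    ("2026-03-02T10:30:00", "akim", "unmanaged-7f3", "file_accessed", "sharepoint", "classnotes.txt"),
    ("2026-03-02T11:00:00", "bchen", "phone-bchen-2", "mfa_device_registered", None, None),
    ("2026-03-02T11:30:00", "bchen", "phone-bchen-2", "file_accessed", "sharepoint", "Confidential offsite agenda.docx"),
]


def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Alert on each (user, device) that is newly registered for MFA and then
    opens `threshold` or more keyword-matching files within `window`."""
    registered, hits = {}, {}
    for ts, user, device, event, app, name in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        key = (user, device)
        if event == "mfa_device_registered":
            registered[key], hits[key] = when, []
        elif event == "file_accessed" and key in registered:
            # Accesses from devices enrolled before the log window are ignored here.
            if when - registered[key] <= window and KEYWORDS.search(name):
                hits[key].append(f"{app}:{name}")
    return [
        {"user": u, "device": d, "registered": registered[u, d].isoformat(), "files": files}
        for (u, d), files in hits.items()
        if len(files) >= threshold
    ]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The existing laptop's access and the single matching file opened from the second user's new phone stay below the alert condition; only the unmanaged device that touches three keyword-matching files after enrollment is reported.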

Source: Bleeping Computer
