BlackFile Group Intensifies Vishing Attacks on Retail and Hospitality Sectors
Security researchers have identified a new extortion group, BlackFile, which has been targeting retail and hospitality businesses since February 2026. The group, linked to the activity cluster CL-CRI-1116, is known for its financially motivated attacks. Unlike other cybercriminals, BlackFile does not use custom malware; instead, it abuses legitimate internal resources and APIs. The group relies on vishing, impersonating IT helpdesks to steal credentials and one-time passwords. The attackers use spoofed VoIP numbers and fraudulent Caller ID Names to conceal their identities. Once they gain access, they register new devices to bypass multi-factor authentication and maintain persistence. The group focuses on SaaS data discovery and API abuse, exfiltrating data through browsers or API exports. They demand ransom through random Gmail addresses or compromised employee emails, sometimes resorting to swatting to force payment.
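Because the activity described above uses no malware, detection depends on correlating identity and SaaS audit events. The following is an added example, not taken from the researchers' report: it flags a new MFA device enrolled from a previously unseen IP and followed by a large export. The event field names, the 24-hour window and the record threshold are assumptions to be mapped to your own IdP and SaaS audit logs.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window; tune per environment

# Constructed sample events. Field names are hypothetical, not a vendor schema.
EVENTS = [
    {"ts": "2026-03-02T09:00:00", "user": "alice", "type": "login", "ip": "10.0.0.5", "device": "laptop-1"},
    {"ts": "2026-03-02T14:10:00", "user": "alice", "type": "mfa_device_registered", "ip": "203.0.113.7", "device": "phone-9"},
    {"ts": "2026-03-02T14:25:00", "user": "alice", "type": "api_export", "ip": "203.0.113.7", "device": "phone-9", "records": 48000},
    {"ts": "2026-03-02T10:00:00", "user": "bob", "type": "login", "ip": "10.0.0.8", "device": "laptop-2"},
    {"ts": "2026-03-02T10:05:00", "user": "bob", "type": "mfa_device_registered", "ip": "10.0.0.8", "device": "phone-3"},
    {"ts": "2026-03-03T16:00:00", "user": "bob", "type": "api_export", "ip": "10.0.0.8", "device": "laptop-2", "records": 120},
]

def find_suspicious_enrollments(events, window=WINDOW, min_records=1000):
    """Flag users whose new MFA device was enrolled from an IP not seen before
    for that user and followed, within `window`, by a large export from the
    enrolling IP or the newly enrolled device."""
    alerts = []
    seen_ips = {}     # user -> IPs observed so far for that user
    enrollments = {}  # user -> [(time, ip, device)] enrolled from unseen IPs
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO 8601 sorts as text
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        known = seen_ips.setdefault(user, set())
        if ev["type"] == "mfa_device_registered" and ev["ip"] not in known:
            enrollments.setdefault(user, []).append((ts, ev["ip"], ev["device"]))
        elif ev["type"] == "api_export" and ev.get("records", 0) >= min_records:
            for reg_ts, reg_ip, reg_dev in enrollments.get(user, []):
                same_origin = ev["ip"] == reg_ip or ev["device"] == reg_dev
                if ts - reg_ts <= window and same_origin:
                    alerts.append({
                        "user": user, "device": reg_dev, "ip": reg_ip,
                        "minutes_after_enrollment": int((ts - reg_ts).total_seconds() // 60),
                        "records": ev["records"],
                    })
        known.add(ev["ip"])  # the IP counts as seen only after this event is evaluated
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_enrollments(EVENTS):
        print(alert)
```

An enrollment from an already-known IP (the constructed "bob" case) is not flagged, so pair this with helpdesk ticket or call records where device registration is initiated over the phone.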