In a concerning development within the cyber security landscape, researchers have uncovered details of a new extortion group that has been actively targeting the retail and hospitality sectors since early February 2026. The findings come from a joint report released on April 23 by Palo Alto Networks’ Unit 42 and the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), titled Extortion in the Enterprise: Defending Against BlackFile Attacks.
The report outlines the financially motivated activity of a cluster designated CL-CRI-1116. The group’s tactics overlap with previously reported entities such as BlackFile, UNC6671, and the ominously named Cordial Spider, and analysts suggest a potential link to the collective known as “The Com,” which has drawn attention for its aggressive methods of compromising businesses.
Investigations indicate that the attackers behind CL-CRI-1116 do not depend on sophisticated malware or custom tooling. Instead, they primarily abuse legitimate internal resources and application programming interfaces (APIs), “living off the land” in a way that complicates detection. This mode of operation reflects a broader shift toward turning an organization’s own infrastructure against it.
The BlackFile group distinguishes itself through vishing (voice phishing) calls that masquerade as IT helpdesk contact. The callers use spoofed VoIP numbers or false Caller ID names to hide their identity, with the goal of stealing credentials or one-time passwords. The calls are supplemented by phishing pages built to imitate genuine corporate single sign-on portals, tricking victims into entering their login credentials.
The report also details the steps the criminals take to conceal their operations. For instance, antidetect browsers and residential proxies are used to mask their geographic location and evade basic IP reputation filters, allowing them to blend in with ordinary traffic.
The Path from Access to Data Exfiltration
Once the attackers obtain a user’s credentials through phishing, they commonly register new devices to circumvent multi-factor authentication (MFA) and retain access to the compromised account. From there, the report notes, they move laterally from standard employee accounts to high-privilege accounts, mining internal employee directories and compiling contact lists for executives.
By targeting senior personnel with further social engineering, the attackers gain persistent and broad access to the network while their activity looks like legitimate executive sessions. This lets them operate much like authorized users, complicating detection and response for the affected organizations.
Once embedded within the target network, the group shifts focus to data discovery within Software as a Service (SaaS) platforms, employing API abuse and scraping operations on SharePoint sites. Their search is specifically aimed at “confidential” documents and records containing Social Security Numbers (SSNs), which are typically high-value assets for cybercriminals.
According to the report, CL-CRI-1116 exfiltrates sensitive data either through the browser or via API exports. Using access to systems such as Salesforce and standard SharePoint download functionality, the attackers siphon large volumes of information—CSV files of employee contact details, confidential business reports—to infrastructure they control. Because the sessions are SSO-authenticated, they are less likely to trigger alerts keyed on suspicious user-agent strings.
Once the data is exfiltrated, extortion demands follow, often sent from random Gmail accounts or from compromised employee mailboxes. The attackers typically demand a hefty sum, with figures often reaching seven digits. To pressure victims into paying, they have also resorted to intimidation such as orchestrating SWAT-style incidents against C-suite executives.
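To put the chain described above into detection terms, here is an added example (not code from the Unit 42 / RH-ISAC report) that correlates constructed IdP and SaaS audit events per user: a new MFA device registration followed within a window by bulk SharePoint downloads or a Salesforce export is rated high, while bulk export on its own is rated medium. The event names, thresholds and log layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (user, ISO timestamp, action, item count), loosely
# modelled on IdP and SaaS audit logs; not real data from the report.
SAMPLE_EVENTS = [
    ("alice", "2026-02-10T09:02:00", "mfa_device_registered", 1),
    ("alice", "2026-02-10T09:40:00", "sharepoint_file_download", 480),
    ("alice", "2026-02-10T10:05:00", "salesforce_report_export", 3),
    ("bob",   "2026-02-10T11:00:00", "mfa_device_registered", 1),
    ("bob",   "2026-02-12T11:10:00", "sharepoint_file_download", 12),
    ("carol", "2026-02-10T13:00:00", "sharepoint_file_download", 800),
]

WINDOW = timedelta(hours=24)   # how long after a new device an export stays linked to it
BULK_DOWNLOADS = 200           # SharePoint files in one batch that counts as scraping
EXPORT_ACTIONS = {"sharepoint_file_download", "salesforce_report_export"}


def is_bulk(action, count, bulk=BULK_DOWNLOADS):
    # Any Salesforce report export is treated as an export; SharePoint only when bulk.
    return action == "salesforce_report_export" or count >= bulk


def find_suspicious_users(events, window=WINDOW, bulk=BULK_DOWNLOADS):
    """Return {user: severity} for users whose activity matches the chain:
    new MFA device registration, then bulk SaaS export within the window."""
    by_user = defaultdict(list)
    for user, ts, action, count in events:
        by_user[user].append((datetime.fromisoformat(ts), action, count))

    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        registrations = [t for t, a, _ in evs if a == "mfa_device_registered"]
        bulk_exports = [t for t, a, c in evs if a in EXPORT_ACTIONS and is_bulk(a, c, bulk)]
        # Full chain: a bulk export lands inside the window after a device registration.
        chained = any(reg <= t <= reg + window for reg in registrations for t in bulk_exports)
        if chained:
            flagged[user] = "high"
        elif bulk_exports:
            flagged[user] = "medium"   # bulk export without a new device: still worth review
    return flagged


if __name__ == "__main__":
    for user, severity in sorted(find_suspicious_users(SAMPLE_EVENTS).items()):
        print(f"{user}: {severity}")
```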
To counter the threat posed by groups like CL-CRI-1116, the report urges organizations to tighten their security protocols, with emphasis on robust policies, multi-factor verification of a caller’s identity during helpdesk calls, and clear guidelines on what information may be shared over the phone.
It also recommends investing in security awareness training for frontline staff. That training should use realistic simulations that teach employees to recognise signs of social engineering, such as evasive answers to security questions and pressure tactics demanding immediate action. By reinforcing awareness and response procedures, organizations can reduce their risk of falling victim to this kind of cyber extortion.
