Skip to main content
Mallory
Back to threat actors

BlackFile

Also known asblackfile

BlackFile is a financially motivated data theft and extortion threat group active since at least October 2025, with reported targeting of retail and hospitality organizations since February 2026 and additional impacts across healthcare, technology, transportation, logistics, wholesale, and retail. It is also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, and reporting links it with moderate confidence or likely association to The Com, a loose-knit English-speaking cybercriminal ecosystem. Some reporting also states that Redact was a rebrand of BlackFile, and that Pink was assessed to be a rebrand of Redact. BlackFile conducts voice-phishing and social engineering operations by impersonating corporate IT helpdesk or IT support staff, often using spoofed phone numbers or fraudulent caller ID information. The group directs employees to fake corporate single sign-on or login pages to steal credentials and one-time passcodes, then uses the stolen access to register attacker-controlled devices and bypass MFA. After initial compromise, BlackFile escalates into privileged and executive accounts, including by scraping internal employee directories and conducting additional social engineering. Post-compromise activity includes data theft from SaaS and enterprise platforms including Salesforce, SharePoint, and other internal repositories. Reporting also notes abuse of Microsoft Graph API permissions and access to Salesforce APIs, with attackers operating in ways that mirror legitimate executive sessions. The group prioritizes sensitive files and datasets, including material containing terms such as "confidential" and "SSN," employee phone number datasets, and business records. Stolen data is exfiltrated to attacker-controlled infrastructure, published on a dark web data leak site, and used to support seven-figure ransom demands. Demands have been sent through compromised employee email accounts or Gmail addresses. Some victims and executives have also been subjected to swatting attempts to increase coercive pressure. BlackFile has also been identified as a user of a phishing platform analyzed by Push Security that was used by organized criminal actors including ShinyHunters. That platform supported hybrid vishing and adversary-in-the-middle phishing operations to bypass MFA, steal authenticated sessions, and pivot from identity providers into connected SaaS services such as SharePoint, Salesforce, DocuSign, and Slack for data theft and extortion.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

25 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics39 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
2 techniques
T1589
Gather Victim Identity Information
T1598×3
Phishing for Information
T1598.003
Spearphishing Link
T1598.004×3
Spearphishing Voice
TA0042
Resource Development
1 technique
T1586
Compromise Accounts
T1586.002
Email Accounts
TA0001
Initial Access
2 techniques
T1078×6
Valid Accounts
T1078.004×2
Cloud Accounts
T1566
Phishing
T1566.004×3
Spearphishing Voice
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.006
Python
TA0003
Persistence
2 techniques
T1078×6
Valid Accounts
T1078.004×2
Cloud Accounts
T1556×2
Modify Authentication Process
TA0004
Privilege Escalation
1 technique
T1078×6
Valid Accounts
T1078.004×2
Cloud Accounts
TA0005
Stealth
2 techniques
T1036
Masquerading
T1078×6
Valid Accounts
T1078.004×2
Cloud Accounts
TA0112
Defense Impairment
1 technique
T1556×2
Modify Authentication Process
TA0006
Credential Access
5 techniques
T1539×2
Steal Web Session Cookie
T1556×2
Modify Authentication Process
T1557×3
Adversary-in-the-Middle
T1621×2
Multi-Factor Authentication Request Generation
T1649×2
Steal or Forge Authentication Certificates
TA0007
Discovery
1 technique
T1087×3
Account Discovery
TA0009
Collection
4 techniques
T1114
Email Collection
T1114.003
Email Forwarding Rule
T1119
Automated Collection
T1213×4
Data from Information Repositories
T1557×3
Adversary-in-the-Middle
TA0011
Command and Control
1 technique
T1090
Proxy
T1090.002
External Proxy
TA0010
Exfiltration
3 techniques
T1041×2
Exfiltration Over C2 Channel
T1537
Transfer Data to Cloud Account
T1567×3
Exfiltration Over Web Service
TA0040
Impact
1 technique
T1657×2
Financial Theft
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
socradar blogNews
Jun 12, 2026
New Data Extortion Group “Pink” Goes Big Game Hunting With Evasive Phishing Kits

Com-affiliated data extortion group referenced as operationally similar to Pink; the content states Pink is likely a rebrand of Redact, itself a previous rebrand of BlackFile.

Read more
knowbe4 blogNews
May 27, 2026
Alert: Extortion Groups Are Using Phishing Kits to Automate Their Attacks

Using a phishing platform in hybrid social engineering campaigns that combine voice phishing with MFA-bypassing adversary-in-the-middle phishing to steal authenticated sessions, pivot into connected SaaS platforms, exfiltrate data, and attempt extortion.

Read more
scworldNews
Apr 27, 2026
BlackFile hackers target retail, hospitality with vishing and data extortion | brief | SC Media

Financially motivated intrusion and extortion activity targeting retail and hospitality organizations using vishing-based social engineering, credential theft, MFA bypass, data exfiltration, and leak-site extortion.

Read more
cyberscoopNews
Apr 27, 2026
BlackFile actively extorting data-theft victims in retail and hospitality sector | CyberScoop

Extortion-focused cybercrime group conducting ongoing voice-phishing and social engineering campaigns to steal credentials, compromise privileged and executive accounts, exfiltrate data from SaaS and enterprise platforms, and pressure victims into paying large ransom demands.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping25

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.