A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026. The group, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is impersonating corporate IT helpdesk staff to steal employee credentials and demand seven-figure ransoms, according to information shared by cybersecurity firm Palo Alto Networks' Unit 42 with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC). Unit 42 security researchers have also linked BlackFile with moderate confidence to "The Com," a loose-knit network of English-speaking cybercriminals known for targeting and recruiting young people for extortion, violence, and the production of child sexual exploitation material (CSAM). In a Thursday report, RH-ISAC said that the group's attacks begin with phone calls to employees from spoofed numbers, in which the threat actors pose as IT support to lure staff to fake corporate login pages that ask them to enter their credentials and one-time passcodes. "The attackers behind CL-CRI-1116 use voice-based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social engineering technique, typically posing as IT support staff," RH-ISAC said. "We can confirm that we are seeing a significant increase in Blackfile matters and that TTPs appear to be very similar to such groups as ShinyHunters and SLSH and similar copycats employing vishing/social engineering data exploit tactics," CyberSteward founder and CEO Jason S.T. Kotler also told BleepingComputer. Using stolen credentials, the BlackFile attackers register their own devices to bypass multifactor authentication, then escalate access to executive-level accounts by scraping internal employee directories. BlackFile steals data from victims' Salesforce and SharePoint servers using standard API functions, searching specifically for