Security researchers have revealed details of a new extortion group that has been actively targeting retail and hospitality businesses since February 2026.
Palo Alto Networks’ Unit 42 teamed up with the Retail and Hospitality Information Security and Analysis Center (RH-ISAC) to publish a new report on April 23, Extortion in the Enterprise: Defending Against BlackFile Attacks.
It detailed financially motivated activity linked to the activity cluster CL-CRI-1116, which the authors said overlaps with public reporting on BlackFile, UNC6671 and Cordial Spider, and is likely to be associated with the notorious collective “The Com.”
“The attackers behind CL-CRI-1116 do not rely on custom malware or tooling,” it explained. “Rather, they focus on living off the land through misuse of application programming interfaces (APIs) and other legitimate internal resources.”
BlackFile typically targets victims through vishing attacks impersonating the IT helpdesk. Spoofed VoIP numbers or fraudulent Caller ID Names are used to hide their true identity and the end goal is credential/one-time-password theft.
To this end, the threat actors use phishing pages designed to spoof legitimate corporate single sign-on portals.
“They also utilize antidetect browsers and residential proxies to mask their geographic location and bypass basic IP-based reputation filters,” the report noted.
From Access to Exfiltration
After they’ve gained access to a user’s account via credential phishing, BlackFile often registers a new device in order to bypass multi-factor authentication (MFA) and maintain persistence.
“The attackers also maintain access by moving laterally from standard employee accounts to high-privileged accounts. They scrape internal employee directories to obtain contact lists for executives,” the report continued.
“By compromising these senior accounts via further social engineering, they gain persistent, broad-spectrum access to the environment that mirrors legitimate executive session activity.”
Once inside the victim network, the group focuses on SaaS data discovery, API abuse and scraping SharePoint sites – searching for “confidential” and “SSN” to find high-value files and reports in SharePoint and Salesforce.
“CL-CRI-1116 attacks exfiltrate data directly through the browser or via API exports. By leveraging Salesforce API access and standard SharePoint download functions, the attackers move large volumes of data – including CSV datasets of employee phone numbers and confidential business reports – to attacker-controlled infrastructure,” the report explained.
“This is often done under the guise of legitimate SSO-authenticated sessions to avoid triggering simple user-agent alerts.”
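The access-then-exfiltration chain described above (new device registration followed by bulk downloads of “confidential”/“SSN” material and Salesforce exports) lends itself to a simple correlation rule. The following is an added illustration, not code from the Unit 42/RH-ISAC report; the event records are constructed, and the operation names (Entra ID “Add registered device”, SharePoint “FileDownloaded”, Salesforce “ReportExport”) and the 24-hour window and threshold of three are assumptions a defender would tune to their own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real telemetry): a unified feed mixing
# identity, SharePoint and Salesforce operations for one tenant.
EVENTS = [
    {"ts": "2026-03-02T09:01:00", "user": "alice", "op": "Add registered device"},
    {"ts": "2026-03-02T09:20:00", "user": "alice", "op": "FileDownloaded", "obj": "Confidential_Q1_Forecast.xlsx"},
    {"ts": "2026-03-02T09:21:00", "user": "alice", "op": "FileDownloaded", "obj": "employee_SSN_list.csv"},
    {"ts": "2026-03-02T09:22:00", "user": "alice", "op": "FileDownloaded", "obj": "Board_Report_confidential.pdf"},
    {"ts": "2026-03-02T09:40:00", "user": "alice", "op": "ReportExport", "obj": "All_Contacts.csv"},
    {"ts": "2026-03-02T10:00:00", "user": "bob", "op": "FileDownloaded", "obj": "lunch_menu.docx"},
    {"ts": "2026-03-03T11:00:00", "user": "carol", "op": "Add registered device"},
    {"ts": "2026-03-03T11:05:00", "user": "carol", "op": "FileDownloaded", "obj": "team_photo.png"},
]

SENSITIVE_TERMS = ("confidential", "ssn")   # search terms the report attributes to the group
EXFIL_OPS = {"FileDownloaded", "ReportExport"}
WINDOW = timedelta(hours=24)                  # assumed correlation window
THRESHOLD = 3                                 # assumed minimum sensitive pulls to alert


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_sensitive(ev):
    """A Salesforce export counts as sensitive outright; SharePoint downloads
    count only when the file name carries one of the search terms."""
    name = ev.get("obj", "").lower()
    return ev["op"] == "ReportExport" or any(t in name for t in SENSITIVE_TERMS)


def find_suspicious(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: count} for users whose new device registration is followed,
    within `window`, by at least `threshold` sensitive downloads or exports."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    hits = {}
    for user, evs in by_user.items():
        registrations = [parse_ts(e["ts"]) for e in evs if e["op"] == "Add registered device"]
        for reg in registrations:
            n = sum(1 for e in evs
                    if e["op"] in EXFIL_OPS and is_sensitive(e)
                    and reg <= parse_ts(e["ts"]) <= reg + window)
            if n >= threshold:
                hits[user] = max(hits.get(user, 0), n)
    return hits


if __name__ == "__main__":
    print(find_suspicious(EVENTS))  # → {'alice': 4}
```

Because the downloads ride on a legitimate SSO session, the rule keys on the sequence and volume of activity after a device registration rather than on user-agent or IP reputation, which the report notes the group evades.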
The group extorts its victims via random Gmail addresses or compromised employee email accounts, usually demanding a seven-figure sum. Sometimes they will also resort to swatting C-suite execs and others in a bid to force payment.
“To mitigate the success rate of these tactics, organizations are advised to focus on security policies, managing multi-factor identity verification for callers, protocols around what information can be shared in calls, and what IT support actions can be completed in a single call without escalation to management,” the report concluded.
“Additionally, security awareness training for frontline phone staff can be effective, focused on simulation-based scenarios and identifying signs of social engineering, such as vague answers to identity questions and attempts to create a high-pressure request for immediate action.”
