BlackFile group targets retail, hospitality with vishing

A financially motivated threat actor tracked as BlackFile has been linked to data theft and extortion attacks targeting retail and hospitality organizations since February 2026. The group impersonates corporate IT helpdesk staff via spoofed VoIP calls to trick employees into surrendering credentials and one-time passcodes on fake login pages, according to joint reporting by Unit 42 and RH-ISAC. Attackers then escalate access to executive accounts and exfiltrate sensitive data from Salesforce and SharePoint environments using legitimate API functions. BlackFile demands seven-figure ransoms and has employed swatting against executives to amplify pressure.