Signal

BlackFile threat group targets retail and hospitality sectors with vishing and data extortion

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-04-27 14:18 UTCUpdated 2026-04-27 23:20 UTC

rss

extortionmalwarethreat_actorsincident_responsesecurity_policy

Source links open

Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.

Back Evidence (2)Get the free brief by email Start free trial

No card needed for the free brief.

Evidence trail (top sources)

top sources (2 domains)

2 top sources shown

BlackFile hackers target retail, hospitality with vishing and data extortion

SC Media · News · scworld.com · 2026-04-27 23:20 UTC

BlackFile actively extorting data-theft victims in retail and hospitality sector

CyberScoop · News · cyberscoop.com · 2026-04-27 14:18 UTC

limited source diversity in top sources

View all evidence

Overview

The BlackFile extortion group, likely linked to The Com, is actively targeting organizations in retail and hospitality through voice phishing (vishing) and social engineering attacks.

Entities

Palo Alto NetworksRetail & Hospitality Information Sharing and Analysis Center (RH-ISAC)Unit 42Matt Brady

Score total

1.02

Momentum 24h

Posts

Origins

Source types

Duplicate ratio

Why now

The campaign has been active and escalating since February, indicating ongoing risk.
Recent intelligence sharing by Unit 42 and RH-ISAC provides timely indicators to help organizations defend themselves.
Awareness of this threat can prompt organizations to strengthen incident response and employee training against vishing attacks.

Why it matters

BlackFile’s use of vishing and social engineering exploits human vulnerabilities in organizations’ security.
The campaign targets critical sectors like retail and hospitality, increasing risk to consumer and business data.
Large ransom demands in the seven-figure range pose significant financial and operational threats to victims.

LLM analysis

Topic mix: lowPromo risk: lowSource quality: medium

Recurring claims

BlackFile uses voice phishing (vishing) calls impersonating IT support to initiate attacks.
BlackFile pressures victims into paying large ransom demands, typically in the seven-figure range.
The extortion campaign has been active since February and targets multiple industries including retail, hospitality, healthcare, technology, and logistics.

How sources frame it

Palo Alto Networks Unit 42 Researcher Matt Brady: neutral

All evidence

BlackFile hackers target retail, hospitality with vishing and data extortion

SC Media · scworld.com · 2026-04-27 23:20 UTC

BlackFile actively extorting data-theft victims in retail and hospitality sector

CyberScoop · cyberscoop.com · 2026-04-27 14:18 UTC

Show filters & breakdown

Posts loaded: 0Publishers: 2Origin domains: 2Duplicates: -

Platform

Publisher

Origin domain

Relevance tier

Duplicates only

Showing 2 / 0

Top publishers (this list)

SC Media (1)
CyberScoop (1)

Top origin domains (this list)

scworld.com (1)
cyberscoop.com (1)