← All stories

Infosecurity Magazine

BlackFile Group Targets Retail and Hospitality with Vishing Attacks

2026-04-27 · Read original ↗

ATT&CK techniques detected

10 predictions

T1598.004Spearphishing Voice

86%

“victims through vishing attacks impersonating the it helpdesk. spoofed voip numbers or fraudulent caller id names are used to hide their true identity and the end goal is credential / one - time - password theft. to this end, the threat actors use phishing pages designed to spoof…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1566.004Spearphishing Voice

78%

“blackfile group targets retail and hospitality with vishing attacks security researchers have revealed details of a new extortion group that has been actively targeting retail and hospitality businesses since february 2026. palo alto networks ’ unit 42 teamed up with the retail a…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1566.004Spearphishing Voice

58%

“victims through vishing attacks impersonating the it helpdesk. spoofed voip numbers or fraudulent caller id names are used to hide their true identity and the end goal is credential / one - time - password theft. to this end, the threat actors use phishing pages designed to spoof…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1486Data Encrypted for Impact

52%

“blackfile group targets retail and hospitality with vishing attacks security researchers have revealed details of a new extortion group that has been actively targeting retail and hospitality businesses since february 2026. palo alto networks ’ unit 42 teamed up with the retail a…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1530Data from Cloud Storage

50%

“once inside the victim network, the group focuses on saas data discovery, api abuse and scraping sharepoint sites – searching for “ confidential ” and “ ssn ” to find high - value files and reports in sharepoint and salesforce. “ cl - cri - 1116 attacks exfiltrate data directly t…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1078.004Cloud Accounts

42%

“victims through vishing attacks impersonating the it helpdesk. spoofed voip numbers or fraudulent caller id names are used to hide their true identity and the end goal is credential / one - time - password theft. to this end, the threat actors use phishing pages designed to spoof…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1657Financial Theft

40%

“blackfile group targets retail and hospitality with vishing attacks security researchers have revealed details of a new extortion group that has been actively targeting retail and hospitality businesses since february 2026. palo alto networks ’ unit 42 teamed up with the retail a…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1213.004Customer Relationship Management Software

36%

“once inside the victim network, the group focuses on saas data discovery, api abuse and scraping sharepoint sites – searching for “ confidential ” and “ ssn ” to find high - value files and reports in sharepoint and salesforce. “ cl - cri - 1116 attacks exfiltrate data directly t…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1078Valid Accounts

34%

“blackfile group targets retail and hospitality with vishing attacks security researchers have revealed details of a new extortion group that has been actively targeting retail and hospitality businesses since february 2026. palo alto networks ’ unit 42 teamed up with the retail a…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1078Valid Accounts

34%

“victims through vishing attacks impersonating the it helpdesk. spoofed voip numbers or fraudulent caller id names are used to hide their true identity and the end goal is credential / one - time - password theft. to this end, the threat actors use phishing pages designed to spoof…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

Summary

Researchers uncover a new data theft and extortion group dubbed “BlackFile”