A new hacking organization identified as BlackFile has emerged, engaging in a series of data breaches and extortion attempts aimed particularly at retail and hospitality sectors since February 2026.
Also recognized by labels such as CL-CRI-1116, UNC6671, and Cordial Spider, this group employs tactics that involve impersonating IT helpdesk personnel. Their objective is to obtain sensitive employee credentials while demanding substantial ransom payments in the range of seven figures. This information has been highlighted by cybersecurity experts from Palo Alto Networks' Unit 42, which has collaborated with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).
Unit 42's analysis points to a potential connection between BlackFile and "The COM," a loosely associated group of English-speaking cybercriminals. This network is notorious for its recruitment of young individuals for purposes of extortion, violence, and the creation of child sexual abuse material (CSAM).
In their recent report, RH-ISAC outlined the modus operandi of BlackFile, which initiates attacks through phone calls made from spoofed numbers. The perpetrators impersonate IT support staff to trick employees into providing their credentials on fake corporate login sites that require one-time passcodes.
According to RH-ISAC, the criminals use voice phishing, or vishing, tactics over voice over internet protocol (VoIP) services, employing false caller ID names as part of their social engineering schemes. Jason S.T. Kotler, the founder of CyberSteward, informed BleepingComputer of the significant uptick in incidents associated with BlackFile, noting similarities in their tactics to those used by other infamous groups such as ShinyHunters and SLSH.
Utilizing obtained credentials, BlackFile operators can register their own devices, effectively circumventing multifactor authentication measures. They seek to gain access to higher-level executive accounts by probing through internal employee directories.
The group exploits standard API functions to extract data from victims' Salesforce and SharePoint servers, targeting files that contain sensitive keywords like "confidential" and "SSN."
Once the data has been collected, it is transferred to servers controlled by the attackers and subsequently listed on their dark web data leak site. Victims are then approached with ransom requests, often through compromised employee email accounts or newly generated Gmail addresses.
Researchers have observed a wave of sophisticated voice phishing (vishing) campaigns being attributed to a newly identified extortion group known as BlackFile, with organizations across multiple sectors reporting significant data breaches as a result of these coordinated intrusions.
According to intelligence shared by security researchers, the threat actors behind these attacks have demonstrated a notable ability to abuse legitimate enterprise tools and platforms during their operations. By exploiting Salesforce API access alongside standard SharePoint file download capabilities, the group has been able to exfiltrate substantial amounts of sensitive corporate data, including employee contact databases containing phone numbers as well as confidential internal business documents.
A particularly concerning element of the campaign involves how the data theft is conducted. The attackers have been observed operating behind the cover of legitimate Single Sign-On authenticated sessions, a technique that allows them to blend in with normal user activity and bypass conventional security monitoring tools that rely on user-agent detection.
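Because the activity runs inside valid SSO sessions, detection has to key on the sequence of actions rather than on the client string. The following is an added example, not code from Unit 42, RH-ISAC or Mandiant: it correlates a new MFA device registration with the keyword searches and bulk downloads described above. The event schema, the 24-hour window and the download threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

KEYWORDS = {"confidential", "ssn"}  # search terms named in the reporting
WINDOW = timedelta(hours=24)        # assumed correlation window
BULK_DOWNLOADS = 5                  # assumed threshold; tune to your baseline

# Constructed sample events in a hypothetical normalized schema:
# (timestamp, user, action, detail). Not a vendor log format.
EVENTS = [
    ("2026-03-02T14:05:00", "a.lee", "mfa_device_registered", "new phone"),
    ("2026-03-02T14:12:00", "a.lee", "directory_lookup", "title:CFO"),
    ("2026-03-02T14:20:00", "a.lee", "search", "Confidential payroll"),
    ("2026-03-02T14:21:00", "a.lee", "search", "SSN"),
    *[("2026-03-02T14:%02d:00" % (30 + i), "a.lee", "file_download",
       "doc%d.xlsx" % i) for i in range(6)],
    ("2026-03-02T09:00:00", "b.kim", "mfa_device_registered", "new token"),
    ("2026-03-02T09:30:00", "b.kim", "file_download", "menu.pdf"),
    ("2026-03-02T10:00:00", "c.roy", "search", "confidential roadmap"),
]

def find_suspicious_sessions(events):
    """Flag users whose new MFA device is followed, within WINDOW, by
    sensitive-keyword searches plus bulk downloads. User-agent is ignored."""
    by_user = defaultdict(list)
    for ts, user, action, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), action, detail))
    findings = []
    for user, rows in by_user.items():
        rows.sort()
        for enrolled_at, action, _ in rows:
            if action != "mfa_device_registered":
                continue
            after = [r for r in rows
                     if enrolled_at < r[0] <= enrolled_at + WINDOW]
            # Match whole words so "ssn" does not hit unrelated substrings.
            hits = sorted({w for _, a, d in after if a == "search"
                           for w in re.findall(r"[a-z0-9]+", d.lower())
                           if w in KEYWORDS})
            downloads = sum(1 for _, a, _ in after if a == "file_download")
            lookups = sum(1 for _, a, _ in after if a == "directory_lookup")
            if hits and downloads >= BULK_DOWNLOADS:
                findings.append({"user": user, "keywords": hits,
                                 "enrolled_at": enrolled_at.isoformat(),
                                 "downloads": downloads,
                                 "directory_lookups": lookups})
    return findings
```

A routine device replacement followed by a single download, or a keyword search with no preceding enrollment, is not flagged; only the combined sequence is.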
The scope of targeting has extended beyond standard employees, with senior-level executives also being subjected to aggressive intimidation tactics. Among the most alarming methods employed is swatting — the deliberate placement of false emergency calls designed to provoke armed law enforcement responses at victims' locations. This tactic appears to serve as a secondary pressure mechanism to compel compliance with extortion demands.
Incident response firm Mandiant confirmed to security media outlet BleepingComputer that its teams are currently engaged in responding to multiple vishing-related cases involving data theft and extortion. At least one of these incidents was directly connected to a BlackFile-operated victim-shaming website, which has since been taken offline.
In response to the growing threat posed by BlackFile and similar groups, the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) has outlined a series of defensive recommendations for organizations. These include overhauling internal call-handling procedures, implementing strict multifactor identity verification protocols for any caller requesting sensitive actions, and deploying simulation-based social engineering training programs targeted specifically at frontline personnel who are most likely to be the initial point of contact in such attacks.
Security researchers have raised serious alarms after an artificial intelligence system successfully chained together four previously unknown zero-day vulnerabilities into a single, cohesive exploit capable of bypassing both renderer-level and operating system-level sandboxes simultaneously.
The development marks a significant turning point in the threat landscape, as it demonstrates that AI is no longer simply a tool for defenders — it has become a potent force for offensive security operations as well.
Sandbox bypass techniques have historically required deep expertise and considerable time investment from skilled human researchers. The ability of an AI to autonomously discover and link multiple zero-days into one functional attack chain signals that the barrier to creating sophisticated exploits may be dropping at an alarming rate.
Security professionals warn that this is not an isolated incident, and that a broader surge of AI-assisted exploit development is likely on the horizon. The implications for enterprise security teams, software vendors, and critical infrastructure operators are profound.
In response to this evolving threat environment, security experts are calling for more advanced and continuous validation strategies — ones capable of keeping pace with autonomous offensive capabilities.
The upcoming Autonomous Validation Summit, scheduled across May 12 and May 14, is set to address these pressing concerns head-on. Attendees will explore how autonomous, context-aware validation techniques can identify genuinely exploitable weaknesses within complex environments, verify whether existing security controls are effectively holding up under pressure, and ensure that remediation efforts are completed and confirmed rather than simply initiated.
The summit represents a timely gathering for security practitioners seeking to understand and adapt to a new era where AI-driven threats demand equally intelligent and dynamic defensive responses.