Extortion in the Enterprise: Defending Against BlackFile Attacks
Since February 2026, multiple incidents involving data theft and extortion have been attributed to the activity cluster CL-CRI-1116, also known as BlackFile, UNC6671, and Cordial Spider. These financially motivated attackers, likely associated with "The Com" collective, employ voice-based phishing combined with credential harvesting through fraudulent login pages. They impersonate IT support staff to steal credentials and bypass multi-factor authentication. The attackers focus on Living Off the Land techniques, abusing legitimate APIs like Microsoft Graph to access SharePoint sites and Salesforce data. They search for confidential information and employee data within SaaS environments, then exfiltrate it through browser downloads or API exports. To pressure victims into paying seven-figure ransoms, the attackers send demands via Gmail and compromised email accounts, sometimes employing swatting tactics against executives.