Unit 42 has responded to numerous incidents since February 2026 involving data theft and extortion across various industries. We attribute a specific portion of this financially-motivated activity with moderate confidence to the activity cluster CL-CRI-1116, which overlaps with public reporting on BlackFile, UNC6671 and Cordial Spider. This blog is designed to provide RH-ISAC members with unique insights from Unit 42 investigations, along with defensive recommendations to counter this emerging threat activity.