{ "type": "IPv4", "indicator": "136.158.27.72", "general": { "whois": "http://whois.domaintools.com/136.158.27.72", "reputation": 0, "indicator": "136.158.27.72", "type": "IPv4", "type_title": "IPv4", "base_indicator": { "id": 4330778195, "indicator": "136.158.27.72", "type": "IPv4", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69ef8ab862c07db686ca4572", "name": "Extortion in the Enterprise: Defending Against BlackFile Attacks", "description": "Since February 2026, multiple incidents involving data theft and extortion have been attributed to activity cluster CL-CRI-1116, also known as BlackFile, UNC6671, and Cordial Spider. These financially-motivated attackers, likely associated with \"The Com\" collective, employ voice-based phishing combined with credential harvesting through fraudulent login pages. They impersonate IT support staff to steal credentials and bypass multi-factor authentication. The attackers focus on Living Off the Land techniques, abusing legitimate APIs like Microsoft Graph to access SharePoint sites and Salesforce data. They search for confidential information and employee data within SaaS environments, then exfiltrate it through browser downloads or API exports. To pressure victims into paying seven-figure ransoms, attackers send demands via Gmail and compromised email accounts, sometimes employing SWATting tactics against executives.", "modified": "2026-05-27T16:16:49.504000", "created": "2026-04-27T16:11:35.928000", "tags": [ "blackfile", "data exfiltration", "saas attacks", "unc6671", "extortion", "cordial spider", "the com", "credential theft", "vishing" ], "references": [ "https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/" ], "public": 1, "adversary": "CL-CRI-1116", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Retail", "Hospitality" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 386448, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "10 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69f2b7da2b32f58433883c58", "name": "Malware Filter - Botnet List - 29-04-2026 (Part 2)", "description": "", "modified": "2026-05-30T02:01:40.425000", "created": "2026-04-30T02:00:58.164000", "tags": [], "references": [ "https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "18 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69efa30a6b862f4e2f69c2c1", "name": "Extortion in the Enterprise: Defending Against BlackFile Attacks", "description": "Unit 42 has responded to numerous incidents since February 2026 involving data theft and extortion across various industries. We attribute a specific portion of this financially-motivated activity with moderate confidence to the activity cluster CL-CRI-1116, which overlaps with public reporting on BlackFile, UNC6671 and Cordial Spider. \n\nThis blog is designed to provide RH-ISAC members with unique insights from Unit 42 investigations, along with defensive recommendations to counter this emerging threat activity.", "modified": "2026-05-27T17:07:38.187000", "created": "2026-04-27T17:55:22.771000", "tags": [], "references": [ "https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 64, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69efa30b1bac64f58a8bddad", "name": "Extortion in the Enterprise: Defending Against BlackFile Attacks", "description": "Unit 42 has responded to numerous incidents since February 2026 involving data theft and extortion across various industries. We attribute a specific portion of this financially-motivated activity with moderate confidence to the activity cluster CL-CRI-1116, which overlaps with public reporting on BlackFile, UNC6671 and Cordial Spider. \n\nThis blog is designed to provide RH-ISAC members with unique insights from Unit 42 investigations, along with defensive recommendations to counter this emerging threat activity.", "modified": "2026-05-27T17:07:38.187000", "created": "2026-04-27T17:55:23.959000", "tags": [], "references": [ "https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 64, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69f026e8e8bb8c0623d7e55d", "name": "IOC - Extortion in the Enterprise: Defending Against BlackFile Attacks", "description": "", "modified": "2026-05-27T16:16:49.504000", "created": "2026-04-28T03:18:00.867000", "tags": [ "blackfile", "data exfiltration", "saas attacks", "unc6671", "extortion", "cordial spider", "the com", "credential theft", "vishing" ], "references": [ "https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/" ], "public": 1, "adversary": "CL-CRI-1116", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Retail", "Hospitality" ], "TLP": "white", "cloned_from": "69ef8ab862c07db686ca4572", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69f19280b40f8e3963b06b38", "name": "Extortion in the Enterprise: Defending Against BlackFile Attacks", "description": "", "modified": "2026-05-27T16:16:49.504000", "created": "2026-04-29T05:09:20.418000", "tags": [ "blackfile", "data exfiltration", "saas attacks", "unc6671", "extortion", "cordial spider", "the com", "credential theft", "vishing" ], "references": [ "https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/" ], "public": 1, "adversary": "CL-CRI-1116", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Retail", "Hospitality" ], "TLP": "white", "cloned_from": "69ef8ab862c07db686ca4572", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 } ], "references": [ "https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt", "IOCs.2026.csv", "https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/" ], "related": { "alienvault": { "adversary": [ "CL-CRI-1116" ], "malware_families": [], "industries": [ "Hospitality", "Retail" ] }, "other": { "adversary": [ "CL-CRI-1116", "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [], "industries": [ "Hospitality", "Retail" ] } } }, "false_positive": [], "validation": [], "asn": "AS17639 converge ict solutions inc.", "city_data": true, "city": "City of Muntinglupa", "region": "40", "continent_code": "AS", "country_code3": "PHL", "country_code2": "PH", "subdivision": "RIZ", "latitude": 14.4069, "postal_code": "1772", "longitude": 121.0306, "accuracy_radius": 5, "country_code": "PH", "country_name": "Philippines", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/ph.png", "flag_title": "Philippines", "sections": [ "general", "geo", "reputation", "url_list", "passive_dns", "malware", "nids_list", "http_scans" ] }, "geo": { "asn": "AS17639 converge ict solutions inc.", "city_data": true, "city": "City of Muntinglupa", "region": "40", "continent_code": "AS", "country_code3": "PHL", "country_code2": "PH", "subdivision": "RIZ", "latitude": 14.4069, "postal_code": "1772", "longitude": 121.0306, "accuracy_radius": 5, "country_code": "PH", "country_name": "Philippines", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/ph.png", "flag_title": "Philippines" }, "geo_ipapicom": { "country": "Philippines", "country_code": "PH", "region": "Metro Manila", "city": "Paranaque City", "zip": "1700", "latitude": 14.5051, "longitude": 121.0272, "timezone": "Asia/Manila", "isp": "ComClark Network & Technology Corp", "org": "Convergeict", "asn": "AS17639 Converge ICT Solutions Inc.", "asn_name": "CONVERGE-AS", "is_proxy": false, "is_hosting": false, "source": "ip-api.com" }, "pulse_count": 7, "pulses": [ { "id": "69ef8ab862c07db686ca4572", "name": "Extortion in the Enterprise: Defending Against BlackFile Attacks", "description": "Since February 2026, multiple incidents involving data theft and extortion have been attributed to activity cluster CL-CRI-1116, also known as BlackFile, UNC6671, and Cordial Spider. These financially-motivated attackers, likely associated with \"The Com\" collective, employ voice-based phishing combined with credential harvesting through fraudulent login pages. They impersonate IT support staff to steal credentials and bypass multi-factor authentication. The attackers focus on Living Off the Land techniques, abusing legitimate APIs like Microsoft Graph to access SharePoint sites and Salesforce data. They search for confidential information and employee data within SaaS environments, then exfiltrate it through browser downloads or API exports. To pressure victims into paying seven-figure ransoms, attackers send demands via Gmail and compromised email accounts, sometimes employing SWATting tactics against executives.", "modified": "2026-05-27T16:16:49.504000", "created": "2026-04-27T16:11:35.928000", "tags": [ "blackfile", "data exfiltration", "saas attacks", "unc6671", "extortion", "cordial spider", "the com", "credential theft", "vishing" ], "references": [ "https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/" ], "public": 1, "adversary": "CL-CRI-1116", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Retail", "Hospitality" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 386448, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "10 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69f2b7da2b32f58433883c58", "name": "Malware Filter - Botnet List - 29-04-2026 (Part 2)", "description": "", "modified": "2026-05-30T02:01:40.425000", "created": "2026-04-30T02:00:58.164000", "tags": [], "references": [ "https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "18 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69efa30a6b862f4e2f69c2c1", "name": "Extortion in the Enterprise: Defending Against BlackFile Attacks", "description": "Unit 42 has responded to numerous incidents since February 2026 involving data theft and extortion across various industries. We attribute a specific portion of this financially-motivated activity with moderate confidence to the activity cluster CL-CRI-1116, which overlaps with public reporting on BlackFile, UNC6671 and Cordial Spider. \n\nThis blog is designed to provide RH-ISAC members with unique insights from Unit 42 investigations, along with defensive recommendations to counter this emerging threat activity.", "modified": "2026-05-27T17:07:38.187000", "created": "2026-04-27T17:55:22.771000", "tags": [], "references": [ "https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 64, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69efa30b1bac64f58a8bddad", "name": "Extortion in the Enterprise: Defending Against BlackFile Attacks", "description": "Unit 42 has responded to numerous incidents since February 2026 involving data theft and extortion across various industries. We attribute a specific portion of this financially-motivated activity with moderate confidence to the activity cluster CL-CRI-1116, which overlaps with public reporting on BlackFile, UNC6671 and Cordial Spider. \n\nThis blog is designed to provide RH-ISAC members with unique insights from Unit 42 investigations, along with defensive recommendations to counter this emerging threat activity.", "modified": "2026-05-27T17:07:38.187000", "created": "2026-04-27T17:55:23.959000", "tags": [], "references": [ "https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 64, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69f026e8e8bb8c0623d7e55d", "name": "IOC - Extortion in the Enterprise: Defending Against BlackFile Attacks", "description": "", "modified": "2026-05-27T16:16:49.504000", "created": "2026-04-28T03:18:00.867000", "tags": [ "blackfile", "data exfiltration", "saas attacks", "unc6671", "extortion", "cordial spider", "the com", "credential theft", "vishing" ], "references": [ "https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/" ], "public": 1, "adversary": "CL-CRI-1116", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Retail", "Hospitality" ], "TLP": "white", "cloned_from": "69ef8ab862c07db686ca4572", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69f19280b40f8e3963b06b38", "name": "Extortion in the Enterprise: Defending Against BlackFile Attacks", "description": "", "modified": "2026-05-27T16:16:49.504000", "created": "2026-04-29T05:09:20.418000", "tags": [ "blackfile", "data exfiltration", "saas attacks", "unc6671", "extortion", "cordial spider", "the com", "credential theft", "vishing" ], "references": [ "https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/" ], "public": 1, "adversary": "CL-CRI-1116", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Retail", "Hospitality" ], "TLP": "white", "cloned_from": "69ef8ab862c07db686ca4572", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "136.158.27.72", "type": "IPv4" }, "abuseipdb": { "error": "AbuseIPDB daily limit reached (1,000/day).", "indicator": "136.158.27.72" }, "urlhaus": { "indicator": "136.158.27.72", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780173621.376604 }