Security researchers have revealed details of a new extortion group that has been actively targeting retail and hospitality businesses since February 2026.

Palo Alto Networks’ Unit 42 teamed up with the Retail and Hospitality Information Security and Analysis Center (RH-ISAC) to publish a new report on April 23, Extortion in the Enterprise: Defending Against BlackFile Attacks.

It detailed financially-motivated activity linked to the activity cluster CL-CRI-1116, which the authors said overlaps with public reporting on BlackFile, UNC6671 and Cordial Spider, and is likely to be associated with notorious collective “The Com...”