At a glance
| Actor / group | Helix (suspected ties to BlackFile and ShinyHunters) |
| Activity type | Data extortion through identity-based intrusion |
| Targets / victims | Enterprises; high-visibility staff and executives |
| Scale | Multiple organizations; shared infrastructure across attacks |
| Law-enforcement status | No arrests reported; attribution unconfirmed |
| Source | ReliaQuest Threat Research Team |
TL;DR
ReliaQuest has uncovered a new data extortion crew named Helix. The group uses phone scams and stolen sign-in sessions to raid corporate SharePoint files. Its methods and infrastructure point back to the BlackFile and ShinyHunters ecosystem, though a firm link stays unproven.
What happened
Helix runs a multi-target extortion campaign. Notably, it relies on identity tricks rather than malware. First, an operator phones an employee with a convincing script. In some cases, the caller spoofed the victim’s own manager on caller ID.
Before each call, the operator did homework. The suspected attacker knew the org chart and named direct reports. Meanwhile, a residential proxy matched the target’s real city, so no impossible-travel alert fired.
How the attack works
Next, the operator walked the target through a device code phishing flow in Chrome. This step matters. The victim never typed a password. Instead, the attacker captured a valid session token and slipped past Conditional Access rules.
After the break-in, the group registered a new MFA app for persistence. Then it searched SharePoint using automated queries. Finally, it bulk-downloaded files from a single exfiltration server. ReliaQuest calls this automated stage the clearest sign of Helix activity. “Automated enumeration and collection were identical across incidents and represent the most reliable fingerprint,” the researchers wrote.
Who is behind Helix
ReliaQuest stops short of firm attribution. Still, the overlaps are hard to ignore. The Helix data extortion kill chain mirrors the now-defunct BlackFile group, which shut down in April 2026.
The phishing domain used NICENIC, a registrar tied to both BlackFile and ShinyHunters. Moreover, Helix’s exfiltration server sat four addresses away from a confirmed BlackFile IP on the same host. As ReliaQuest puts it in its full threat spotlight on the group, “The links between Helix and the established BlackFile and ShinyHunters ecosystems stop short of confirmed attribution.”
So treat Helix as a suspected offshoot, not a proven successor. Indeed, BlackFile’s collapse already spawned other brands, including Pink and Redact.
Impact and scale
ReliaQuest confirmed shared infrastructure across attacks on several organizations. Helix favors high-value staff, including executives, because their accounts open wide access.
Dwell time varied a lot. One incident went from access to mass theft in under an hour. Another ran for more than a week. According to BleepingComputer, ShinyHunters-linked breaches recently hit firms such as Medtronic, Nissan, and Kodak, which shows how active this ecosystem remains. Those figures reflect claims by the actors, and no arrests tied to Helix have been reported.
What comes next and how to stay protected
Expect more rebrands from this crowd. Names change fast, but the Helix data extortion playbook stays the same.
ReliaQuest points to one fix above all others. “Disabling device code authentication is the single highest-impact action,” the team advised. Beyond that, restrict sensitive SaaS apps to managed devices only.
You should also block newly registered domains at the DNS layer. Finally, watch identity logs for fresh MFA sign-ups and odd SharePoint downloads. Quick session revocation still works. However, one operator tested containment within 40 minutes, per SecurityBrief, so speed matters.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.