A sophisticated identity-centric threat actor operating under the brand “BlackFile” has spent the early months of 2026 disrupting corporate cloud environments across the globe.
A detailed technical intelligence report from the Google Threat Intelligence Group (GTIG) has pulled back the curtain on this aggressive cluster, tracked as UNC6671. By bypassing standard perimeter defenses through a potent mix of human engineering and modern technical exploitation, the group has successfully compromised dozens of organizations across North America, Australia, and the United Kingdom.
Unlike traditional hacking groups that search for unpatched software vulnerabilities to breach a network, UNC6671 targets the human element at the identity perimeter. The group utilizes highly coordinated voice phishing (vishing) campaigns to trick corporate employees into interacting with malicious infrastructure.
The true technical danger lies in how the group handles the credentials it harvests. UNC6671 relies on adversary-in-the-middle (AiTM) techniques: when an unsuspecting employee enters login details into the attacker-controlled intercepting proxy, the proxy relays the authentication to the real identity provider in real time and captures the valid, authenticated session cookies that the provider issues once MFA has been satisfied.
This allows the threat actor to seamlessly defeat standard multi-factor authentication (MFA) implementations. The report outlines the primary vectors targeted during these intrusions:
“By leveraging adversary-in-the-middle (AiTM) techniques to bypass traditional perimeter defenses and multi-factor authentication (MFA), UNC6671 gains deep access to cloud environments. The group primarily targets Microsoft 365 and Okta infrastructure, leveraging Python and PowerShell scripts to programmatically exfiltrate sensitive corporate data for subsequent extortion attempts.”
The rapid emergence of the BlackFile brand initially created confusion among threat intelligence analysts due to distinct tactical overlaps with other notable extortion rings. Specifically, researchers noticed similarities in how the group systematically steals data out of Software-as-a-Service (SaaS) environments.
At one point, UNC6671 even intentionally co-opted the branding of the prominent cybercriminal syndicate ShinyHunters (UNC6240) to add immediate weight to their extortion demands. However, GTIG’s underlying forensic telemetry indicates that the BlackFile campaign is entirely self-contained:
“While UNC6671 has co-opted the ShinyHunters brand in at least one instance to inject artificial credibility into their threats, GTIG assesses that the operations are independent. This distinction is supported by UNC6671’s use of separate TOX communication channels, unique domain registration patterns, and distinct negotiation styles.”
After maintaining an incredibly high operational cadence throughout the beginning of the year, the BlackFile extortion infrastructure underwent a sudden, unexpected transformation.
According to GTIG’s timeline, the group’s primary dedicated Data Leak Site (DLS)—where they historically listed compromised companies and published samples of stolen corporate data—abruptly dropped offline in late April 2026.
Then, on May 11, 2026, the portal briefly flickered back to life, displaying an explicit farewell message to the cybersecurity community before winding down its infrastructure completely. The group posted an official “Final Notice” stating:
“After careful consideration, BlackFile is shutting down. We are no longer operating services, negotiations, or outreach under this name. Our public presence ends and infrastructure will wind down in an orderly way.”
In a fascinating display of criminal honor, the group’s final web statement even featured a diagram detailing their data destruction pipeline, claiming that they were leveraging utility commands like GNU shred to securely wipe out their stolen data caches so victims wouldn’t face double-extortion from third-party brokers. They concluded with a stark warning to their victims: “Do not pay anyone who contacts you claiming to represent BlackFile or using our name.”
While the BlackFile brand has effectively dissolved, the technical methods refined by UNC6671 remain a blueprint for active threat clusters. The group itself hinted at a future rebrand, noting that it was only stopping operations “under this name.”
For enterprise security leaders, this campaign highlights that identity infrastructure is the primary target. Security teams must move beyond basic password policies and legacy MFA.
To protect against active AiTM and vishing threats, organizations should aggressively shift toward phishing-resistant authentication methods—such as FIDO2/WebAuthn standard keys—implement strict conditional access policies that evaluate device compliance before permitting SSO access, and deploy robust monitoring tools capable of identifying rapid, programmatic SaaS data-dumping behaviors.
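As an added illustration (not code from the article or from the GTIG report), the following Python shows two detection heuristics for the behaviours the recommendations above call out: a session established by an MFA-backed login that is then used from a different source IP (the footprint of an AiTM proxy replaying a stolen cookie), and a user pulling files at a rate only a script produces. The event schema is a simplified, constructed M365-style audit format; the users, IPs, session ids and timestamps are made-up sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, user, op, session, ip, mfa=False):
    return {"ts": ts, "user": user, "op": op, "session": session, "ip": ip, "mfa": mfa}

# Constructed sample events in a simplified M365-style audit schema (not real
# telemetry). j.doe passes MFA from 203.0.113.10; the same session is then used
# from 198.51.100.7 to pull 60 files in two minutes. a.smith is normal traffic.
T0 = datetime(2026, 3, 2, 9, 0, 0)
EVENTS = [
    _ev(T0, "j.doe", "UserLoggedIn", "S1", "203.0.113.10", mfa=True),
    _ev(T0 + timedelta(minutes=1), "j.doe", "FileAccessed", "S1", "203.0.113.10"),
    _ev(T0, "a.smith", "UserLoggedIn", "S2", "192.0.2.44", mfa=True),
    _ev(T0 + timedelta(minutes=30), "a.smith", "FileDownloaded", "S2", "192.0.2.44"),
] + [
    _ev(T0 + timedelta(minutes=5, seconds=2 * i), "j.doe", "FileDownloaded", "S1", "198.51.100.7")
    for i in range(60)
]

def detect_session_replay(events):
    """(user, session, ip) triples where a session created by an MFA-backed
    interactive login is later used from a different source IP."""
    origin, hits = {}, set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] == "UserLoggedIn" and e["mfa"]:
            origin[e["session"]] = e["ip"]          # where MFA was actually passed
        elif e["session"] in origin and e["ip"] != origin[e["session"]]:
            hits.add((e["user"], e["session"], e["ip"]))
    return hits

def detect_bulk_download(events, threshold=50, window=timedelta(minutes=5)):
    """Users with at least `threshold` bulk-access operations inside any sliding
    `window`: a scripted dump, not a person clicking through files."""
    per_user = defaultdict(list)
    for e in events:
        if e["op"] in {"FileDownloaded", "FileSyncDownloadedFull", "MailItemsAccessed"}:
            per_user[e["user"]].append(e["ts"])
    flagged = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)
```

Real deployments would key the replay check on ASN or device identity rather than raw IP to avoid false positives from mobile users, and tune the dump threshold to each tenant's baseline.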