Threat Analysis: BlackFile Extortion, ShinyHunters Data Theft, and the Voice Phishing Wave Hitting UK Businesses
Hello, Mauven here. This is your Daily Threat Analysis for 28th May 2026.
Two financially motivated threat groups are running active campaigns today, and between them they cover the two most reliable ways criminals get into UK businesses: talking your staff into it, and buying their way in using someone else’s breached data. Neither requires a sophisticated zero-day. Both are working right now.
BlackFile: When the Attacker Rings Your Helpdesk
Since February 2026, a threat cluster tracked under several names (BlackFile, UNC6671 and Cordial Spider) has been conducting targeted data theft and extortion operations against enterprises and their supply chains. The group is assessed as financially motivated and has probable associations with “The Com” collective, the loosely affiliated network of English-speaking threat actors that has been responsible for a string of high-profile breaches over the past several years.
The entry vector is voice phishing, or vishing in the trade. Attackers ring employees directly, impersonating IT support staff or helpdesk personnel. The calls are convincing. They use information gathered from open sources about the target organisation to sound credible: internal terminology, names of real colleagues, accurate descriptions of IT systems. The goal is to persuade the employee to provide credentials, approve a multi-factor authentication prompt, or navigate to a fraudulent login page where their credentials are harvested.
What happens next is straightforward and unpleasant. The attackers move laterally through the environment, identify valuable data (customer records, financial information, contracts, strategic documents), exfiltrate it, and then issue an extortion demand. In some documented incidents the attackers have made contact directly with an organisation’s customers or partners to increase pressure.
What the reporting is not saying explicitly: The NCSC published guidance on defending against social engineering, including vishing, years ago. The fact that voice phishing remains the primary initial access vector for BlackFile in 2026 tells you something about how consistently that guidance has been implemented. The technique is not new. The actor is not particularly technically sophisticated at the entry point. The reason it works is that organisations have invested in perimeter security and not nearly enough in the humans answering the phone.
For UK SMBs, the specific risk looks like this. You may not be the direct target. You may be the supplier, the accountant, the solicitor, the IT provider. BlackFile’s intelligence gathering does not stop at large enterprises: anyone with access to a target’s systems or data is a potential route in. If you provide managed services, bookkeeping, legal work, or HR support to larger organisations, your staff are a potential entry point into those clients.
What to do about BlackFile
- Brief your staff on vishing this week. Not a policy document. A five-minute conversation about what the call sounds like, what they should never do on an unexpected call (approve MFA prompts, provide passwords, navigate to links), and who they should contact if something feels wrong.
- Implement a callback verification procedure. If someone rings claiming to be IT support and asks for access or credentials, staff should hang up and call back on a number they sourced independently, not one provided by the caller.
- Review privileged access. If an attacker gains one set of credentials, how far can they move? Least-privilege access principles limit the blast radius.
- Check your MFA configuration. Number matching and additional context requirements significantly reduce the effectiveness of MFA prompt-bombing, which is a common follow-on technique after credential harvesting.
ShinyHunters: Six Million Records and the Downstream Flood
Carnival Corporation, the world’s largest cruise line operator, confirmed today that a data breach affecting nearly 6 million individuals occurred in April 2026. The breach was claimed by ShinyHunters, a prolific extortion group that has been attributed to a string of large-scale data theft operations over recent years.
The stolen data includes names, addresses, dates of birth, email addresses, phone numbers, and in some cases passport details and loyalty account information. Carnival has confirmed the incident and is in the process of notifying affected individuals.
ShinyHunters is not a new actor. The group has been active since at least 2020 and has claimed responsibility for breaches of numerous large organisations including Ticketmaster, AT&T, and others. The Carnival breach is consistent with their established methodology: targeting SaaS-connected environments, exploiting exposed credentials or misconfigured cloud storage, and then either selling the data or using it as leverage for extortion.
What the press coverage is not saying: Six million records is not just a Carnival problem. Those records are now in circulation. The data will be packaged, sold on cybercriminal forums, and used to fuel the next wave of attacks. Credential stuffing campaigns will test those email and password combinations against other services. Phishing campaigns will use the personal details to craft convincing lures. Business email compromise attacks will reference booking details and loyalty numbers to appear legitimate.
If your customers include anyone who has ever booked a cruise, and that is a significant portion of the UK adult population, some of their personal information may now be available to attackers. That matters for your business even if you had no involvement in the Carnival breach, because those customers may now be more susceptible to impersonation attacks that reference their travel history or personal details.
There is also a UK GDPR dimension worth noting here. Carnival operates in the UK and the breach affects UK customers. The ICO will be watching how the notification process unfolds. For any UK business that stores customer data, this is a timely reminder that breach notification timelines under UK GDPR are 72 hours to the ICO from when you become aware of a breach that is likely to result in risk to individuals. That clock does not start when you have a full picture of the incident. It starts when you reasonably know a breach has occurred.
What to do about ShinyHunters-related downstream risk
- Run your business and staff email addresses through a breach checking service (Have I Been Pwned is the standard reference). If any appear in known datasets, enforce a password reset and review MFA coverage.
- Brief your customer-facing staff on the likelihood of increased phishing and vishing attempts targeting your customers in the coming weeks, particularly anything referencing travel bookings or loyalty accounts.
- Review your own incident response plan. If you have customer data, how quickly could you identify a breach? Do you have documented procedures for the 72-hour ICO notification requirement?
One More Thing: The PureLogs Campaign
Fortinet’s threat research team published analysis today of an active phishing campaign distributing a variant of the PureLogs infostealer. The delivery method is a purchase order email containing a malicious JavaScript file. When executed, the script runs PowerShell, which uses process hollowing to inject a .NET module into a legitimate Windows process and then communicates with command-and-control infrastructure.
PureLogs targets saved credentials, browser session cookies, and cryptocurrency wallet data. The purchase order lure is a direct hit on SMBs: finance teams and small business owners open purchase order emails as a matter of course. If your accounts payable process involves opening attachments from external parties, this campaign is directly relevant.
The mitigation here is not complicated. Email filtering that strips or sandboxes JavaScript files (.js) as attachments removes a significant portion of this delivery vector. The NCSC’s guidance on email security covers this. If your IT provider has not already implemented this, ask why.
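As an added illustration of that filter (example code, not from the original post or from Fortinet’s analysis), the Python below parses a constructed purchase-order email and quarantines any attachment whose final extension is a script type or whose MIME type declares JavaScript, so a mixed-case double extension like "PO.pdf.JS" is still caught; the extra Windows Script Host extensions listed are assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample (not a real campaign message); the script hides behind a mixed-case double extension.
SAMPLE_EML = b"""\
From: accounts@supplier.example
To: ap@smb.example
Subject: Purchase Order PO-2026-0417
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="PO-2026-0417.pdf.JS"
Content-Disposition: attachment; filename="PO-2026-0417.pdf.JS"
Content-Transfer-Encoding: base64

dmFyIHggPSAxOw==
--b1
Content-Type: application/pdf; name="terms.pdf"
Content-Disposition: attachment; filename="terms.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# .js is what the campaign uses; the others are assumed Windows Script Host
# variants an administrator would block alongside it.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe"}
SCRIPT_MIME_TYPES = {"text/javascript", "application/javascript"}

def is_script_filename(name: str) -> bool:
    # Only the final extension matters: Windows runs "PO.pdf.JS" as JScript.
    return os.path.splitext(name.strip().lower())[1] in SCRIPT_EXTENSIONS

def is_script_attachment(part: EmailMessage) -> bool:
    # Also catch a declared JavaScript MIME type behind a benign-looking name.
    return (is_script_filename(part.get_filename() or "")
            or part.get_content_type() in SCRIPT_MIME_TYPES)

def strip_script_attachments(raw: bytes) -> tuple[EmailMessage, list[str]]:
    # Drops top-level script parts only; nested multiparts are left alone here.
    msg = message_from_bytes(raw, policy=policy.default)
    quarantined = [p.get_filename() or p.get_content_type()
                   for p in msg.iter_attachments() if is_script_attachment(p)]
    if msg.is_multipart():
        msg.set_payload([p for p in msg.get_payload() if not is_script_attachment(p)])
    return msg, quarantined
```

Running `strip_script_attachments(SAMPLE_EML)` returns the message with only terms.pdf attached and the list `["PO-2026-0417.pdf.JS"]` for the quarantine log.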
The Pattern
Looking at the three threats reported today (BlackFile’s voice phishing, ShinyHunters’ data monetisation, and the PureLogs purchase order campaign), the common thread is not technical sophistication. It is the exploitation of ordinary business processes: answering the phone, processing purchase orders, managing customer accounts.
Organisations that focus exclusively on technical controls and do not invest equivalently in staff awareness and process hardening will keep having this conversation. The NCSC has been publishing guidance on exactly these vectors for years. The question is not whether the guidance exists.