ctipilot.ch

UNC6671 / BlackFile

actor · actor:unc6671

UNC6671 / BlackFile — vishing-driven AiTM extortion with programmatic SharePoint exfiltration (GTIG 2026-05-15)

Coverage timeline: 1 (first 2026-05-16 → last 2026-05-25)
Entries: 1 (1 distinct day)
Sources cited: 2 (2 hosts)
Sections touched: 1 (weekly-long-running)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-25 (weekly-long-running): UNC6671 / BlackFile — GTIG publishes the full profile; group announced shutdown "under this name", rebrand probable

Where this entity is cited

  • weekly-long-running: 1

Source distribution

  • cloud.google.com: 1 (50%)
  • cyberscoop.com: 1 (50%)

Entries about UNC6671 / BlackFile (1)

2026-05-25

UNC6671 / BlackFile — GTIG publishes the full profile; group announced shutdown "under this name", rebrand probable

notable · synthesis · discovered 2026-05-25 05:00 UTC

Resolving a W21 carry-forward watch item: GTIG published a definitive UNC6671 / BlackFile profile in mid-May 2026, characterising the operation as an adversary-in-the-middle (AiTM) vishing specialist targeting Microsoft 365 and Okta SSO environments in retail and hospitality. The attack chain is: vishing impersonating IT support → MFA-bypass / credential grant → AiTM session-token harvest → exfiltration → extortion over the Session messenger. The leak site went offline in late April, briefly resumed on 2026-05-11 to announce "BlackFile is shutting down… under this name," and went dark again. GTIG's phrasing and the "under this name" qualifier point to a probable rebrand rather than a genuine exit. Defenders should keep the AiTM-vishing → rogue-MFA → SSO-token-theft TTP set on watch under any new brand; the tradecraft, not the name, is the durable indicator.

organized-crime identity phishing global europe