BlackFile Shutdown Masks Vishing Surge; Cisco Zero-Day Under Active Attack
Summary
Two developments dominate today's picture: the apparent shutdown of the BlackFile vishing extortion brand, which more likely signals a rebrand or operational pause than an end to activity, and a Cisco SD-WAN zero-day under active exploitation by a persistent threat group. Data exposure volume remains elevated, with 63 breaches or leaks tracked across financial services, healthcare, government, and critical infrastructure in 18 victim countries. Defenders should prioritize patching Cisco SD-WAN systems and hardening identity infrastructure against the adversary-in-the-middle (AiTM) phishing flows that vishing operators use to defeat one-time-code and push-based MFA.
Today's developments
BlackFile (UNC6671) brand goes dark but operational risks persist. Google Threat Intelligence Group (GTIG) published a detailed analysis of the UNC6671 vishing extortion operation, which operates under the "BlackFile" brand. The group targets organizations with voice phishing calls that bypass multi-factor authentication (MFA): the caller coaches the victim through an adversary-in-the-middle login flow in which credentials and second factors are relayed to the real identity provider in real time, and the resulting authenticated session is hijacked. GTIG notes that the BlackFile data leak site (DLS) went offline in late April 2026, briefly reappeared on May 11 to announce a shutdown "under this name," and is now inaccessible. GTIG assesses this as a likely transition rather than a permanent cessation, since threat clusters commonly rebrand after disruption. The group's tradecraft, centred on data theft from Microsoft 365 and Okta environments via programmatic exfiltration using Python and PowerShell scripts, remains highly effective and is being adopted by other actors.
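The hijacked-session pattern described above leaves a detectable trace in identity-provider sign-in logs: a session is established with MFA from the victim's network, then the same session is used from an unrelated network almost immediately, often followed by bulk data access. The following detector is an added example, not code from GTIG or the BlackFile analysis. It runs over a constructed, normalised log; the field names (ts, user, session_id, src_ip, asn, auth_method, event) and the event names in BULK_EVENTS are assumptions, since real Entra ID and Okta System Log exports use different schemas.

```python
"""Flag adversary-in-the-middle (AiTM) session replay in constructed sign-in logs.

Added example for illustration. The record schema below is an assumption and
does not match any vendor's native log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Alice's session shows the AiTM
# pattern: MFA completed from her own ASN, then the session cookie is replayed
# from a different ASN and used for a mailbox export. Bob is a benign control.
SAMPLE_LOG = [
    {"ts": "2026-05-12T09:00:05Z", "user": "alice@example.test", "session_id": "s-1001",
     "src_ip": "203.0.113.7", "asn": "AS64500", "auth_method": "password+otp", "event": "sign_in"},
    {"ts": "2026-05-12T09:00:40Z", "user": "alice@example.test", "session_id": "s-1001",
     "src_ip": "198.51.100.23", "asn": "AS64501", "auth_method": "session_cookie", "event": "sign_in"},
    {"ts": "2026-05-12T09:02:10Z", "user": "alice@example.test", "session_id": "s-1001",
     "src_ip": "198.51.100.23", "asn": "AS64501", "auth_method": "session_cookie", "event": "mail_export"},
    {"ts": "2026-05-12T10:15:00Z", "user": "bob@example.test", "session_id": "s-2002",
     "src_ip": "203.0.113.9", "asn": "AS64500", "auth_method": "fido2", "event": "sign_in"},
    {"ts": "2026-05-12T10:16:00Z", "user": "bob@example.test", "session_id": "s-2002",
     "src_ip": "203.0.113.9", "asn": "AS64500", "auth_method": "session_cookie", "event": "file_download"},
]

REPLAY_WINDOW = timedelta(minutes=30)
# Assumed event names for programmatic bulk access; map your own log's names here.
BULK_EVENTS = {"mail_export", "file_download", "directory_enum"}


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(records, window=REPLAY_WINDOW):
    """Return one finding per session whose cookie is reused from a second ASN
    within `window` of the originating interactive sign-in.

    Matching on ASN rather than raw IP avoids flagging ordinary address churn
    inside one provider; a user moving from office Wi-Fi to a mobile carrier
    will still trip it, so treat findings as leads, not verdicts.
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session_id"]].append(rec)

    findings = []
    for session_id, events in by_session.items():
        events.sort(key=lambda r: parse_ts(r["ts"]))
        origin = events[0]
        # Only sessions created by an interactive sign-in can be "replayed".
        if origin["event"] != "sign_in":
            continue
        origin_ts = parse_ts(origin["ts"])
        replays = [
            e for e in events[1:]
            if e["asn"] != origin["asn"]
            and e["auth_method"] == "session_cookie"
            and parse_ts(e["ts"]) - origin_ts <= window
        ]
        if not replays:
            continue
        replay_asn = replays[0]["asn"]
        # Bulk-access events from the replaying ASN point at scripted
        # exfiltration rather than a stray browser tab.
        bulk = {e["event"] for e in events if e["asn"] == replay_asn} & BULK_EVENTS
        findings.append({
            "user": origin["user"],
            "session_id": session_id,
            "origin_asn": origin["asn"],
            "origin_auth": origin["auth_method"],
            "replay_asn": replay_asn,
            "first_replay_ts": replays[0]["ts"],
            "post_replay_events": sorted(bulk),
        })
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_LOG):
        print(f"{f['user']}: session {f['session_id']} established via {f['origin_auth']} "
              f"from {f['origin_asn']}, replayed from {f['replay_asn']} at {f['first_replay_ts']}; "
              f"bulk events: {', '.join(f['post_replay_events']) or 'none'}")
```

Detection of this kind is a backstop, not the fix: a relayed one-time code or push approval is indistinguishable from a legitimate one at the identity provider, so the durable control is phishing-resistant MFA (FIDO2/WebAuthn, which binds the assertion to the real origin) together with conditional access that revokes sessions on network or device change. The benign FIDO2 session in the sample is included to show that the rule keys on cookie reuse across networks, not on the authentication method itself.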
Cisco SD-WAN zero-day under active exploitation. A newly disclosed Cisco SD-WAN zero-day, CVE-2026-20182, is being exploited in targeted attacks by a threat actor tracked as UAT-8616; it is the sixth SD-WAN zero-day exploited in 2026. CISA has ordered all federal agencies to patch by Sunday. Security reporters link the same group to a series of recently disclosed vulnerabilities in Cisco firewalls and SD-WAN products. Separately, Microsoft warned of an Exchange Server zero-day (CVE-2026-42897) being exploited in the wild; mitigations are available while a permanent patch is pending.
Major data breach allegations span multiple sectors and geographies. Notable incidents include:
- Coinbase (United States, Financial Services) -- Actor Meowl claims a data breach of the cryptocurrency exchange.
- Eli Lilly and Company (United States, Healthcare & Pharmaceuticals) -- Actor TeamPCP claims to have breached codebases and clinical development data. TeamPCP also released the source code for the Shai-Hulud worm used in the TanStack supply chain attack.
- U.S. Department of Energy (United States, Energy & Utilities) -- Actor mosad claims a data breach.
- Kyiv City State Administration (Ukraine, Government) -- Actor ALFANET claims a breach of the Ukrainian capital's government.
- Argentina BCRA / IOMA / GDEBA (Argentina, Financial Services & Government) -- Actor Skull1172 claims a breach of the central bank and provincial government systems.
- Indonesia Police Database (Indonesia, Government) -- Actor whoare claims a breach of the Indonesian National Police (POLRI).
- Ethiopian Food and Drug Administration (Ethiopia, Government) -- Actor 404Crew Cyber Team claims a breach.
- Bangladesh Customs (Bangladesh, Government) -- Actor vicmeow claims a data leak.
- Uganda's Tax Appeals Tribunal (Uganda, Government) -- Actor my_cnf claims unauthorized access.
- PagesJaunes (France, Telecommunications) -- Actor arpanet7444 claims a data leak of the French directory service.
- Meetic, 7M-record database (France, Technology) -- Actor codemane claims a breach of the dating platform.
- esky.com, 10.3M records (Poland, Travel) -- Actor MDGhost claims a breach affecting Brazilian travelers; the listing references Delta Airlines BR travelers.
- Aviso Wealth (Canada, Financial Services) -- Actor lowiqq claims a breach of the wealth management firm.
- WholeHealth Chicago (United States, Medical Practice) -- Actor CMD Organization claims a breach.
- Houston Eye Associates (United States, Medical Practice) -- Actor CMD Organization also claims a breach of this ophthalmology practice.
Supply chain and infostealer activity continues. The TanStack supply chain attack (the "Mini Shai-Hulud" worm) impacted two OpenAI employee devices, though OpenAI states no user data or production systems were compromised. Unit 42 published an analysis of Gremlin Stealer's evolved tactics, which now include advanced obfuscation, crypto clipping (swapping cryptocurrency wallet addresses on the victim's clipboard), and session hijacking. Researchers also disclosed four OpenClaw vulnerabilities (Claw Chain) that could enable data theft and privilege escalation.
Threat landscape signals
Actor concentration and geographic targeting. The most active threat actors today -- Pharaoh's Team Channel (16 events), DieNet (15), JAX7 (14), NoName057(16) (10), and INFERNALIS (9) -- are a mix of hacktivist and financially motivated groups. The United States and Chile each recorded 18 events, followed by Israel (13), Ethiopia (10), and Brazil (9). The high event counts for Chile and Ethiopia suggest coordinated campaigns, possibly hacktivist in nature.
Ransomware and extortion shifts. While ransomware events remain relatively low (13), the BlackFile analysis underscores that vishing-based extortion is a growing vector that defeats one-time-code and push-based MFA. The group's shift from Tox to Session for communications, its use of hijacked internal email accounts, and its aggressive spam and swatting tactics represent an escalation in pressure techniques. The shutdown of the BlackFile DLS may indicate a rebranding, but the underlying TTPs will likely persist under a new name.
Critical infrastructure and government targeting. The breadth of government breach claims, from Kyiv to Argentina to Indonesia to Uganda, suggests that state and local government entities remain soft targets. The U.S. Department of Energy breach allegation, if confirmed, would be a significant compromise of a federal energy-sector agency. The Cisco SD-WAN zero-day exploitation further highlights network edge devices as a favoured initial access vector.