Welcome to BlackFile: Inside a Vishing Extortion Operation

    Date: 05/20/2026

    Severity: High

    Summary

    The team has been tracking a large-scale extortion campaign run by UNC6671 under the "BlackFile" brand. The group targets organizations with voice phishing (vishing) calls that steer employees to lookalike single sign-on (SSO) and "internal" portal domains (listed below). Those portals are adversary-in-the-middle (AiTM) pages: they relay the victim's credentials and MFA response to the real identity provider and capture the resulting session, so traditional defenses and multi-factor authentication (MFA) that is not phishing-resistant are bypassed. The attackers focus on Microsoft 365 and Okta tenants to gain deep access to cloud infrastructure, then use Python and PowerShell scripts to exfiltrate sensitive corporate data for extortion. Since emerging in early 2026, UNC6671 has targeted dozens of organizations across North America, Australia, and the UK.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    accoesinternal.com

    alliantenergyinternal.com

    amwaterinternal.com

    applovinsso.com

    arvinasinternal.com

    avalonbayinternal.com

    avisonyounginternal.com

    ballinternal.com

    blacknbsxfdmjtx4yn533zzm4bemtdfl6dyopbmhg46ckhn4qy7i77id.onion

    blharbertinternal.com

    bluelinxinternal.com

    canforinternal.com

    cmsenergysso.com

    compassmineralsinternal.com

    dnowinternal.com

    drivenbrands-internal.com

    encovainternal.com

    encovasso.com

    finninginternal.com

    genesysinternal.com

    goeasyltdsso.com

    gustosso.com

    hearstinternal.com

    ironmountaininternal.com

    jonesdayinternal.com

    kennedywilsonsso.com

    lineageinternal.com

    mercuryinsurancesso.com

    methanexinternal.com

    methodesso.com

    mybwatersso.com

    mycathaysso.com

    mycovsso.com

    mydcohenandsteers.com

    myexprealtyinternal.com

    mygamestopsso.com

    myhightoweradvisors.com

    myhowardhughes.com

    myhremea.com

    myklinternal.com

    mymastecsso.com

    mymethanexsso.com

    myqesso.com

    myredfininternal.com

    myrwbaird.com

    mysecurianfinancial.com

    mysonosinternals.com

    mysteadfastsso.com

    mysurveymonkeysso.com

    mytpgsso.com

    mywinstonsso.com

    niggerpornniggercat329.com

    passkeyms.com

    pitneybowesinternal.com

    racetracinternal.com

    realpageinternal.com

    redfinsso.com

    semprainternal.com

    setupsso.com

    sunruninternal.com

    talenenergyinternal.com

    talenenergysso.com

    trimbleinternal.com

    trinetinternal.com

    uchealthinternal.com

    walkerdunlopinternal.com

    walkerdunlopsso.com

    IP Addresses:

    1.145.148.38

    104.32.172.247

    104.63.116.119

    107.115.224.121

    108.54.252.199

    122.150.164.109

    122.150.164.190

    125.253.110.4

    141.154.50.191

    142.127.171.133

    143.105.1.157

    143.105.191.205

    148.76.46.73

    172.56.188.122

    172.56.223.45

    174.173.65.127

    179.43.185.226

    184.93.76.10

    185.193.127.130

    185.193.127.42

    185.231.32.34

    194.193.152.229

    198.52.166.197

    199.127.61.200

    206.170.208.23

    207.204.228.191

    208.80.178.207

    209.222.98.200

    216.131.72.178

    216.131.73.22

    216.131.73.47

    216.234.197.161

    216.86.133.54

    220.235.162.40

    23.125.120.89

    35.151.223.9

    37.15.73.132

    38.190.138.239

    45.144.115.194

    45.83.220.213

    47.145.181.53

    47.145.182.39

    65.21.62.56

    67.254.210.169

    67.86.139.117

    68.105.131.66

    68.109.1.225

    68.129.214.47

    68.73.213.196

    71.62.223.125

    71.62.44.153

    73.10.201.149

    73.148.113.242

    73.189.197.95

    73.199.236.230

    73.201.175.84

    73.253.0.185

    73.39.229.67

    74.101.94.238

    74.110.105.151

    74.110.120.63

    76.35.215.9

    76.64.54.159

    76.70.74.63

    80.78.23.74

    85.238.66.242

    96.245.102.137

    97.146.134.12

    98.116.225.9

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "trimbleinternal.com" or url like "trimbleinternal.com" or siteurl like "trimbleinternal.com" or domainname like "finninginternal.com" or url like "finninginternal.com" or siteurl like "finninginternal.com" or domainname like "mycovsso.com" or url like "mycovsso.com" or siteurl like "mycovsso.com" or domainname like "mygamestopsso.com" or url like "mygamestopsso.com" or siteurl like "mygamestopsso.com" or domainname like "arvinasinternal.com" or url like "arvinasinternal.com" or siteurl like "arvinasinternal.com" or domainname like "walkerdunlopsso.com" or url like "walkerdunlopsso.com" or siteurl like "walkerdunlopsso.com" or domainname like "mymastecsso.com" or url like "mymastecsso.com" or siteurl like "mymastecsso.com" or domainname like "mysonosinternals.com" or url like "mysonosinternals.com" or siteurl like "mysonosinternals.com" or domainname like "jonesdayinternal.com" or url like "jonesdayinternal.com" or siteurl like "jonesdayinternal.com" or domainname like "hearstinternal.com" or url like "hearstinternal.com" or siteurl like "hearstinternal.com" or domainname like "realpageinternal.com" or url like "realpageinternal.com" or siteurl like "realpageinternal.com" or domainname like "blharbertinternal.com" or url like "blharbertinternal.com" or siteurl like "blharbertinternal.com" or domainname like "compassmineralsinternal.com" or url like "compassmineralsinternal.com" or siteurl like "compassmineralsinternal.com" or domainname like "trinetinternal.com" or url like "trinetinternal.com" or siteurl like "trinetinternal.com" or domainname like "walkerdunlopinternal.com" or url like "walkerdunlopinternal.com" or siteurl like "walkerdunlopinternal.com" or domainname like "methanexinternal.com" or url like "methanexinternal.com" or siteurl like "methanexinternal.com" or domainname like "drivenbrands-internal.com" or url like "drivenbrands-internal.com" or siteurl like "drivenbrands-internal.com" or domainname like "myrwbaird.com" or url like "myrwbaird.com" or siteurl like "myrwbaird.com" or domainname like "pitneybowesinternal.com" or url like "pitneybowesinternal.com" or siteurl like "pitneybowesinternal.com" or domainname like "sunruninternal.com" or url like "sunruninternal.com" or siteurl like "sunruninternal.com" or domainname like "mercuryinsurancesso.com" or url like "mercuryinsurancesso.com" or siteurl like "mercuryinsurancesso.com" or domainname like "passkeyms.com" or url like "passkeyms.com" or siteurl like "passkeyms.com" or domainname like "gustosso.com" or url like "gustosso.com" or siteurl like "gustosso.com" or domainname like "mysteadfastsso.com" or url like "mysteadfastsso.com" or siteurl like "mysteadfastsso.com" or domainname like "alliantenergyinternal.com" or url like "alliantenergyinternal.com" or siteurl like "alliantenergyinternal.com" or domainname like "myhremea.com" or url like "myhremea.com" or siteurl like "myhremea.com"

    Detection Query 2:

    domainname like "myredfininternal.com" or url like "myredfininternal.com" or siteurl like "myredfininternal.com" or domainname like "goeasyltdsso.com" or url like "goeasyltdsso.com" or siteurl like "goeasyltdsso.com" or domainname like "dnowinternal.com" or url like "dnowinternal.com" or siteurl like "dnowinternal.com" or domainname like "applovinsso.com" or url like "applovinsso.com" or siteurl like "applovinsso.com" or domainname like "cmsenergysso.com" or url like "cmsenergysso.com" or siteurl like "cmsenergysso.com" or domainname like "mysecurianfinancial.com" or url like "mysecurianfinancial.com" or siteurl like "mysecurianfinancial.com" or domainname like "ballinternal.com" or url like "ballinternal.com" or siteurl like "ballinternal.com" or domainname like "myexprealtyinternal.com" or url like "myexprealtyinternal.com" or siteurl like "myexprealtyinternal.com" or domainname like "bluelinxinternal.com" or url like "bluelinxinternal.com" or siteurl like "bluelinxinternal.com" or domainname like "mysurveymonkeysso.com" or url like "mysurveymonkeysso.com" or siteurl like "mysurveymonkeysso.com" or domainname like "mycathaysso.com" or url like "mycathaysso.com" or siteurl like "mycathaysso.com" or domainname like "niggerpornniggercat329.com" or url like "niggerpornniggercat329.com" or siteurl like "niggerpornniggercat329.com" or domainname like "mymethanexsso.com" or url like "mymethanexsso.com" or siteurl like "mymethanexsso.com" or domainname like "ironmountaininternal.com" or url like "ironmountaininternal.com" or siteurl like "ironmountaininternal.com" or domainname like "avisonyounginternal.com" or url like "avisonyounginternal.com" or siteurl like "avisonyounginternal.com" or domainname like "genesysinternal.com" or url like "genesysinternal.com" or siteurl like "genesysinternal.com" or domainname like "lineageinternal.com" or url like "lineageinternal.com" or siteurl like "lineageinternal.com" or domainname like "encovasso.com" or url like "encovasso.com" or siteurl like "encovasso.com" or domainname like "myhowardhughes.com" or url like "myhowardhughes.com" or siteurl like "myhowardhughes.com" or domainname like "encovainternal.com" or url like "encovainternal.com" or siteurl like "encovainternal.com" or domainname like "myqesso.com" or url like "myqesso.com" or siteurl like "myqesso.com" or domainname like "redfinsso.com" or url like "redfinsso.com" or siteurl like "redfinsso.com" or domainname like "kennedywilsonsso.com" or url like "kennedywilsonsso.com" or siteurl like "kennedywilsonsso.com" or domainname like "uchealthinternal.com" or url like "uchealthinternal.com" or siteurl like "uchealthinternal.com" or domainname like "setupsso.com" or url like "setupsso.com" or siteurl like "setupsso.com" or domainname like "talenenergysso.com" or url like "talenenergysso.com" or siteurl like "talenenergysso.com" or domainname like "mybwatersso.com" or url like "mybwatersso.com" or siteurl like "mybwatersso.com" or domainname like "avalonbayinternal.com" or url like "avalonbayinternal.com" or siteurl like "avalonbayinternal.com" or domainname like "semprainternal.com" or url like "semprainternal.com" or siteurl like "semprainternal.com" or domainname like "mytpgsso.com" or url like "mytpgsso.com" or siteurl like "mytpgsso.com" or domainname like "methodesso.com" or url like "methodesso.com" or siteurl like "methodesso.com" or domainname like "accoesinternal.com" or url like "accoesinternal.com" or siteurl like "accoesinternal.com" or domainname like "mydcohenandsteers.com" or url like "mydcohenandsteers.com" or siteurl like "mydcohenandsteers.com" or domainname like "amwaterinternal.com" or url like "amwaterinternal.com" or siteurl like "amwaterinternal.com" or domainname like "racetracinternal.com" or url like "racetracinternal.com" or siteurl like "racetracinternal.com" or domainname like "talenenergyinternal.com" or url like "talenenergyinternal.com" or siteurl like "talenenergyinternal.com" or domainname like "myhightoweradvisors.com" or url like "myhightoweradvisors.com" or siteurl like "myhightoweradvisors.com" or domainname like "myklinternal.com" or url like "myklinternal.com" or siteurl like "myklinternal.com" or domainname like "mywinstonsso.com" or url like "mywinstonsso.com" or siteurl like "mywinstonsso.com" or domainname like "canforinternal.com" or url like "canforinternal.com" or siteurl like "canforinternal.com" or domainname like "blacknbsxfdmjtx4yn533zzm4bemtdfl6dyopbmhg46ckhn4qy7i77id.onion" or url like "blacknbsxfdmjtx4yn533zzm4bemtdfl6dyopbmhg46ckhn4qy7i77id.onion" or siteurl like "blacknbsxfdmjtx4yn533zzm4bemtdfl6dyopbmhg46ckhn4qy7i77id.onion"

    Detection Query 3:

    dstipaddress IN ("68.73.213.196","76.70.74.63","199.127.61.200","185.193.127.42","38.190.138.239","185.193.127.130","179.43.185.226","209.222.98.200","37.15.73.132","76.64.54.159","142.127.171.133","206.170.208.23","45.83.220.213","104.32.172.247","148.76.46.73","85.238.66.242","216.131.73.47","198.52.166.197","1.145.148.38","104.63.116.119","107.115.224.121","108.54.252.199","122.150.164.109","122.150.164.190","125.253.110.4","141.154.50.191","143.105.1.157","143.105.191.205","172.56.188.122","172.56.223.45","174.173.65.127","184.93.76.10","185.231.32.34","194.193.152.229","207.204.228.191","208.80.178.207","216.131.72.178","216.131.73.22","216.234.197.161","216.86.133.54","220.235.162.40","23.125.120.89","35.151.223.9","45.144.115.194","47.145.181.53","47.145.182.39","65.21.62.56","67.254.210.169","67.86.139.117","68.105.131.66","68.109.1.225","68.129.214.47","71.62.223.125","71.62.44.153","73.10.201.149","73.148.113.242","73.189.197.95","73.199.236.230","73.201.175.84","73.253.0.185","73.39.229.67","74.101.94.238","74.110.105.151","74.110.120.63","76.35.215.9","80.78.23.74","96.245.102.137","97.146.134.12","98.116.225.9") or srcipaddress IN ("68.73.213.196","76.70.74.63","199.127.61.200","185.193.127.42","38.190.138.239","185.193.127.130","179.43.185.226","209.222.98.200","37.15.73.132","76.64.54.159","142.127.171.133","206.170.208.23","45.83.220.213","104.32.172.247","148.76.46.73","85.238.66.242","216.131.73.47","198.52.166.197","1.145.148.38","104.63.116.119","107.115.224.121","108.54.252.199","122.150.164.109","122.150.164.190","125.253.110.4","141.154.50.191","143.105.1.157","143.105.191.205","172.56.188.122","172.56.223.45","174.173.65.127","184.93.76.10","185.231.32.34","194.193.152.229","207.204.228.191","208.80.178.207","216.131.72.178","216.131.73.22","216.234.197.161","216.86.133.54","220.235.162.40","23.125.120.89","35.151.223.9","45.144.115.194","47.145.181.53","47.145.182.39","65.21.62.56","67.254.210.169","67.86.139.117","68.105.131.66","68.109.1.225","68.129.214.47","71.62.223.125","71.62.44.153","73.10.201.149","73.148.113.242","73.189.197.95","73.199.236.230","73.201.175.84","73.253.0.185","73.39.229.67","74.101.94.238","74.110.105.151","74.110.120.63","76.35.215.9","80.78.23.74","96.245.102.137","97.146.134.12","98.116.225.9")
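    The three TDIR queries above compare each field against the indicator strings as they are written. To reproduce that matching outside the platform, for example over exported proxy or identity-provider logs, the following Python is an added example written for this page; it is not Gurucul's query language and not code from the Google Cloud write-up. It loads a subset of the domains and IPs listed above, normalises URL and hostname fields to a bare host, matches an indicator domain together with any of its subdomains, and folds IPv4-mapped IPv6 addresses back to IPv4, three cases a whole-value string compare would miss. The log records and the field names `user`, `domainname`, `url`, `siteurl`, `srcipaddress` and `dstipaddress` are constructed for the example; the 203.0.113.x and 198.51.100.x addresses are RFC 5737 documentation ranges, not indicators.

```python
"""Offline IOC matcher for the BlackFile / UNC6671 indicators listed above.

Added example: not Gurucul's TDIR query language and not code from the
Google Cloud / Mandiant write-up. It applies the same kind of domain and IP
indicators to a few constructed log records, but matches the indicator domain
*and its subdomains* after normalising URLs to a hostname, and recognises
IPv4-mapped IPv6 addresses.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# A subset of the indicators from the list above; paste the full list in here.
IOC_DOMAINS = {
    "trimbleinternal.com",
    "passkeyms.com",
    "setupsso.com",
    "blacknbsxfdmjtx4yn533zzm4bemtdfl6dyopbmhg46ckhn4qy7i77id.onion",
}
IOC_IPS = {
    ipaddress.ip_address(a)
    for a in ("185.193.127.42", "45.144.115.194", "73.10.201.149")
}

# Field names follow the TDIR queries above (domainname/url/siteurl, src/dst IP).
DOMAIN_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("srcipaddress", "dstipaddress")


def hostname_from(value: str) -> str:
    """Lower-case hostname from a bare domain, host:port, or full URL; '' if none."""
    v = value.strip().lower()
    target = v if "://" in v else "//" + v   # make urlsplit treat it as a netloc
    try:
        host = urlsplit(target).hostname or ""
    except ValueError:                       # e.g. malformed IPv6 literal
        return ""
    return host.rstrip(".")                  # "example.com." -> "example.com"


def domain_match(value: str) -> Optional[str]:
    """Return the IOC domain if value is that domain or any subdomain of it."""
    labels = hostname_from(value).split(".")
    # Walk the suffixes: sso.trimbleinternal.com -> trimbleinternal.com
    # (never down to the bare TLD, which cannot be an indicator).
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_match(value: str) -> Optional[str]:
    """Return the canonical IOC address string if value is a listed IP, else None."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:                       # hostnames, empty fields, garbage
        return None
    # ::ffff:a.b.c.d is the same host as a.b.c.d in dual-stack logs.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return str(addr) if addr in IOC_IPS else None


def scan_record(record: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (field, matched_indicator) pairs for one log record."""
    hits: List[Tuple[str, str]] = []
    for field in DOMAIN_FIELDS:
        if field in record:
            d = domain_match(record[field])
            if d:
                hits.append((field, d))
    for field in IP_FIELDS:
        if field in record:
            ip = ip_match(record[field])
            if ip:
                hits.append((field, ip))
    return hits


def scan_records(records: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each record's user to its indicator hits (empty list = clean)."""
    return {r["user"]: scan_record(r) for r in records}


# Constructed sample records (not real telemetry); 203.0.113.x / 198.51.100.x
# are RFC 5737 documentation addresses and are not indicators.
SAMPLE_RECORDS = [
    {"user": "a.smith", "url": "https://sso.trimbleinternal.com/login?ref=okta",
     "dstipaddress": "203.0.113.10"},
    {"user": "b.jones", "domainname": "Trimbleinternal.com.",
     "srcipaddress": "73.10.201.149"},
    {"user": "c.lee", "siteurl": "https://login.example.com/",
     "srcipaddress": "::ffff:185.193.127.42"},
    {"user": "d.kim", "url": "https://trimbleinternal.com.cdn.example.net/",
     "dstipaddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for user, hits in scan_records(SAMPLE_RECORDS).items():
        print(f"{user:8} {'HIT ' + str(hits) if hits else 'clean'}")
```

    Run it directly to see the per-user hits; the fourth record is a lookalike that embeds the indicator as a prefix rather than a suffix and is correctly left clean. Treat an IP hit as a lead to pivot on (which account, which user agent, whether MFA was satisfied) rather than a verdict on its own, and time-bound the IP list, since infrastructure of this kind rotates.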

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation


    Tags

    Python, North America, Australia, United Kingdom, Malware, Threat Actor, Phishing, Vishing, AiTM, Exfiltration, Extortion
