Pink Extortion Group Linked to UNC6671 and The Com Uses Vishing and Fake Helpdesk Calls to Target Enterprise Data

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • New Extortion Brand: Pink, a likely rebrand of BlackFile, uses vishing and fake IT helpdesk calls to steal credentials and extort victims.
  • Unit 42 Discovery: Palo Alto Networks' Unit 42 tracks the group as CL-CRI-1147 and reported its data-leak site went live on May 31.
  • Com-Affiliated Actor: Incident responders, including Google Mandiant and Unit 42, assess that this latest cluster is likely affiliated with The Com.

A new extortion brand called Pink has emerged, using voice phishing and fake helpdesk calls to infiltrate organizations, steal sensitive data, and demand payment under threat of public exposure. Palo Alto Networks' Unit 42 first identified the group, tracking it as CL-CRI-1147, and confirmed its data-leak site went live on May 31.

Pink Tactics: Vishing, IT Impersonation, and Cloud Data Theft

In a LinkedIn post, Palo Alto Networks Unit 42 described Pink's core method as vishing and IT impersonation used to phish employee credentials and bypass MFA. Once inside, the attackers search platforms including SharePoint and OneDrive for valuable corporate and customer data.

After exfiltrating the stolen files, Pink operators use compromised victim accounts and internal Teams messages to pressure companies into paying, offering a 72-hour deadline before their data is leaked publicly.
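The intrusion chain described above (a helpdesk-style MFA change followed by bulk collection from SharePoint/OneDrive) leaves a correlatable trail in identity and collaboration audit logs. The following is an added detection example written for this page; it is not Unit 42's or the article's code. The audit schema, the operation names (`MfaMethodRegistered`, `HelpdeskPasswordReset`, `FileDownloaded`, `FileSyncDownloadedFull`), the window and threshold, and every sample event are assumptions that must be mapped to your own tenant's telemetry before use.

```python
"""Flag users whose MFA method or password was changed and who then bulk-download
from SharePoint/OneDrive within a short window (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical operation names: map these to your IdP / collaboration audit schema.
PRECURSOR_OPS = {"MfaMethodRegistered", "HelpdeskPasswordReset"}
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
DOWNLOAD_WORKLOADS = {"SharePoint", "OneDrive"}


def _event(ts, user, op, workload, ip):
    return {"ts": ts, "user": user, "op": op, "workload": workload, "ip": ip}


def build_sample_events():
    """Constructed audit events (not real telemetry) covering four cases."""
    base = datetime(2026, 6, 1, 9, 0)
    ev = []
    # alice: MFA method registered, then 60 downloads within the hour -> alert
    ev.append(_event(base + timedelta(minutes=2), "alice@example.test",
                     "MfaMethodRegistered", "IdP", "203.0.113.10"))
    for i in range(60):
        ev.append(_event(base + timedelta(minutes=10 + i), "alice@example.test",
                         "FileDownloaded", "SharePoint", "203.0.113.10"))
    # bob: MFA change followed by only 3 downloads -> ordinary activity, no alert
    ev.append(_event(base + timedelta(hours=2), "bob@example.test",
                     "MfaMethodRegistered", "IdP", "198.51.100.7"))
    for i in range(3):
        ev.append(_event(base + timedelta(hours=2, minutes=5 + i), "bob@example.test",
                         "FileDownloaded", "OneDrive", "198.51.100.7"))
    # carol: 80 downloads but no precursor event -> not matched by this rule
    for i in range(80):
        ev.append(_event(base + timedelta(hours=4, minutes=i), "carol@example.test",
                         "FileDownloaded", "SharePoint", "192.0.2.44"))
    # dave: precursor 30 hours before the downloads -> outside the window
    ev.append(_event(base - timedelta(hours=25), "dave@example.test",
                     "HelpdeskPasswordReset", "IdP", "192.0.2.9"))
    for i in range(60):
        ev.append(_event(base + timedelta(hours=5, minutes=i), "dave@example.test",
                         "FileDownloaded", "OneDrive", "192.0.2.9"))
    return ev


def detect_post_mfa_bulk_download(events, window=timedelta(hours=4), threshold=50):
    """Return one alert per precursor event that is followed, within `window`,
    by at least `threshold` download events from SharePoint/OneDrive."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        downloads = [e for e in evs
                     if e["op"] in DOWNLOAD_OPS and e["workload"] in DOWNLOAD_WORKLOADS]
        for p in (e for e in evs if e["op"] in PRECURSOR_OPS):
            window_end = p["ts"] + window
            burst = [d for d in downloads if p["ts"] <= d["ts"] <= window_end]
            if len(burst) >= threshold:
                alerts.append({
                    "user": user,
                    "precursor_op": p["op"],
                    "precursor_ts": p["ts"].isoformat(),
                    "window_end": window_end.isoformat(),
                    "download_count": len(burst),
                    "source_ips": sorted({d["ip"] for d in burst}),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_post_mfa_bulk_download(build_sample_events()):
        print(a)
```

The rule deliberately requires both halves of the chain: a precursor identity change and a download burst. Bulk downloads alone (carol) or a precursor alone (bob, dave) stay below the alert line, which keeps the rule quiet for routine sync clients while still catching the sequence the article describes; tune `window` and `threshold` to your environment's baseline.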

Pink threat actor description | Source: Palo Alto Networks Unit 42 via LinkedIn

Google Threat Intelligence Group (GTIG) assessed that after retiring the BlackFile brand in May 2026, the group launched a brand called Redact and may now have surfaced as Pink. 

Pink threat actor announcement | Source: Palo Alto Networks Unit 42 via LinkedIn

The following phishing domains were identified as indicators of compromise: 

A Familiar Playbook Linked to The Com

Phone-based intrusions have also been seen in the operations of Lapsus$, Scattered Spider, and ShinyHunters. Incident responders, including Google Mandiant and Unit 42, link many of these criminal groups to The Com, and Unit 42 assesses that this latest cluster is also likely a Com-affiliated actor.

The operation exhibits hallmarks of UNC6671, including similar credential-harvesting infrastructure, a data leak site, and recurring messaging claiming to improve the security of victims who pay. GTIG also attributed the Pink domains published by Unit 42 to UNC6671. 

In a February report on ShinyHunters extortion tactics, vishing, and SSO compromise, Mandiant said GTIG tracks the distinct threat clusters UNC6661, UNC6671, and UNC6240, which target cloud environments to harvest single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.

In February, Europol announced 30 arrests and over 170 identifications related to The Com.  


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: