Google has disclosed particulars of a financially motivated menace cluster that it mentioned “specialises” in voice phishing (aka vishing) campaigns designed to breach organizations’ Salesforce situations for large-scale knowledge theft and subsequent extortion.
The tech large’s menace intelligence staff is monitoring the exercise beneath the moniker UNC6040, which it mentioned reveals traits that align with menace teams with ties to an internet cybercrime collective often called The Com.
“Over the previous a number of months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT assist personnel in convincing telephone-based social engineering engagements,” the corporate mentioned in a report shared with The Hacker Information.
This strategy, Google’s Menace Intelligence Group (GTIG) added, has had the advantage of tricking English-speaking staff into performing actions that give the menace actors entry or result in the sharing of useful data comparable to credentials, that are then used to facilitate knowledge theft.
A noteworthy facet of UNC6040’s actions entails using a modified model of Salesforce’s Data Loader that victims are deceived into authorizing in order to connect with the group’s Salesforce portal in the course of the vishing assault. Data Loader is an utility used to import, export, and replace knowledge in bulk inside the Salesforce platform.
Particularly, the attackers information the goal to go to Salesforce’s related app setup web page and approve the modified model of the Data Loader app that carries a special title or branding (e.g., “My Ticket Portal”) from its legit counterpart. This motion grants them unauthorized entry to the Salesforce buyer environments and exfiltrate knowledge.
Past knowledge loss, the assaults function a stepping stone for UNC6040 to maneuver laterally by means of the sufferer’s community, after which entry and harvest data from different platforms comparable to Okta, Office, and Microsoft 365.
Choose incidents have additionally concerned extortion actions, however solely “a number of months” after the preliminary intrusions had been noticed, indicating an try to monetize and revenue off the stolen knowledge presumably in partnership with a second menace actor.
“Throughout these extortion makes an attempt, the actor has claimed affiliation with the well-known hacking group ShinyHunters, possible as a technique to extend strain on their victims,” Google mentioned.
UNC6040’s overlaps with teams linked to The Com stem from the focusing on of Okta credentials and using social engineering through IT assist, a tactic that has been embraced by Scattered Spider, one other financially motivated menace actor that is a part of the loose-knit organized collective.
The vishing marketing campaign hasn’t gone unnoticed by Salesforce, which, in March 2025, warned of menace actors utilizing social engineering techniques to impersonate IT assist personnel over the cellphone and trick its prospects’ staff into gifting away their credentials or approving the modified Data Loader app.
“They’ve been reported luring our prospects’ staff and third-party assist staff to phishing pages designed to steal credentials and MFA tokens or prompting customers to navigate to the login.salesforce[.]com/setup/join web page with a purpose to add a malicious related app,” the corporate mentioned.
“In some circumstances, we’ve noticed that the malicious related app is a modified model of the Data Loader app printed beneath a special title and/or branding. As soon as the menace actor features entry to a buyer’s Salesforce account or provides a related app, they use the related app to exfiltrate knowledge.”
The event not solely highlights the continued sophistication of social engineering campaigns, but additionally exhibits how IT assist employees are being more and more focused as a solution to achieve preliminary entry.
“The success of campaigns like UNC6040’s, leveraging these refined vishing techniques, demonstrates that this strategy stays an efficient menace vector for financially motivated teams searching for to breach organizational defenses,” Google mentioned.
“Given the prolonged time-frame between preliminary compromise and extortion, it’s potential that a number of sufferer organizations and doubtlessly downstream victims may face extortion calls for within the coming weeks or months.”
