Google has disclosed particulars of a financially motivated risk cluster that it stated “specialises” in voice phishing (aka vishing) campaigns designed to breach organizations’ Salesforce situations for large-scale information theft and subsequent extortion.
The tech large’s risk intelligence staff is monitoring the exercise below the moniker UNC6040, which it stated displays traits that align with risk teams with ties to a web-based cybercrime collective generally known as The Com.
“Over the previous a number of months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT help personnel in convincing telephone-based social engineering engagements,” the corporate stated in a report shared with The Hacker Information.
This strategy, Google’s Menace Intelligence Group (GTIG) added, has had the advantage of tricking English-speaking staff into performing actions that give the risk actors entry or result in the sharing of beneficial info corresponding to credentials, that are then used to facilitate information theft.
A noteworthy side of UNC6040’s actions includes using a modified model of Salesforce’s Knowledge Loader that victims are deceived into authorizing in order to hook up with the group’s Salesforce portal throughout the vishing assault. Knowledge Loader is an software used to import, export, and replace information in bulk throughout the Salesforce platform.
Particularly, the attackers information the goal to go to Salesforce’s linked app setup web page and approve the modified model of the Knowledge Loader app that carries a unique identify or branding (e.g., “My Ticket Portal”) from its respectable counterpart. This motion grants them unauthorized entry to the Salesforce buyer environments and exfiltrate information.
Past information loss, the assaults function a stepping stone for UNC6040 to maneuver laterally by the sufferer’s community, after which entry and harvest info from different platforms corresponding to Okta, Office, and Microsoft 365.
Choose incidents have additionally concerned extortion actions, however solely “a number of months” after the preliminary intrusions had been noticed, indicating an try and monetize and revenue off the stolen information presumably in partnership with a second risk actor.
“Throughout these extortion makes an attempt, the actor has claimed affiliation with the well-known hacking group ShinyHunters, possible as a technique to extend stress on their victims,” Google stated.
UNC6040’s overlaps with teams linked to The Com stem from the focusing on of Okta credentials and using social engineering through IT help, a tactic that has been embraced by Scattered Spider, one other financially motivated risk actor that is a part of the loose-knit organized collective.
The vishing marketing campaign hasn’t gone unnoticed by Salesforce, which, in March 2025, warned of risk actors utilizing social engineering ways to impersonate IT help personnel over the telephone and trick its clients’ staff into giving freely their credentials or approving the modified Knowledge Loader app.
“They’ve been reported luring our clients’ staff and third-party help employees to phishing pages designed to steal credentials and MFA tokens or prompting customers to navigate to the login.salesforce[.]com/setup/join web page in an effort to add a malicious linked app,” the corporate stated.
“In some instances, we’ve noticed that the malicious linked app is a modified model of the Knowledge Loader app printed below a unique identify and/or branding. As soon as the risk actor positive factors entry to a buyer’s Salesforce account or provides a linked app, they use the linked app to exfiltrate information.”
The event not solely highlights the continued sophistication of social engineering campaigns, but in addition reveals how IT help workers are being more and more focused as a option to achieve preliminary entry.
“The success of campaigns like UNC6040’s, leveraging these refined vishing ways, demonstrates that this strategy stays an efficient risk vector for financially motivated teams searching for to breach organizational defenses,” Google stated.
“Given the prolonged timeframe between preliminary compromise and extortion, it’s attainable that a number of sufferer organizations and doubtlessly downstream victims may face extortion calls for within the coming weeks or months.”
