
The victim needs to enter a code to connect the threat-actor-controlled Data Loader to their organization's Salesforce instance | Image: GTIG
Google Threat Intelligence Group (GTIG) has sounded the alarm on UNC6040, a financially motivated threat cluster running a deliberate voice phishing (vishing) campaign against Salesforce environments. Combining convincing social engineering with abuse of legitimate connected apps, the operation shows how credential theft and enterprise data exfiltration can succeed without a single software vulnerability.
GTIG’s report highlights UNC6040’s methodical reliance on impersonating IT support personnel:
“Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements.”
These calls target employees, primarily within English-speaking branches of multinational companies, and coax them into granting access or disclosing credentials. No Salesforce vulnerability is exploited; the access is handed over by the user.
At the center of the campaign is Salesforce's Data Loader, a legitimate tool for bulk data management. UNC6040 abuses the step in which a user authorizes a connected app:
“A prevalent tactic… involves deceiving victims into authorizing a malicious connected app to their organization’s Salesforce portal.”
These apps, often disguised with deceptive branding such as "My Ticket Portal", are either modified or renamed copies of Data Loader. The victim is walked through the authorization flow and enters the connection code (as shown in the image above), after which the attacker's app holds API access to the organization's data. In one case, the malicious app pulled data in small chunks to stay below detection thresholds; once enough reconnaissance was complete, the actor escalated to full-table extractions. Defenders should review which connected apps are authorized in their org, restrict which apps users may self-authorize, and watch API activity per connected app rather than per user alone.
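The "small chunks, then a full-table pull" pattern above is something defenders can look for in API event logs. The following is an added example, not code from GTIG or Salesforce: it runs three rules over constructed sample events (field names such as `client`, `entity`, `method` and `rows` are assumptions loosely modeled on Salesforce API event-log monitoring, and `APPROVED_CLIENTS`, the app names, users and thresholds are all invented for illustration). It flags a connected app that is not on the approved list, a user/app pair issuing many small queries, and a sudden jump in row count relative to that pair's earlier queries.

```python
"""Flag connected-app export patterns in Salesforce-style API event records.

Added example. All field names, app names, users and thresholds are assumptions
constructed for illustration; nothing here is telemetry from the campaign.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not real logs). Timestamps are ISO-8601 UTC.
SAMPLE_EVENTS = [
    # Legitimate bulk export through an approved app: one large query, nothing odd.
    {"ts": "2025-05-01T09:00:00Z", "user": "alice@corp.example",
     "client": "Approved Data Loader", "entity": "Account", "method": "query", "rows": 20000},
    # Unapproved app: six small reads of Contact, then a full-table pull.
    *[{"ts": f"2025-05-01T10:0{i}:00Z", "user": "bob@corp.example",
       "client": "My Ticket Portal", "entity": "Contact", "method": "query", "rows": 50}
      for i in range(6)],
    {"ts": "2025-05-01T11:30:00Z", "user": "bob@corp.example",
     "client": "My Ticket Portal", "entity": "Contact", "method": "query", "rows": 180000},
]

APPROVED_CLIENTS = {"Approved Data Loader", "Internal Reporting App"}  # assumed allowlist
SMALL_BATCH_ROWS = 200       # a query returning at most this many rows counts as "small"
MIN_SMALL_BATCHES = 5        # this many small queries from one user/app pair is suspicious
ESCALATION_FACTOR = 20       # a query this many times the prior median is an escalation
READ_METHODS = {"query", "queryMore"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyze(events):
    """Return a list of findings, each {"rule", "user", "client", "detail"}."""
    findings = []
    seen_unapproved = set()
    by_actor = defaultdict(list)

    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        key = (e["user"], e["client"])
        # Rule 1: any traffic from a connected app that is not on the approved list.
        if e["client"] not in APPROVED_CLIENTS and key not in seen_unapproved:
            seen_unapproved.add(key)
            findings.append({"rule": "unapproved_client", "user": e["user"],
                             "client": e["client"], "detail": f"first seen {e['ts']}"})
        by_actor[key].append(e)

    for (user, client), evs in by_actor.items():
        rows = [e["rows"] for e in evs if e["method"] in READ_METHODS]

        # Rule 2: low-and-slow reconnaissance, many small reads from one user/app pair.
        small = [r for r in rows if r <= SMALL_BATCH_ROWS]
        if len(small) >= MIN_SMALL_BATCHES:
            findings.append({"rule": "low_and_slow", "user": user, "client": client,
                             "detail": f"{len(small)} queries of <= {SMALL_BATCH_ROWS} rows"})

        # Rule 3: escalation, a query far larger than the median of this pair's earlier queries.
        for i in range(MIN_SMALL_BATCHES, len(rows)):
            prior = median(rows[:i])
            if rows[i] >= ESCALATION_FACTOR * prior:
                findings.append({"rule": "escalation", "user": user, "client": client,
                                 "detail": f"{rows[i]} rows after median {prior}"})
                break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:<18} {f['user']:<20} {f['client']:<22} {f['detail']}")
```

Rule 3 deliberately compares each query against that user/app pair's own history rather than an org-wide threshold, so a legitimate analyst who always exports 20,000 rows does not trip it while an app that has only ever read 50 rows at a time does. In practice the thresholds need tuning against your org's normal Data Loader usage.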
UNC6040 does not stop at Salesforce. The attackers also pivot laterally into other cloud services:
“UNC6040 was observed leveraging end-user credentials obtained through credential harvesting or vishing to move laterally… accessing and exfiltrating data from other cloud platforms such as Okta and Microsoft 365.”
To execute these operations, UNC6040:
- Hosted Okta phishing panels
- Requested MFA codes in real-time
- Used Mullvad VPN IPs to obscure attacker locations
These tactics align UNC6040 with other threat groups operating under the umbrella of "The Com", though GTIG notes the overlap may stem from shared communities rather than direct affiliation.
A delayed extortion phase distinguishes UNC6040’s operations. GTIG reports:
“Extortion activities haven’t been observed until several months after the initial UNC6040 intrusion… the actor has claimed affiliation with… ShinyHunters, likely as a method to increase pressure on their victims.”
This long gap between intrusion and extortion suggests UNC6040 may resell stolen data or collaborate with third parties for monetization, leaving compromised organizations exposed well after the initial access.
GTIG concludes:
“The success of campaigns like UNC6040’s, leveraging these refined vishing tactics, demonstrates that this approach remains an effective threat vector for financially motivated groups.”