Google has disclosed details of a financially motivated threat cluster that it said “specialises” in voice phishing (aka vishing) campaigns designed to breach organizations’ Salesforce instances for large-scale data theft and subsequent extortion.
The tech giant’s threat intelligence team is tracking the activity under the moniker UNC6040, which it said exhibits characteristics that align with threat groups with ties to an online cybercrime collective known as The Com.
“Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements,” the company said in a report shared with The Hacker News.
This approach, Google’s Threat Intelligence Group (GTIG) added, has had the benefit of tricking English-speaking employees into performing actions that give the threat actors access or lead to the sharing of valuable information such as credentials, which are then used to facilitate data theft.
A noteworthy aspect of UNC6040’s activities involves the use of a modified version of Salesforce’s Data Loader that victims are deceived into authorizing so as to connect to the organization’s Salesforce portal during the vishing attack. Data Loader is an application used to import, export, and update data in bulk within the Salesforce platform.
Specifically, the attackers guide the target to visit Salesforce’s connected app setup page and approve the modified version of the Data Loader app that carries a different name or branding (e.g., “My Ticket Portal”) from its legitimate counterpart. This action grants them unauthorized access to the Salesforce customer environments and exfiltrate data.
Beyond data loss, the attacks serve as a stepping stone for UNC6040 to move laterally through the victim’s network, and then access and harvest information from other platforms such as Okta, Workplace, and Microsoft 365.
Select incidents have also involved extortion activities, but only “several months” after the initial intrusions were observed, indicating an attempt to monetize and profit off the stolen data presumably in partnership with a second threat actor.
“During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims,” Google said.
UNC6040’s overlaps with groups linked to The Com stem from the targeting of Okta credentials and the use of social engineering via IT support, a tactic that has been embraced by Scattered Spider, another financially motivated threat actor that’s part of the loose-knit organized collective.
The vishing campaign hasn’t gone unnoticed by Salesforce, which, in March 2025, warned of threat actors using social engineering tactics to impersonate IT support personnel over the phone and trick its customers’ employees into giving away their credentials or approving the modified Data Loader app.
“They have been reported luring our customers’ employees and third-party support workers to phishing pages designed to steal credentials and MFA tokens or prompting users to navigate to the login.salesforce[.]com/setup/connect page in order to add a malicious connected app,” the company said.
“In some cases, we have observed that the malicious connected app is a modified version of the Data Loader app published under a different name and/or branding. Once the threat actor gains access to a customer’s Salesforce account or adds a connected app, they use the connected app to exfiltrate data.”
The development not only highlights the continued sophistication of social engineering campaigns, but also shows how IT support staff are being increasingly targeted as a way to gain initial access.
“The success of campaigns like UNC6040’s, leveraging these refined vishing tactics, demonstrates that this approach remains an effective threat vector for financially motivated groups seeking to breach organizational defenses,” Google said.
“Given the extended time frame between initial compromise and extortion, it is possible that multiple victim organizations and potentially downstream victims could face extortion demands in the coming weeks or months.”
