Google has disclosed details of a financially motivated threat cluster that it said "specializes" in voice phishing (aka vishing) campaigns designed to breach organizations' Salesforce instances for large-scale data theft and subsequent extortion.

The tech giant's threat intelligence team is tracking the activity under the moniker UNC6040, which it said exhibits characteristics that align with threat groups with ties to an online cybercrime collective known as The Com.

"Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements," the company said in a report shared with The Hacker News.

This approach, Google's Threat Intelligence Group (GTIG) added, has tricked English-speaking employees into performing actions that grant the threat actors access, or into sharing valuable information such as credentials, which are then used to facilitate data theft.


A noteworthy aspect of UNC6040's activities involves the use of a modified version of Salesforce's Data Loader that victims are deceived into authorizing so as to connect to the organization's Salesforce portal during the vishing attack. Data Loader is an application used to import, export, and update data in bulk within the Salesforce platform.

Specifically, the attackers guide the target to visit Salesforce's connected app setup page and approve the modified version of the Data Loader app, which carries a different name or branding (e.g., "My Ticket Portal") from its legitimate counterpart. This action grants them unauthorized access to the Salesforce customer environment and lets them exfiltrate data.
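A check a Salesforce administrator or detection engineer would want after reading the above is a periodic review of which connected apps users have authorized, joined to how much data each of those apps has pulled through the API. The script below is an added example, not code from Google, Mandiant, or Salesforce. It runs over constructed sample data: the OauthToken records mimic the result of the SOQL query `SELECT AppName, User.Username, CreatedDate, UseCount FROM OauthToken`, and the CSV rows mimic the Event Monitoring "API" event log file. The allowlist, the 10,000-row threshold, the app name "My Ticket Portal", and every username, IP address and timestamp are assumptions chosen for the example. It also assumes, for the join, that the log's CLIENT_NAME equals the connected app's AppName, which you must verify for your own org.

```python
"""Flag unapproved Salesforce connected-app grants that coincide with bulk exports.

Added example: the records below are constructed, not real org data.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Connected apps the org has reviewed and allowed. Assumption: maintained by the
# Salesforce admin from the Connected Apps OAuth Usage page in Setup.
APPROVED_APPS = {"Salesforce Data Loader", "Slack"}

# Constructed "current time" for the recency check.
NOW = datetime(2025, 6, 4, tzinfo=timezone.utc)

# Constructed records in the shape returned by the REST query endpoint for
# SOQL `SELECT AppName, User.Username, CreatedDate, UseCount FROM OauthToken`.
OAUTH_TOKENS = [
    {"AppName": "Salesforce Data Loader", "User": {"Username": "ops@example.com"},
     "CreatedDate": "2025-01-10T09:12:00.000+0000", "UseCount": 41},
    {"AppName": "Slack", "User": {"Username": "jdoe@example.com"},
     "CreatedDate": "2025-03-02T11:00:00.000+0000", "UseCount": 200},
    # The trace a vished employee leaves behind: a rebranded Data Loader
    # authorized minutes before a large export.
    {"AppName": "My Ticket Portal", "User": {"Username": "jdoe@example.com"},
     "CreatedDate": "2025-05-28T14:03:00.000+0000", "UseCount": 3},
]

# Constructed rows in the shape of the Event Monitoring "API" event log file
# (CSV, one row per API call). Only the columns used below are included.
API_LOG_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP
API,2025-05-28T14:05:11.000Z,jdoe@example.com,My Ticket Portal,query,Account,50000,203.0.113.7
API,2025-05-28T14:06:40.000Z,jdoe@example.com,My Ticket Portal,queryMore,Contact,120000,203.0.113.7
API,2025-05-28T10:00:00.000Z,ops@example.com,Salesforce Data Loader,query,Lead,8000,198.51.100.4
API,2025-05-28T10:01:00.000Z,jdoe@example.com,Slack,query,User,12,198.51.100.9
"""


def parse_sf_datetime(value):
    """Parse both timestamp styles above (+0000 offset or trailing Z) into UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+0000"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)


def unapproved_tokens(tokens, approved, now, recent_days=30):
    """Return OAuth grants for apps not on the allowlist, newest first."""
    findings = []
    for t in tokens:
        if t["AppName"] in approved:
            continue
        created = parse_sf_datetime(t["CreatedDate"])
        findings.append({
            "app": t["AppName"],
            "user": t["User"]["Username"],
            "created": created,
            "recent": now - created <= timedelta(days=recent_days),
            "use_count": t["UseCount"],
        })
    findings.sort(key=lambda f: f["created"], reverse=True)
    return findings


def rows_exported(api_log_csv, read_methods=("query", "queryMore", "retrieve")):
    """Sum ROWS_PROCESSED per (client, user) over read-type API calls."""
    totals = {}
    for row in csv.DictReader(io.StringIO(api_log_csv)):
        if row["EVENT_TYPE"] != "API" or row["METHOD_NAME"] not in read_methods:
            continue
        key = (row["CLIENT_NAME"], row["USER_NAME"])
        totals[key] = totals.get(key, 0) + int(row["ROWS_PROCESSED"])
    return totals


def alerts(tokens, api_log_csv, approved, now, row_threshold=10_000):
    """Join unapproved grants with export volume; alert above the threshold.

    Assumption: CLIENT_NAME in the API log equals the connected app's AppName.
    In a real org, map the client string to the app before joining.
    """
    exports = rows_exported(api_log_csv)
    out = []
    for f in unapproved_tokens(tokens, approved, now):
        rows = exports.get((f["app"], f["user"]), 0)
        if rows >= row_threshold:
            out.append({"app": f["app"], "user": f["user"], "rows": rows,
                        "recent_grant": f["recent"]})
    return out


if __name__ == "__main__":
    for a in alerts(OAUTH_TOKENS, API_LOG_CSV, APPROVED_APPS, NOW):
        print(f"ALERT: unapproved app {a['app']!r} authorized by {a['user']} "
              f"exported {a['rows']} rows (recent grant: {a['recent_grant']})")
```

The join is the point: a grant on its own is weak evidence, since users authorize apps legitimately, and a large export on its own may be a scheduled job. An app that is not on the allowlist, was authorized days ago, and immediately pulled hundreds of thousands of rows is the pattern described above, and the response is to revoke that grant from the Connected Apps OAuth Usage page and contact the user.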

Beyond data loss, the attacks serve as a stepping stone for UNC6040 to move laterally through the victim's network, and then access and harvest information from other platforms such as Okta, Workplace, and Microsoft 365.

Select incidents have also involved extortion activities, but only "several months" after the initial intrusions were observed, indicating an attempt to monetize the stolen data, presumably in partnership with a second threat actor.

"During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims," Google said.

UNC6040's overlaps with groups linked to The Com stem from the targeting of Okta credentials and the use of social engineering through IT support impersonation, a tactic that has been embraced by Scattered Spider, another financially motivated threat actor that's part of the loose-knit organized collective.

Google-owned Mandiant, in a technical overview of vishing and related social engineering attacks, pointed out that the distinct objectives of Scattered Spider and UNC6040 (the former's focus on account takeover for broad network access versus UNC6040's targeted theft of Salesforce data) underscore the "diverse risks" stemming from vishing.

The company said the threat actors conducting vishing campaigns also exploit targets' automated phone systems, with their pre-recorded messages and interactive menus, to glean more information about the organizations they are looking to penetrate before placing a call.

These phone services enable an attacker to "anonymously" identify common issues faced by end users, names of internal applications, additional phone numbers for specific support teams, and, sometimes, alerts about company-wide technical issues.

"Effective social engineering campaigns are built upon extensive reconnaissance," Nick Guttilla from the Mandiant Incident Response team said. "Prevalence of in-person social interactions has diminished and remote IT structures, such as an outsourced service desk, have normalized employees' engagement with external or less familiar personnel. As a result, threat actors continue to use social engineering tactics."


The vishing campaign hasn't gone unnoticed by Salesforce, which, in March 2025, warned of threat actors using social engineering tactics to impersonate IT support personnel over the phone and trick its customers' employees into giving away their credentials or approving the modified Data Loader app.

"They have been reported luring our customers' employees and third-party support workers to phishing pages designed to steal credentials and MFA tokens or prompting users to navigate to the login.salesforce[.]com/setup/connect page in order to add a malicious connected app," the company said.

"In some cases, we have observed that the malicious connected app is a modified version of the Data Loader app published under a different name and/or branding. Once the threat actor gains access to a customer's Salesforce account or adds a connected app, they use the connected app to exfiltrate data."

The development not only highlights the continued sophistication of social engineering campaigns, but also shows how IT support staff are being increasingly targeted as a way to gain initial access.

"The success of campaigns like UNC6040's, leveraging these refined vishing tactics, demonstrates that this approach remains an effective threat vector for financially motivated groups seeking to breach organizational defenses," Google said.

"Given the extended time frame between initial compromise and extortion, it is possible that multiple victim organizations and potentially downstream victims could face extortion demands in the coming weeks or months."

Update

In a statement shared with The Hacker News, Salesforce said all the observed incidents relied on manipulating end users, and that they did not involve the exploitation of any security vulnerability in its systems.

"Salesforce has enterprise-grade security built into every part of our platform, and there's no indication the issue described stems from any vulnerability inherent to our services. Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users' cybersecurity awareness and best practices."

"Security is a shared responsibility, and we provide customers with tools, guidance, and security features like Multi-Factor Authentication and IP restrictions to help defend against evolving threats. For full details, please see our blog on how customers can protect their Salesforce environments from social engineering: https://www.salesforce.com/blog/protect-against-social-engineering/."

(The story was updated after publication to include a response from Salesforce.)
