Researchers said the hackers are compromising business process outsourcers and targeting help desk support.

Google has uncovered a financially motivated social engineering campaign targeting organizations across multiple industries, with attackers leveraging sophisticated tactics to infiltrate enterprise environments and extort payments. The campaign, identified by Google’s Threat Intelligence Group, highlights the growing risk posed by human-centric attack vectors that exploit trust and operational dependencies.

The threat cluster, tracked as UNC6783, has been actively compromising business process outsourcing (BPO) providers that support targeted organizations. By breaching these third-party partners, attackers are able to gain indirect access to enterprise systems, expanding their reach and increasing the likelihood of successful intrusion. The group is also believed to have potential links to an individual operating under the “Raccoon” persona.

In parallel, the attackers have been directly targeting internal support and help desk staff within organizations. By impersonating legitimate users or leveraging social engineering techniques, they establish trust with employees and manipulate them into revealing sensitive credentials or granting access to internal systems.

A key tactic used in the campaign involves directing employees to malicious Okta login pages via live chat interactions. These phishing pages are designed to closely mimic legitimate authentication portals, enabling attackers to capture login credentials. Advanced phishing kits are then deployed to bypass multifactor authentication, allowing threat actors to enroll their own devices and maintain persistent access within compromised environments.
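The device-enrollment step described above leaves a trace defenders can look for: a new MFA factor activated from an address the user only just started signing in from. The following is an added example, not code from Google or from the original article; it uses Okta System Log event types and field names (`user.session.start`, `user.mfa.factor.activate`, `actor.alternateId`, `client.ipAddress`), while the 30-minute window, the sample events and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption: tune to your environment

def _ev(ts, etype, user, ip):
    # Reduced to the System Log fields this check reads; timestamps simplified.
    return {"published": ts, "eventType": etype,
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}

# Constructed sample events (not real logs); documentation IP ranges only.
EVENTS = [
    _ev("2025-01-02T08:30:00Z", "user.session.start", "carol@example.com", "198.51.100.30"),
    _ev("2025-01-03T08:30:00Z", "user.session.start", "carol@example.com", "198.51.100.31"),
    _ev("2025-01-06T09:00:00Z", "user.session.start", "alice@example.com", "198.51.100.10"),
    _ev("2025-01-07T10:00:00Z", "user.session.start", "bob@example.com", "198.51.100.20"),
    _ev("2025-01-07T10:05:00Z", "user.mfa.factor.activate", "bob@example.com", "198.51.100.20"),
    _ev("2025-01-07T11:00:00Z", "user.mfa.factor.activate", "carol@example.com", "198.51.100.30"),
    _ev("2025-01-07T14:10:00Z", "user.session.start", "alice@example.com", "203.0.113.77"),
    _ev("2025-01-07T14:14:00Z", "user.mfa.factor.activate", "alice@example.com", "203.0.113.77"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def suspicious_enrollments(events, window=WINDOW):
    """Flag factor activations from an IP first seen for that user within
    `window`, when the user already has sign-in history from another IP."""
    first_seen = {}  # user -> {ip: time of first sign-in from that IP}
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["published"])):
        user, ip = ev["actor"]["alternateId"], ev["client"]["ipAddress"]
        when = _ts(ev["published"])
        ips = first_seen.setdefault(user, {})
        if ev["eventType"] == "user.session.start":
            ips.setdefault(ip, when)
        elif ev["eventType"] == "user.mfa.factor.activate":
            # New hires enrolling on day one have no other history: skip them.
            has_baseline = any(other != ip for other in ips)
            ip_is_new = ip not in ips or when - ips[ip] <= window
            if has_baseline and ip_is_new:
                alerts.append((user, ip, ev["published"]))
    return alerts

if __name__ == "__main__":
    for alert in suspicious_enrollments(EVENTS):
        print("review MFA enrollment:", *alert)
```

An alert here is a prompt to confirm the enrollment with the user out of band, since travel and VPN changes produce the same pattern.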

In certain cases, attackers have also used fake security software as a lure, convincing employees to install remote access tools disguised as legitimate applications. Once installed, these tools provide attackers with deeper system control, facilitating data exfiltration and further lateral movement across networks.

Following successful infiltration, the attackers issue ransom demands using Proton email accounts, pressuring organizations to pay in exchange for preventing data leaks or further disruption. While specific victims have not been publicly disclosed, Google confirmed that dozens of organizations have been targeted as part of this campaign.

The activity has also drawn attention because of similarities with earlier allegations made by a hacker known as “Mr. Raccoon,” who claimed to have participated in a social engineering attack on Adobe. Although Adobe has not made the incident public, the person claimed to have obtained and stolen a sizable amount of support-related data.

This campaign underscores the increasing sophistication of social engineering attacks, where threat actors combine psychological manipulation with technical evasion techniques to bypass traditional security controls. As attackers continue to exploit human vulnerabilities, organizations are being urged to strengthen their defenses by adopting phishing-resistant multifactor authentication and restricting access to unauthorized domains.

The emergence of UNC6783 signals a broader shift in the threat landscape, where attackers are prioritizing indirect entry points and trusted relationships to maximize impact while minimizing detection.
