Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

UNC6040 Vishing Group Target Salesforce Data

June 5, 2025
Reading Time: 3 mins read
in Alerts
UNC6040 Vishing Group Target Salesforce Data

Google has disclosed details of a financially motivated threat cluster it tracks as UNC6040, which notably specializes in voice phishing campaigns. These vishing attacks are specifically designed to breach organizations’ Salesforce instances, facilitating large-scale data theft and also subsequent extortion attempts. This particular threat group exhibits characteristics that clearly align with other cybercrime collectives, such as the notorious group known by the name “The Com”. Over the past several months, UNC6040 has unfortunately demonstrated repeated success in breaching various corporate networks through convincingly executed telephone-based social engineering. Its operators skillfully impersonate IT support personnel, effectively tricking English-speaking employees into actions that grant unauthorized system access or share valuable credentials.

A noteworthy aspect of UNC6040’s extensive activities involves their clever use of a modified version of Salesforce’s own Data Loader tool. Victims are often deceived into authorizing this significantly altered application during the vishing attack to connect to their organization’s Salesforce portal. Attackers typically guide the targeted employee to visit Salesforce’s connected app setup page and then approve the identified malicious Data Loader application. This counterfeit application usually carries a completely different name or branding, such as “My Ticket Portal,” from its legitimate Salesforce counterpart. This deceptive action then grants the attackers full unauthorized access to the Salesforce customer environments, allowing them to exfiltrate large volumes of data.

This particular threat group exhibits characteristics that clearly align with other cybercrime collectives, such as the notorious group known by the name “The Com”.

Beyond the initial significant data loss from the compromised Salesforce instances, these sophisticated attacks often serve as a dangerous stepping stone. The UNC6040 threat actors frequently attempt to move laterally through the victim’s now compromised network to access and harvest additional valuable information. These other targeted platforms can include Okta for identity management, Workplace by Facebook for internal corporate communications, and also Microsoft 365 cloud services. Select past incidents have also involved subsequent extortion activities conducted by the group, but these typically occur several months after the initial intrusions. During these extortion attempts, the actor has frequently claimed a direct affiliation with the well-known hacking group ShinyHunters, likely to increase psychological pressure.

Salesforce had previously warned its numerous customers in March 2025 about threat actors actively using similar social engineering tactics over the phone. These attackers consistently impersonated IT support personnel to trick employees into giving away their login credentials or approving a modified Data Loader application. Salesforce emphasized that these observed incidents primarily relied on manipulating end users and did not involve any Salesforce system platform vulnerabilities. The continuing success of campaigns like UNC6040’s demonstrates that refined vishing tactics remain a highly effective threat vector for many financially motivated groups.

Reference:

  • The Cost of a Call: From Voice Phishing to Data Extortion
Tags: Cyber AlertsCyber Alerts 2025CyberattackCybersecurityJune 2025
ADVERTISEMENT

Related Posts

Fake Firms Push Malware on Crypto Users

Fake Sites Push Investment Scams

July 11, 2025
Fake Firms Push Malware on Crypto Users

Severe WordPress Flaw 200K Sites at Risk

July 11, 2025
Fake Firms Push Malware on Crypto Users

Fake Firms Push Malware on Crypto Users

July 11, 2025
Hackers Revive SEO Poisoning

Hackers Revive SEO Poisoning

July 10, 2025
Hackers Revive SEO Poisoning

RondoDox Botnet Exploits Router Flaws

July 10, 2025
Hackers Revive SEO Poisoning

ServiceNow Data Exposure via ACLs

July 10, 2025

Latest Alerts

Fake Sites Push Investment Scams

Fake Firms Push Malware on Crypto Users

Severe WordPress Flaw 200K Sites at Risk

RondoDox Botnet Exploits Router Flaws

ServiceNow Data Exposure via ACLs

Hackers Revive SEO Poisoning

Subscribe to our newsletter

    Latest Incidents

    Microsoft’s Outlook Long Outage

    Avantic Lab Affected By Ransomware

    $40M+ Stolen from GMX Crypto Platform

    Bitcoin Depot Breach Exposes Data

    McDonald’s AI Hiring Bot Exposes Data

    Nippon Steel Solutions Data Breach

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial