Google has disclosed details of a financially motivated threat cluster it tracks as UNC6040, which notably specializes in voice phishing campaigns. These vishing attacks are specifically designed to breach organizations’ Salesforce instances, facilitating large-scale data theft and also subsequent extortion attempts. This particular threat group exhibits characteristics that clearly align with other cybercrime collectives, such as the notorious group known by the name “The Com”. Over the past several months, UNC6040 has unfortunately demonstrated repeated success in breaching various corporate networks through convincingly executed telephone-based social engineering. Its operators skillfully impersonate IT support personnel, effectively tricking English-speaking employees into actions that grant unauthorized system access or share valuable credentials.
A noteworthy aspect of UNC6040’s extensive activities involves their clever use of a modified version of Salesforce’s own Data Loader tool. Victims are often deceived into authorizing this significantly altered application during the vishing attack to connect to their organization’s Salesforce portal. Attackers typically guide the targeted employee to visit Salesforce’s connected app setup page and then approve the identified malicious Data Loader application. This counterfeit application usually carries a completely different name or branding, such as “My Ticket Portal,” from its legitimate Salesforce counterpart. This deceptive action then grants the attackers full unauthorized access to the Salesforce customer environments, allowing them to exfiltrate large volumes of data.
This particular threat group exhibits characteristics that clearly align with other cybercrime collectives, such as the notorious group known by the name “The Com”.
Beyond the initial significant data loss from the compromised Salesforce instances, these sophisticated attacks often serve as a dangerous stepping stone. The UNC6040 threat actors frequently attempt to move laterally through the victim’s now compromised network to access and harvest additional valuable information. These other targeted platforms can include Okta for identity management, Workplace by Facebook for internal corporate communications, and also Microsoft 365 cloud services. Select past incidents have also involved subsequent extortion activities conducted by the group, but these typically occur several months after the initial intrusions. During these extortion attempts, the actor has frequently claimed a direct affiliation with the well-known hacking group ShinyHunters, likely to increase psychological pressure.
Salesforce had previously warned its numerous customers in March 2025 about threat actors actively using similar social engineering tactics over the phone. These attackers consistently impersonated IT support personnel to trick employees into giving away their login credentials or approving a modified Data Loader application. Salesforce emphasized that these observed incidents primarily relied on manipulating end users and did not involve any Salesforce system platform vulnerabilities. The continuing success of campaigns like UNC6040’s demonstrates that refined vishing tactics remain a highly effective threat vector for many financially motivated groups.
Reference:
