A financially motivated cybercriminal group known as UNC6040 has been implicated in a global voice phishing (or “vishing”) campaign that targets companies using Salesforce, according to newly published research from Google Cloud’s Threat Intelligence Group (GTIG). The attackers are not exploiting software vulnerabilities—instead, they are manipulating people.
UNC6040 has been contacting employees under the guise of internal IT support, persuading them over the phone to install fake Salesforce-connected applications. These malicious apps, often disguised as legitimate tools like Salesforce Data Loader, give the attackers unauthorized access to sensitive corporate data and the ability to move laterally across company networks and cloud services.
GTIG emphasized that the campaign does not involve any breach or flaw in Salesforce itself. The threat actors are relying entirely on social engineering tactics, exploiting trust and human error rather than technical weaknesses in the software platform.
The campaign appears to be ongoing and relatively limited in scope so far. GTIG’s current assessment indicates that approximately 20 organizations have been affected across the Americas and Europe. The group has not focused on any particular industry but has opportunistically targeted a broad range of sectors, including hospitality, retail, and education.
Once inside a company’s systems, UNC6040 has reportedly exfiltrated data using VPN services such as Mullvad and employed phishing infrastructure to obtain multi-factor authentication credentials from users. In some cases, the group has returned months after the initial breach to demand extortion payments, suggesting collaboration with other criminal actors who specialize in monetizing stolen data.
During some extortion efforts, the group has claimed ties to well-known hacking collectives such as ShinyHunters, possibly in an effort to heighten pressure on their victims. GTIG’s intelligence points to overlaps between UNC6040’s methods and those used by members of “The Com,” a loosely affiliated network of cybercriminal groups that includes UNC3944 and Scattered Spider.
Salesforce has previously issued guidance warning users about the risks associated with installing unauthorized connected apps, especially those mimicking tools like Data Loader. The GTIG report reinforces that companies should be cautious not only about technical defenses but also about training their staff to resist deceptive social engineering efforts.
This incident underscores a growing trend in cybercrime, where attackers bypass technical barriers not with code, but with conversation. As companies fortify their systems, criminals are increasingly focusing on the people who use them, often the most vulnerable part of any network.
Editor’s note: This article was initially written by ChatGPT-4o based on the author’s specific instructions, which included news judgment, fact-checking, and thorough editing before publication.
Related story: Scammers exploit breached data in $520K crypto theft
South Korean police say they have uncovered a cryptocurrency fraud scheme where stolen victim data, acquired through the messaging app Telegram, was used to target unsuspecting individuals.
The Incheon Jungbu Police have arrested seven members of a cryptocurrency scam ring, according to Senior Inspector Choi Jae-hwang of the station’s Intelligent Crime Investigation unit. The group is accused of defrauding 69 victims of around $520,000 (710 million won) between February 14 and March 4. The scam involved a fake cryptocurrency website, Choi revealed at a press briefing.
According to police, the criminals targeted individuals who had already fallen victim to cryptocurrency or investment scams. The scammers used phone calls and texts to tempt these victims, promising to recover all their lost funds. They then directed them to a fake crypto mining website that supposedly collected cryptocurrencies and offered unrealistic daily earnings of 4 million won. However, authorities stressed that the website was designed to be a dead end, preventing victims from ever obtaining any revenue.
Editor’s note: Due to the South Korean holiday on June 6, this article replaces this week’s Weekend Briefing.