cstromblad.com Christoffer Strömblad Wednesday, August 27, 2025 -
In this multi-source analysis I’ve attempted to fuse publicly available information about the UNC6040 group into one report and analysis to provide a better view of the activity cluster named UNC6040 (Google/Mandiant naming).

Executive Summary
UNC6040 represents a sophisticated financially motivated threat group that has emerged as a significant threat to organizations utilizing cloud-based customer relationship management systems. First identified by Google’s Threat Intelligence Group1, this actor has been conducting voice phishing campaigns since at least December 20242 to compromise Salesforce environments for large-scale data theft and extortion purposes.

The group has successfully breached approximately 20 organizations across hospitality, retail, and education sectors3, demonstrating a clear preference for targets with substantial customer databases and valuable personally identifiable information. Perhaps most notably, the group successfully compromised Google’s own Salesforce environment through sophisticated OAuth token abuse4, highlighting their capability to breach even well-defended organizations.

What distinguishes UNC6040 from traditional threat actors is their primary reliance on social engineering rather than technical exploitation. By impersonating IT support personnel through voice calls, they guide victims to authorize malicious connected apps, specifically modified versions of Salesforce’s Data Loader tool1. This approach effectively bypasses traditional security controls including multi-factor authentication, representing a fundamental shift in the threat landscape that security teams must address.

Threat Actor Profile and Victimology
UNC6040’s targeting reveals a calculated approach to victim selection. The group primarily focuses on luxury retailers, hospitality organizations, and educational institutions3, with additional confirmed targeting of aviation, financial services, and technology companies2. This sector preference suggests a clear understanding of where high-value customer data concentrates and where cloud CRM adoption is mature.

The threat actor demonstrates varying levels of technical proficiency across different intrusions, with some operations achieving complete data extraction while others result in only partial exfiltration before detection1. This inconsistency may indicate either multiple operators with different skill levels or an evolving tradecraft as the group refines their techniques.

Intelligence suggests potential collaboration with other threat actors, particularly the ShinyHunters collective4. UNC6040 may engage in partnership models where initial compromise and data theft are followed by collaboration with specialized extortion groups months after the initial breach1. This delayed monetization strategy complicates attribution and incident response efforts.

Operational Capabilities and Techniques
The group’s attack methodology begins with extensive reconnaissance through automated phone systems and live calls where operators impersonate IT support staff53. This initial intelligence gathering phase allows them to understand organizational structures, identify key personnel, and develop credible pretexts for their social engineering approaches.

The technical implementation involves guiding victims to Salesforce’s connected app setup page where they authorize malicious applications using connection codes1. These modified Data Loader applications are often disguised with legitimate-sounding names such as “My Ticket Portal” to align with the social engineering narrative13. Once authorized, these applications provide API-level access enabling bulk data exfiltration through legitimate platform features.

Post-compromise activities extend beyond the initial Salesforce environment. The group demonstrates capability for lateral movement, targeting Okta, Microsoft 365, and Workplace environments to harvest additional credentials and expand their access32. They employ test queries before conducting full data extraction1, suggesting a methodical approach to validating access and identifying high-value datasets.

The group’s data exfiltration focuses on customer PII including names, dates of birth, addresses, phone numbers, and account metadata2. By avoiding custom malware and instead relying on legitimate tools and platform features, they maintain a minimal forensic footprint that complicates detection and attribution efforts2.

Infrastructure and Operational Security
UNC6040 demonstrates strong operational security practices, primarily accessing victim environments through Mullvad VPN IP addresses1. This VPN usage provides anonymity and complicates law enforcement efforts to track the group’s activities. The threat actors also utilize Okta phishing panels hosted on the same infrastructure as their vishing operations1, suggesting a centralized approach to their technical infrastructure.

The group’s infrastructure choices reflect an understanding of modern detection capabilities and a deliberate effort to blend malicious activity with legitimate traffic patterns. By leveraging standard Salesforce API calls and OAuth workflows4, they avoid triggering traditional security alerts focused on malware or anomalous network traffic.

Strategic Outlook and Future Developments
The success of UNC6040’s operations, including the high-profile breach of Google’s Salesforce environment4, will likely inspire both evolution of their own tactics and adoption of similar techniques by other threat actors. In the near term, we assess with moderate confidence that the group will expand their targeting to additional cloud CRM platforms as organizations increase security awareness around Salesforce-specific threats.

The demonstrated collaboration between UNC6040 and groups like ShinyHunters4 suggests a maturing criminal ecosystem where specialized actors collaborate to maximize the value extracted from compromised organizations. This partnership model is likely to expand, with UNC6040 potentially serving as an initial access broker for ransomware operations or other extortion groups.

The fundamental challenge posed by UNC6040 lies not in their technical sophistication but in their exploitation of human trust and legitimate platform features. As organizations implement phishing-resistant MFA and enhanced monitoring capabilities5, the group will likely evolve their social engineering tactics and potentially shift toward supply chain targeting through managed service providers and cloud service integrators.

Looking forward, the convergence of voice-based social engineering with OAuth abuse and API-level data access represents a maturation of the threat landscape that traditional perimeter-based security models are poorly equipped to address. Organizations must anticipate continued activity from UNC6040 and similar groups, with potential escalation in both the scale of operations and the sophistication of social engineering techniques employed.

The shift from technical exploitation to identity-based attacks demonstrated by UNC6040 requires a fundamental reconsideration of security architectures. As legitimate platform features become the primary vector for data exfiltration, the distinction between authorized and malicious activity becomes increasingly nuanced, demanding behavioral analytics and continuous monitoring capabilities that many organizations currently lack.

https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion/ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

https://unit42.paloaltonetworks.com/retail-hospitality-heists-in-the-digital-age/ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

https://www.varonis.com/blog/salesforce-vishing-threat-unc604 ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

https://guardz.com/blog/from-vishing-to-oauth-abuse-how-shinyhunters-compromised-the-cloud/ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

https://cloud.google.com/blog/topics/threat-intelligence/technical-analysis-vishing-threats/ ↩︎ ↩︎

arstechnica.com - Disclosure comes two months after Google warned the world of ongoing spree.
In June, Google said it unearthed a campaign that was mass-compromising accounts belonging to customers of Salesforce. The means: an attacker pretending to be someone in the customer's IT department feigning some sort of problem that required immediate access to the account. Two months later, Google has disclosed that it, too, was a victim.

The series of hacks are being carried out by financially motivated threat actors out to steal data in hopes of selling it back to the targets at sky-high prices. Rather than exploiting software or website vulnerabilities, they take a much simpler approach: calling the target and asking for access. The technique has proven remarkably successful. Companies whose Salesforce instances have been breached in the campaign, Bleeping Computer reported, include Adidas, Qantas, Allianz Life, Cisco, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

Better late than never
The attackers abuse a Salesforce feature that allows customers to link their accounts to third-party apps that integrate data with in-house systems for blogging, mapping tools, and similar resources. The attackers in the campaign contact employees and instruct them to connect an external app to their Salesforce instance. As the employee complies, the attackers ask the employee for an eight-digit security code that the Salesforce interface requires before a connection is made. The attackers then use this number to gain access to the instance and all data stored in it.

Google said that its Salesforce instance was among those that were compromised. The breach occurred in June, but Google only disclosed it on Tuesday, presumably because the company only learned of it recently.

“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” the company said.

Data retrieved by the attackers was limited to business information such as business names and contact details, which Google said was “largely public” already.

Google initially attributed the attacks to a group traced as UNC6040. The company went on to say that a second group, UNC6042, has engaged in extortion activities, “sometimes several months after” the UNC6040 intrusions. This group brands itself under the name ShinyHunters.

“In addition, we believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” Google said. “These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.”

With so many companies falling to this scam—including Google, which only disclosed the breach two months after it happened—the chances are good that there are many more we don’t know about. All Salesforce customers should carefully audit their instances to see what external sources have access to it. They should also implement multifactor authentication and train staff how to detect scams before they succeed.

UNC6040 uses vishing to impersonate IT support, deceiving victims into granting access to their Salesforce instances.

Google Threat Intelligence Group (GTIG) is tracking UNC6040, a financially motivated threat cluster that specializes in voice phishing (vishing) campaigns specifically designed to compromise organizations' Salesforce instances for large-scale data theft and subsequent extortion. Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements. This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organization’s Salesforce data. In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.

A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal. This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce. During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version. This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments. This methodology of abusing Data Loader functionalities via malicious connected apps is consistent with recent observations detailed by Salesforce in their guidance on protecting Salesforce environments from such threats.

In some instances, extortion activities haven't been observed until several months after the initial UNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data. During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims.