Cyber Incident Victim: Google
Date: Jun 2025
Location: United States of America
Summary
UNC6040 conducts voice phishing (vishing) calls in which the callers pose as IT support and talk employees into authorising a malicious Salesforce Data Loader connected application, giving the attackers API access to the organisation's Salesforce data. The stolen information, which can include business contact details, is later used in extortion attempts demanding Bitcoin payment within a short deadline, in some cases months after the initial intrusion. To obscure their origin, the group routes traffic through Mullvad VPN and Tor, and over time it has shifted from the Data Loader tool itself to custom Python scripts for exfiltration.
| Threat Actor | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| 1 actor (UNC6040) | 1 motive | 2 techniques |
Description
On June 4, 2025, Google Threat Intelligence Group (GTIG) published a blog post detailing the activity of a financially motivated threat cluster tracked as UNC6040. The group specialises in voice phishing campaigns against organisations' Salesforce instances, stealing data for later extortion. Callers impersonate IT support staff and convince employees to approve a malicious Salesforce Data Loader connected application; once the app is authorised, the attackers use its access to query and export sensitive corporate data. The exfiltrated information, such as business contact details, is then used in extortion attempts that often claim affiliation with the 'ShinyHunters' brand and demand Bitcoin payment within a 72-hour window; some of these demands arrive months after the initial breach. Over time UNC6040 moved from relying solely on Salesforce Data Loader to custom Python scripts, and it routes its traffic through Mullvad VPN and Tor exit nodes to hide its origin.

The attackers' tactics include social engineering employees, frequently IT personnel, with an IT-support pretext and presenting the malicious OAuth connected app under an innocuous name such as 'My Ticket Portal' so that the approval prompt looks routine; abusing the authorised connected app for data exfiltration; and combining voice phishing with credential harvesting to deepen their access. Because the access is granted through Salesforce's own OAuth authorisation flow rather than by exploiting a vulnerability, the resulting API activity resembles legitimate Data Loader use and persists until the connected app or its tokens are revoked, which lets the actors operate without triggering conventional security controls. The stolen data is subsequently leveraged in follow-up calls that pressure victims to pay, under threat of public disclosure or further misuse if demands are not met.
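The pattern described above (a newly authorised connected app, bulk reads, a scripted client instead of the Data Loader binary, and traffic from anonymising infrastructure) lends itself to a simple triage rule set over Salesforce API telemetry. The script below is an added example written for this entry, not code from GTIG or Salesforce. The records are constructed, the field names are assumed to mirror Salesforce Real-Time Event Monitoring `ApiEvent` fields (`Username`, `Application`, `UserAgent`, `RowsProcessed`, `SourceIp`), and the application names, IP ranges and row threshold are placeholders; a real deployment would feed the anonymiser list from a Tor/VPN exit-node feed and tune the threshold to the org's normal export volume.

```python
"""Triage Salesforce API telemetry for the UNC6040-style connected-app abuse
pattern: unapproved connected app, scripted client, bulk reads, anonymizer IPs.
Added example; records and thresholds are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed sample records. Field names assume the Salesforce ApiEvent shape;
# adapt them to whatever export (EventLogFile, SIEM) you actually have.
SAMPLE_EVENTS = [
    {"EventIdentifier": "e1", "Username": "alice@example.com",
     "Application": "Salesforce Data Loader", "UserAgent": "Salesforce-DataLoader/64.0",
     "Operation": "Query", "RowsProcessed": 2000, "SourceIp": "203.0.113.10"},
    {"EventIdentifier": "e2", "Username": "bob@example.com",
     "Application": "My Ticket Portal", "UserAgent": "Salesforce-DataLoader/64.0",
     "Operation": "Query", "RowsProcessed": 480000, "SourceIp": "198.51.100.77"},
    {"EventIdentifier": "e3", "Username": "bob@example.com",
     "Application": "My Ticket Portal", "UserAgent": "python-requests/2.32.3",
     "Operation": "Query", "RowsProcessed": 150000, "SourceIp": "198.51.100.78"},
    {"EventIdentifier": "e4", "Username": "carol@example.com",
     "Application": "Salesforce for iOS", "UserAgent": "SalesforceMobileSDK",
     "Operation": "Query", "RowsProcessed": 25, "SourceIp": "192.0.2.5"},
]

# Connected apps the org has explicitly approved (hypothetical allowlist).
APPROVED_APPS = {"Salesforce Data Loader", "Salesforce for iOS"}
# Placeholder range standing in for a VPN/Tor exit-node feed (constructed, not real Mullvad/Tor space).
ANONYMIZER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Rows read per (user, app) across the analysed window before we call it bulk exfiltration.
ROW_THRESHOLD = 100000
# User-agent prefixes that indicate a hand-rolled client rather than a sanctioned tool.
SCRIPTED_CLIENTS = ("python-requests", "python-urllib", "curl/")


def from_anonymizer(ip, nets=ANONYMIZER_NETS):
    """True if the source address falls inside any known anonymizer range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(events, approved=APPROVED_APPS, nets=ANONYMIZER_NETS, threshold=ROW_THRESHOLD):
    """Return {event_id: [reasons]} for every event matching at least one indicator."""
    # Aggregate read volume per user and connected app so a series of modest
    # queries from one app still trips the bulk indicator.
    rows_by_principal = defaultdict(int)
    for ev in events:
        rows_by_principal[(ev["Username"], ev["Application"])] += ev.get("RowsProcessed", 0)

    findings = {}
    for ev in events:
        reasons = []
        if ev["Application"] not in approved:
            reasons.append("unapproved connected app")
        if ev.get("UserAgent", "").startswith(SCRIPTED_CLIENTS):
            reasons.append("scripted client user agent")
        if rows_by_principal[(ev["Username"], ev["Application"])] >= threshold:
            reasons.append("bulk read volume")
        if from_anonymizer(ev["SourceIp"], nets):
            reasons.append("source ip in anonymizer range")
        if reasons:
            findings[ev["EventIdentifier"]] = reasons
    return findings


def score(findings):
    """Rank findings so events matching the most indicators come first."""
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for event_id, reasons in score(triage(SAMPLE_EVENTS)):
        print(event_id, "->", ", ".join(reasons))
```

Each indicator on its own is noisy (a legitimate admin can run a large Data Loader export, and staff do use VPNs); the value is in the combination, which is why `score` ranks by how many indicators co-occur. The unapproved-app check is the one worth enforcing preventively as well, by restricting which connected apps users may authorise in the Salesforce org.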
In response to the observed activity, Google Threat Intelligence Group released the blog post to inform the broader security community about UNC6040's methods, infrastructure and impact. The disclosure outlines the evolution of the group's tooling, its use of anonymising networks, and the delayed timing of its extortion attempts, and it pairs the reporting with hardening recommendations for Salesforce customers. By publishing these details GTIG aims to raise awareness of this vishing-based data theft and extortion campaign.
