A threat group known as UNC6783 is targeting business process outsourcing companies to break into larger organizations across different industries, according to findings from Google’s Threat Intelligence team.
By compromising these third-party service providers, the attackers have been able to access multiple high-value corporate targets and steal sensitive data for extortion.
Google’s principal threat analyst Austin Larsen said the group mainly relies on phishing and social engineering tactics to infiltrate BPO firms that work closely with the intended victims. In some cases, the attackers have gone a step further by directly contacting support and helpdesk teams within organizations, attempting to trick staff into granting them access.
Researchers believe UNC6783 may be connected to a persona known as Raccoon, which has previously targeted several outsourcing firms serving large enterprises. During these attacks, the hackers often use live chat to guide support employees toward fake Okta login pages. These phishing pages are hosted on domains designed to look legitimate, following patterns that closely mimic official company support portals.
The phishing setup used in these campaigns is designed to capture login credentials and even access clipboard data, allowing attackers to bypass multi-factor authentication and register their own devices within the targeted organization’s systems.
In addition to phishing, Google has also observed cases where the attackers distributed fake security updates that installed remote access malware on victims’ machines. Once inside, the group extracts sensitive information and later contacts victims through ProtonMail to demand payment.
Although Google did not provide detailed information about the Raccoon persona, a threat intelligence account recently reported that someone using the name “Mr. Raccoon” claimed responsibility for a breach involving Adobe. The company has not confirmed the incident.
According to those claims, the attacker gained access by compromising an India-based outsourcing provider working with Adobe. The intrusion reportedly involved deploying a remote access trojan on an employee’s system, followed by a phishing attack targeting the employee’s manager.
The attacker alleged that around 13 million support tickets were stolen, including personal information, internal documents, employee data, and submissions from the HackerOne platform. In separate discussions, the same individual also claimed involvement in the CrunchyRoll breach, though no proof was provided.
To defend against these types of attacks, Google’s Mandiant team recommends stronger authentication methods such as FIDO2 security keys, monitoring live chat systems for suspicious activity, blocking domains that mimic Zendesk-style support pages, and regularly reviewing devices connected through multi-factor authentication.
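The lookalike support-portal domains described earlier and two of the Mandiant recommendations above (blocking domains that mimic Zendesk-style support pages, and reviewing recently registered MFA devices) can be turned into simple defensive checks. The script below is an added example, not code from Google, Mandiant, Okta or Zendesk; the company name, allowlisted hosts, corporate IP range and the `mfa.factor.enrolled` log events are all constructed for illustration, so a real deployment would substitute its own identity-provider log format and a full public suffix list.

```python
"""Two defensive checks matching the article's recommendations. Added
example: not code from Google, Mandiant, Okta or Zendesk. All names,
domains, IP ranges and log events below are constructed for illustration."""
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# --- Check 1: lookalike support / SSO portal domains --------------------------

# Hostnames and registered domains the (hypothetical) organisation really uses.
ALLOWED_HOSTS = {"examplecorp.okta.com", "examplecorp.zendesk.com"}
ALLOWED_REGISTERED = {"example.com"}
VENDOR_DOMAINS = {"okta.com", "zendesk.com"}          # identity / support vendors in use
COMPANY_TOKENS = {"examplecorp", "example"}            # words that name the company
PORTAL_TOKENS = {"support", "helpdesk", "login", "sso", "verify", "auth"}
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}     # small stand-in for a public suffix list
LEET = str.maketrans("01", "ol")                       # undo common digit-for-letter swaps

def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname (eTLD+1), e.g. a.b.co.uk -> b.co.uk."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_host(host: str) -> tuple:
    """Label a hostname 'allowed', 'benign' or 'suspicious' with a short reason."""
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return "allowed", "known portal"
    reg = registered_domain(host)
    if reg in ALLOWED_REGISTERED:
        return "allowed", "company-owned domain"
    # Split into words after undoing digit swaps so 'examplec0rp' still matches.
    words = set(re.split(r"[.\-_]", host.translate(LEET)))
    if reg in VENDOR_DOMAINS:
        # A tenant on the vendor's own domain that carries our name but is not ours.
        if words & COMPANY_TOKENS:
            return "suspicious", f"company-branded tenant on {reg} is not in the allowlist"
        return "benign", "unrelated tenant on vendor domain"
    vendor_words = {v.split(".")[0] for v in VENDOR_DOMAINS} & words
    if vendor_words:
        return "suspicious", f"vendor name {sorted(vendor_words)} used on foreign domain {reg}"
    if words & COMPANY_TOKENS and words & PORTAL_TOKENS:
        return "suspicious", f"company name plus portal word on foreign domain {reg}"
    return "benign", ""

# --- Check 2: recently enrolled MFA devices ----------------------------------

CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed corporate egress range

def recent_enrollments(events, now, window=timedelta(hours=24)):
    """Return MFA factor enrollments younger than `window`, marking those
    performed from outside the corporate network for priority review."""
    hits = []
    for ev in events:
        if ev["event"] != "mfa.factor.enrolled":      # constructed event name, not a vendor's
            continue
        when = datetime.fromisoformat(ev["time"])
        if now - when > window:
            continue
        src = ipaddress.ip_address(ev["src_ip"])
        outside = not any(src in net for net in CORPORATE_NETS)
        hits.append({"user": ev["user"], "factor": ev["factor"],
                     "age_minutes": int((now - when).total_seconds() // 60),
                     "outside_corp": outside})
    # Off-network enrollments first, newest first within each group.
    return sorted(hits, key=lambda h: (not h["outside_corp"], h["age_minutes"]))

SAMPLE_EVENTS = [  # constructed log lines
    {"time": "2024-05-01T09:05:00+00:00", "user": "a.lee", "event": "mfa.factor.enrolled",
     "factor": "push", "src_ip": "198.51.100.7"},
    {"time": "2024-05-01T08:40:00+00:00", "user": "b.ng", "event": "mfa.factor.enrolled",
     "factor": "totp", "src_ip": "203.0.113.22"},
    {"time": "2024-04-20T10:00:00+00:00", "user": "c.ray", "event": "mfa.factor.enrolled",
     "factor": "push", "src_ip": "198.51.100.9"},
    {"time": "2024-05-01T09:10:00+00:00", "user": "a.lee", "event": "user.login",
     "factor": "", "src_ip": "198.51.100.7"},
]
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for h in ["examplecorp.okta.com", "examplecorp-okta.com", "examplec0rp-sso.com",
              "examplecorp-support.zendesk.com", "othercompany.zendesk.com"]:
        print(f"{h:35} {classify_host(h)}")
    for hit in recent_enrollments(SAMPLE_EVENTS, NOW):
        print(hit)
```

The domain check deliberately treats an unknown company-branded tenant on the vendor's own domain (for example `examplecorp-support.zendesk.com` when only `examplecorp.zendesk.com` is yours) as suspicious, since that is exactly the shape of a mimicked support page; the enrollment check is meant to feed a daily review rather than to block, so that a helpdesk-approved device registration from an unexpected network gets a second look.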