'Several dozen' high-value corporations hit by new extortion crew in helpdesk phishing spree

Google Threat Intelligence researchers have identified a new extortion group, tracked as UNC6783, targeting dozens of major corporations through sophisticated helpdesk social engineering and credential-harvesting phishing campaigns.

Key Points

  • Google identified the threat actor UNC6783, which targets call centers and business process outsourcers to gain unauthorized access to larger corporate IT environments.
  • Attackers use spoofed Okta login pages and custom phishing kits designed to bypass multi-factor authentication by stealing session data.
  • The group employs social engineering via live chat and fake security software updates to deploy remote access malware on employee devices.
  • Researchers suspect a potential link between UNC6783 and the "Mr. Raccoon" persona, who recently claimed responsibility for a significant data breach at Adobe.
  • Stolen data is leveraged for extortion, with the group delivering ransom demands to victims via encrypted Proton Mail accounts.

Why it Matters

This campaign highlights the growing vulnerability of third-party business process outsourcers as a primary entry point for attackers targeting larger enterprises. By compromising helpdesk staff, these criminals can bypass traditional security perimeters and gain persistent access to sensitive corporate data.
Theregister.com Published by Jessica Lyons