Ethical Hacking News
A global phishing campaign targeting several dozen high-value corporations has been identified by Google Threat Intelligence Group as being perpetrated by the financially-motivated group UNC6783, which may have ties to the infamous "Mr. Raccoon" persona. The attackers are employing a range of tactics, including social engineering and stolen credentials, to gain access to corporate IT environments and extort sensitive data from their victims.
Google has identified a sophisticated phishing campaign targeting several dozen high-value corporate entities. The campaign's goal is to compromise call centers and business process outsourcers (BPOs) using social engineering tactics and stolen legitimate credentials. The attackers use a "live chat" social engineering tactic, spoofed Okta login pages, and phishing kits that bypass multi-factor authentication (MFA). The group also employs fake security software updates to trick victims into downloading remote access malware. They operate from cloud environments, exploit months-old Adobe Reader zero-days, and use Proton Mail accounts to deliver ransom notes.
Google has recently identified a sophisticated phishing campaign targeting "several dozen high-value corporate entities" across multiple sectors, with ties to a financially motivated group known as UNC6783. The campaign's primary goal is to compromise call centers and business process outsourcers (BPOs) that work with larger companies, leveraging social engineering tactics and stolen legitimate credentials from BPO employees to gain access to their customers' IT environments.
According to Austin Larsen, principal threat analyst at Google Threat Intelligence Group, UNC6783 primarily uses a "live chat" social engineering tactic to direct support staff to spoofed Okta login pages. The phishing domains frequently masquerade as the targeted organization, following a pattern such as [.]zendesk-support<##>[.]com. The attackers' phishing kits bypass multi-factor authentication (MFA) by stealing clipboard contents, allowing them to enroll their own devices for persistent access to victim environments.
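One defensive use of the reported domain pattern is to screen proxy or DNS logs for hosts that follow it. The following is an added example, not code from the original article or from Google; it assumes a simple "timestamp user URL" log format and constructed sample lines, and it generalizes slightly beyond the exact pattern by also flagging any host that carries a trusted brand token ("zendesk", "okta") while not belonging to the brand's real domain. The `LEGIT_DOMAINS` set and the two-label registrable-domain shortcut are assumptions for illustration, not a substitute for a public suffix list.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines (not from the report): "<timestamp> <user> <url>".
SAMPLE_LOG = """\
2026-04-09T12:01:03Z alice https://acme.zendesk.com/agent/tickets/42
2026-04-09T12:02:17Z bob https://zendesk-support17.com/login
2026-04-09T12:02:40Z bob https://acme-corp.okta.com/app/UserHome
2026-04-09T12:03:55Z carol http://www.zendesk-support03.com/okta/sso
2026-04-09T12:04:10Z dave https://support.zendesk.com/hc/en-us
"""

# The pattern the report attributes to UNC6783: zendesk-support<##>.com, where ## is two digits.
# Subdomains in front of it are allowed so "www.zendesk-support03.com" still matches.
REPORTED_PATTERN = re.compile(r"^(?:[\w-]+\.)*zendesk-support\d{2}\.com$")

# Assumption: the legitimate domains these lookalikes imitate.
LEGIT_DOMAINS = {"zendesk.com", "okta.com"}
# Assumption: brand tokens whose presence in a non-legitimate host is suspicious.
BRAND_TOKENS = ("zendesk", "okta")


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two DNS labels (no public suffix list)."""
    return ".".join(host.split(".")[-2:])


def is_lookalike(host: str) -> bool:
    """True if the host matches the reported pattern or impersonates a known brand."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in LEGIT_DOMAINS:
        return False  # genuinely under the brand's own domain
    if REPORTED_PATTERN.match(host):
        return True
    return any(token in host for token in BRAND_TOKENS)


def flag_lookalikes(log_text: str) -> list[tuple[str, str]]:
    """Return (user, host) pairs for log lines whose URL host looks like a spoofed login page."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines
        _timestamp, user, url = parts
        host = urlsplit(url).hostname or ""
        if is_lookalike(host):
            hits.append((user, host))
    return hits


if __name__ == "__main__":
    for user, host in flag_lookalikes(SAMPLE_LOG):
        print(f"suspicious login-page host for {user}: {host}")
```

Run against the constructed log, only the two `zendesk-support<##>.com` visits are flagged; the real `acme.zendesk.com` and `acme-corp.okta.com` hosts pass because their registrable domain is on the allow list. In production the allow list would come from the tenants the organization actually uses.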
Furthermore, Google has observed UNC6783 using fake security software updates to trick victims into downloading remote access malware. These smooth-talking cybercriminals commonly operate from cloud environments and use months-old Adobe Reader zero-days that abuse legitimate PDF features to harvest system data and deploy second-stage payloads.
The attackers use Proton Mail accounts to deliver ransom notes to their victims after stealing sensitive corporate information. In an incident reported by International Cyber Digest last week, an attacker using the alias "Mr. Raccoon" allegedly breached Adobe by running a remote access tool on an Indian BPO employee's system before phishing the worker's manager.
Google tracks UNC6783 as a financially motivated group with ties to the notorious "Raccoon" persona, but did not immediately respond to The Register's inquiries about its extortion operations.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Global-Extortion-Scheme-Several-Dozen-High-Value-Corporations-Impacted-by-Phishing-Campaign-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/04/09/several_dozen_highvalue_corporations_targeted/
https://www.theregister.com/2026/04/09/several_dozen_highvalue_corporations_targeted/
https://malware.news/t/shinyhunters-wage-broad-corporate-extortion-spree/99875
https://thecyberexpress.com/unc6783-bpo-providers-as-cyberattack-gateways/
https://www.abijita.com/hackers-target-bpo-firms-to-breach-major-companies-and-steal-data/
https://www.cybersecuritydive.com/news/threat-actor-social-engineering-raccoon-persona/816804/
Published: Thu Apr 9 12:59:52 2026 by llama3.2 3B Q4_K_M