{
	"id": "3a63bbdb-47bd-4d23-aead-88be52d7439f",
	"created_at": "2026-04-06T00:17:36.709047Z",
	"updated_at": "2026-04-10T13:12:52.749716Z",
	"deleted_at": null,
	"sha1_hash": "b86f2b1e48572ecc373a14786e7ba8319c5b3dcf",
	"title": "The Cost of a Call: From Voice Phishing to Data Extortion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 247854,
	"plain_text": "The Cost of a Call: From Voice Phishing to Data Extortion\r\nBy Google Threat Intelligence Group\r\nPublished: 2025-06-04 · Archived: 2026-04-05 13:57:49 UTC\r\nUpdate (August 8): Google has completed its email notifications to those affected by this incident.\r\nUpdate (August 8): Emails are actively being sent to those affected by this incident. Another update will be posted\r\nhere once these alerts have been issued.\r\nUpdate (August 5)\r\nIn June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in\r\nthis post. Google responded to the activity, performed an impact analysis and began mitigations. The instance was\r\nused to store contact information and related notes for small and medium businesses. Analysis revealed that data\r\nwas retrieved by the threat actor during a small window of time before the access was cut off. The data retrieved\r\nby the threat actor was confined to basic and largely publicly available business information, such as business\r\nnames and contact details.\r\nUNC6240\r\nGoogle Threat Intelligence Group (GTIG) tracks the extortion activities following UNC6040 intrusions,\r\nsometimes several months after the initial data theft, as UNC6240. The extortion involves calls or emails to\r\nemployees of the victim organization demanding payment in bitcoin within 72 hours. During these\r\ncommunications, UNC6240 has consistently claimed to be the threat group ShinyHunters.  \r\nIn addition, we believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion\r\ntactics by launching a data leak site (DLS). These new tactics are likely intended to increase pressure on victims,\r\nincluding those associated with the recent UNC6040 Salesforce-related data breaches. 
We continue to monitor this\r\nactor and will provide updates as appropriate.\r\nUNC6240 Extortion Email Sender Addresses\r\nshinycorp@tuta[.]com\r\nshinygroup@tuta[.]com\r\nUNC6040 (Evolving TTPs)\r\nGTIG has observed an evolution in UNC6040's TTPs. While the group initially relied on the Salesforce\r\nDataloader application, they have since shifted to using custom applications. These custom applications are\r\ntypically Python scripts that perform a similar function to the Dataloader app. The updated attack chain involves a\r\nvoice call to enroll a victim, which the threat actor initiates while using Mullvad VPN IPs or TOR. Following this\r\ninitial engagement, the data collection is automated and through TOR IPs, a change that further complicates\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion\r\nPage 1 of 6\n\nattribution and tracking efforts. GTIG observed that the threat actor shifted from creating Salesforce trial accounts\r\nusing webmail emails to using compromised accounts from unrelated organizations to initially register their\r\nmalicious applications. \r\nA Google Threat Intelligence (GTI) collection of related Indicators of Compromise (IOCs) is available.\r\nIntroduction\r\nGoogle Threat Intelligence Group (GTIG) is tracking UNC6040, a financially motivated threat cluster that\r\nspecializes in voice phishing (vishing) campaigns specifically designed to compromise organizations' Salesforce\r\ninstances for large-scale data theft and subsequent extortion. Over the past several months, UNC6040 has\r\ndemonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in\r\nconvincing telephone-based social engineering engagements. 
This approach has proven particularly effective in\r\ntricking employees, often within English-speaking branches of multinational corporations, into actions that grant\r\nthe attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organization’s\r\nSalesforce data. In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability\r\ninherent to Salesforce.\r\nA prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app\r\nto their organization's Salesforce portal. This application is often a modified version of Salesforce’s Data Loader,\r\nnot authorized by Salesforce. During a vishing call, the actor guides the victim to visit Salesforce's connected app\r\nsetup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate\r\nversion. This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive\r\ninformation directly from the compromised Salesforce customer environments. This methodology of abusing Data\r\nLoader functionalities via malicious connected apps is consistent with recent observations detailed by Salesforce\r\nin their guidance on protecting Salesforce environments from such threats.\r\nIn some instances, extortion activities haven't been observed until several months after the initial UNC6040\r\nintrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes\r\naccess to the stolen data. 
During these extortion attempts, the actor has claimed affiliation with the well-known\r\nhacking group ShinyHunters, likely as a method to increase pressure on their victims.\r\nFigure 1: Data Loader attack flow\r\nUNC6040\r\nGTIG is currently tracking a significant portion of the investigated activity as UNC6040. UNC6040 is a\r\nfinancially motivated threat cluster that accesses victim networks by voice phishing social engineering. Upon\r\nobtaining access, UNC6040 has been observed immediately exfiltrating data from the victim’s Salesforce\r\nenvironment using Salesforce’s Data Loader application. Following this initial data theft, UNC6040 was observed\r\nleveraging end-user credentials obtained through credential harvesting or vishing to move laterally through victim\r\nnetworks, accessing and exfiltrating data from the victim's accounts on other cloud platforms such as Okta and\r\nMicrosoft 365.\r\nAttacker Infrastructure\r\nUNC6040 utilized infrastructure to access Salesforce applications that also hosted an Okta phishing panel. This\r\npanel was used to trick victims into visiting it from their mobile phones or work computers during the social\r\nengineering calls. 
In these interactions, UNC6040 also directly requested user credentials and multifactor\r\nauthentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration.\r\nAlongside the phishing infrastructure, UNC6040 primarily used Mullvad VPN IP addresses to access and perform\r\nthe data exfiltration on the victim’s Salesforce environments and other services of the victim's network.\r\nOverlap with Groups Linked to “The Com”\r\nGTIG has observed infrastructure across various intrusions that shares characteristics with elements previously\r\nlinked to UNC6040 and threat groups suspected of ties to the broader, loosely organized collective known as \"The\r\nCom\". We’ve also observed overlapping tactics, techniques, and procedures (TTPs), including social engineering\r\nvia IT support, the targeting of Okta credentials, and an initial focus on English-speaking users at multinational\r\ncompanies. It's plausible that these similarities stem from associated actors operating within the same\r\ncommunities, rather than indicating a direct operational relationship between the threat actors.\r\nData Loader\r\nData Loader is an application developed by Salesforce, designed for the efficient import, export, and update of\r\nlarge data volumes within the Salesforce platform. It offers both a user interface and a command-line component,\r\nthe latter providing extensive customization and automation capabilities. The application supports OAuth and\r\nallows for direct \"app\" integration via the \"connected apps\" functionality in Salesforce. 
Threat actors abuse this by\r\npersuading a victim over the phone to open the Salesforce connect setup page and enter a \"connection code,\"\r\nthereby linking the actor-controlled Data Loader to the victim's environment.\r\nFigure 2: The victim needs to enter a code to connect the threat actor controlled Data Loader\r\nModifications\r\nIn some of the intrusions using Data Loader, threat actors utilized modified versions of Data Loader to exfiltrate\r\nSalesforce data from victim organizations. The proficiency with the tool and capabilities by executed queries\r\nseems to differ from one intrusion to another.\r\nIn one instance, a threat actor used small chunk sizes for data exfiltration from Salesforce but was only able to\r\nretrieve approximately 10% of the data before detection and access revocation. In another case, numerous test\r\nqueries were made with small chunk sizes initially. Once sufficient information was gathered, the actor rapidly\r\nincreased the exfiltration volume to extract entire tables.\r\nThere were also cases where the threat actors configured their Data Loader application with the name \"My Ticket\r\nPortal\", aligning the tool's appearance with the social engineering pretext used during the vishing calls.\r\nOutlook \u0026 Implications\r\nVoice phishing (vishing) as a social engineering method is not, in itself, a novel or innovative technique; it has\r\nbeen widely adopted by numerous financially motivated threat groups over recent years with varied results.\r\nHowever, this campaign by UNC6040 is particularly notable due to its focus on exfiltrating data specifically from\r\nSalesforce environments. 
Furthermore, this activity underscores a broader and concerning trend: threat actors are\r\nincreasingly targeting IT support personnel as a primary vector for gaining initial access, exploiting their roles to\r\ncompromise valuable enterprise data.\r\nThe success of campaigns like UNC6040's, leveraging these refined vishing tactics, demonstrates that this\r\napproach remains an effective threat vector for financially motivated groups seeking to breach organizational\r\ndefenses. \r\nGiven the extended time frame between initial compromise and extortion, it is possible that multiple victim\r\norganizations and potentially downstream victims could face extortion demands in the coming weeks or months.\r\nReadiness, Mitigations, and Hardening \r\nThis campaign underscores the importance of a shared responsibility model for cloud security. While platforms\r\nlike Salesforce provide robust, enterprise-grade security controls, it’s essential for customers to configure and\r\nmanage access, permissions, and user training according to best practices.\r\nTo defend against social engineering threats, particularly those abusing tools like Data Loader for data exfiltration,\r\norganizations should implement a defense-in-depth strategy. GTIG recommends the following key mitigations and\r\nhardening steps:\r\nAdhere to the Principle of Least Privilege, Especially for Data Access Tools: Grant users only the\r\npermissions essential for their roles—no more, no less. Specifically for tools like Data Loader, which often\r\nrequire the \"API Enabled\" permission for full functionality, limit its assignment strictly. This permission\r\nallows broad data export capabilities; therefore, its assignment must be carefully controlled. 
Per\r\nSalesforce's guidance, review and configure Data Loader access to restrict the number of users who can\r\nperform mass data operations, and regularly audit profiles and permission sets to ensure appropriate access\r\nlevels.\r\nManage Access to Connected Applications Rigorously: Control how external applications, including\r\nData Loader, interact with your Salesforce environment. Diligently manage access to your connected apps,\r\nspecifying which users, profiles, or permission sets can use them and from where. Critically, restrict\r\npowerful permissions such as \"Customize Application\" and \"Manage Connected Apps\"—which allow\r\nusers to authorize or install new connected applications—only to essential and trusted administrative\r\npersonnel. Consider developing a process to review and approve connected apps, potentially allowlisting\r\nknown safe applications to prevent the unauthorized introduction of malicious ones, such as modified Data\r\nLoader instances.\r\nEnforce IP-Based Access Restrictions: To counter unauthorized access attempts, including those from\r\nthreat actors using commercial VPNs, implement IP address restrictions. Set login ranges and trusted IPs,\r\nthereby restricting access to your defined enterprise and VPN networks. 
Define permitted IP ranges for\r\nuser profiles and, where applicable, for connected app policies to ensure that logins and app authorizations\r\nfrom unexpected or non-trusted IP addresses are denied or appropriately challenged.\r\nLeverage Advanced Security Monitoring and Policy Enforcement with Salesforce Shield: For\r\nenhanced alerting, visibility, and automated response capabilities, utilize tools within Salesforce Shield.\r\nTransaction Security Policies allow you to monitor activities like large data downloads (a common sign of\r\nData Loader abuse) and automatically trigger alerts or block these actions. Complement this with \"Event\r\nMonitoring\" to gain deep visibility into user behavior, data access patterns (e.g., who viewed what data and\r\nwhen), API usage, and other critical activities, helping to detect anomalies indicative of compromise. These\r\nlogs can also be ingested into your internal security tools for broader analysis.\r\nEnforce Multi-Factor Authentication (MFA) Universally: While the social engineering tactics described\r\nmay involve tricking users into satisfying an MFA prompt (e.g., for authorizing a malicious connected\r\napp), MFA remains a foundational security control. Salesforce states that \"MFA is an essential, effective\r\ntool to enhance protection against unauthorized account access\" and requires it for direct logins. Ensure\r\nMFA is robustly implemented across your organization and that users are educated on MFA fatigue tactics\r\nand social engineering attempts designed to circumvent this critical protection.\r\nBy implementing these measures, organizations can significantly strengthen their security posture against the\r\ntypes of vishing and the UNC6040 data exfiltration campaign detailed in this report. 
Regularly review\r\nSalesforce’s security documentation, including the Salesforce Security Guide for additional detailed guidance.\r\nRead our vishing technical analysis for more details on the vishing threat, and strategic recommendations and best\r\npractices to stay ahead of it.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion"
	],
	"report_names": [
		"voice-phishing-data-extortion"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70929bd1-2bf9-4689-bfff-2bc6b113d3ed",
			"created_at": "2026-01-20T02:00:03.666874Z",
			"updated_at": "2026-04-10T02:00:03.916254Z",
			"deleted_at": null,
			"main_name": "UNC6040",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6040",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434656,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b86f2b1e48572ecc373a14786e7ba8319c5b3dcf.pdf",
		"text": "https://archive.orkl.eu/b86f2b1e48572ecc373a14786e7ba8319c5b3dcf.txt",
		"img": "https://archive.orkl.eu/b86f2b1e48572ecc373a14786e7ba8319c5b3dcf.jpg"
	}
}