A cybercriminal group identified as UNC6783 is targeting business process outsourcing (BPO) companies likely as a gateway to infiltrate major organizations across various industries.
The Google Threat Intelligence Group reports that this tactic has already affected dozens of companies, with attackers stealing sensitive information to pressure victims into paying ransoms.
According to principal threat analyst Austin Larsen, the group primarily depends on phishing schemes and social engineering tactics to compromise BPO providers that support their intended targets. In some cases, attackers have gone a step further by directly engaging with internal support or helpdesk teams to gain unauthorized access.
Investigators also believe UNC6783 may be connected to a cybercriminal persona known as “Raccoon,” which has previously focused on BPO firms serving large enterprises.
One notable technique involves manipulating support staff through live chat interactions. Employees are tricked into visiting counterfeit login pages that mimic Okta portals. These fraudulent sites are hosted on domains designed to resemble legitimate ones, often following a pattern like [.]zendesk-support<##>[.]com.
Larsen notes that the phishing toolkit used in these campaigns is particularly advanced—it can capture clipboard data, allowing attackers to bypass multi-factor authentication (MFA) and register their own devices within compromised systems.

In addition to phishing, the group has also distributed fake security updates that install remote access malware, further expanding their control over victim networks.
Once data is obtained, the attackers initiate extortion efforts, typically reaching out via ProtonMail accounts to demand payment in exchange for not releasing the stolen information.
Although further details about “Raccoon” remain limited, the International Cyber Digest recently reported that an individual using the alias “Mr. Raccoon” claimed responsibility for a breach involving Adobe—a claim that has not yet been confirmed.
According to these claims, the breach occurred after compromising an India-based BPO associated with Adobe. The attacker allegedly installed a remote access trojan (RAT) on an employee’s system and later targeted the employee’s manager through a phishing campaign.
The individual further asserted that approximately 13 million support tickets were stolen, including personal data, employee details, vulnerability reports submitted via HackerOne, and internal company documents.
To mitigate risks from UNC6783, Google’s Mandiant division recommends several defensive measures. These include adopting FIDO2-based hardware keys for MFA, closely monitoring live chat systems for suspicious activity, blocking domains that mimic Zendesk naming patterns, and routinely reviewing MFA device registrations for unauthorized additions.
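The domain-naming pattern described above and the recommendation to block Zendesk lookalikes both come down to the same check: a proxy or DNS log line carries a hostname, and that hostname either belongs to Zendesk or merely resembles it. The following script is an added example, not part of the original report or of any Mandiant tooling. It encodes the reported `zendesk-support<##>.com` shape as a regular expression (treating `<##>` as a run of digits, which is an assumption) and, going slightly beyond the article, also flags any other registrable domain that contains the string "zendesk" without being `zendesk.com`. The log format and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Apex domains Zendesk legitimately serves from (assumption; extend for your tenant).
LEGITIMATE_APEX = {"zendesk.com"}

# The naming pattern reported for the phishing sites: zendesk-support<##>.com.
# Treating <##> as one or more digits is an assumption; the article only shows the placeholder.
REPORTED_PATTERN = re.compile(r"(?:^|\.)zendesk-support\d+\.com$")


def apex_domain(host: str) -> str:
    """Return the last two labels of a hostname.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """Classify a hostname as 'legitimate', 'reported-pattern', 'lookalike' or 'unrelated'."""
    host = host.lower().strip(".")
    if apex_domain(host) in LEGITIMATE_APEX:
        return "legitimate"
    if REPORTED_PATTERN.search(host):
        return "reported-pattern"          # exact shape named in the report
    if "zendesk" in apex_domain(host):
        return "lookalike"                 # broader heuristic: brand string in a foreign apex
    return "unrelated"


def scan_proxy_log(lines):
    """Scan constructed proxy log lines of the form '<timestamp> <user> <url>'.
    Returns (user, host, verdict) for every host that mimics Zendesk."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                       # skip malformed lines rather than crash
        _timestamp, user, url = parts
        host = urlparse(url).hostname
        if not host:
            continue
        verdict = classify_host(host)
        if verdict in ("reported-pattern", "lookalike"):
            hits.append((user, host, verdict))
    return hits


# Constructed sample log: one legitimate Zendesk visit, one hit on the reported
# pattern, one generic lookalike and one unrelated site.
SAMPLE_LOG = [
    "2024-01-01T09:00:00Z alice https://company.zendesk.com/agent/dashboard",
    "2024-01-01T09:01:12Z bob https://login.zendesk-support17.com/okta/signin",
    "2024-01-01T09:02:30Z carol https://zendesk-helpdesk-login.net/auth",
    "2024-01-01T09:03:45Z dave https://example.com/",
]

if __name__ == "__main__":
    for user, host, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:17} {user:6} {host}")
```

Run against a real proxy export, the output is the list of users whose sessions reached a lookalike host, which is the starting point for both a block rule and a review of that user's recent MFA device registrations.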
