'Several dozen' high-value corporations hit by new extortion crew in helpdesk phishing spree

A new financially motivated threat actor, UNC6783, is targeting high-value corporations via social engineering attacks against helpdesk and BPO staff, using live chat to direct victims to spoofed Okta login pages. The phishing kit used can bypass MFA by stealing clipboard contents and enrolling attacker-controlled devices for persistent access. The group then exfiltrates sensitive data and delivers ransom demands via Proton Mail.

Possible link to Mr. Raccoon's claimed Adobe break-in

Jessica Lyons, Thu 9 Apr 2026 // 17:11 UTC

A new extortion crew has targeted “several dozen high-value” corporations through phishing and helpdesk social-engineering, according to Google.

Google Threat Intelligence Group tracks the financially motivated group as UNC6783, and in a blog post, principal threat analyst Austin Larsen said that it may have ties to the "Raccoon" persona.

"We are aware of several dozen high-value corporate entities targeted across multiple sectors," Larsen wrote.

UNC6783 primarily compromises call centers and business process outsourcers (BPOs) that work with larger companies - an attack method popularized by groups like Scattered Spider and ShinyHunters. Once the criminals have access to the BPOs' networks, they can use stolen legitimate credentials from BPO employees to break into their customers' IT environments.

Google has also observed the extortionists targeting corporations' support and helpdesk staff directly to gain access and steal sensitive data.

"The campaign relies on social engineering via live chat to direct employees to malicious, spoofed Okta login pages," Larsen said. "These domains frequently masquerade as the targeted organization using a domain pattern such as <org>[.]zendesk-support<##>[.]com."

The attackers use a phishing kit to bypass multi-factor authentication (MFA) by stealing clipboard contents, and then enrolling their own devices for persistent access to victim environments. Google has also spotted the miscreants using fake security software updates to trick victims into downloading remote access malware.

Once they steal corporations' data, the crew uses Proton Mail accounts to deliver ransom notes to their victims.

Google did not immediately respond to The Register's inquiries about UNC6783 and its extortion operations.

Last week, International Cyber Digest reported that Adobe was allegedly breached by an attacker calling themselves Mr. Raccoon, who reportedly gained access through an Indian BPO by first deploying a remote access tool on one employee and then phishing that worker’s manager. The data thief claimed to have stolen 13 million support tickets with personal data, 15,000 employee records, all HackerOne submissions, internal documents, and other information.

Adobe did not immediately respond to The Register's request for comment.

According to malware hunters vx-underground, the Adobe breach appears to be legitimate, and "anyone who submitted a helpdesk ticket to Adobe, or requested assistance in any capacity, could be impacted."
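The domain pattern Larsen quotes, `<org>[.]zendesk-support<##>[.]com`, is concrete enough for a defender to hunt for in web-proxy or DNS logs. The following is an added example, not code from the article or from Google; it assumes a simple space-separated proxy log of `timestamp user host` (the sample lines are constructed), treats `<##>` as one or more digits, and flags hosts that fit the pattern, ranking those that reuse one of your own organization's labels as impersonation of you rather than of some third party.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Pattern quoted in the article: <org>[.]zendesk-support<##>[.]com
# The square brackets are defanging; <##> stands for a number.
# Assumption (mine, not the article's): the number is one or more digits
# and <org> is a single DNS label.
LOOKALIKE = re.compile(
    r"^(?P<org>[a-z0-9-]+)\.zendesk-support(?P<num>\d+)\.com$", re.IGNORECASE
)


def refang(host: str) -> str:
    """Normalise a host: undo '[.]' / '(.)' defanging, lower-case, strip trailing dot."""
    return host.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


def lookalike_org(host: str) -> Optional[str]:
    """Return the <org> label if the host matches the reported pattern, else None."""
    m = LOOKALIKE.match(refang(host))
    return m.group("org") if m else None


@dataclass
class Hit:
    line_no: int
    user: str
    host: str          # refanged host as it would appear in DNS
    org: str           # the label the lookalike is borrowing
    impersonates_us: bool  # True when that label is one of our own


def scan_proxy_log(lines: Iterable[str], own_org_labels: Set[str]) -> List[Hit]:
    """Walk 'timestamp user host' lines and collect every lookalike sighting."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the hunt
        _ts, user, host = parts[0], parts[1], parts[2]
        org = lookalike_org(host)
        if org is None:
            continue
        hits.append(Hit(n, user, refang(host), org, org.lower() in own_org_labels))
    return hits


# Constructed sample log; 'acme' stands in for the defending organisation.
SAMPLE_LOG = [
    "2026-04-09T16:58:01Z helpdesk01 acme.zendesk.com",                # real Zendesk host shape, no match
    "2026-04-09T17:02:14Z helpdesk01 acme.zendesk-support12.com",      # matches, borrows our label
    "2026-04-09T17:03:40Z bpo-agent7 ACME[.]zendesk-support7[.]com",   # defanged, mixed case, still matches
    "2026-04-09T17:05:09Z helpdesk02 support.acme.example",            # unrelated
    "2026-04-09T17:06:33Z helpdesk02 zendesk-support.com",             # no <org> label, no match
]


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG, {"acme"}):
        flag = "IMPERSONATING US" if h.impersonates_us else "lookalike"
        print(f"line {h.line_no}: {h.user} -> {h.host} [{flag}]")
```

The useful part is the refanging step: threat-intel feeds and blog posts publish these hosts defanged, while your logs hold them live, so a hunt query must normalise both sides before comparing. A match on your own label is worth an immediate look at that user's session, since the article describes the follow-on (clipboard theft to bypass MFA and enrolment of an attacker device) happening within the same live-chat interaction.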
