Google Identifies Vishing Operation UNC6040 Targeting Salesforce with Deceptive Data Loader Application

Google has revealed critical information regarding a financially motivated threat cluster identified as UNC6040, which specializes in voice phishing activities (vishing) aimed at compromising organizations’ Salesforce systems for extensive data theft and subsequent extortion.

The threat intelligence team at Google has noted that UNC6040 exhibits behaviors characteristic of threat groups tied to an online cybercrime collective known as The Com.

According to a recent report, UNC6040 has achieved considerable success over the past few months by deploying tactics that involve operators impersonating IT support personnel during persuasive telephone-based social engineering interactions. This strategy has effectively convinced English-speaking employees to divulge critical information, including credentials, that enable the threat actors to conduct data exfiltration.

A salient feature of UNC6040’s methodology is the use of a modified version of Salesforce’s Data Loader. During the vishing calls, victims are led to authorize this tampered application to connect to their organization’s Salesforce portal. The legitimate Data Loader is used for bulk data import, export, and updates within the Salesforce platform, which is exactly the capability the attackers need for large-scale exfiltration.

Specifically, attackers direct targets to the app setup page of Salesforce, prompting them to approve a disguised version of the Data Loader that utilizes a different name or branding, such as “My Ticket Portal.” This unauthorized approval grants the attackers access to Salesforce customer environments, enabling data exfiltration.

In addition to the significant risk of data loss, these attacks allow UNC6040 to navigate laterally within a victim’s network, accessing and harvesting information from additional platforms such as Okta, Workplace, and Microsoft 365.

While some incidents have also been associated with extortion activities, these attempts typically emerge “several months” after the intrusion, suggesting a strategy to monetize the stolen data, potentially in collaboration with another threat actor.

During these extortion efforts, perpetrators have claimed affiliation with the notorious hacking group ShinyHunters, likely to intensify pressure on their victims.

UNC6040’s alignment with groups associated with The Com is evident through their focus on gathering Okta credentials and the employment of social engineering through IT support tactics, mirroring strategies adopted by Scattered Spider, another financially motivated threat actor within this loosely organized collective.

Salesforce has acknowledged the threat posed by this vishing campaign. In March 2025, the company alerted its clients regarding threat actors utilizing social engineering tactics to impersonate IT support personnel and trick employees into revealing credentials or approving the modified Data Loader application.

Reports indicate that these malicious actors have been observed luring employees and third-party support workers to phishing pages strategically designed to harvest credentials and MFA tokens. These engagements often prompt users to visit the login.salesforce[.]com/setup/connect page to authorize malicious connected applications.
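The two passages above describe the same chain: an employee approves a connected app under an unfamiliar name, and the actor then pulls data in bulk through it. As an added illustration that is not part of the report, the Python sketch below shows the defender-side check this suggests: flag any authorization of a connected app outside the org's vetted list, and escalate when the same user bulk-exports through that app shortly afterwards. The event fields, app names and thresholds are constructed here and do not represent Salesforce's real log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the org's vetted connected apps (placeholder list, not from the report).
APPROVED_APPS = {"Data Loader", "Salesforce for Outlook"}


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str      # "app_authorized" (user approved a connected app) or "bulk_export"
    app: str       # connected-app name as shown on the approval page
    rows: int = 0  # rows moved by a bulk_export event


def flag_rogue_connected_apps(events, window=timedelta(hours=6), row_threshold=50_000):
    """Flag approvals of non-vetted connected apps; raise severity to 'high'
    when the same user bulk-exports at least row_threshold rows through
    that app within `window` of the approval."""
    findings = []
    for auth in events:
        if auth.kind != "app_authorized" or auth.app in APPROVED_APPS:
            continue
        exported = sum(
            e.rows for e in events
            if e.kind == "bulk_export" and e.user == auth.user
            and e.app == auth.app and auth.ts <= e.ts <= auth.ts + window
        )
        findings.append({
            "user": auth.user,
            "app": auth.app,
            "rows_exported": exported,
            "severity": "high" if exported >= row_threshold else "medium",
        })
    return findings


# Constructed sample events (not real telemetry).
T0 = datetime(2025, 3, 3, 10, 0)
SAMPLE_EVENTS = [
    Event(T0, "alice", "app_authorized", "My Ticket Portal"),
    Event(T0 + timedelta(minutes=20), "alice", "bulk_export", "My Ticket Portal", 120_000),
    Event(T0, "bob", "app_authorized", "Data Loader"),
    Event(T0 + timedelta(hours=1), "bob", "bulk_export", "Data Loader", 80_000),
    Event(T0, "carol", "app_authorized", "Helpdesk Sync"),
]

if __name__ == "__main__":
    for finding in flag_rogue_connected_apps(SAMPLE_EVENTS):
        print(finding)
```

In the sample, the "My Ticket Portal" approval followed by a 120,000-row export is rated high, the unvetted "Helpdesk Sync" approval with no export is medium, and the vetted Data Loader export is not flagged at all.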

The observed tactics underscore not only the evolving sophistication of social engineering campaigns but also the intensified targeting of IT support personnel as a means of gaining initial access.

The success of operations like UNC6040’s, which leverage enhanced vishing techniques, illustrates the continued effectiveness of this threat vector for financially motivated groups seeking to penetrate organizational defenses.

Given the prolonged interval between initial compromises and extortion attempts, it is plausible that multiple victim organizations, along with potential downstream targets, may face extortion demands in the upcoming weeks or months.