UNC6783 Extortion Crew Targets 'Several Dozen' Corporations Through BPO and Helpdesk Phishing Attacks

A financially motivated threat group tracked as UNC6783 has targeted "several dozen" high-value corporations through a sophisticated campaign targeting call centers, business process outsourcers (BPOs), and corporate helpdesk staff, according to Google Threat Intelligence Group.

Attack Methodology

UNC6783 employs a multi-stage attack chain:

1. Initial access: Social engineering via live chat to direct employees to spoofed Okta login pages (e.g., <org>.zendesk-support<##>.com)
2. MFA bypass: Custom phishing kit steals clipboard contents to bypass multi-factor authentication
3. Persistence: Enrolls attacker's own devices for persistent access
4. Lateral movement: Uses stolen BPO credentials to access customer IT environments
5. Data exfiltration: Steals sensitive corporate data
6. Extortion: Delivers ransom notes via Proton Mail accounts

Potential Adobe Breach Connection

The group may be linked to the "Mr. Raccoon" persona, who allegedly breached Adobe through an Indian BPO:

• Deployed remote access tool on one employee
• Phished that worker's manager
• Claimed to have stolen 13 million support tickets, 15,000 employee records, all HackerOne submissions, and internal documents
• According to vx-underground: "Anyone who submitted a helpdesk ticket to Adobe could be impacted"

Notable Techniques

• Fake security software updates to trick victims into downloading remote access malware
• BPO targeting — a method popularized by Scattered Spider and ShinyHunters
• Direct helpdesk phishing — voice phishing attacks against support staff have "skyrocketed" according to Google

Recommendations

• Verify Okta login page URLs carefully, especially variations of zendesk-support domains
• Implement additional controls for BPO and call center access
• Monitor for unusual device enrollment in MFA/identity systems
• Train helpdesk staff on live chat-based social engineering attacks
• Review access logs for BPO-linked accounts