Fake IT calls exploit vulnerabilities

As cybercriminals increasingly exploit human psychology over technical vulnerabilities, a financially motivated threat group designated UNC6040 has emerged as a significant concern for multinational corporations across the Americas and Europe.

Google Threat Intelligence Group has identified this distinct organization, which differs from similar groups like Scattered Spider, as responsible for successfully infiltrating approximately twenty organizations since early 2025.

The attack methodology centers on voice-phishing campaigns where criminals impersonate IT support personnel to manipulate employees into compromising their organizations’ security. UNC6040 particularly targets English-speaking branches of multinational corporations across hospitality, retail, education, and other sectors, exploiting communication gaps that often exist within large organizations with multiple locations. With detection time averaging 191 days, these attacks often go unnoticed for extended periods.

During these deceptive phone calls, attackers convince employees to download and install a modified version of Salesforce’s Data Loader application, sometimes disguised as “My Ticket Portal” to maintain the IT support facade. The criminals then walk victims through the process of approving a connected app within their Salesforce environment, which grants the attackers unauthorized access to the customer relationship data stored in this widely used CRM platform.

Once access is established, UNC6040 employs sophisticated data exfiltration techniques, beginning with small test queries to avoid triggering security alerts. If initial probing remains undetected, the group escalates to large-volume data extraction, systematically pulling information in stages before using the stolen data for extortion purposes against victim organizations. Importantly, these attacks exploit no inherent vulnerabilities within the Salesforce platform itself, instead relying entirely on social engineering to manipulate legitimate user permissions. The group’s operations extend beyond Salesforce to include targeting various platforms like Okta and Microsoft 365, demonstrating their broad technical capabilities.
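The staged pattern described above (small test queries from a newly approved app, then large-volume pulls) can be checked for in query logs. The sketch below is an added example, not code from Google or Salesforce; the record fields, thresholds, and the name-based allowlist are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records. The field names (ts, user, app, rows) are a
# hypothetical normalized schema, not Salesforce's own log format.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T09:00:00", "user": "alice", "app": "Data Loader", "rows": 52000},
    {"ts": "2025-06-02T14:05:00", "user": "bob", "app": "My Ticket Portal", "rows": 10},
    {"ts": "2025-06-02T14:09:00", "user": "bob", "app": "My Ticket Portal", "rows": 25},
    {"ts": "2025-06-02T15:30:00", "user": "bob", "app": "My Ticket Portal", "rows": 48000},
    {"ts": "2025-06-02T16:10:00", "user": "bob", "app": "My Ticket Portal", "rows": 61000},
    {"ts": "2025-06-03T10:00:00", "user": "carol", "app": "Reporting Sync", "rows": 40},
]
APPROVED_APPS = {"Data Loader"}  # assumed allowlist of vetted connected apps


def flag_staged_exfil(events, approved_apps, probe_max=100, bulk_min=10_000,
                      window=timedelta(hours=24)):
    """Flag (user, app) pairs where an unapproved app issues small probe
    queries and then bulk queries within `window` of the first probe."""
    state = {}  # (user, app) -> first probe time, probe count, bulk row total
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["app"] in approved_apps:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["app"])
        s = state.get(key)
        if ev["rows"] <= probe_max:
            # Start a new tracking window unless one is open or already flagged.
            stale = s is not None and ts - s["first_probe"] > window
            if s is None or (stale and not s["bulk_rows"]):
                state[key] = {"first_probe": ts, "probes": 1, "bulk_rows": 0}
            else:
                s["probes"] += 1
        elif ev["rows"] >= bulk_min and s and ts - s["first_probe"] <= window:
            s["bulk_rows"] += ev["rows"]  # escalation after earlier probing
    return [
        {"user": u, "app": a, "probes": s["probes"], "bulk_rows": s["bulk_rows"]}
        for (u, a), s in state.items() if s["bulk_rows"] > 0
    ]


if __name__ == "__main__":
    for finding in flag_staged_exfil(SAMPLE_EVENTS, APPROVED_APPS):
        print(finding)
```

Because the tool in these incidents is a modified Data Loader, an allowlist keyed on display name alone is weak; a production rule should key on whatever stable identifier the log source records for the connected app.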

This trend reflects broader patterns in executive targeting, with approximately forty percent of surveyed organizations reporting executives targeted in deepfake attacks in 2025, representing an increase from roughly one-third in 2023.

Over half of security professionals indicated hackers personally targeted executives at their organizations during 2025, often through impersonation of trusted contacts requesting payments or confidential information.

The sophistication of voice-cloning technology and deepfake capabilities continues to advance, enabling attackers to create increasingly convincing impersonations. These developments underscore the growing effectiveness of social engineering tactics that bypass traditional technical security measures by exploiting human trust and organizational communication protocols.
