Google: New UNC6783 hackers steal corporate Zendesk support tickets

Summary

Google Threat Intelligence Group has identified UNC6783, a threat actor targeting business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors. The group uses social engineering, phishing campaigns, and fake Okta login pages to compromise support staff, deploying malware to steal sensitive data and subsequently extort victims. UNC6783 may be linked to a persona known as Raccoon, who has claimed responsibility for breaches at Adobe (13 million support tickets) and CrunchyRoll.

Full text

Google: New UNC6783 hackers steal corporate Zendesk support tickets By Bill Toulas April 8, 2026 05:46 PM 0 A threat actor tracked as UNC6783 is compromising business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors. According to the Google Threat Intelligence Group, dozens of corporate entities have been targeted through this method to exfiltrate sensitive data for extortion. Austin Larsen, GTIG principal threat analyst, says that UNC6783 typically relies on social engineering and phishing campaigns to compromise BPOs working with targeted companies. However, there have been instances where the hackers have also contacted support and helpdesk staff within targeted organizations, in an attempt to obtain direct access. The researchers say that UNC6783 may be linked to Raccoon, a persona known to have targeted multiple BPOs that provide services to large companies. In social engineering attacks over live chat, the threat actor directs support employees to spoofed Okta login pages hosted on domains that impersonate those of the target company and follow the pattern <org>[.]zendesk-support<##>[.]com. Larsen says that the phishing kit deployed in these attacks can steal clipboard contents to bypass multi-factor authentication (MFA) protection, enabling the attacker to register their device with the organization. Google has also observed attacks where UNC6783 distributed fake security updates to deliver remote access malware. After stealing sensitive data, the threat actor proceeds to extort victims, contacting them via ProtonMail addresses with payment demands. While GTIG did not offer more information about Raccoon, threat intelligence account International Cyber Digest recently disclosed that someone using the alias “Mr. Raccoon” claimed a breach at Adobe, which the company has yet to confirm. The attacker claimed to have gained access to Adobe data after compromising an India-based BPO working for the company. They deployed a remote access trojan (RAT) on an employee’s computer and subsequently targeted the employee’s manager in a phishing attack. Mr. Raccoon said that they stole 13 million support tickets containing personal data, employee records, HackerOne submissions, and internal documents. In conversations with BleepingComputer, the threat actor behind the CrunchyRoll breach confirmed that they were also behind the Adobe attack, but did not provide any evidence. Google’s Mandiant listed several defense recommendations against UNC6783 attacks, including deploying FIDO2 security keys for MFA, monitoring live chat for abuse, blocking spoofed domains that match Zendesk patterns, and regularly auditing MFA device enrollments. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: Ransomware payment rate drops to record low as attacks surgeCanada Goose investigating as hackers leak 600K customer recordsSnowflake customers hit in data theft attacks after SaaS integrator breachDrift $280M crypto theft linked to 6-month in-person operationEvolution of Ransomware: Multi-Extortion Ransomware Attacks

Entities