Google Warns of New Campaign Targeting BPOs to Steal Corporate Data
Google warns of UNC6783 threat actor targeting BPOs to steal corporate data via social engineering.
Summary
Google Threat Intelligence Group has identified UNC6783, a financially motivated threat actor targeting business process outsourcing firms to steal data from high-value corporate clients. The actor uses phishing, spoofed login pages (particularly Okta), clipboard-stealing phishing kits to bypass MFA, and fake security updates delivering remote access malware. UNC6783 is likely linked to 'Mr. Raccoon,' who claimed responsibility for stealing Adobe data from an Indian BPO, including personal information of 15,000 employees and millions of support tickets.
Full text
A financially motivated threat actor is targeting business process outsourcing (BPO) organizations to steal data pertaining to high-value companies, Google Threat Intelligence Group (GTIG) warns.
Tracked as UNC6783, the threat actor is potentially linked to a certain ‘Raccoon’ persona, used by a hacker who recently claimed the theft of various Adobe data from a third-party supplier.
UNC6783, GTIG principal threat analyst Austin Larsen says, has been engaged in social engineering and phishing campaigns targeting dozens of high-value corporate entities across multiple industries.
“The actor primarily focuses on compromising Business Process Outsourcers (BPOs) that work with these targeted companies. We have also seen them target the support and helpdesk staff of these organizations directly to gain trusted access and steal sensitive data for extortion operations,” Larsen says.
The threat actor relies on live chats to lure employees to spoofed Okta login pages and uses a phishing kit that steals clipboard contents to bypass standard multi-factor authentication (MFA) verification.
According to GTIG, UNC6783’s social engineering tactics involve fake Zendesk support pages that pose as the targeted organization’s domain.
Using the targeted employees’ accounts, the hackers enroll their own devices to gain persistent access to the compromised environment.
“We have also observed them using fake security software updates to trick victims into downloading remote access malware. Following data exfiltration, UNC6783 has been known to use Proton Mail accounts to deliver ransom notes for data theft extortion operations,” Larsen says.
Mr. Raccoon claims Adobe data theft
GTIG’s description of UNC6783’s tactics and its mention of Raccoon suggest that the threat actor is the same Mr. Raccoon who claimed the theft of a large amount of Adobe data from a BPO firm in India.
The stolen data, the hacker said, includes the personal information of 15,000 employees, millions of support tickets, and bug bounty submissions.
The attack reportedly started with a phishing email targeting a support agent at the BPO, who was tricked into executing a RAT, thereby giving the hacker full access to their computer.
Next, the attacker performed reconnaissance and used the employee’s email address to send a second phishing email to a manager, who handed over credentials for the support platform.
Mr. Raccoon claimed to have exported the entire Adobe database from the platform with a single request.
SecurityWeek has emailed Adobe for a statement on the hacker’s claims and will update this article if the company responds.
Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
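The device enrollment that the article says follows a phished login can be hunted for in identity-provider logs. The sketch below is an added example, not code from GTIG or SecurityWeek: it flags an MFA factor activation that closely follows a session from an IP address not previously seen for that user. It assumes the enrollment surfaces as the Okta System Log event type `user.mfa.factor.activate`; the events are constructed and flattened (`actor` stands for `actor.alternateId`, `ip` for `client.ipAddress`), and the 30-minute window is an assumption.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment

# Constructed sample events (not real data), flattened from Okta System Log fields.
EVENTS = [
    {"published": "2026-04-01T08:00:00Z", "eventType": "user.session.start",
     "actor": "agent1@bpo.example", "ip": "198.51.100.10"},
    {"published": "2026-04-02T08:01:00Z", "eventType": "user.session.start",
     "actor": "agent1@bpo.example", "ip": "198.51.100.10"},
    {"published": "2026-04-02T13:40:00Z", "eventType": "user.session.start",
     "actor": "agent1@bpo.example", "ip": "203.0.113.77"},   # never-seen IP
    {"published": "2026-04-02T13:46:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "agent1@bpo.example", "ip": "203.0.113.77"},   # enrollment 6 min later
    {"published": "2026-04-02T09:00:00Z", "eventType": "user.session.start",
     "actor": "agent2@bpo.example", "ip": "198.51.100.20"},
    {"published": "2026-04-03T09:05:00Z", "eventType": "user.session.start",
     "actor": "agent2@bpo.example", "ip": "198.51.100.20"},
    {"published": "2026-04-03T09:10:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "agent2@bpo.example", "ip": "198.51.100.20"},  # known IP, benign
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_enrollments(events, window=WINDOW):
    """Return factor activations within `window` of a session from a new IP."""
    seen_ips = {}      # actor -> IPs that have already started a session
    new_ip_login = {}  # actor -> (time, ip) of the latest session from an unseen IP
    alerts = []
    for ev in sorted(events, key=lambda e: parse(e["published"])):
        actor, ip, when = ev["actor"], ev["ip"], parse(ev["published"])
        if ev["eventType"] == "user.session.start":
            known = seen_ips.setdefault(actor, set())
            if ip not in known:
                # A user's first-ever session also lands here, so legitimate
                # onboarding enrollments need an allow-list in production.
                new_ip_login[actor] = (when, ip)
            known.add(ip)
        elif ev["eventType"] == "user.mfa.factor.activate":
            login = new_ip_login.get(actor)
            if login and when - login[0] <= window:
                alerts.append({"actor": actor, "login_ip": login[1],
                               "enrolled_at": ev["published"]})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_enrollments(EVENTS):
        print(alert)
```
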