A financially motivated actor tracked as UNC6783 is targeting business process outsourcing (BPO) firms and their support staff to steal sensitive corporate data and extort high-value companies. GTIG links UNC6783 to a "Raccoon" persona that allegedly stole Adobe data from a BPO. The actor lures support staff via live chat to spoofed Okta and Zendesk login pages, uses a clipboard-stealing phishing kit to bypass MFA, tricks victims into installing RATs disguised as security updates, enrolls attacker-controlled devices for persistence, and sends extortion notes through Proton Mail. #UNC6783 #Raccoon #Adobe #Okta #Zendesk #ProtonMail
Key points
- UNC6783 focuses on compromising BPOs and helpdesk/support staff to access client data for extortion.
- The group employs live chat social engineering and spoofed Okta and Zendesk pages to harvest credentials.
- A phishing kit that captures clipboard contents enables the actor to bypass standard MFA protections.
- Attackers use fake security updates to deliver remote access malware and enroll their own devices for persistence.
- "Mr. Raccoon" claimed theft of Adobe-related data from a BPO, including employee records and millions of support tickets, with ransom notes sent via Proton Mail.
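The persistence step above (an attacker enrolling their own device after phishing a session) leaves a footprint an identity team can hunt for: a new MFA factor activated shortly after a sign-in from a source the user has never used. The following detection is an added example written for this page, not code from GTIG, SecurityWeek or Okta. The event-type strings, the simplified JSON layout, the per-user baseline of known IPs, and the log lines themselves are all constructed assumptions for illustration; adapt the field names to your real System Log export.

```python
"""Flag MFA factor activations that follow a sign-in from an unfamiliar source.

Added illustration only; not code from the original article or any vendor.
Event names and JSON layout are an assumed, simplified rendering of Okta
System Log records, and every log line below is constructed for the example.
"""
from datetime import datetime, timedelta

# Assumed event-type strings (simplified from Okta System Log conventions).
SIGNIN = "user.session.start"
FACTOR_ACTIVATE = "user.mfa.factor.activate"

# How long after a suspicious sign-in a factor activation is still tied to it.
WINDOW = timedelta(minutes=30)

# Constructed baseline: IPs each user has historically signed in from.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.20"},
    "carol@example.com": {"203.0.113.30"},
}

# Constructed sample log. alice: normal sign-in, then sign-in from a new IP,
# then a factor activated from that IP minutes later (the attacker pattern).
# bob: activation from a known IP (benign). carol: new-IP sign-in, but the
# activation comes an hour later from a known IP (outside the window).
SAMPLE_LOG = [
    {"published": "2025-01-10T09:00:00Z", "eventType": SIGNIN,
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}},
    {"published": "2025-01-10T13:05:00Z", "eventType": SIGNIN,
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.77"}},
    {"published": "2025-01-10T13:12:00Z", "eventType": FACTOR_ACTIVATE,
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.77"}},
    {"published": "2025-01-10T14:00:00Z", "eventType": SIGNIN,
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.20"}},
    {"published": "2025-01-10T14:03:00Z", "eventType": FACTOR_ACTIVATE,
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.20"}},
    {"published": "2025-01-10T10:00:00Z", "eventType": SIGNIN,
     "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "198.51.100.5"}},
    {"published": "2025-01-10T11:00:00Z", "eventType": FACTOR_ACTIVATE,
     "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "203.0.113.30"}},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, known_ips, window=WINDOW):
    """Return (user, activation_time, ip) for each factor activation that either
    comes from an IP outside the user's baseline, or follows within `window`
    a sign-in from such an IP. Events may arrive out of order; they are sorted."""
    ordered = sorted(events, key=lambda e: parse_ts(e["published"]))
    last_signin = {}  # user -> (timestamp, ip) of the most recent sign-in seen
    findings = []
    for e in ordered:
        user = e["actor"]["alternateId"]
        ts = parse_ts(e["published"])
        ip = e["client"]["ipAddress"]
        if e["eventType"] == SIGNIN:
            last_signin[user] = (ts, ip)
        elif e["eventType"] == FACTOR_ACTIVATE:
            baseline = known_ips.get(user, set())
            prior = last_signin.get(user)
            recent_new_ip_signin = (
                prior is not None
                and ts - prior[0] <= window
                and prior[1] not in baseline
            )
            if recent_new_ip_signin or ip not in baseline:
                findings.append((user, e["published"], ip))
    return findings


if __name__ == "__main__":
    for user, when, ip in find_suspicious_enrollments(SAMPLE_LOG, KNOWN_IPS):
        print(f"REVIEW: {user} activated a new MFA factor at {when} from {ip}")
```

The window and the IP baseline are the two knobs to tune: a short window catches the phish-then-enroll sequence described above, while a baseline built from a month of sign-ins keeps ordinary device refreshes from the user's usual network out of the queue. Pairing this with a helpdesk ticket check (was a reset actually requested?) is the confirmation step before revoking the factor.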
Read More: https://www.securityweek.com/google-warns-of-new-campaign-targeting-bpos-to-steal-corporate-data/