Google has published a comprehensive guide aimed at fortifying organizational defenses against UNC6040, a sophisticated threat actor known for targeting cloud environments and enterprise networks.
Emerging in late 2024, UNC6040 quickly garnered attention for its highly coordinated campaigns, which leverage advanced payload delivery methods and custom malware loaders.
Initial investigations linked the group’s activity to strategic espionage objectives, with attackers exploiting misconfigured cloud storage and weak API authentication to establish footholds across diverse environments.
In its guide, Google details the primary attack vectors employed by UNC6040, highlighting spear-phishing emails with weaponized attachments, exploitation of known web application vulnerabilities, and unauthorized use of stolen service account keys.
By chaining these tactics, UNC6040 operators achieve lateral movement and privilege escalation with minimal detection.
Google Cloud analysts noted that UNC6040 consistently abuses legitimate administrative tools—such as the Cloud SDK and gcloud CLI—to mask malicious activity and evade standard security telemetry within Google Cloud environments.
The impact of UNC6040’s operations has been profound for affected enterprises, resulting in data exfiltration, prolonged network compromises, and significant remediation costs.
Targets include organizations in the technology, defense, and telecommunications sectors, where proprietary data and intellectual property are high-value assets.
Google’s guide emphasizes the necessity of adopting a defense-in-depth approach, combining proactive threat hunting with continuous monitoring of anomalous behavior and configuration drift.
Within the guide’s technical deep dive, one essential recommendation is to deploy custom detection rules using Sigma and YARA.
For example, the following YARA rule snippet can detect UNC6040's loader binaries by matching on distinctive API invocation patterns:

```yara
rule UNC6040_Loader_Detection {
    meta:
        description = "Detect UNC6040 custom loader based on API calls"
        author = "Google Cloud Security"
    strings:
        $api1 = "NtCreateUserProcess" wide
        $api2 = "ZwQueueApcThread" wide
        $str1 = "GoogleSecurityClient" ascii
    condition:
        uint16(0) == 0x5A4D and
        2 of ($api*) and
        $str1
}
```
Persistence Tactics
A closer examination of UNC6040’s persistence tactics reveals the group’s preference for embedding malicious components into legitimate cloud-native services.
After initial compromise, UNC6040 operators commonly register forged service accounts with overly permissive roles to maintain long-term access.
These accounts are configured to execute startup scripts that download and install a custom backdoor—frequently named gtoken_agent—which communicates with command-and-control (C2) servers over encrypted channels.
Google’s guide shows that the backdoor employs a modular architecture: a primary agent for C2 communication and secondary plugins for credential harvesting and lateral movement.
Persistence is achieved by creating a covert cron job entry in the metadata server of virtual machines:

```shell
curl -X POST -H "Metadata-Flavor: Google" \
  --data '{"items":[{"key":"startup-script","value":"bash /opt/gtoken_agent/install.sh"}]}' \
  http://metadata.google.internal/computeMetadata/v1/project/attributes
```

This mechanism ensures that the gtoken_agent is reinstalled upon instance reboot, effectively preserving UNC6040's presence even after remediation efforts.
Google recommends regular audits of service account roles and metadata attributes, combined with automated validation of metadata changes, to detect and prevent such persistence techniques.
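One way to automate the audit described above, as an added example that is not part of Google's guide or tooling: the script below checks a project's common instance metadata for startup-script entries outside an approved allow list (catching the gtoken_agent installer shown earlier) and flags service accounts bound to primitive roles. The JSON samples are constructed inline and assume the shape of `gcloud compute project-info describe --format=json` and `gcloud projects get-iam-policy --format=json` output; the allow list and the service account name are hypothetical.

```python
import json

# Constructed sample resembling `gcloud compute project-info describe --format=json`
# (assumed shape; the startup-script value mirrors the persistence command above).
SAMPLE_PROJECT_INFO = json.dumps({
    "commonInstanceMetadata": {
        "items": [
            {"key": "enable-oslogin", "value": "TRUE"},
            {"key": "startup-script",
             "value": "bash /opt/gtoken_agent/install.sh"},
        ]
    }
})
# Constructed sample resembling `gcloud projects get-iam-policy --format=json`.
SAMPLE_IAM_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {"role": "roles/owner",
         "members": ["serviceAccount:sync-agent@example.iam.gserviceaccount.com"]},
    ]
})
# Hypothetical allow list of startup scripts the organisation actually deploys.
APPROVED_STARTUP_SCRIPTS = {"#! /bin/bash\napt-get update -y"}
# Primitive roles that are too broad for any service account to hold.
OVERLY_PERMISSIVE_ROLES = {"roles/owner", "roles/editor"}

def find_unapproved_startup_scripts(project_info_json):
    """Return startup-script values that are not on the approved list."""
    info = json.loads(project_info_json)
    items = info.get("commonInstanceMetadata", {}).get("items", [])
    return [i["value"] for i in items
            if i.get("key") == "startup-script"
            and i.get("value") not in APPROVED_STARTUP_SCRIPTS]

def find_overprivileged_service_accounts(iam_policy_json):
    """Return (member, role) pairs where a service account holds a primitive role."""
    policy = json.loads(iam_policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") in OVERLY_PERMISSIVE_ROLES:
            for member in binding.get("members", []):
                if member.startswith("serviceAccount:"):
                    findings.append((member, binding["role"]))
    return findings

if __name__ == "__main__":
    for script in find_unapproved_startup_scripts(SAMPLE_PROJECT_INFO):
        print("unapproved startup-script:", script)
    for member, role in find_overprivileged_service_accounts(SAMPLE_IAM_POLICY):
        print("overprivileged service account:", member, role)
```

Run it on a schedule against live `gcloud` output and alert on any non-empty result; an instance-level `metadata.items` list can be fed to the same startup-script check.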