HackRead

UNC6783 Hackers Use Fake Okta Pages in Corporate Breach Campaign


Google Threat Intelligence Group (GTIG) has issued a warning about a newly tracked group of hackers, UNC6783, that breaks into large companies to steal data and then extorts them over it. Austin Larsen, a lead analyst at GTIG, reports that the group may be linked to an individual operating under the persona Raccoon.

The hackers have so far targeted dozens of high-value organisations across a range of industries, and their route in is through Business Process Outsourcers (BPOs): third-party providers that handle tasks such as customer service and technical support on behalf of larger corporations. A compromised BPO gives the attackers a path into the systems of the client companies that are the real target of the data theft.

How the hackers trick the staff

According to Larsen, the group uses a custom phishing kit to get past the organisations' standard login protections. The attack starts with social engineering: the hackers open live chat conversations with employees, pose as helpful support staff, and send links to fake login pages that imitate the Okta sign-in used by many companies. The fake pages sit on look-alike domains, shown defanged here as zendesk-support<##>com, chosen to resemble a support vendor the target already deals with.
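As an added illustration (not code from the article or from GTIG), the following Python script shows the kind of check the look-alike domains call for: pull every URL out of a support-chat transcript and flag any host that carries a brand token such as "zendesk" or "okta" but does not belong to a registrable domain the organisation trusts. The transcript, the .example hosts and the example-corp.okta.com tenant name are all constructed for the example; the real phishing domain appears in the article only in defanged form and is not reproduced.

```python
import re
from urllib.parse import urlsplit

# Brand tokens the fake pages trade on: Zendesk-styled domains hosting an
# Okta-styled login, as described in the article. Extend for your own vendors.
BRAND_TOKENS = ("zendesk", "okta")

# Registrable domains allowed to carry those tokens. Any other host that
# mentions a brand is treated as a look-alike.
ALLOWED_DOMAINS = {"zendesk.com", "okta.com", "oktacdn.com", "oktapreview.com"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com-style look-alikes;
    use a public-suffix list for ccTLDs such as .co.uk in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """'allowed' for a trusted domain, 'lookalike' for a brand token on an
    untrusted host (including brand.com.evil.tld tricks), else 'other'."""
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) in ALLOWED_DOMAINS:
        return "allowed"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "other"


def scan_chat_transcript(lines):
    """Return [(line_no, url)] for every look-alike URL in a chat transcript."""
    findings = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            if classify_url(url) == "lookalike":
                findings.append((n, url))
    return findings


# Constructed sample transcript, not real traffic. The article gives the real
# phishing domain only in defanged form, so invented .example hosts are used.
SAMPLE_CHAT = [
    "[10:02] agent: Hi, this is IT support. We need to re-verify your Okta session.",
    "[10:03] agent: Please sign in here: https://zendesk-support.example/okta/login",
    "[10:04] user: Is that the normal page? We usually use https://example-corp.okta.com/",
    "[10:05] agent: Same thing. Afterwards approve the prompt at https://okta.com.verify-help.example/",
    "[10:06] user: ok, done",
]

if __name__ == "__main__":
    for line_no, url in scan_chat_transcript(SAMPLE_CHAT):
        print(f"line {line_no}: look-alike link {url}")
```

The brand-token test is deliberately applied to the whole hostname rather than to the registrable domain, so that okta.com.verify-help.example is caught as well as zendesk-support.example; a trusted-domain allowlist keyed on the registrable domain is what keeps the organisation's own tenant from being flagged.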

Once an employee signs in through the fake page, the attackers harvest what they need from the victim's computer clipboard and use it to register their own phones or laptops as trusted devices for the account. Enrolling an attacker-controlled device in this way gives persistent access: the hackers no longer depend on the victim and can sign back in whenever they want. Because a password reset on its own does not remove an enrolled device or authenticator, the rogue enrollment also survives the most obvious first response unless it is found and removed separately.

Fake updates and ransom notes

GTIG’s research shows the hackers use several different lures. They sometimes send messages about fake security software updates that carry a malicious installer; if the employee runs the supposed update, a Remote Access Trojan (RAT) is installed instead, giving the hackers remote control of the computer. After exfiltrating the files they want, they send ransom notes from Proton Mail addresses.

To defend against this, Mandiant and Google recommend that organisations move to physical security keys, such as Titan Security Keys, instead of relying on text-message codes. These keys implement the FIDO2 standard, which binds each credential to the legitimate site's domain: a credential registered for the real Okta site cannot be exercised from a look-alike domain, so a phishing page never receives a code or credential it can replay. They also advise monitoring live-chat transcripts and blocking suspicious links that follow the Zendesk look-alike pattern, and regularly reviewing which devices and authenticators are enrolled on each account, so that a rogue enrollment is spotted and removed rather than left in place as a back door.
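As an added example (not from the article, GTIG or Okta), the following Python script shows one way to act on the device-enrollment concern raised above and on the recommendation to review enrolled devices regularly: replay Okta System Log events and flag any factor enrollment whose source address or country does not match that user's established login history. The event-type names and field layout follow Okta's System Log API; the users, IP addresses (documentation ranges), timestamps and the "Factor" target label are constructed for the example. The design point worth noting is that the baseline excludes the most recent hour of logins, because in the attack chain described here the attacker's own phished session is the login that immediately precedes the rogue enrollment and must not be allowed to vouch for it.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Okta System Log event types for a successful login and for a new factor
# being activated. These names follow Okta's event catalogue; the article
# itself does not name them.
LOGIN = "user.session.start"
ENROLL = "user.mfa.factor.activate"


def event_time(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def audit_factor_enrollments(events, baseline_days=30, exclude_minutes=60):
    """Flag factor enrollments whose source IP or country does not appear in the
    user's login baseline. The baseline deliberately excludes logins from the
    last exclude_minutes: the attacker's phished session is typically the most
    recent login, and it must not be allowed to vouch for the enrollment."""
    logins = defaultdict(list)  # user -> [(time, ip, country)]
    findings = []
    for e in sorted(events, key=event_time):
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue
        user = e["actor"]["alternateId"]
        ip = e["client"]["ipAddress"]
        country = e["client"]["geographicalContext"]["country"]
        when = event_time(e)
        if e["eventType"] == LOGIN:
            logins[user].append((when, ip, country))
        elif e["eventType"] == ENROLL:
            baseline = [l for l in logins[user]
                        if timedelta(minutes=exclude_minutes) < when - l[0] <= timedelta(days=baseline_days)]
            known_ips = {l[1] for l in baseline}
            known_countries = {l[2] for l in baseline}
            reasons = []
            if not baseline:
                reasons.append("no login baseline for this user")
            else:
                if ip not in known_ips:
                    reasons.append(f"IP {ip} not in baseline {sorted(known_ips)}")
                if country not in known_countries:
                    reasons.append(f"country {country} not in baseline {sorted(known_countries)}")
            if reasons:
                findings.append({
                    "user": user, "time": when.isoformat(), "ip": ip,
                    # Any non-User target names the factor that was activated.
                    "factor": [t.get("displayName") for t in e.get("target", []) if t.get("type") != "User"],
                    "reasons": reasons,
                })
    return findings


def _event(kind, user, ip, country, when, factor=None):
    """Minimal event shaped like an Okta System Log entry (constructed sample)."""
    target = [{"type": "User", "displayName": user}]
    if factor:
        target.append({"type": "Factor", "displayName": factor})  # type label assumed
    return {
        "eventType": kind,
        "published": when.isoformat().replace("+00:00", "Z"),
        "outcome": {"result": "SUCCESS"},
        "actor": {"type": "User", "alternateId": user},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
        "target": target,
    }


# Constructed sample data using documentation IP ranges; not real log events.
NOW = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    _event(LOGIN, "alice@example.com", "203.0.113.10", "United States", NOW - timedelta(days=20)),
    _event(LOGIN, "alice@example.com", "203.0.113.10", "United States", NOW - timedelta(days=9)),
    _event(LOGIN, "alice@example.com", "203.0.113.10", "United States", NOW - timedelta(days=2)),
    # Phished session from a new network, then a new authenticator five minutes later.
    _event(LOGIN, "alice@example.com", "198.51.100.77", "Netherlands", NOW - timedelta(minutes=5)),
    _event(ENROLL, "alice@example.com", "198.51.100.77", "Netherlands", NOW, factor="Okta Verify"),
    # Benign: Bob enrols a new phone from the address he always signs in from.
    _event(LOGIN, "bob@example.com", "203.0.113.20", "United States", NOW - timedelta(days=14)),
    _event(LOGIN, "bob@example.com", "203.0.113.20", "United States", NOW - timedelta(days=3)),
    _event(ENROLL, "bob@example.com", "203.0.113.20", "United States", NOW + timedelta(hours=1), factor="Okta Verify"),
]

if __name__ == "__main__":
    for f in audit_factor_enrollments(SAMPLE_EVENTS):
        print(f["user"], f["time"], f["factor"], "; ".join(f["reasons"]))
```

In production the same logic would run over events pulled from the tenant's /api/v1/logs endpoint, and the baseline would normally also take the user's known devices and network provider into account; setting exclude_minutes to zero shows why the exclusion matters, since the phished login five minutes earlier would then make the Netherlands address look established.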

Industry experts’ perspectives

Industry experts shared their thoughts on these findings with Hackread.com. John Watters, CEO at iCOUNTER, believes this represents a major change in how hackers work. Watters stated: “What’s emerging with UNC6783 and the Raccoon persona is not just another social engineering campaign; it’s a deliberate strategy to enter through the ecosystem instead of attacking the enterprise head-on.”

He explained that by targeting live support channels, hackers are exploiting the trust between companies and their partners. Watters added: “Raccoon isn’t attacking companies, it’s attacking the relationships companies rely on to operate. If you’re not defending your ecosystem, you’re leaving the front door open through someone else’s system.”

Mika Aalto, Co-Founder and CEO at Hoxhunt, says that these attackers are using psychological tricks to beat strong security. “Attackers don’t need to hack through security systems when they can persuade people to open the door,” Aalto stated, suggesting that targeting helpdesk teams is very effective because they handle sensitive requests every day.

To stay safe, he recommends training employees with realistic simulations so they can spot suspicious chats and report them as soon as they happen.
