Vishing Meets Cloud: UNC6040’s Abuse of Salesforce Connected Apps for Stealthy Data Exfiltration



Have questions like these?

  • What do you know about UNC6040?
  • How does UNC6040's use of a modified Salesforce Data Loader compare to other threat actors' abuse of legitimate enterprise tools?
  • How effective are current enterprise security solutions at detecting abuse of legitimate connected apps and remote access tools?

Do they take a chunk out of your day? Would you like help with the research?

This baseline report took 10 minutes to research. It is meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work.



TL;DR

Key Points

    • UNC6040 leverages voice phishing (vishing) to socially engineer employees into authorizing malicious Salesforce Data Loader connected apps, enabling covert data exfiltration.
    • Organizations must enforce strict policy controls, multi-factor authentication (MFA), and continuous monitoring of connected app authorizations to mitigate this attack vector.
    • Like other actors who abuse legitimate remote access tools such as ConnectWise and Atera, the group works through trusted enterprise software (here, Salesforce) and legitimate credentials, which complicates detection and response.
    • Behavioral analytics, user training, and realistic vishing simulations are critical to reducing successful social engineering attacks and improving incident response.
    • Extortion attempts often follow data theft, sometimes months after the initial compromise, with attackers claiming affiliation with known cybercrime collectives.
    • Executive leadership should prioritize risk assessments, incident response planning, and integration of threat intelligence specific to UNC6040 and similar actors.

Executive Summary

UNC6040 is a financially motivated threat actor specializing in voice phishing (vishing) campaigns that abuse Salesforce Data Loader connected apps to gain unauthorized access and exfiltrate sensitive data. This novel attack vector leverages social engineering via telephone impersonation of IT support to trick employees into authorizing malicious connected apps. Similar threat actors abuse legitimate remote access tools such as ConnectWise and Atera by compromising credentials or exploiting misconfigurations. These abuses pose significant organizational and policy risks, including data breaches, compliance violations, financial extortion, and operational disruption. Executive leadership must prioritize policy enforcement, risk management, user training, and technology controls to mitigate these risks effectively.


Research & Attribution

Historical Context

UNC6040 emerged as a distinct financially motivated threat cluster in early 2025, focusing on voice phishing campaigns targeting Salesforce environments. Posing as IT support on the phone, the group walks employees through authorizing a modified Salesforce Data Loader connected app against their own Salesforce org; once the app is approved, the attacker's Data Loader queries and exports data with the victim's permissions, so the exfiltration looks like ordinary API use. UNC6040 has targeted approximately 20 organizations across hospitality, retail, education, and other sectors in the Americas and Europe. In some intrusions the group used the stolen credentials to move laterally into other cloud services such as Okta, Workplace, and Microsoft 365. Extortion attempts follow data theft, sometimes months later, with attackers claiming affiliation with the ShinyHunters group. UNC6040 shares some infrastructure and tactics with the cybercrime collective "The Com" but remains operationally distinct.

Timeline

  • Early 2025: UNC6040 activity identified and reported.
  • Mid-2025: Public exposure by Google Cloud and cybersecurity media.
  • Ongoing: Targeting of multiple organizations and extortion campaigns.

Origin

UNC6040 is a financially motivated cybercriminal group with no confirmed nation-state ties. It is linked to the broader cybercrime collective "The Com" but is distinct from other groups like UNC3944 (Scattered Spider).

Countries Targeted

  1. United States – Primary target with multiple sectors affected.
  2. United Kingdom – Significant targeting in English-speaking markets.
  3. Canada – Retail and education sectors targeted.
  4. Germany – European market targeting.
  5. Australia – Limited targeting reported.

Sectors Targeted

  1. Hospitality – High-value customer data.
  2. Retail – Transactional and customer data.
  3. Education – Sensitive personal and research data.
  4. Technology – Cloud service access.
  5. Financial Services – Data theft and extortion.

Motivation

Financial gain through data theft and extortion, leveraging social engineering and abuse of trusted enterprise tools.

Attack Types

  • Voice phishing to impersonate IT support.
  • Abuse of Salesforce Data Loader connected apps.
  • Lateral movement to cloud services.
  • Data exfiltration and extortion.

Similar Threat Actor Groups

  1. The Com – Loosely organized cybercrime collective sharing infrastructure and tactics with UNC6040.
  2. Scattered Spider (UNC3944) – Uses social engineering and targets Salesforce but employs different malware and techniques.

Comparative Analysis and Executive Insights

Organizational and Operational Tactics

UNC6040's distinguishing tactic is voice phishing that talks the victim into authorizing a malicious Salesforce connected app, so the attacker never needs to steal a password or bypass a login control. Other threat actors abusing remote access tools like ConnectWise and Atera typically compromise credentials or exploit vulnerabilities and misconfigurations to gain persistent access. Both approaches ride on trusted enterprise tools, which complicates detection.

Policy and Governance Challenges

  • Over-reliance on trusted enterprise applications without sufficient monitoring.
  • Insufficient user training on voice phishing and social engineering.
  • Weak policy enforcement on connected app authorizations and remote access tool usage.
  • Difficulty detecting abuse of legitimate credentials and tools.
  • Governance gaps in cloud access management.

Risks to Enterprise Data Security, Compliance, and Business Continuity

  • Data breaches and regulatory violations.
  • Financial losses from extortion.
  • Reputational damage.
  • Operational disruptions.

Strategic Recommendations for Executive Leadership

Policy Enforcement

  • Restrict connected app authorization to admin-approved apps so users cannot self-authorize an unknown client, and enforce MFA on all logins. Note that MFA alone does not stop this flow: the victim completes the authorization themselves, so the pre-approval control is the one that actually blocks the rogue Data Loader.
  • Apply least privilege and regular access reviews.
  • Prohibit unauthorized use of remote access and connected apps.

Risk Management

  • Conduct risk assessments focused on social engineering and tool abuse.
  • Integrate threat intelligence on UNC6040 and similar actors.
  • Develop incident response plans for voice phishing and connected app abuse.

User Training

  • Train employees on voice phishing risks.
  • Simulate vishing attacks.
  • Promote verification culture for IT support requests.

Technology Controls

  • Monitor connected app authorizations and remote access tool usage.
  • Use behavioral analytics for unusual access patterns.
  • Deploy endpoint detection and response tools.

Key Risk Indicators for Executive Oversight

  • Increase in voice phishing attempts reported by employees.
  • Unauthorized connected app authorizations in Salesforce.
  • Anomalous remote access tool usage outside business hours.
  • Delays or failures in access review processes.
  • Extortion attempts referencing stolen data.
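The monitoring controls and risk indicators above describe a detectable sequence: a connected app nobody approved is granted a token, the victim's account starts using a client it has never used, and a large volume of rows is read shortly afterwards. The script below, an added example for this report and not code from Salesforce, Google, or the original page, runs that detection over exported audit rows. Rows mimic three Salesforce sources (the OauthToken object, the LoginHistory object, and the Event Monitoring "API" log); the field names follow those objects to the best of the author's knowledge, while the allow list, thresholds, app names, and every sample row are constructed assumptions.

```python
"""Detect a fresh connected-app grant followed by a bulk pull in Salesforce audit data.

Added example, not Salesforce's or the original page's code. Field names mimic
OauthToken (AppName, UserId, CreatedDate), LoginHistory (UserId, LoginTime,
Application) and the Event Monitoring 'API' log (USER_ID, CLIENT_NAME, ENTITY_NAME,
ROWS_PROCESSED, TIMESTAMP_DERIVED). All thresholds and sample rows are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the connected apps your admins have actually approved.
APPROVED_APPS = {"Salesforce for Outlook", "Dataloader Bulk", "Dataloader Partner"}


def ts(value):
    """Parse Salesforce UTC timestamps such as '2025-05-12T14:03:00.000Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def unapproved_tokens(tokens, approved=APPROVED_APPS):
    """OauthToken rows for apps nobody approved. A modified Data Loader shows up here
    under whatever name the attacker chose, so allow-list rather than block-list."""
    return [t for t in tokens if t["AppName"] not in approved]


def first_time_clients(logins, baseline_days=90):
    """Logins where the user has prior history but never used this Application inside
    the baseline window. Match on novelty, not on the label: a stock Data Loader logs
    as 'Dataloader Bulk/Partner', a trojanised one under its own connected-app name."""
    by_user = defaultdict(list)
    for row in sorted(logins, key=lambda r: ts(r["LoginTime"])):
        by_user[row["UserId"]].append(row)
    hits = []
    for rows in by_user.values():
        for i, row in enumerate(rows):
            if i == 0:  # no history for this user yet, nothing to compare against
                continue
            since = ts(row["LoginTime"]) - timedelta(days=baseline_days)
            seen = {p["Application"] for p in rows[:i] if ts(p["LoginTime"]) >= since}
            if row["Application"] not in seen:
                hits.append(row)
    return hits


def bulk_pulls(api_events, rows_threshold=100_000, window=timedelta(hours=1)):
    """Sliding-window sum of ROWS_PROCESSED per (user, client). Six figures of
    Contact/Account rows read in under an hour is the exfiltration itself."""
    groups = defaultdict(list)
    for ev in sorted(api_events, key=lambda e: ts(e["TIMESTAMP_DERIVED"])):
        groups[(ev["USER_ID"], ev["CLIENT_NAME"])].append(ev)
    alerts = []
    for (user, client), evs in groups.items():
        start = total = 0
        for end, ev in enumerate(evs):
            total += ev["ROWS_PROCESSED"]
            while ts(ev["TIMESTAMP_DERIVED"]) - ts(evs[start]["TIMESTAMP_DERIVED"]) > window:
                total -= evs[start]["ROWS_PROCESSED"]  # drop events older than the window
                start += 1
            if total >= rows_threshold:
                alerts.append({"USER_ID": user, "CLIENT_NAME": client,
                               "first_seen": evs[start]["TIMESTAMP_DERIVED"], "rows": total,
                               "entities": sorted({e["ENTITY_NAME"] for e in evs[start:end + 1]})})
                break  # one alert per (user, client) is enough for triage
    return alerts


def correlate(tokens, api_events, max_gap=timedelta(hours=6), **kw):
    """High severity: an unapproved grant and a bulk pull by the same user, the pull
    starting within max_gap after the grant. That ordering is the vishing flow."""
    pulls = bulk_pulls(api_events, **kw)
    hits = []
    for tok in unapproved_tokens(tokens):
        for pull in pulls:
            gap = ts(pull["first_seen"]) - ts(tok["CreatedDate"])
            if pull["USER_ID"] == tok["UserId"] and timedelta(0) <= gap <= max_gap:
                hits.append({"UserId": tok["UserId"], "AppName": tok["AppName"],
                             "minutes_to_pull": int(gap.total_seconds() // 60),
                             "rows": pull["rows"], "entities": pull["entities"]})
    return hits


# Constructed sample data: a long-standing Data Loader user (005A1) and a vished
# employee (005B2) who authorised "IT Helpdesk Connector" (a made-up app name).
TOKENS = [
    {"AppName": "Dataloader Bulk", "UserId": "005A1", "CreatedDate": "2025-03-01T09:00:00.000Z"},
    {"AppName": "IT Helpdesk Connector", "UserId": "005B2", "CreatedDate": "2025-05-12T14:03:00.000Z"},
]
LOGINS = [
    {"UserId": "005A1", "LoginTime": "2025-03-01T09:01:00.000Z", "Application": "Dataloader Bulk"},
    {"UserId": "005A1", "LoginTime": "2025-05-12T10:00:00.000Z", "Application": "Dataloader Bulk"},
    {"UserId": "005B2", "LoginTime": "2025-04-20T08:00:00.000Z", "Application": "Browser"},
    {"UserId": "005B2", "LoginTime": "2025-05-12T08:05:00.000Z", "Application": "Browser"},
    {"UserId": "005B2", "LoginTime": "2025-05-12T14:05:00.000Z", "Application": "IT Helpdesk Connector"},
]
API_EVENTS = [
    {"USER_ID": "005A1", "CLIENT_NAME": "Dataloader Bulk", "ENTITY_NAME": "Lead", "ROWS_PROCESSED": 5000, "TIMESTAMP_DERIVED": "2025-05-12T10:02:00.000Z"},
    {"USER_ID": "005B2", "CLIENT_NAME": "IT Helpdesk Connector", "ENTITY_NAME": "Contact", "ROWS_PROCESSED": 60000, "TIMESTAMP_DERIVED": "2025-05-12T14:06:00.000Z"},
    {"USER_ID": "005B2", "CLIENT_NAME": "IT Helpdesk Connector", "ENTITY_NAME": "Account", "ROWS_PROCESSED": 50000, "TIMESTAMP_DERIVED": "2025-05-12T14:12:00.000Z"},
    {"USER_ID": "005B2", "CLIENT_NAME": "IT Helpdesk Connector", "ENTITY_NAME": "Case", "ROWS_PROCESSED": 40000, "TIMESTAMP_DERIVED": "2025-05-12T14:20:00.000Z"},
]

if __name__ == "__main__":
    for alert in correlate(TOKENS, API_EVENTS):
        print(alert)
```

The three checks are deliberately independent so each can feed a SIEM rule on its own: the allow-list check fires at authorization time, before any data moves; the novelty check fires on the first login through the new client; the volume check fires on the export. `correlate` is the high-severity rule that ties a grant to a pull by the same user within a few hours, which is the sequence a vishing call produces. On the constructed rows it flags the 005B2 grant with a pull of 110,000 Account and Contact rows beginning three minutes after authorization, and stays quiet for the established Data Loader user.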

Questions for the Board

  • Are policies in place to strictly control connected app authorizations and remote access tools?
  • How is user training addressing emerging social engineering threats like voice phishing?
  • What monitoring and detection capabilities exist for abuse of legitimate enterprise tools?
  • How are incident response plans adapted to address these specific threat vectors?

Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps

(Subscribers Only)
