Google has revealed details of a financially motivated threat cluster that it said to “specialize” in its “specialize” campaign for voice phishing (aka) campaigns designed to violate your organization’s Salesforce instances due to large-scale data theft and subsequent fear torture.
Tech Giant’s Threat Intelligence Team tracks activities under Monica UNC6040said it exhibits characteristics consistent with threat groups that have ties to online cybercrime groups known as com.
“Over the past few months, UNC6040 has demonstrated repeated success in violating the network by having operators impersonate IT support personnel when persuading phone-based social engineering engagement,” the company said in a report shared with Hacker News.
The approach, added by Google’s Threat Intelligence Group (GTIG), benefits from encouraging English-speaking employees to take actions that provide threat access or to share valuable information such as credentials and to carry out actions that are used to promote theft of data.
Notable aspects of UNC6040 activity include the use of a modified version of Salesforce Data Loader in which victims are deceived to be authorized to connect to the organization’s Salesforce portal during a billing attack. Data Loader is an application used to import, export and update data in bulk within the Salesforce platform.
Specifically, the attacker will guide the target to access the Setup page of the Connected app in Salesforce and approve the modified version of the Data Loader app with a different name or branding (such as “My Ticket Portal”) from its legitimate counterpart. This action allows unauthorized access to Salesforce’s customer environment and data data.
Beyond data loss, the attack acts as a stepping stone for UNC6040 to move laterally through the victim’s network, accessing and harvesting information from other platforms such as OKTA, workplace, and Microsoft 365.
The selected incident also includes the activity of fear tor, but only “a few months” after the first intrusion was observed, indicating an attempt to work with a second threat actor to monetize stolen data and make profits.
“In these attempts at terror, the actor claimed a relationship with the famous hacking group Shinyhunters.
UNC6040 overlaps with groups linked to groups related to the use of OKTA credential targeting and social engineering through IT support. This is a tactic that has been embraced by another financially motivated threat actor who is part of a loose knit organized group.
In March 2025, the Vising Campaign used social engineering tactics to assist with calls, impersonating IT personnel to place qualifications and approve modified data loader apps, and using social engineering tactics to warn threat actors.
“They are reportedly directing customer employees and third-party support workers to phishing pages designed to steal credentials and MFA tokens, and urge users to navigate to the login.salesforce(.)com/setup/connect page.
“In some cases, it has been observed that malicious connected apps are modified versions of data loader apps that are published under different names and/or brands. When threat actors access a customer’s Salesforce account or add a connected app, they use the connected app to use them for data.”
This development not only highlights the continued sophistication of social engineering campaigns, but also shows that it is increasingly targeted as a way for IT support staff to gain early access.
“The success of campaigns like UNC6040 leverages these sophisticated vising tactics to show that this approach is an effective threat vector for financially motivated groups seeking to violate the organization’s defenses,” Google said.
“Given the long time frame between early compromises and fear tor, multiple victim organizations and potentially downstream victims could face demand for fear tor in the coming weeks or months.”
