UNC6783 Exploits BPOs for Data Extortion via Phishing Campaigns

UNC6783 Exploits BPOs for Data Extortion via Phishing Campaigns

First seen 8 Apr 2026, 22:16 UTC CybersecuritydiveBleepingcomputerInfosecurity-MagazineThecyberexpressTheregister+1 88% similarity 72.5

Article Content

Browse articles
ThreatCluster

The Google Threat Intelligence Group (GTIG) reported that a financially motivated cybercriminal group, UNC6783, is targeting business process outsourcing (BPO) companies to infiltrate high-value organizations across various sectors. The group employs social engineering and phishing tactics, particularly through live chat, to compromise BPOs and gain access to sensitive data. Attackers direct employees to spoofed Okta login pages hosted on domains resembling legitimate ones, often using the pattern [.]zendesk-support [.]com. They utilize advanced phishing kits capable of stealing clipboard contents to bypass multi-factor authentication (MFA). Following data exfiltration, ransom notes are sent via ProtonMail accounts. The campaign has already affected several dozen companies, with notable claims of a breach at Adobe involving the theft of 13 million support tickets. Google’s Mandiant division has recommended defensive measures, including the use of FIDO2 hardware keys for MFA and monitoring live chat systems for suspicious activity.

Key Points: • UNC6783 targets BPOs to access sensitive data of high-value companies. • Attackers use phishing kits to bypass MFA and gain persistent access. • Ransom notes are sent via ProtonMail after data exfiltration.

ThreatCluster AI

Timeline

2026-04-07
GTIG reports on UNC6783's phishing campaigns targeting BPOs.
2026-04-09
Multiple articles published detailing UNC6783's tactics and impact.
Recent
Adobe breach claimed by 'Mr. Raccoon' linked to UNC6783.

Community

Browse all →