A threat actor known as UNC6783 is targeting business process outsourcing (BPO) providers as an initial attack vector to infiltrate high-value organizations across multiple industries, according to the Google Threat Intelligence Group (GTIG).
Security researchers say dozens of companies have already been affected, with attackers exploiting BPO relationships to access sensitive corporate data and carry out extortion schemes. UNC6783 primarily uses social engineering and phishing campaigns, often tricking BPO employees into handing over credentials or access.
In some cases, the attackers have directly contacted internal IT support and helpdesk staff to manipulate them into granting system access. The group has also used live chat platforms to direct employees to fake login pages designed to mimic legitimate authentication portals, including those associated with Okta.
Researchers found phishing domains mimicking trusted services, in particular Zendesk support portals. Once credentials are captured, a sophisticated phishing kit can extract clipboard data, enabling attackers to bypass multi-factor authentication and register their own devices within compromised systems.
The group has also been observed distributing fake security updates that install remote access malware. After obtaining valuable data, victims are contacted via encrypted email services such as ProtonMail and pressured to pay ransom demands.
UNC6783 may be linked to a cybercriminal persona known as “Raccoon,” who has reportedly targeted multiple BPO providers. Recently, an individual using the alias “Mr. Raccoon” claimed responsibility for a breach involving Adobe, alleging that millions of sensitive records were stolen after compromising an India-based outsourcing partner. However, the company has not confirmed the incident.
To strengthen defenses against this threat, organizations are advised to adopt phishing-resistant MFA using hardware security keys, especially for high-risk roles. Organizations should also educate staff and closely monitor live chat interactions for suspicious activity, while proactively blocking unauthorized domains that mimic trusted services. Additionally, it is important to detect and alert on any unauthorized software execution, particularly files downloaded during support sessions, and to regularly audit newly added MFA devices to prevent unauthorized access.
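Two of the recommendations above (blocking lookalike domains and auditing newly added MFA devices) can be turned into simple automated checks. The following is an added illustration, not code from GTIG or from any vendor; the event labels, the trusted-domain table and the sample records are all constructed for the example.

```python
"""Defensive checks for the lookalike-domain and new-MFA-device points above (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Brands the report says were impersonated, mapped to their legitimate registrable domains.
# Assumed table for the example; extend it with the services your organization actually uses.
TRUSTED = {"okta": {"okta.com"}, "zendesk": {"zendesk.com"}}

def is_lookalike(host: str) -> bool:
    """True if host borrows a trusted brand name but is not under that brand's own domain."""
    host = host.lower().rstrip(".")
    squashed = host.replace("-", "").replace("_", "")
    for brand, legit in TRUSTED.items():
        if brand in squashed and not any(host == d or host.endswith("." + d) for d in legit):
            return True
    return False

@dataclass
class Event:
    ts: datetime
    kind: str      # constructed labels, not any real identity provider's event type strings
    user: str
    detail: str

WINDOW = timedelta(hours=24)  # assumed review window after a helpdesk-assisted reset

def suspicious_enrollments(events: list[Event]) -> list[tuple[str, str]]:
    """Return (user, factor) for MFA factors activated within WINDOW after a
    helpdesk-assisted reset for the same user. These are the enrollments that an
    attacker who talked a helpdesk into a reset would create, so they get manual review."""
    resets: dict[str, list[datetime]] = {}
    for e in events:
        if e.kind == "helpdesk.reset":
            resets.setdefault(e.user, []).append(e.ts)
    flagged = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "mfa.factor.activate" and any(
            timedelta(0) <= e.ts - t <= WINDOW for t in resets.get(e.user, [])
        ):
            flagged.append((e.user, e.detail))
    return flagged

SAMPLE = [  # constructed telemetry, not real logs
    Event(datetime(2025, 1, 6, 9, 0), "helpdesk.reset", "alice", "password reset via live chat"),
    Event(datetime(2025, 1, 6, 9, 12), "mfa.factor.activate", "alice", "new TOTP authenticator"),
    Event(datetime(2025, 1, 6, 10, 0), "mfa.factor.activate", "bob", "hardware security key"),
]

if __name__ == "__main__":
    print(suspicious_enrollments(SAMPLE))   # [('alice', 'new TOTP authenticator')]
    print(is_lookalike("okta-login.example"), is_lookalike("login.okta.com"))  # True False
```

In practice the events would come from the identity provider's audit log and the host list from proxy or DNS telemetry; the logic stays the same.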