
TL;DR
- Hackers (UNC6040) are using a modified Salesforce Data Loader app to steal data and extort global companies
- Voice phishing (“vishing”) tactics trick employees into installing backdoored applications
- About 20 organizations affected, some suffering data loss; hackers linked to “The Com” cybercrime network
Attackers across Europe and the Americas are executing a sophisticated campaign, attributed by Google to a group it tracks as UNC6040, that tricks employees into installing a modified version of Salesforce’s Data Loader tool. This grants hackers deep access to corporate cloud systems for data theft and extortion.
Sophisticated Vishing Attacks Trigger Data Breaches
Google’s Threat Intelligence Group reveals attackers deploy voice phishing (vishing) calls to persuade employees into approving a fake “connected app” mimicking Salesforce’s Data Loader. Once granted access, hackers can query, exfiltrate, and manipulate sensitive data inside Salesforce environments.
This access often leads to lateral moves across systems—compromising other cloud services and internal corporate networks, amplifying the potential damage.
Gang Ties and Global Reach
The infrastructure behind UNC6040 suggests affiliation with “The Com”, a loose cybercrime collective known for criminal and occasionally violent operations. Google reports that about 20 organizations across Europe and the Americas have been targeted in recent months—some experiencing confirmed data breaches.
Salesforce Weighs In: No Platform Vulnerability
Salesforce has reassured stakeholders, stating that the campaign targets human vulnerabilities—not product flaws. A spokesperson told Reuters there’s “no indication the issue described stems from any vulnerability inherent in our platform,” calling it a classic social-engineering scam.
Salesforce confirmed it had alerted customers through a March 2025 blog post warning about vishing and maliciously altered Data Loader apps, emphasizing that so far only a limited number of users have been affected.
UNC6040 Campaign Summary
| Element | Details |
| --- | --- |
| Threat Group | UNC6040 (Google TI Group) |
| Attack Method | Modified Data Loader + voice‑phishing |
| Affected Regions | Europe and Americas |
| Organizations Targeted | ~20 (some data stolen) |
| Linked Network | “The Com” cybercrime collective |
| Platform Status | No Salesforce platform vulnerabilities found |
| Public Advisory | March 2025 blog post from Salesforce |
Sources: Google via Reuters, Reuters report
Why This Campaign Is Particularly Dangerous
- Direct access: Once the app is approved, hackers bypass typical corporate protections, pulling data directly from Salesforce.
- Social-engineering prowess: Vishing puts the onus on employee training—hacking isn’t breaking code, it’s exploiting trust.
- Extortion leverage: With deep access to cloud environments, attackers can threaten public leaks or data corruption to extract payments.
Organizations relying on Salesforce must urgently review internal controls and multi-layer defenses.
What Companies Should Do Now
- Employee awareness training must include simulated vishing calls.
- Connected app approvals should require admin-side validation, not just user consent.
- Real-time monitoring for new app integrations in Salesforce environments.
- Multi-factor authentication (MFA) enforcement for all privileged and non-standard app access.
- Incident response readiness: integrate cross-system intrusion and lateral movement detection, not just cloud perimeter alerts.
These steps can reduce risk—but only if applied proactively.
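The monitoring item above can be made concrete with a small detection pass over connected-app login records. This is an added example, not code from the article or from Salesforce: it assumes records shaped like a subset of Salesforce LoginHistory fields (Application, LoginType, Status, UserId, SourceIp, LoginTime), an org-maintained allowlist of approved connected apps, and constructed sample data. It flags successful OAuth logins from apps that are not on the allowlist, and raises severity when the app name merely resembles "Data Loader", which is the lure this campaign uses.

```python
import re

# Connected apps this org has deliberately approved (constructed allowlist; an assumption).
APPROVED_APPS = {"Dataloader Partner", "Salesforce for Android"}
OAUTH_LOGIN_TYPE = "Remote Access 2.0"  # LoginHistory.LoginType used for connected-app logins (assumed)

def normalize(name):
    """Collapse case, spaces and punctuation so 'Data-Loader' and 'dataloader' match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def is_lookalike(app_name):
    """True for a name that reads like Data Loader but is not an approved app."""
    return "dataloader" in normalize(app_name) and app_name not in APPROVED_APPS

def audit_connected_app_logins(records):
    """Return alerts for successful OAuth logins from unapproved or lookalike connected apps."""
    alerts, seen_apps = [], set()
    for r in records:
        if r["LoginType"] != OAUTH_LOGIN_TYPE or r["Status"] != "Success":
            continue  # interactive browser logins and failures are out of scope here
        app = r["Application"]
        first_seen = app not in seen_apps
        seen_apps.add(app)
        if is_lookalike(app):
            sev, why = "HIGH", "connected app name mimics Data Loader"
        elif app not in APPROVED_APPS:
            sev, why = "MEDIUM", "connected app not on approval list"
        else:
            continue
        if first_seen:
            why += "; first appearance in this log window"
        alerts.append({"severity": sev, "user": r["UserId"], "app": app,
                       "ip": r["SourceIp"], "time": r["LoginTime"], "reason": why})
    return alerts

# Constructed sample records (not real log data); fields mirror a subset of Salesforce LoginHistory.
SAMPLE_LOGINS = [
    {"LoginTime": "2025-06-02T09:14:00Z", "UserId": "005xx000001A", "Application": "Dataloader Partner",
     "LoginType": OAUTH_LOGIN_TYPE, "Status": "Success", "SourceIp": "203.0.113.10"},
    {"LoginTime": "2025-06-02T10:02:00Z", "UserId": "005xx000001B", "Application": "Data-Loader",
     "LoginType": OAUTH_LOGIN_TYPE, "Status": "Success", "SourceIp": "198.51.100.7"},
    {"LoginTime": "2025-06-02T10:05:00Z", "UserId": "005xx000001B", "Application": "Browser",
     "LoginType": "Application", "Status": "Success", "SourceIp": "198.51.100.7"},
    {"LoginTime": "2025-06-02T11:30:00Z", "UserId": "005xx000001C", "Application": "Reporting Helper",
     "LoginType": OAUTH_LOGIN_TYPE, "Status": "Success", "SourceIp": "192.0.2.44"},
]

if __name__ == "__main__":
    for alert in audit_connected_app_logins(SAMPLE_LOGINS):
        print(alert)
```

In practice the records would be pulled on a schedule from the org's login history and the allowlist kept in step with the admin-side approval process, so a lookalike name approved through a vishing call surfaces as a HIGH alert on its first use.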
Google’s Role and Larger Cyber Threat Trends
Google’s disclosure highlights how advanced persistent threats now target cloud-native platforms through human-centric breaches. Its Threat Intelligence Group has repeatedly stressed that defending against adversaries like UNC6040 and “The Com” depends on fundamental protections: awareness, verification, and layered controls.
Broader Implications for Cloud Security
This incident sends a stark message: enterprises cannot rely solely on secure platforms. As cloud ecosystems become more complex, attackers are shifting to user-targeted social engineering and wolf-in-sheep’s-clothing app compromises. Traditional endpoint and network protections may miss the weak point at the user-platform interface.
Looking Ahead: Implications for the Workforce and Regulation
- Cyber-insurance premiums and compliance thresholds may soon mandate vishing-aware policies.
- Engineering access policies will need higher oversight across emerging SaaS ecosystems.
- Regulators may expand requirements around software supply chain integrity toward app-store analogues in database and SaaS ecosystems.
Conclusion
The UNC6040 campaign is a warning sign: even leading SaaS environments remain vulnerable—not to zero-days, but to well-crafted social engineering. As this threat evolves, CIOs, CISOs, and security teams must elevate user validation, app governance, and real-time monitoring to protect against silent intruders.