UNC6040 Campaign Exploits Salesforce Data Loader in Voice Phishing Attacks
A financially motivated threat cluster tracked as UNC6040 has been observed executing voice phishing (vishing) campaigns against multinational corporations, targeting their Salesforce instances for data theft and eventual extortion. The activity, documented by Google's Threat Intelligence Group (GTIG), leverages social engineering to trick employees, often in English-speaking branches, into granting unauthorized access. The attackers impersonate IT support staff during phone calls, instructing victims to connect a modified version of Salesforce’s Data Loader to the company’s Salesforce environment. Domains hosting these modified tools are disguised to appear legitimate, often named to align with internal support systems such as “My Ticket Portal.” According to GTIG, “this approach has proven particularly effective in tricking employees… into actions that grant the attackers access or lead to the sharing of sensitive credentials.” Importantly, these campaigns exploit no vulnerability in Salesforce itself but depend entirely on social engineering end users.
Once connected, the modified Data Loader provides attackers with the ability to query and export sensitive data directly from Salesforce. GTIG reports varied exfiltration tactics across incidents. "In one instance, a threat actor used small chunk sizes for data exfiltration from Salesforce but was only able to retrieve approximately 10% of the data before detection and access revocation. In another case, numerous test queries were made with small chunk sizes initially. Once sufficient information was gathered, the actor rapidly increased the exfiltration volume to extract entire tables," reports GTIG. After compromising Salesforce, UNC6040 moves laterally to other SaaS platforms such as Okta and Microsoft 365, expanding access to internal communications, authorization tokens, and business documents. The use of infrastructure overlapping with previously known phishing activity and VPN services like Mullvad further obfuscates the threat actors’ operations. These tactics align with behaviors observed in other groups linked to “The Com,” a loosely affiliated underground network.
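The exfiltration pattern GTIG describes above (a run of small test queries, then a sudden jump to whole-table pulls) and the abuse of a legitimate bulk tool by users who have no business running it are both things a defender can look for in Salesforce API activity. The script below is an added example, not GTIG's or Salesforce's code; it runs over a constructed CSV sample whose column names (TIMESTAMP, USER_ID, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED) are assumptions loosely modelled on Salesforce event-log exports, and the thresholds, user IDs and the approved-user list are illustrative.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real export). Column names are assumptions
# modelled on Salesforce event-log API rows. u01 probes four objects with tiny
# queries and then pulls whole tables; u02 is an approved data admin doing
# routine loads; u03 never touches a bulk tool.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
2025-05-01T09:00:00Z,u01,Salesforce Data Loader,Account,50
2025-05-01T09:02:00Z,u01,Salesforce Data Loader,Contact,50
2025-05-01T09:04:00Z,u01,Salesforce Data Loader,Opportunity,50
2025-05-01T09:06:00Z,u01,Salesforce Data Loader,Account,100
2025-05-01T09:15:00Z,u01,Salesforce Data Loader,Account,250000
2025-05-01T09:20:00Z,u01,Salesforce Data Loader,Contact,900000
2025-05-01T10:00:00Z,u02,Salesforce Data Loader,Account,2000
2025-05-01T10:30:00Z,u02,Salesforce Data Loader,Account,2000
2025-05-01T11:00:00Z,u03,Reports UI,Case,30
"""


def parse_log(text):
    """Parse CSV text into chronologically sorted event dicts."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(rec["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": rec["USER_ID"],
            "client": rec["CLIENT_NAME"],
            "entity": rec["ENTITY_NAME"],
            "rows": int(rec["ROWS_PROCESSED"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def probe_then_surge(events, probe_max_rows=500, min_probes=3, surge_factor=100):
    """Flag users whose early queries are all small and who then jump in volume.

    A query counts as a probe when it returns at most probe_max_rows rows. Once a
    user has issued min_probes probes, any query returning at least surge_factor
    times the largest probe is reported. Returns
    {user: [(timestamp, entity, rows, largest_prior_probe), ...]}.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        probes = 0
        largest_probe = 0
        for e in evs:
            if e["rows"] <= probe_max_rows:
                probes += 1
                largest_probe = max(largest_probe, e["rows"])
            elif probes >= min_probes and e["rows"] >= surge_factor * max(largest_probe, 1):
                alerts.setdefault(user, []).append(
                    (e["ts"], e["entity"], e["rows"], largest_probe))
    return alerts


def unexpected_loader_use(events, approved_users, loader_clients=("Salesforce Data Loader",)):
    """Total rows moved through a bulk tool by users not on the approved list.

    Data Loader is an administrative tool; ordinary end users driving it is the
    signal this campaign relies on. Returns {user: total_rows}.
    """
    flagged = defaultdict(int)
    for e in events:
        if e["client"] in loader_clients and e["user"] not in approved_users:
            flagged[e["user"]] += e["rows"]
    return dict(flagged)


def analyze(text=SAMPLE_LOG, approved_users=frozenset({"u02"})):
    """Run both checks over a log and return (surge_alerts, loader_alerts)."""
    events = parse_log(text)
    return probe_then_surge(events), unexpected_loader_use(events, approved_users)


if __name__ == "__main__":
    surges, loaders = analyze()
    for user, hits in surges.items():
        for ts, entity, rows, prior in hits:
            print(f"SURGE  {user} {ts:%H:%M} {entity}: {rows} rows after probes of <= {prior}")
    for user, total in loaders.items():
        print(f"LOADER {user}: {total} rows via bulk tool without approval")
```

In the sample, u01 trips both checks: four probes of at most 100 rows are followed by 250,000- and 900,000-row pulls, and u01 is not an approved Data Loader user. u02's steady 2,000-row loads never count as probes, so no surge is reported for an admin doing routine work. In production the approved list would come from the org's role assignments, and the surge thresholds should be tuned against a baseline of normal bulk activity so that legitimate large loads by authorized users do not page anyone.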
The campaign has also included delayed extortion tactics. In many observed cases, demands for payment are made months after the initial intrusion. GTIG notes that during these extortion attempts, actors have claimed affiliation with the ShinyHunters group, likely as a means of increasing psychological pressure on the victim. This group has previously been associated with large-scale data breaches including the Snowflake and PowerSchool incidents. GTIG assesses that this delay may indicate a handoff from UNC6040 to a secondary actor focused on monetizing the stolen data. Such a strategy allows for a slower and more deliberate exfiltration operation without immediately alerting the victim organization to follow-on extortion efforts.
The attack methods deployed in this campaign reflect a growing emphasis on abusing legitimate administrative tools. The Salesforce Data Loader, designed for large-scale data operations, becomes a key vector when misused through social engineering. GTIG emphasizes that “in all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.” Social engineering remains central to most critical intrusions, as this campaign's execution under the direction of another threat group shows.