The warning came from Austin Larsen, principal threat analyst at Google Threat Intelligence Group, who said the attackers focus first on BPO providers serving major companies and, in some cases, go straight after support and helpdesk staff inside the victim organisations themselves. According to Google’s description, the aim is to gain trusted access rather than force entry through a heavily defended perimeter. That makes the campaign notable not only for its technical elements, but for its exploitation of routine support workflows that many companies depend on every day.
Google said the operation relies heavily on social engineering. Staff are approached through live chat and steered towards spoofed Okta login pages hosted on domains designed to resemble official support infrastructure, often using a pattern that imitates Zendesk-style naming. Once a victim enters credentials, the attackers use a phishing kit that can steal clipboard contents, helping them bypass standard multi-factor authentication checks and enrol their own devices for ongoing access. Google also said it has seen the group use fake security software updates to trick victims into installing remote-access malware. After data is taken, ransom notes have been delivered through Proton Mail accounts.
The case underlines how enterprise cyber risk is expanding beyond direct attacks on a company’s own network. BPOs, call centres and support contractors often sit close to customer records, ticketing systems, internal admin tools and identity platforms, yet may not always receive the same scrutiny as core production systems. By compromising those channels, attackers can gain a credible identity inside the trust chain. That model echoes tactics used by other financially motivated groups, including UNC3944, better known through overlap with Scattered Spider, which Google and other security firms have said routinely prey on large helpdesks, outsourced IT functions and identity-reset procedures.
Google’s earlier hardening guidance on UNC3944 described a pattern of attacks against sectors including financial services, technology, telecommunications, retail, hospitality, media and BPO operations, with a particular focus on organisations that maintain large helpdesk and outsourced IT functions. CrowdStrike has likewise said helpdesk personnel and privileged users remain common targets in social-engineering-led intrusions, especially where password resets, MFA changes and remote-access approvals can be manipulated under pressure. The overlap does not mean UNC6783 and UNC3944 are the same actor, but it does show that the helpdesk has become a frontline target in extortion campaigns.
Attention has also centred on Google’s reference to a possible link between UNC6783 and the “Raccoon” persona. Independent cyber outlets said that persona had claimed responsibility for stealing a large body of Adobe-related data via a third-party BPO, though those claims remain allegations and Adobe had not publicly confirmed them in the reporting reviewed. That distinction matters. In cyber incidents, attacker claims can exaggerate scale or impact, and security researchers usually treat them as leads rather than settled fact unless corroborated by the victim or by forensic evidence.
For companies, the practical lesson is less about one named cluster than about structural exposure. Security teams have spent years strengthening endpoint detection, patching and network monitoring, yet many still rely on people-driven verification at precisely the points attackers now target: account recovery, identity proofing and support escalation. Google’s guidance for comparable threat activity has stressed stronger identity verification for helpdesk interactions, tighter controls on MFA resets and device enrolment, removal of SMS or email-based authentication where possible, and wider use of phishing-resistant methods. CISA has also promoted phishing-resistant MFA as a core defensive measure as identity attacks become more sophisticated.
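One way to operationalise the guidance above on tighter control of MFA resets and device enrolment is to alert when an account enrols a new MFA factor shortly after signing in from a network location it has never used before, which is the pattern a stolen-credential-plus-enrolment intrusion produces. The following is an added example written for this article, not code from Google, Okta or any vendor named here. The log lines and the baseline of known IPs are constructed; the event type strings follow Okta's system log naming as an assumption, but the field layout is simplified and should be mapped to whatever your identity provider actually emits.

```python
"""Flag MFA factor enrolments that follow a sign-in from a source IP the account
has never used. Sample events and the baseline are constructed for this example in a
simplified, Okta-system-log-like shape; they are not real telemetry."""
import json
from datetime import datetime, timedelta

# Constructed baseline: source IPs each account has previously signed in from.
# In practice this would be built from weeks of historical sign-in events.
BASELINE_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"198.51.100.7"},
}

# Constructed events, one JSON object per line. "eventType" values are assumed to
# mirror the identity provider's naming; the other fields are simplified.
SAMPLE_LOG = """\
{"published": "2024-06-03T09:00:00+00:00", "eventType": "user.session.start", "actor": "alice@example.com", "client_ip": "203.0.113.10"}
{"published": "2024-06-03T09:05:00+00:00", "eventType": "user.mfa.factor.activate", "actor": "alice@example.com", "client_ip": "203.0.113.10", "factor": "push"}
{"published": "2024-06-03T10:12:00+00:00", "eventType": "user.session.start", "actor": "bob@example.com", "client_ip": "192.0.2.44"}
{"published": "2024-06-03T10:15:00+00:00", "eventType": "user.mfa.factor.activate", "actor": "bob@example.com", "client_ip": "192.0.2.44", "factor": "push"}
{"published": "2024-06-03T11:00:00+00:00", "eventType": "user.session.start", "actor": "carol@example.com", "client_ip": "192.0.2.99"}
{"published": "2024-06-03T13:30:00+00:00", "eventType": "user.mfa.factor.activate", "actor": "carol@example.com", "client_ip": "192.0.2.99", "factor": "sms"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["published"] = datetime.fromisoformat(ev["published"])
        events.append(ev)
    events.sort(key=lambda e: e["published"])
    return events


def find_suspicious_enrolments(events, baseline, window=timedelta(minutes=30)):
    """Return one finding per MFA factor activation that occurs within `window`
    of a session start from an IP the account had never signed in from.

    The window is a tuning choice: a legitimate user who starts working from a
    new location and enrols a factor hours later (carol in the sample) is not
    flagged by this rule alone and would need a different, lower-severity signal.
    """
    known = {user: set(ips) for user, ips in baseline.items()}
    last_login = {}   # user -> details of the most recent session start
    findings = []
    for ev in events:
        user, ip, when = ev["actor"], ev["client_ip"], ev["published"]
        if ev["eventType"] == "user.session.start":
            known_ips = known.setdefault(user, set())
            last_login[user] = {"when": when, "ip": ip, "new_ip": ip not in known_ips}
            known_ips.add(ip)   # the IP is now "seen" for later sessions
        elif ev["eventType"] == "user.mfa.factor.activate":
            login = last_login.get(user)
            if login is None:
                continue        # enrolment with no preceding session in the log
            if login["new_ip"] and when - login["when"] <= window:
                findings.append({
                    "user": user,
                    "ip": ip,
                    "factor": ev.get("factor"),
                    "minutes_after_login": (when - login["when"]).total_seconds() / 60,
                    "reason": "MFA factor enrolled shortly after sign-in from a never-seen IP",
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrolments(parse_events(SAMPLE_LOG), BASELINE_IPS):
        print(f)
```

Run against the constructed sample, only bob's enrolment is flagged: it happens three minutes after a session from an IP absent from his baseline. Alice's enrolment follows a sign-in from a known IP, and carol's comes two and a half hours after her sign-in, outside the window. A production version would key the baseline on ASN or device fingerprint as well as raw IP, since the attackers described above enrol their own devices after stealing the victim's session rather than reusing the victim's network.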
Follow Arabian Post