Hackers Exploit Salesforce Tool in New Data Extortion Campaign

A new cyberattack campaign uncovered by Google’s Threat Intelligence team reveals how attackers are increasingly blurring the lines between legitimate software tools and malicious intent. In this case, hackers exploit a Salesforce tool to infiltrate corporate environments, exfiltrate data, and launch extortion attempts against affected organizations.

Voice Phishing Leads to Compromise

The attackers, identified by Google as UNC6040, are using a combination of voice phishing and social engineering tactics to trick employees into installing a tampered version of Salesforce’s Data Loader. This tool is normally used for bulk data import and export in Salesforce environments, making it a trusted utility within many organizations.

However, the malicious variant distributed by these hackers gives them unauthorized access to sensitive internal data. Once installed, the tool opens the door to lateral movement within the network, including access to cloud services and private systems unrelated to Salesforce.

Not a Vulnerability But a Warning

Salesforce has emphasized that this campaign does not stem from a vulnerability in its platform. Instead, it highlights the effectiveness of targeted social engineering. Attackers pose as IT support personnel during calls and convince users to install the modified tool; no exploit code or platform weakness is required.

It’s a textbook example of how hackers exploit Salesforce tools not through code, but through people.

Scope of the Attack

So far, approximately 20 organizations have been targeted, with victims primarily located in Europe and the Americas. In several cases, attackers successfully exfiltrated confidential information, later demanding ransom in exchange for silence or data deletion.

Some victims reported that the attackers claimed affiliation with the ShinyHunters group, though Google believes this may have been a tactic to add psychological pressure rather than a confirmed link.

The UNC6040 Group: Blending Technical and Human Tactics

UNC6040 appears to be a financially motivated actor operating with a mix of technical sophistication and manipulation. The infrastructure they use resembles that of “The Com,” a loosely affiliated cybercrime ecosystem. While some operations were highly coordinated, Google observed inconsistency in the attackers’ proficiency, suggesting a team with varying skill levels and likely a shared playbook.

Their ability to abuse a widely trusted enterprise tool and pair it with a convincing social engineering campaign is a warning sign for organizations reliant on cloud-based platforms.

Recommendations from Salesforce and Google

Both Salesforce and Google have issued recommendations to help organizations defend against such attacks:

  • Enable multifactor authentication (MFA) across all platforms.
  • Restrict installation permissions for software and tools.
  • Implement IP allowlists to control access to critical systems.
  • Train employees to recognize social engineering, especially voice-based phishing attempts.
  • Audit third-party applications regularly to detect unauthorized installations.
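The IP-allowlist and audit recommendations above can be turned into a routine check. The following Python script is an added example, not code from the article, Salesforce or Google: it scans login-history records for successful Data Loader sessions that come from outside the approved address range or from a user not approved to run the tool. The field names mirror Salesforce's LoginHistory object (UserId, LoginTime, SourceIp, Application, Status), but every row, the allowlist and the approved-user set are constructed for illustration.

```python
import ipaddress

# Constructed sample rows modelled on Salesforce LoginHistory fields; not real data.
LOGIN_HISTORY = [
    {"UserId": "005A", "LoginTime": "2025-06-02T09:12:00Z", "SourceIp": "203.0.113.10",
     "Application": "Browser", "Status": "Success"},
    {"UserId": "005A", "LoginTime": "2025-06-02T14:03:00Z", "SourceIp": "198.51.100.7",
     "Application": "Data Loader Bulk API", "Status": "Success"},
    {"UserId": "005B", "LoginTime": "2025-06-02T14:20:00Z", "SourceIp": "203.0.113.22",
     "Application": "Data Loader Partner API", "Status": "Success"},
    {"UserId": "005C", "LoginTime": "2025-06-03T02:45:00Z", "SourceIp": "198.51.100.7",
     "Application": "Data Loader Bulk API", "Status": "Failed"},
]

# Corporate egress ranges allowed to run bulk tools (constructed allowlist).
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Hypothetical set of user IDs approved to use Data Loader at all.
APPROVED_DATA_LOADER_USERS = {"005B"}


def is_allowlisted(ip):
    """True when the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def flag_suspicious_data_loader_logins(rows, approved_users=APPROVED_DATA_LOADER_USERS):
    """Return findings for successful Data Loader logins that break policy.

    A login is flagged when the client identifies itself as Data Loader and
    either the source IP is outside the allowlist or the user is not approved
    for the tool. Failed logins are skipped here; they are still worth counting
    separately, since repeated failures can precede a successful social-
    engineering attempt.
    """
    findings = []
    for row in rows:
        if "data loader" not in row["Application"].lower():
            continue
        if row["Status"] != "Success":
            continue
        reasons = []
        if not is_allowlisted(row["SourceIp"]):
            reasons.append("source IP outside allowlist")
        if row["UserId"] not in approved_users:
            reasons.append("user not approved for Data Loader")
        if reasons:
            findings.append({"UserId": row["UserId"], "SourceIp": row["SourceIp"],
                             "LoginTime": row["LoginTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_data_loader_logins(LOGIN_HISTORY):
        print(f"{f['LoginTime']} user={f['UserId']} ip={f['SourceIp']}: {', '.join(f['reasons'])}")
```

Run against a real export, only the second constructed row would be reported, with both reasons attached.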

Lessons for the Cybersecurity Community

This incident illustrates a shift in tactics. Instead of targeting zero-day vulnerabilities or brute-forcing access credentials, attackers now focus on legitimate tools misused in malicious contexts. It reminds us that cloud security is not just about securing the platform. It’s about securing people, processes, and every piece of the ecosystem that connects them.

Organizations must continuously evaluate how tools like Salesforce are used, managed, and secured. Even the most trusted software can become an attack vector when placed in the wrong hands.

Final Thoughts

The fact that hackers exploit a Salesforce tool like Data Loader shows how social engineering continues to be one of the most effective techniques in the modern threat landscape. The technical barrier for this attack was low, but the psychological strategy was expertly crafted.

To prevent similar breaches, organizations must treat end-user education and access control as central components of their security strategy. When trust is weaponized, vigilance is the only true defense.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.