Find notable cyber news and cases, enriched with sources, timelines, and signals.

UNC6783 BPO compromise campaign targeting downstream companies

Campaign
First reported
Last updated
Happening score
H score 65
2 unique sources, 2 articles

Summary

Hide ▲

UNC6783 is an active BPO compromise campaign targeting business process outsourcers and large enterprises to reach downstream environments for extortion. The operation has hit dozens of corporate entities across multiple sectors and uses live chat social engineering, spoofed Okta login pages, and lookalike support domains such as [.]zendesk-support[redacted][.]com to steal sensitive data. The group also uses a phishing kit to steal clipboard contents and bypass MFA, then enroll attacker devices for persistent access. In some cases, it uses fake security software updates to deploy remote access malware and may send ransom notes via Proton Mail after exfiltration.

Related Happenings

Pink new extortion brand within The Com

Threat Actor Meta
H score30 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...

Silent Ransom Group US law firm IT impersonation campaign

Campaign
H score36 First: 29.05.2026 16:00 Last: 29.05.2026 16:00 Sources 1

About this happening: **Silent Ransom Group (SRG)**, also tracked as **UNC3753**, **Chatty Spider**, and **Luna Moth**, is running a **financially motivated data theft extortion campaign** against **do...

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

BlackFile vishing extortion campaign targeting retail and hospitality organizations

Campaign
H score37 First: 24.04.2026 21:26 Last: 24.04.2026 21:26 Sources 1

About this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
H score57 First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

About this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...

Timeline

  1. 09.04.2026 00:46 3 articles · 3mo ago

    UNC6783 BPO compromise campaign disclosed

    Initial Disclosure

    Google Threat Intelligence Group says UNC6783 is compromising business process outsourcing (BPO) providers to reach high-value companies across multiple sectors, using social engineering and phishing against support staff, live-chat abuse, spoofed Okta login pages on Zendesk-style domains, clipboard theft to bypass multi-factor authentication (MFA), and fake security updates to deliver remote access malware; the group has targeted dozens of corporate entities and extorts victims after exfiltrating sensitive data.

    Show sources