UNC6783 BPO compromise campaign targeting downstream companies
Campaign
Summary
Hide ▲
Show ▼
UNC6783 is an active BPO compromise campaign targeting business process outsourcers and large enterprises to reach downstream environments for extortion. The operation has hit dozens of corporate entities across multiple sectors and uses live chat social engineering, spoofed Okta login pages, and lookalike support domains such as [.]zendesk-support[redacted][.]com to steal sensitive data. The group also uses a phishing kit to steal clipboard contents and bypass MFA, then enroll attacker devices for persistent access. In some cases, it uses fake security software updates to deploy remote access malware and may send ransom notes via Proton Mail after exfiltration.
Related Happenings
Pink new extortion brand within The Com
Threat Actor Meta
H score30
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...
Pink new extortion brand within The Com
Threat Actor MetaAbout this happening: A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...
Silent Ransom Group US law firm IT impersonation campaign
Campaign
H score36
First: 29.05.2026 16:00
Last: 29.05.2026 16:00
Sources 1
About this happening:
**Silent Ransom Group (SRG)**, also tracked as **UNC3753**, **Chatty Spider**, and **Luna Moth**, is running a **financially motivated data theft extortion campaign** against **do...
Silent Ransom Group US law firm IT impersonation campaign
CampaignAbout this happening: **Silent Ransom Group (SRG)**, also tracked as **UNC3753**, **Chatty Spider**, and **Luna Moth**, is running a **financially motivated data theft extortion campaign** against **do...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
H score37
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
CampaignAbout this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
Timeline
-
09.04.2026 00:46 3 articles · 3mo ago
UNC6783 BPO compromise campaign disclosed
Initial DisclosureGoogle Threat Intelligence Group says UNC6783 is compromising business process outsourcing (BPO) providers to reach high-value companies across multiple sectors, using social engineering and phishing against support staff, live-chat abuse, spoofed Okta login pages on Zendesk-style domains, clipboard theft to bypass multi-factor authentication (MFA), and fake security updates to deliver remote access malware; the group has targeted dozens of corporate entities and extorts victims after exfiltrating sensitive data.
Show sources
- Google: New UNC6783 hackers steal corporate Zendesk support tickets — www.bleepingcomputer.com — 09.04.2026 00:46
- Google: New UNC6783 hackers steal corporate Zendesk support tickets — www.bleepingcomputer.com — 09.04.2026 00:46
- Google Warns of New Threat Group Targeting BPOs and Helpdesks — www.infosecurity-magazine.com — 09.04.2026 11:35