Cybercriminals are weaponizing a modified version of Salesforce’s Data Loader to infiltrate companies across Europe and the Americas, according to a warning from Google’s Threat Intelligence Group. The attacks, linked to the hacking group UNC6040, involve sophisticated social engineering tactics that trick employees into unknowingly granting access to malicious software.

The attackers impersonate Salesforce representatives and use voice phishing — or vishing — calls to direct employees to a fake app setup page. There, victims install a tampered version of Salesforce’s Data Loader, a legitimate tool used to import large volumes of data into Salesforce environments.
Once installed, the malicious app provides hackers with sweeping access to sensitive customer data within the compromised Salesforce instances. Beyond Salesforce, attackers often pivot to infiltrate other cloud-based services and internal systems, enabling broader data theft and extortion campaigns, a Google Cloud report indicated.
Google’s investigation ties the technical infrastructure of this campaign to a loosely connected cybercrime network known as “The Com,” notorious for its disjointed, opportunistic, and at times violent activities.
About 20 organizations have been targeted so far, with a subset reporting successful data exfiltration. A Google spokesperson noted the campaign has been active for several months, a Reuters news report said.
Salesforce, in a statement, emphasized that the threat does not stem from a vulnerability in its platform. Instead, the attack hinges on exploiting user trust and gaps in cybersecurity awareness. The company had previously warned users about such attacks in a March 2025 advisory, urging vigilance against vishing scams and unauthorized app downloads.
Mandiant has effectively reduced the risk of cyber attacks by simulating real-world voice-based social engineering tactics — especially vishing — during Red Team Assessments. By mimicking threat actors like UNC3944 and UNC6040, Mandiant has demonstrated how attackers exploit human trust to bypass security controls, such as by tricking service desks into resetting credentials or manipulating employees into authorizing malicious apps.
Through these realistic simulations, Mandiant has helped organizations uncover vulnerabilities in their employee verification processes, MFA enforcement, and overall security posture. As a result, companies have been able to strengthen their defenses, patch procedural gaps, and prepare more effectively for actual threats, significantly lowering the likelihood of successful cyber intrusions via social engineering.
As these attacks demonstrate, even trusted enterprise tools can become dangerous vectors when manipulated. The incident highlights the growing need for stronger user education and security controls to guard against evolving threats in cloud ecosystems.
InfotechLead.com News Desk