'Several dozen' high-value corporations hit by new extortion crew in helpdesk phishing spree
(2026/04/09)
- Reference: 1775754701
- News link: https://www.theregister.co.uk/2026/04/09/several_dozen_highvalue_corporations_targeted/
- Source link:
A new extortion crew has targeted “several dozen high-value” corporations through phishing and helpdesk social-engineering, according to Google.
Google Threat Intelligence Group tracks the financially motivated group as UNC6783, and in a blog post, principal threat analyst Austin Larsen [1]said that it may have ties to the "Raccoon" persona.
"We are aware of several dozen high-value corporate entities targeted across multiple sectors," Larsen wrote.
UNC6783 primarily compromises call centers and business process outsourcers (BPOs) that work with larger companies - an attack method popularized by groups like [3]Scattered Spider and [4]ShinyHunters. Once the criminals have access to the BPOs' networks, they can use stolen legitimate credentials belonging to BPO employees to break into those BPOs' customers' IT environments.
Google has also observed the extortionists targeting corporations' [7]support and helpdesk staff directly to gain access and steal sensitive data.
"The campaign relies on social engineering via live chat to direct employees to malicious, spoofed Okta login pages," Larsen said. "These domains frequently masquerade as the targeted organization using a domain pattern such as <org>[.]zendesk-support<##>[.]com."
The attackers use a custom phishing kit to bypass multi-factor authentication (MFA) by stealing clipboard contents, and then enrolling their own devices for persistent access to victim environments.
Google has also spotted the miscreants using fake security software updates to trick victims into downloading remote access malware.
Once they steal corporations' data, the crew uses Proton Mail accounts to deliver ransom notes to their victims.
When asked how many of these were successful intrusions, Larsen told The Register that “we are aware of several successful attacks as part of this campaign.”
Last week, International Cyber Digest [13]reported that Adobe was allegedly breached by an attacker calling themselves Mr. Raccoon, who reportedly gained access through an Indian BPO by first deploying a remote access tool on one employee and then phishing that worker’s manager.
The data thief claimed to have stolen 13 million support tickets with personal data, 15,000 employee records, all HackerOne submissions, internal documents, and other information.
Adobe did not immediately respond to The Register's request for comment.
According to malware hunters vx-underground, the Adobe breach [15]appears to be legitimate, and "anyone who submitted a helpdesk ticket to Adobe, or requested assistance in any capacity, could be impacted." ®
[1] https://austinlarsen.me/blog/tracking-the-raccoon-unc6783-2026-04-07/
[3] https://www.theregister.com/2025/05/21/scattered_spider_snared_financial_orgs/
[4] https://www.theregister.com/2026/03/15/telus_breach_starbucks_attack/
[7] https://www.theregister.com/2026/03/23/voice_phishing_skyrockets_as_smooth/
[9] https://www.theregister.com/2026/03/23/voice_phishing_skyrockets_as_smooth/
[10] https://www.theregister.com/2026/04/09/monthsold_adobe_reader_zeroday_uses/
[11] https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/
[12] https://www.theregister.com/2026/04/02/mercor_supply_chain_attack/
[13] https://x.com/IntCyberDigest/status/2039774692085526854
[15] https://x.com/vxunderground/status/2039788565882651132
[16] https://whitepapers.theregister.com/
I got three consecutive text messages earlier today
Giving a 6-digit code, mentioning Okta and saying to call some toll-free number if I didn't ask for that code to be sent. I didn't really pay attention other than deleting them and "reporting as spam" on my iPhone, but it sounds like that may have been connected to this scam. It was obvious they wanted me to call that number and then they'd try to fool me into doing something stupid.