UNC6783 Hackers Target Corporate Zendesk Tickets via BPO Compromises
A threat actor tracked as **UNC6783** is actively compromising Business Process Outsourcing (BPO) providers to infiltrate high-value target companies. This sophisticated campaign involves social engineering, phishing, and even direct contact with support staff to exfiltrate sensitive data for extortion.

According to the **Google** Threat Intelligence Group (GTIG), dozens of corporate entities have been targeted using this method.
**Austin Larsen**, GTIG principal threat analyst, reports that **UNC6783** typically employs social engineering and phishing campaigns to compromise BPOs working with targeted companies. However, there have been instances where the threat actors directly contacted support and helpdesk staff within targeted organizations to gain access.
Researchers suggest that **UNC6783** may be linked to **Raccoon**, a persona known for targeting multiple BPOs that provide services to large companies.
### Social Engineering Tactics
In social engineering attacks conducted via live chat, the threat actor directs support employees to spoofed **Okta** login pages. These pages are hosted on domains that impersonate the target company, following the pattern `<org>[.]zendesk-support<##>[.]com`, where `<org>` is the targeted company's name and `<##>` is a numeric suffix.
[Larsen says](http://www.linkedin.com/feed/update/urn:li:activity:7447117799153360896/) that the phishing kit deployed in these attacks can steal clipboard contents to bypass multi-factor authentication (MFA) protection, enabling the attacker to enroll their own device as an MFA factor in the organization's identity provider.
**Google** has also observed attacks where **UNC6783** distributed fake security updates to deliver remote access trojan (RAT) malware.
### Extortion and Potential Link to Adobe Breach
After successfully stealing sensitive data, the threat actor proceeds to extort victims, contacting them via **ProtonMail** addresses with payment demands.
While GTIG did not offer more information about **Raccoon**, threat intelligence account International Cyber Digest reported that someone using the alias "Mr. Raccoon" claimed a breach at **Adobe**, which the company has yet to confirm. The attacker claimed to have gained access to **Adobe** data after compromising an India-based BPO working for the company. They deployed a remote access trojan (RAT) on an employee's computer and subsequently targeted the employee's manager in a phishing attack.
Mr. Raccoon claimed to have stolen 13 million support tickets containing personal data, employee records, **HackerOne** submissions, and internal documents.
The threat actor behind the **CrunchyRoll breach** confirmed that they were also behind the **Adobe** attack, but did not provide any evidence.
### Mitigation Recommendations
**Google's Mandiant** has provided several defense recommendations against **UNC6783** attacks, including:
* Deploying FIDO2 security keys for MFA.
* Monitoring live chat for abuse.
* Blocking spoofed domains that match **Zendesk** patterns.
* Regularly auditing MFA device enrollments.
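The domain pattern reported above (`<org>[.]zendesk-support<##>[.]com`) and the recommendation to block spoofed **Zendesk**-style domains both reduce to a matching rule that can run over proxy or DNS logs. The script below is an added example written for this article, not code from **Google**, **Mandiant**, or the reporters: it normalises defanged indicators, flags hostnames that fit the lure pattern, extracts the impersonated organisation name, and builds a deny-rule regex for a given list of company names. The log format (`<timestamp> <user> <host>`) and the sample log lines are constructed for the example and are not from any real incident; note that the numeric suffix is required because that is what the reported pattern shows, and the regex can be loosened if you want to catch variants without it.

```python
"""Flag hostnames matching the <org>.zendesk-support<##>.com lure pattern."""
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# Pattern from the article: <org>[.]zendesk-support<##>[.]com, where <org> is the
# impersonated company's name and <##> is a numeric suffix.  Leading labels
# (e.g. "login.", "sso.") are tolerated so full hostnames from proxy/DNS logs
# still match.  Change \d+ to \d* if you also want to catch hosts with no digits.
SPOOF_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*(?P<org>[a-z0-9-]+)\.zendesk-support(?P<num>\d+)\.com\.?$"
)


def refang(host: str) -> str:
    """Normalise a hostname: lower-case, trim, and undo the '[.]' defanging used in IOC feeds."""
    return host.strip().lower().replace("[.]", ".")


def spoofed_org(host: str) -> Optional[str]:
    """Return the impersonated org name if host fits the lure pattern, else None."""
    m = SPOOF_RE.match(refang(host))
    return m.group("org") if m else None


def is_spoofed_zendesk_host(host: str) -> bool:
    """True when the host matches the reported <org>.zendesk-support<##>.com pattern."""
    return spoofed_org(host) is not None


# Constructed sample log lines (assumed format "<timestamp> <user> <host>";
# not taken from any real incident).
SAMPLE_LOG = [
    "2025-01-10T09:12:01Z jdoe acme.zendesk-support12.com",
    "2025-01-10T09:13:44Z jdoe acme.zendesk.com",
    "2025-01-10T09:15:02Z asmith ACME.zendesk-support3.COM",
    "2025-01-10T09:16:30Z asmith login.okta.com",
    "2025-01-10T09:18:11Z bnguyen acme.zendesk-support.com",
    "malformed line",
]


def find_spoofed_hosts(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (user, normalised_host, impersonated_org) for every line whose host matches."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip lines that do not fit the assumed format
        user, host = parts[1], parts[2]
        org = spoofed_org(host)
        if org:
            hits.append((user, refang(host), org))
    return hits


def blocklist_regex(orgs: Sequence[str]) -> str:
    """Build one regex for a proxy/DNS deny rule covering lure domains for the given org names."""
    alts = "|".join(re.escape(o.lower()) for o in orgs)
    return rf"(^|\.)({alts})\.zendesk-support\d+\.com$"


def host_blocked(host: str, orgs: Sequence[str]) -> bool:
    """Apply the deny-rule regex to a (possibly defanged) hostname."""
    return re.search(blocklist_regex(orgs), refang(host)) is not None


if __name__ == "__main__":
    for user, host, org in find_spoofed_hosts(SAMPLE_LOG):
        print(f"ALERT user={user} host={host} impersonates={org}")
    print("deny rule:", blocklist_regex(["acme", "example-corp"]))
```

Feed `find_spoofed_hosts` your own proxy or resolver export (adjusting the column split to your format), and drop the string from `blocklist_regex` into whatever regex-capable deny list your DNS filter or proxy supports. Because `refang` handles `[.]`, the same functions work directly on defanged indicator lists shared by threat intelligence feeds.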