VYPR
Breach · Published Apr 9, 2026 · Updated May 18, 2026 · 1 source

Google Warns of New Threat Group UNC6783 Targeting BPOs and Helpdesks via Live Chat

Google Threat Intelligence Group has identified UNC6783, a financially motivated threat cluster using live chat social engineering to breach BPOs and helpdesks, bypass MFA, and extort victims.

Google Threat Intelligence Group (GTIG) has issued a warning about a new financially motivated threat cluster, UNC6783, that is actively targeting business process outsourcers (BPOs) and large enterprises. The group uses sophisticated social engineering via live chat to trick employees into visiting spoofed Okta login pages, ultimately stealing sensitive data for extortion.

According to GTIG principal threat analyst Austin Larsen, UNC6783 has already hit several dozen high-value corporate entities across multiple sectors. The attackers primarily focus on BPOs but also directly target in-house helpdesk and support teams. The campaign's end goal is data theft followed by ransom demands.

The attack chain begins with social engineering over live chat, where attackers direct employees to malicious domains that mimic legitimate Okta login pages. These domains often follow a pattern such as [.]zendesk-support<##>[.]com (defanged; the <##> placeholder stands for a varying run of digits). The phishing kit used by UNC6783 is designed to bypass standard multi-factor authentication (MFA) by stealing clipboard contents (presumably a one-time code the victim has copied to paste), which lets the attackers complete the MFA challenge and enroll their own devices for persistent access.

In some cases, UNC6783 employs fake security software updates to trick users into downloading remote access malware. After exfiltrating data, the group sometimes uses Proton Mail accounts to deliver ransom notes. These tactics bear resemblance to those of other extortion-focused groups like Scattered Spider and Lapsus$.

GTIG has provided several recommendations for organizations to defend against this threat: implementing phishing-resistant MFA such as FIDO2 hardware security keys, monitoring live chat for suspicious interactions, educating employees about the campaign, proactively blocking domains that match the [.]zendesk-support[.]com pattern, monitoring for unauthorized binary execution, and regularly auditing newly enrolled MFA devices.
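Two of those recommendations, blocking the look-alike domain pattern and auditing newly enrolled MFA factors, can be turned into simple checks. The script below is an added example written for this page; it is not GTIG's or Okta's code. It assumes the <##> in the reported pattern is a run of digits (made optional so the bare form is also caught), uses a simplified Okta System Log event shape with the real `user.mfa.factor.activate` event type, and runs over constructed sample events and an assumed set of trusted corporate networks rather than real data.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Defanged pattern from the report: [.]zendesk-support<##>[.]com. Assumption:
# <##> is a short run of digits, made optional so "zendesk-support.com" is
# also matched. Any number of subdomain labels may precede it. The legitimate
# zendesk.com (and its subdomains) does not match.
LOOKALIKE_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*zendesk-support\d*\.com$", re.IGNORECASE
)


def is_lookalike_domain(host: str) -> bool:
    """True if host matches the UNC6783-style Zendesk look-alike pattern."""
    return bool(LOOKALIKE_RE.match(host.strip().rstrip(".")))


def filter_lookalikes(hosts):
    """Return the hosts (e.g. from proxy or DNS logs) that should be blocked or alerted on."""
    return [h for h in hosts if is_lookalike_domain(h)]


# Constructed, simplified Okta System Log-style events (not real data).
# user.mfa.factor.activate is the event type Okta emits when a factor is enrolled.
SAMPLE_EVENTS = [
    {"eventType": "user.mfa.factor.activate", "published": "2026-04-08T14:02:11.000Z",
     "actor": {"alternateId": "ana.lopez@example.com"},
     "client": {"ipAddress": "203.0.113.77"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.activate", "published": "2026-04-07T09:15:00.000Z",
     "actor": {"alternateId": "bob.chen@example.com"},
     "client": {"ipAddress": "10.20.30.40"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2026-04-08T14:00:00.000Z",
     "actor": {"alternateId": "ana.lopez@example.com"},
     "client": {"ipAddress": "203.0.113.77"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.activate", "published": "2026-03-01T08:00:00.000Z",
     "actor": {"alternateId": "carol.diaz@example.com"},
     "client": {"ipAddress": "198.51.100.5"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.activate", "published": "2026-04-08T16:30:00.000Z",
     "actor": {"alternateId": "dan.ng@example.com"},
     "client": {"ipAddress": "203.0.113.78"}, "outcome": {"result": "FAILURE"}},
]

# Assumed corporate / VPN egress ranges; replace with your own.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def _parse_ts(ts: str) -> datetime:
    """Parse the ISO 8601 UTC timestamp Okta uses in the 'published' field."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_new_mfa_enrollments(events, now, window_days=7, trusted=TRUSTED_NETWORKS):
    """Return successful factor enrollments inside the look-back window that
    came from an address outside the trusted networks, oldest first.
    Each hit carries the user, source IP and timestamp for a reviewer."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for ev in events:
        if ev.get("eventType") != "user.mfa.factor.activate":
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # a failed enrollment did not give the attacker a device
        if _parse_ts(ev["published"]) < cutoff:
            continue
        ip = ipaddress.ip_address(ev["client"]["ipAddress"])
        if any(ip in net for net in trusted):
            continue
        hits.append({"user": ev["actor"]["alternateId"],
                     "ip": str(ip), "published": ev["published"]})
    hits.sort(key=lambda h: h["published"])
    return hits


if __name__ == "__main__":
    now = datetime(2026, 4, 9, tzinfo=timezone.utc)
    print("block:", filter_lookalikes(
        ["help.zendesk.com", "acme.zendesk-support12.com", "zendesk-support.com"]))
    for hit in audit_new_mfa_enrollments(SAMPLE_EVENTS, now):
        print("REVIEW enrollment:", hit)
```

The enrollment audit deliberately keys on the successful activation event, not on login events: the attacker already has a valid session when the rogue factor is added, so the enrollment itself, from an unexpected network and shortly after a helpdesk or chat interaction, is the signal worth reviewing. In production the events would come from the Okta System Log API and the trusted ranges from your own network inventory.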

The emergence of UNC6783 highlights the evolving threat landscape where attackers increasingly exploit trust in helpdesk and support channels. Organizations, especially those relying on BPOs, must adapt their security measures to counter these sophisticated social engineering attacks.

Synthesized by Vypr AI