Google Reports Hackers Exploiting Altered Salesforce App to Deceive Employees and Blackmail Companies


In a concerning development, hackers have begun targeting employees at companies across Europe and the Americas by deploying a tampered version of a Salesforce-related application. According to a report released Wednesday by Google’s Threat Intelligence Group, this campaign allows attackers to extract sensitive corporate data, access additional cloud platforms, and ultimately extort organizations. The malicious operation highlights a growing trend of exploiting human error through advanced social engineering techniques.


I. Sophisticated Attack via Modified Salesforce Tool

1. Employees Tricked Into Installing Fake Data Loader

The cybercriminal group, identified as UNC6040 by Google’s researchers, has launched a campaign that manipulates employees into installing a counterfeit version of Salesforce’s Data Loader—a proprietary tool typically used to bulk import data into Salesforce systems. This altered version mimics the official tool, yet it is designed to grant hackers direct access to the company’s Salesforce environment.

2. Vishing Attacks Aid Installation

Attackers rely on “vishing,” or voice phishing calls, to deceive employees into accessing a fraudulent Salesforce app setup page. Once the fake application is approved and installed, attackers gain powerful access to query and extract large volumes of sensitive data from compromised Salesforce environments.


II. Broader Network Compromise Beyond Salesforce

1. Lateral Movement to Internal Networks

Once inside a Salesforce system, the attackers frequently use the foothold to traverse a company’s broader digital infrastructure. This includes breaching internal networks and other cloud services linked to the targeted organization. The technique amplifies the scope and damage of each attack, making containment far more difficult.

2. Ties to Known Cybercriminal Collective

Google’s analysts noted that the infrastructure used in these attacks shares indicators with a loosely associated cybercrime ecosystem known as “The Com.” This group is known for operating through smaller, fragmented units that engage in both cybercrime and occasional real-world violence, creating a unique and evolving threat landscape.

3. At Least 20 Organizations Targeted

Google confirmed that around 20 different companies have been affected by the UNC6040 campaign over recent months. A portion of these firms experienced confirmed data breaches, with attackers successfully exfiltrating confidential files and information.


III. Salesforce Responds to the Threat

1. Platform Itself Not Breached

A Salesforce spokesperson emphasized that the attacks are not the result of any vulnerabilities in their platform. Instead, the spokesperson characterized the campaign as an example of sophisticated social engineering that exploits gaps in users’ cybersecurity habits rather than flaws in Salesforce’s software or infrastructure.

2. Scope of Impact Is Limited

Although the exact number of impacted organizations remains undisclosed, Salesforce confirmed that the issue has only affected a “small subset” of its customers. The company also noted that this was not a systemic or platform-wide threat, signaling that the incidents are isolated but serious.

3. Early Warning Issued in March 2025

Salesforce had already issued a warning in March 2025 about voice phishing attacks and the dangers of modified versions of its Data Loader tool. This advisory came amid rising incidents of hackers exploiting the tool to compromise enterprise environments.


IV. The Mechanics of the UNC6040 Campaign

1. How the Fake App Works

The tampered Data Loader replicates the legitimate version but with embedded code that enables unauthorized data access. Once installed, the app can interface directly with the company’s Salesforce data, extracting customer records, transaction histories, and proprietary corporate information.
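The access pattern described here and in section I.2 (a freshly approved connected app that immediately queries whole objects) is what a defender can look for. The following is an added example, not code from Google's report or from Salesforce: a detection heuristic over constructed API event records whose field layout (timestamp, user, connected app, operation, entity, rows) and authorization inventory are assumptions, not a real Salesforce log format.

```python
"""Flag bulk reads by a recently authorized connected app.

Added example, not code from Google's report or from Salesforce. All records
below are constructed; the field layout and the authorization inventory are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: when each connected app was first authorized in the org.
APP_AUTHORIZED = {
    "Nightly ERP Sync": "2024-01-10T00:00:00Z",
    "Data Loader": "2025-06-04T13:55:00Z",   # approved minutes before first use
}

# Constructed API events: (timestamp, user, connected app, operation, entity, rows).
# The impostor reuses the legitimate tool's name; the signal is recency of
# authorization plus read volume, never the name alone.
EVENTS = [
    ("2025-06-04T09:00:12Z", "alice", "Nightly ERP Sync", "Query",   "Opportunity", 1_200),
    ("2025-06-04T14:02:40Z", "bob",   "Data Loader",      "BulkApi", "Account",     250_000),
    ("2025-06-04T14:05:11Z", "bob",   "Data Loader",      "BulkApi", "Contact",     900_000),
    ("2025-06-04T14:09:02Z", "bob",   "Data Loader",      "BulkApi", "Case",        400_000),
]

READ_OPS = {"Query", "BulkApi"}   # operations that return record data


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_apps(events, authorized, row_threshold=500_000,
                         window=timedelta(hours=1), new_app_age=timedelta(days=7)):
    """Return {app: (peak_rows, entities)} for apps that were authorized less
    than new_app_age before their first read (or are not in the inventory at
    all) and read more than row_threshold rows inside any sliding window."""
    by_app = defaultdict(list)
    for ts, _user, app, op, entity, rows in events:
        if op in READ_OPS:
            by_app[app].append((_ts(ts), entity, rows))
    alerts = {}
    for app, recs in by_app.items():
        recs.sort()
        auth = authorized.get(app)
        if auth and recs[0][0] - _ts(auth) > new_app_age:
            continue  # long-standing integration: high volume is expected there
        start, running, peak, entities = 0, 0, 0, set()
        for ts, entity, rows in recs:
            running += rows
            entities.add(entity)
            while ts - recs[start][0] > window:   # drop reads older than the window
                running -= recs[start][2]
                start += 1
            peak = max(peak, running)
        if peak > row_threshold:
            alerts[app] = (peak, sorted(entities))
    return alerts


if __name__ == "__main__":
    for app, (rows, ents) in find_suspicious_apps(EVENTS, APP_AUTHORIZED).items():
        print(f"ALERT {app}: {rows} rows read from {ents} by a newly authorized app")
```

The long-running ERP integration is ignored despite its volume, while the app approved minutes earlier trips the alert; in practice the inventory would come from the platform's connected-app records rather than a hard-coded dict.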

2. Leveraging Human Vulnerabilities

UNC6040’s approach underscores a broader shift in cyberattacks—from targeting system flaws to exploiting human behavior. By posing as tech support or leveraging familiar branding, attackers manipulate employees into granting access they would never knowingly provide to an unknown third party.

3. Connection to Broader Threat Actors

Analysts believe UNC6040’s operations resemble those seen in campaigns associated with “The Com,” a network known for unconventional and sometimes chaotic cyber operations. These links suggest the current attacks may be part of a larger, more coordinated wave of cyber threats facing enterprises globally.


V. Mitigating the Risk of Social Engineering Attacks

1. Strengthening Employee Cyber Hygiene

Security experts stress the importance of training employees to recognize and resist social engineering tactics like vishing. Awareness campaigns and simulated phishing tests can help organizations build stronger frontline defenses against these human-centered attacks.

2. Verifying Application Sources

Firms should implement strict verification protocols for installing software, especially third-party or vendor-connected apps. Requiring multi-step approvals and digital signature checks can prevent unauthorized tools from being introduced into enterprise environments.

3. Collaboration with Tech Providers

Organizations using Salesforce or similar platforms should remain vigilant and collaborate closely with their service providers. Promptly applying security advisories, reading official blogs, and participating in vendor-driven security updates can offer critical insights into emerging threats.


Conclusion

The recent campaign by UNC6040, involving the misuse of Salesforce’s Data Loader, represents a significant warning for global enterprises. Despite no breach in Salesforce’s platform itself, the attack illustrates how cybercriminals are refining their tactics to exploit human error through social engineering. With lateral movement into corporate networks and the potential for mass data breaches, the consequences extend far beyond one application. As hackers grow bolder and more sophisticated, companies must invest in cybersecurity awareness, strengthen their software verification procedures, and remain vigilant against evolving threats.
