Hackers are using a modified Salesforce app to trick employees and extort companies, Google says

TruthLens AI Suggested Headline:

"Google Reports Hackers Exploiting Modified Salesforce App to Access Corporate Data"

AI Analysis Average Score: 8.4
These scores (0-10 scale) are generated by TruthLens AI's analysis, assessing the article's objectivity, accuracy, and transparency. Higher scores indicate better alignment with journalistic standards.

TruthLens AI Summary

Hackers have been targeting companies in Europe and the Americas by tricking employees into installing a modified version of a Salesforce-related application, according to a report from Google's Threat Intelligence Group. This malicious software, which mimics Salesforce’s Data Loader—an official tool used for bulk data import—enables the hackers to access sensitive data and extort the companies involved. The group, identified as UNC6040, has demonstrated a high level of effectiveness in deceiving employees through social engineering tactics, particularly by using voice calls to guide them to a fraudulent app setup page. Once the modified app is installed, the hackers gain substantial capabilities to access, query, and exfiltrate confidential information from the compromised Salesforce environments, which can also facilitate further attacks on other cloud services and the internal networks of the targeted organizations.

The campaign has reportedly affected around 20 organizations over recent months, with some experiencing successful data breaches. Google’s findings suggest that the technical infrastructure associated with this attack shares similarities with a broader cybercriminal network known as 'The Com,' which consists of various small groups involved in cybercrime and occasionally violent activities. Salesforce has responded to these incidents by stating that there is no indication the issue stems from any vulnerability inherent in its platform. Instead, the company emphasizes that these incidents stem from targeted social engineering attacks that exploit gaps in individual users’ cybersecurity awareness. Although Salesforce noted that it is aware of only a limited number of affected customers, it continues to warn clients about the dangers of voice phishing and the risks associated with modified software applications, reinforcing the need for vigilance in cybersecurity practices.

TruthLens AI Analysis

The recent article sheds light on a troubling cyber threat, where hackers are manipulating employees to install a modified Salesforce application, leading to severe data breaches and potential extortion. This incident not only highlights the vulnerabilities within corporate environments but also raises questions regarding the effectiveness of existing security measures.

Purpose Behind the Article

The news aims to inform the public and businesses about the rising threat of cyberattacks, particularly those that exploit employee vulnerabilities through social engineering. By detailing the modus operandi of the hackers, the article serves to heighten awareness of cybersecurity issues and encourages companies to strengthen their defenses against such tactics. This focus on the threat aims to promote a sense of urgency regarding cybersecurity.

Public Perception and Hidden Agendas

The article likely seeks to create a perception of increasing cyber vulnerability, especially within well-known platforms like Salesforce. By showcasing the effectiveness of these attacks, it may encourage companies to invest more in cybersecurity solutions. However, it is also possible that this report diverts attention from other pressing issues in the cybersecurity landscape or broader corporate governance, suggesting a potential agenda to steer focus towards specific security solutions or vendors.

Truthfulness and Reliability

The reliability of the article seems high, given the involvement of reputable entities such as Google and Salesforce, which lend credibility to the claims made. The specificity regarding the hacker group, UNC6040, and the details about the methods used to breach security provide a factual basis for the report. However, it is essential to remain cautious, as media narratives can sometimes exaggerate threats to attract attention.

Societal and Economic Impact

This news could significantly influence companies' approaches to cybersecurity, potentially leading to heightened investments in security infrastructure. In turn, this might affect the stock performance of cybersecurity firms positively, as businesses seek to mitigate risks associated with data breaches. The article could also spur discussions in regulatory circles about the need for more stringent cybersecurity laws and frameworks.

Target Audience

The article is likely to resonate more with corporate leaders, cybersecurity professionals, and IT departments who are directly responsible for protecting company data. By focusing on the tactics used by hackers, it serves as a cautionary tale for those in positions of authority within organizations.

Market Implications

In terms of market impact, companies involved in cybersecurity solutions may see increased interest and stock price fluctuations following this report. Investors may become more cautious about firms associated with Salesforce or similar platforms if they perceive a heightened risk of data breaches.

Geopolitical Context

While the article does not directly address geopolitical implications, the rise of cyber threats can have broader ramifications for international relations, particularly as countries grapple with issues of cyber warfare and corporate espionage. The incident may prompt discussions about national cybersecurity policies and international cooperation to combat such threats.

Use of Artificial Intelligence

There is no explicit indication that artificial intelligence was used in the creation of this article. However, AI tools could be employed in analyzing data breaches and identifying patterns that could enhance cybersecurity. If AI were involved, it may have influenced the presentation of data or the identification of key threats within the narrative.

The article effectively highlights a pressing issue in today’s digital landscape, providing valuable insights into the tactics employed by cybercriminals while urging organizations to reassess their security measures.

Unanalyzed Article Content

Hackers are tricking employees at companies in Europe and the Americas into installing a modified version of a Salesforce-related app, allowing the hackers to steal reams of data, gain access to other corporate cloud services and extort those companies, Google said on Wednesday.

The hackers – tracked by the Google Threat Intelligence Group as UNC6040 – have “proven particularly effective at tricking employees” into installing a modified version of Salesforce’s Data Loader, a proprietary tool used to bulk import data into Salesforce environments, the researchers said.

The hackers use voice calls to trick employees into visiting a purported Salesforce connected app setup page to approve the unauthorized, modified version of the app, created by the hackers to emulate Data Loader.

If the employee installs the app, the hackers gain “significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments,” the researchers said. The access also frequently gives the hackers the ability to move throughout a customer’s network, enabling attacks on other cloud services and internal corporate networks.

Technical infrastructure tied to the campaign shares characteristics with suspected ties to the broader and loosely organized ecosystem known as “The Com,” known for small, disparate groups engaging in cybercriminal and sometimes violent activity, the researchers said.

A Google spokesperson told Reuters that roughly 20 organizations have been affected by the UNC6040 campaign, which has been observed over the past several months. A subset of those organizations had data successfully exfiltrated, the spokesperson said.

A Salesforce spokesperson told Reuters in an email that “there’s no indication the issue described stems from any vulnerability inherent in our platform.” The spokesperson said the voice calls used to trick employees “are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.”

The spokesperson declined to share the specific number of affected customers, but said that Salesforce was “aware of only a small subset of affected customers,” and said it was “not a widespread issue.” Salesforce warned customers of voice phishing, or “vishing,” attacks and of hackers abusing malicious, modified versions of Data Loader in a March 2025 blog post.

Source: CNN