
A financially motivated group is targeting organizations in Europe and the Americas by tricking employees into installing a modified version of a legitimate data import tool. Because the employee authorizes the app themselves, no exploit is needed: once installed, the malicious app lets the attackers steal sensitive data, reach connected cloud services, and move laterally across the network, with further attacks and extortion following the theft.
The group behind the campaign, tracked as UNC6040, uses voice phishing to talk employees into visiting a fake setup page and approving the rogue app. Because the app is disguised to mimic a common enterprise tool, the approval looks routine, yet it grants the attackers the same deep access to the corporate environment that the real tool would have, enabling data exfiltration and system compromise.
Google Threat Intelligence Group (GTIG) reports that around 20 organizations have been affected, with some suffering confirmed data breaches. It links the operation to ‘The Com’, a loosely organized cybercriminal ecosystem involved in a range of illegal activity.
The threat does not stem from a software vulnerability but from social engineering: the victim grants the access, so patching does nothing to stop it. The practical defenses are employee awareness of this specific lure (a phone call steering the user to a setup page) and tighter governance of which third-party apps users may authorize and with what permissions, together with a review of existing app authorizations for anything that was never vetted.
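One concrete form of the "controls on app authorization" the article calls for is a periodic review of app-authorization audit events against an allowlist. The following is an added example written for this page, not code from GTIG or from any vendor; the JSON event shape, the `APPROVED_APPS` allowlist, the scope names and the sample log lines are all constructed for illustration and do not correspond to any real platform's schema. It flags any authorization whose app ID is not on the allowlist, calls out separately the case the article describes (an unapproved app whose display name imitates an approved tool), and notes when the grant includes high-risk scopes.

```python
"""Review app-authorization audit events against an allowlist.

Added example, not from the article or GTIG. The event format, allowlist,
scope names and sample lines below are constructed for illustration and
are not any vendor's real schema.
"""
import json
from dataclasses import dataclass, field

# Hypothetical allowlist: vetted app ID -> the display name users expect to see.
APPROVED_APPS = {
    "app-0001-dataloader": "Data Loader",
}

# Scopes treated as "deep access" for this example (constructed names).
HIGH_RISK_SCOPES = {"full", "api", "refresh_token"}

# Constructed sample audit log, one JSON object per line (not real data).
SAMPLE_LOG = """\
{"ts": "2025-06-02T14:03:11Z", "event": "app_authorized", "user": "alice@example.com", "app_id": "app-0001-dataloader", "app_name": "Data Loader", "scopes": ["api", "refresh_token"]}
{"ts": "2025-06-02T14:21:47Z", "event": "login", "user": "bob@example.com"}
{"ts": "2025-06-02T14:25:03Z", "event": "app_authorized", "user": "bob@example.com", "app_id": "app-9f3a-ext", "app_name": "Data Loader", "scopes": ["full", "api", "refresh_token"]}
{"ts": "2025-06-02T15:10:30Z", "event": "app_authorized", "user": "carol@example.com", "app_id": "app-7c21-calendar", "app_name": "Team Calendar", "scopes": ["calendar.read"]}
"""


@dataclass
class Finding:
    user: str
    app_id: str
    app_name: str
    scopes: list
    reasons: list = field(default_factory=list)


def parse_events(log_text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed audit line should not abort the whole review
    return events


def review_authorizations(events, approved=APPROVED_APPS, risky=HIGH_RISK_SCOPES):
    """Return a Finding for every app_authorized event whose app is not allowlisted.

    The allowlist is keyed on the app ID, never on the display name, because
    the display name is attacker-controlled and is exactly what a lookalike
    app copies.
    """
    approved_names = {name.casefold() for name in approved.values()}
    findings = []
    for e in events:
        if e.get("event") != "app_authorized":
            continue
        app_id = e.get("app_id", "")
        if app_id in approved:
            continue
        reasons = ["app_id not on allowlist"]
        # Same name as a vetted tool but a different ID: the impersonation pattern.
        if e.get("app_name", "").casefold() in approved_names:
            reasons.append("display name imitates an approved app")
        scopes = set(e.get("scopes", []))
        granted_risky = sorted(scopes & risky)
        if granted_risky:
            reasons.append("high-risk scopes granted: " + ", ".join(granted_risky))
        findings.append(
            Finding(e.get("user", "?"), app_id, e.get("app_name", ""), sorted(scopes), reasons)
        )
    return findings


if __name__ == "__main__":
    for f in review_authorizations(parse_events(SAMPLE_LOG)):
        print(f"{f.user}: {f.app_name!r} ({f.app_id}) scopes={f.scopes}")
        for r in f.reasons:
            print(f"  - {r}")
```

Run against the constructed log, the script reports two unapproved authorizations; only the second, by bob@example.com, carries both the lookalike-name and high-risk-scope reasons, which is the combination to escalate first. In a real deployment the allowlist would come from the organization's app-governance process and the events from the identity provider's or SaaS platform's audit export.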