
Google Warns of New Threat Group Targeting BPOs and Helpdesks via Live Chat


A new financially motivated threat cluster, tracked as UNC6783, is actively targeting business process outsourcers (BPOs) and large enterprises, using live chat channels to steal sensitive data for extortion. Google Threat Intelligence Group (GTIG) principal threat analyst Austin Larsen recently detailed the group’s tactics, which involve sophisticated social engineering and multi-factor authentication (MFA) bypass techniques.

According to Larsen, UNC6783 may be linked to the “Raccoon” persona and has already targeted several dozen “high-value corporate entities” across multiple sectors. The group primarily focuses on BPOs but also directly attacks in-house helpdesk and support teams. The end goal is clear: data theft for extortion.

UNC6783 Tactics: Live Chat Phishing and MFA Bypass

This BPO helpdesk threat group relies heavily on social engineering through live chat to direct employees to malicious, spoofed Okta login pages. Larsen noted that these domains often mimic the targeted organization using patterns like [.]zendesk-support<##>[.]com. The phishing kit used by UNC6783 is designed to bypass standard MFA verification by stealing clipboard contents, allowing attackers to enroll their own devices for persistent access.

In addition to this approach, GTIG has observed UNC6783 using fake security software updates to trick users into downloading remote access malware. Following data exfiltration, the group sometimes uses Proton Mail accounts to deliver ransom notes. These methods are reminiscent of other extortion-focused groups like Scattered Lapsus$ Hunters.

Last year, similar campaigns emerged using Zendesk phishing domains to harvest employee credentials. Hackers also submitted fraudulent tickets to helpdesk staff to infect them with remote access trojans (RATs).

Protecting BPOs and Helpdesk Teams from Social Engineering

Given the sophistication of UNC6783, organizations must take proactive steps to defend their helpdesk and BPO operations. Larsen outlined several key recommendations for helpdesk social engineering defense.

Implement Phishing-Resistant MFA

Larsen urges organizations to deploy phishing-resistant MFA, such as FIDO2 hardware security keys like Titan Security Keys, for all users, especially those in high-risk roles like support and helpdesk. This can prevent attackers from bypassing standard MFA through clipboard theft.

Monitor Live Chat for Suspicious Activity

Live chat channels should be actively monitored for interactions that direct users to external links or ask for sensitive information. Employees must be educated on this specific campaign to recognize red flags.

Proactively Block Malicious Domains

Organizations should proactively block any unauthorized domains following the [.]zendesk-support[.]com pattern. Additionally, monitoring for unauthorized binary execution, especially installers or “updates” downloaded during support sessions, is critical.
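The two controls above (flagging live-chat interactions that push external links or ask for secrets, and blocking domains that follow the spoofed zendesk-support pattern) can be checked with the same small review script. The following is an added example, not code from Google, GTIG or the article: the chat transcript lines, the allowlisted hosts and the phrase list are constructed for illustration, and the regex assumes the `<##>` in the article's `[.]zendesk-support<##>[.]com` pattern stands for a run of digits.

```python
import re
from urllib.parse import urlparse

# Constructed sample chat transcript, "timestamp|sender|message" (not from the article).
SAMPLE_CHAT = [
    "2024-05-01T09:02:11Z|visitor|Hi, I can't get into my account, can you reset my MFA?",
    "2024-05-01T09:03:40Z|visitor|Please verify here: https://login.zendesk-support12.com/okta/verify",
    "2024-05-01T09:05:02Z|agent|I can send you the documentation at https://help.example.com/mfa",
    "2024-05-01T09:06:15Z|visitor|The security update is at http://update.zendesk-support07.com/patch.exe",
    "2024-05-01T09:07:30Z|visitor|Also what is your one-time code?",
]

# Lookalike pattern from the article ([.]zendesk-support<##>[.]com), assuming <##> means digits.
# Matches the registrable domain itself and any subdomain under it.
LOOKALIKE_RE = re.compile(r"(^|\.)zendesk-support\d*\.com$", re.IGNORECASE)

# Assumed allowlist of hosts the helpdesk is permitted to link to in chat.
ALLOWED_HOSTS = {"help.example.com", "example.okta.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Phrases that indicate a request for a secret; a support chat should never ask for these.
SENSITIVE_PHRASES = ("one-time code", "verification code", "password", "mfa code")


def extract_hosts(message):
    """Return the lowercased hostnames of every URL found in a chat message."""
    hosts = []
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def classify_host(host):
    """'lookalike' for the spoofed pattern, 'allowed' if allowlisted, else 'external'."""
    if LOOKALIKE_RE.search(host):
        return "lookalike"
    if host in ALLOWED_HOSTS:
        return "allowed"
    return "external"


def review_chat(lines):
    """Flag chat lines that link off-allowlist or ask the other party for a secret."""
    findings = []
    for line in lines:
        ts, sender, message = line.split("|", 2)
        for host in extract_hosts(message):
            verdict = classify_host(host)
            if verdict != "allowed":
                findings.append({"time": ts, "sender": sender, "host": host, "reason": verdict})
        lowered = message.lower()
        if any(phrase in lowered for phrase in SENSITIVE_PHRASES):
            findings.append({"time": ts, "sender": sender, "host": None, "reason": "asks_for_secret"})
    return findings


if __name__ == "__main__":
    for finding in review_chat(SAMPLE_CHAT):
        print(finding)
```

The `lookalike` verdict is the one to feed a blocklist (proxy or DNS) from, while `external` and `asks_for_secret` are better treated as review queues for the chat supervisor, since legitimate conversations do occasionally contain outside links.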

Audit MFA Devices Regularly

Regular audits of newly enrolled MFA devices across the organization can help identify unauthorized additions. This simple step can prevent attackers from maintaining persistent access.
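A periodic audit of newly enrolled MFA factors, as recommended above, can be scripted against an export of enrollment events. The following is an added example, not code from Google, GTIG or the article; the event records and their field names are constructed for illustration and modelled on a generic identity-provider audit log rather than any vendor's schema. It flags, within the audit window, enrollments that add a second device to a user who already had one (the pattern the article describes, where the attacker enrolls their own device alongside the victim's), enrollments by users in high-risk support roles, and factors that are not phishing-resistant.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample MFA enrollment events (not from the article).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "factor": "push", "device": "iPhone-Alice",
     "enrolled_at": "2024-04-02T10:00:00Z", "role": "engineering"},
    {"user": "bob@example.com", "factor": "push", "device": "Pixel-Bob",
     "enrolled_at": "2024-01-15T08:30:00Z", "role": "helpdesk"},
    {"user": "bob@example.com", "factor": "push", "device": "Android-unknown",
     "enrolled_at": "2024-05-01T09:12:00Z", "role": "helpdesk"},
    {"user": "carol@example.com", "factor": "fido2", "device": "titan-key",
     "enrolled_at": "2024-04-28T14:00:00Z", "role": "helpdesk"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_enrollments(events, now, window_days=7, high_risk_roles=("helpdesk", "support")):
    """Report every factor enrolled within the window, with review flags attached."""
    cutoff = now - timedelta(days=window_days)
    by_user = {}
    for event in events:
        by_user.setdefault(event["user"], []).append(event)

    report = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["enrolled_at"]))
        for index, event in enumerate(user_events):
            if parse_ts(event["enrolled_at"]) < cutoff:
                continue  # older than the audit window
            flags = []
            if index > 0:
                # The user already had a factor; a new one added later may be an attacker's device.
                flags.append("additional_device")
            if event["role"] in high_risk_roles:
                flags.append("high_risk_role")
            if event["factor"] != "fido2":
                flags.append("not_phishing_resistant")
            report.append({"user": user, "device": event["device"],
                           "enrolled_at": event["enrolled_at"], "flags": flags})
    return report


if __name__ == "__main__":
    now = parse_ts("2024-05-02T00:00:00Z")  # constructed audit time
    for entry in audit_enrollments(SAMPLE_EVENTS, now):
        print(entry)
```

An entry carrying `additional_device` together with `high_risk_role` is the one to confirm with the user out of band before the factor stays active; confirming through the same chat or ticket channel that may have been used for the social engineering defeats the purpose of the audit.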

As this live chat phishing campaign evolves, BPOs and enterprises must remain vigilant. For more on securing helpdesk operations, see our guide on helpdesk security best practices. Additionally, explore how to prevent MFA bypass attacks for further insights.

Ultimately, the threat from UNC6783 highlights the growing sophistication of social engineering attacks targeting support channels. Organizations should integrate these defenses into their broader cybersecurity strategy: regular training and technical controls are both essential to mitigate the risk of BPO data extortion.
