UNC6783
UNC6783 is a financially motivated threat actor tracked by Google Threat Intelligence Group (GTIG). GTIG reports that the group has targeted several dozen high-value corporate entities across multiple sectors. Its primary approach is to compromise business process outsourcers (BPOs), call centers, and support/helpdesk functions in order to obtain trusted access into downstream customer environments; it has also directly targeted support and helpdesk staff at victim organizations.

Observed tradecraft includes targeted social engineering and phishing conducted over live chat, directing victims to spoofed Okta login pages hosted on domains that impersonate the target organization, frequently following the pattern <org>[.]zendesk-support<##>[.]com. GTIG reports that the phishing kit can steal clipboard contents (such as a one-time code the victim has copied) to bypass standard MFA, after which the actor enrolls attacker-controlled devices for persistent access. The group has also used fake security software updates to trick victims into downloading remote access malware. Following data exfiltration, UNC6783 sends ransom notes from Proton Mail accounts as part of data theft extortion operations.

Reporting also notes suspected links between UNC6783 and the "Raccoon" or "Mr. Raccoon" persona in connection with BPO compromises and helpdesk-focused social engineering, but those links are described as potential or suspected rather than confirmed.
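The lure-domain pattern above is the one concrete, hunt-ready artifact in the reporting. The following Python is an added example (not GTIG's or Mallory's code) that normalises defanged indicators and scans proxy-style log lines for hostnames of the form <org>.zendesk-support<##>.com. It generalises the pattern slightly by accepting any run of digits after "zendesk-support" and by also flagging the bare registrable domain; the log lines, the org name "examplecorp" and the field layout are constructed for the example.

```python
from __future__ import annotations
import re

# Lure domain family reported by GTIG for UNC6783 phishing pages, written live here
# (the profile shows it defanged as <org>[.]zendesk-support<##>[.]com):
#   <org>.zendesk-support<##>.com
# Generalised slightly: any run of digits after "zendesk-support", not only two.
LURE_FQDN = re.compile(r"^(?P<org>[a-z0-9-]+)\.zendesk-support\d+\.com$")
# The registrable domain on its own, as it may appear in DNS or passive-DNS
# before the org-specific subdomain is used. Assumption, not from the reporting.
LURE_APEX = re.compile(r"^zendesk-support\d+\.com$")


def refang(indicator: str) -> str:
    """Normalise a hostname or URL, undoing common defanging, to a lowercase bare host."""
    s = indicator.strip().lower()
    for defanged, live in (("[.]", "."), ("(.)", "."), ("[dot]", ".")):
        s = s.replace(defanged, live)
    s = re.sub(r"^(hxxps?|https?)://", "", s)
    return s.split("/", 1)[0].split(":", 1)[0]


def classify(host: str, protected_orgs: set[str]) -> str | None:
    """Verdict for one hostname, or None when it does not fit the lure pattern.

    protected_orgs holds the org labels an attacker would impersonate when
    targeting you (brand names, company short names); a hit on one of those is
    a lure aimed at your users rather than a generic sighting of the pattern.
    """
    h = refang(host)
    m = LURE_FQDN.match(h)
    if m:
        org = m.group("org")
        return f"targeted-lure:{org}" if org in protected_orgs else f"pattern-match:{org}"
    if LURE_APEX.match(h):
        return "apex-only"
    return None


# Constructed sample proxy log, not real traffic. Fields: timestamp src_ip host path
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.1.2.3 examplecorp.zendesk-support12.com /login
2024-01-01T10:00:02Z 10.1.2.3 examplecorp.okta.com /oauth2/v1/authorize
2024-01-01T10:00:03Z 10.1.2.9 othercorp[.]zendesk-support7[.]com /
2024-01-01T10:00:04Z 10.1.2.9 support.zendesk.com /api/v2/tickets
2024-01-01T10:00:05Z 10.1.2.4 zendesk-support12.com /login
"""


def scan_log(log_text: str, protected_orgs: set[str]) -> list[tuple[str, str]]:
    """Return (host, verdict) for every log line whose host matches the lure pattern."""
    hits: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        verdict = classify(fields[2], protected_orgs)
        if verdict:
            hits.append((fields[2], verdict))
    return hits


if __name__ == "__main__":
    for host, verdict in scan_log(SAMPLE_LOG, {"examplecorp"}):
        print(f"{verdict:<28} {host}")
```

Legitimate Okta and Zendesk hosts (examplecorp.okta.com, support.zendesk.com) are left alone; only the impersonation pattern fires. Because the kit defeats code-based MFA and then enrolls a new device, a domain hit should be paired with a review of MFA factor enrollments for the same user in the identity provider's logs.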
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Commercial & Professional Services
- Software & Services
Tradecraft
20 distinct techniques observed across reporting, grouped by tactic.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
- Financially motivated threat actor conducting targeted social engineering, phishing, and data theft extortion campaigns, with a focus on compromising business process outsourcers, help desks, and support staff to gain trusted access and steal sensitive data.
- Financially motivated extortion crew targeting high-value corporations by compromising call centers and business process outsourcers, then using stolen credentials and helpdesk-focused social engineering to access customer environments and steal sensitive data for extortion.
- Financially motivated extortion and social engineering campaign targeting organizations via their business process outsourcing providers and help desk staff to gain persistent access.
- Compromising BPO providers to access downstream high-value corporate targets, steal sensitive data, and extort victims.