Google Sounds Alarm on Fake Salesforce App Fueling Cyber Attacks

The420.in

A sophisticated cybercrime campaign, identified by Google’s Threat Intelligence Group as UNC6040, is actively targeting employees at companies across Europe and the Americas. The attackers are tricking staff into installing a modified version of Salesforce’s Data Loader tool, gaining unauthorized access to sensitive corporate data and extending their reach into additional cloud services and internal networks.

UNC6040 has proven especially effective at social engineering, using voice phishing (“vishing”) to direct employees to what appears to be a legitimate Salesforce app installation page. There, victims unknowingly download a malicious version of Salesforce Data Loader, a tool widely used to import and manage bulk data within Salesforce environments.

Once installed, this compromised application grants hackers the ability to query and extract sensitive information directly from the victim’s Salesforce environment. Google researchers say the attackers then often use the initial breach as a springboard to infiltrate other connected cloud systems and internal corporate infrastructures, significantly widening the damage.

Ties to “The Com” and Broader Cybercriminal Ecosystem

Google’s investigation links the technical infrastructure of the UNC6040 campaign to the loosely organized cybercriminal network known as “The Com.” This collective is notorious for its decentralized and fragmented operations, involving numerous small groups often engaged in cybercrime, fraud, and even violent activity.

The use of voice calls in combination with fake app installs is part of a growing trend in cybercrime where human vulnerabilities—not software flaws—are being exploited. Google reported that around 20 organizations have already been targeted, with several confirmed cases of successful data exfiltration.

This campaign highlights how even organizations with robust digital infrastructure remain vulnerable to manipulated trust and low-tech tactics, such as impersonation and phishing, which require no exploitation of platform vulnerabilities.

Salesforce Responds, Emphasizes Platform Integrity

In response to the campaign, a Salesforce spokesperson emphasized that the issue did not stem from any inherent vulnerability in Salesforce’s systems. Instead, they noted the attacks were targeted social engineering scams, exploiting gaps in cybersecurity awareness and individual user practices.

Back in March 2025, Salesforce published a public advisory warning users of potential vishing attempts and the circulation of malicious versions of Data Loader. The advisory urged customers to verify download sources, stay vigilant against voice-based phishing, and educate employees about impersonation tactics used by attackers.

Although Salesforce did not confirm the exact number of affected clients, they noted only a small subset of customers had reported incidents, and maintained that the campaign was not widespread.

Cybersecurity Requires More Than Strong Platforms

The UNC6040 campaign underlines a stark reality: advanced cybersecurity infrastructure alone cannot protect against human error and social engineering attacks. As tools like Salesforce’s Data Loader become central to business operations, attackers are finding new ways to weaponize trust and bypass technical defenses.

Experts are now calling for organizations to implement stronger employee awareness programs, multi-factor verification for software installs, and closer scrutiny of third-party applications to prevent similar breaches. Both Google and Salesforce continue to monitor the situation, advising companies to review internal processes and report suspicious activity promptly.

In an age where voice and code can be easily faked, digital trust must be constantly re-evaluated—and reinforced with layered, human-aware defenses.
