News Flash

Perfect scam: hackers alter Salesforce app to steal corporate data

Google's security division issues warning: voice call phishing targets employees to infiltrate cloud services

Table of contents

  • A sophisticated attack hits Europe and the United States
  • It all starts with a phone call
  • From data theft to full cloud infiltration
  • No known vulnerabilities in Salesforce
  • Who is UNC6040?

A sophisticated attack hits Europe and the United States

Google’s Threat Intelligence Group has uncovered an advanced cyberattack led by UNC6040, a hacker group tricking employees in Europe and the US into installing a fake version of the Salesforce app.

Disguised as a data management tool, the malicious app allows attackers to steal sensitive data, gain unauthorized access, and move laterally across cloud services.

It all starts with a phone call

The method is shockingly simple yet effective: a fake IT support call guides the employee to a fraudulent Salesforce setup page.

There, the target is tricked into downloading a rogue version of the Data Loader app. Once installed, the app grants hackers direct access to query, extract and control company data from within Salesforce environments.

From data theft to full cloud infiltration

Google’s security experts confirmed that at least 20 organizations have been affected by the UNC6040 campaign, and several have already suffered successful data breaches.

Once inside, hackers often use the compromised access to navigate internal networks, expanding their control to other cloud services and IT infrastructures.

No known vulnerabilities in Salesforce

Salesforce has clarified that the platform itself has not been compromised. “There is no indication that this issue stems from any inherent vulnerability in our system,” stated a company spokesperson, who did not specify how many customers may have been affected.

This cybersecurity incident comes just as Salesforce makes headlines for signing an $8 billion deal to acquire Informatica, an AI-driven data management platform.

Who is UNC6040?

According to Google experts, the UNC6040 group is particularly skilled at social engineering.

This is therefore not broadly distributed malware but a targeted, personalized strategy that exploits employees' trust in corporate platforms to gain access from the inside.


Questions and answers

  1. Who is UNC6040?
    A hacker group known for using fake apps and phone calls to gain unauthorized access to corporate cloud systems.
  2. How does the attack work?
    Employees receive phishing calls and are directed to install a rogue version of Salesforce’s Data Loader app.
  3. Is the real Salesforce app affected?
    No, the attack leverages a fake version created by the hackers, not the actual platform.
  4. Who is most at risk?
    Businesses in Europe and the US, particularly those relying heavily on Salesforce and cloud integrations.
  5. What happens after the rogue app is installed?
    Hackers gain access to Salesforce environments and can move within the company’s entire cloud ecosystem.
  6. Did Salesforce confirm the attack?
    Yes, but clarified there’s no known vulnerability in the official platform.
  7. How many companies were breached?
    At least 20, according to Google’s Threat Intelligence Group.
  8. Why is this attack so dangerous?
    It uses social engineering, exploiting human error instead of technical flaws.
  9. What data is at risk?
    Client data, internal communications, business intelligence, and cloud credentials.
  10. How can companies protect themselves?
    Employee training, multi-factor authentication, and strict app whitelisting are key defenses.
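Item 10 names strict app whitelisting as a key defense. The following Python script is an added example, not part of the original article and not Salesforce's or Google's own code: it reads a constructed, CSV-style log of API data exports, groups rows pulled per user and per connected-app client name, and reports every client that is not on a tenant's allow list, rating the finding "high" once the pulled row count crosses a threshold. The column names, the allow-listed client names and the threshold are assumptions made for the example, not a documented Salesforce log schema.

```python
import csv
import io
from collections import defaultdict

# Tenant policy (hypothetical): the only connected-app client names allowed to pull data via the API.
ALLOWED_CLIENTS = {"Salesforce Data Loader", "Internal ETL Service"}
# Rows pulled by one user through one client above which a finding is rated "high".
ROW_THRESHOLD = 5000

# Constructed sample export records in a simplified, CSV-style event log.
# The column names are an assumption for this example, not a documented Salesforce schema.
SAMPLE_LOG = """TIMESTAMP,USER_NAME,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
2025-06-02T09:14:05Z,alice@example.com,Salesforce Data Loader,Account,1200
2025-06-02T10:02:44Z,bob@example.com,My Ticket Portal,Contact,48000
2025-06-02T10:03:10Z,bob@example.com,My Ticket Portal,Lead,31000
2025-06-02T11:20:00Z,carol@example.com,Internal ETL Service,Opportunity,9000
2025-06-02T11:45:31Z,dave@example.com,Sales Helper,Case,12
"""


def detect_unsanctioned_exports(log_text, allowed=ALLOWED_CLIENTS, threshold=ROW_THRESHOLD):
    """Group exported rows by (user, client) and report every client not on the allow list.

    Returns a list of finding dicts sorted by user and client; an empty list means
    every export in the log came through a sanctioned client.
    """
    totals = defaultdict(int)       # (user, client) -> rows pulled
    entities = defaultdict(set)     # (user, client) -> objects touched
    first_seen = {}                 # (user, client) -> timestamp of first export
    for row in csv.DictReader(io.StringIO(log_text)):
        client = row["CLIENT_NAME"].strip()
        if client in allowed:
            continue  # sanctioned tooling is not a finding by itself
        key = (row["USER_NAME"].strip(), client)
        totals[key] += int(row["ROWS_PROCESSED"])
        entities[key].add(row["ENTITY_NAME"].strip())
        first_seen.setdefault(key, row["TIMESTAMP"].strip())

    findings = []
    for (user, client), rows in sorted(totals.items()):
        findings.append({
            "user": user,
            "client": client,
            "rows": rows,
            "entities": sorted(entities[(user, client)]),
            "first_seen": first_seen[(user, client)],
            # Any unsanctioned client is reported; volume decides the severity.
            "severity": "high" if rows >= threshold else "low",
        })
    return findings


if __name__ == "__main__":
    for f in detect_unsanctioned_exports(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['user']} via '{f['client']}' pulled {f['rows']} rows "
              f"from {', '.join(f['entities'])} starting {f['first_seen']}")
```

On the constructed log this reports two findings: a high-severity one for the user who pulled 79,000 Contact and Lead rows through an unlisted client, and a low-severity one for a 12-row export through another unlisted client. A display name alone is weak evidence, since whoever registers a connected app chooses its name; in practice the name check should be paired with the list of connected apps actually approved in the tenant, and the allow list should be enforced at authorization time rather than only audited afterwards.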
