A cybercriminal group known as “The Com” is abusing Salesforce’s Data Loader tool to infiltrate corporate networks and steal sensitive data, according to researchers at Google’s Threat Intelligence Group.
The group is abusing Data Loader, a legitimate Salesforce application used to import, export, and update large volumes of records. Because it is a trusted, API-driven tool that also integrates with other software, access obtained through it gives the attackers a path to move laterally within targeted organizations.
Austin Larsen, principal threat analyst at Google's Threat Intelligence Group, said the campaign has already compromised around 20 organizations and remains ongoing.
Google tracks the group under the designation UNC6040. Larsen noted that it has been observed targeting sectors such as hospitality, retail, and education across both the Americas and Europe.
“A subset of organizations targeted by UNC6040 had data successfully exfiltrated. In some instances, extortion demands weren’t made until several months after the initial intrusion activity by UNC6040,” Larsen said. “This could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data.”
The attackers run a sophisticated campaign in which operators impersonate IT support staff over the phone and talk employees into authorizing malicious Salesforce connected apps, often disguised as legitimate tools such as Data Loader.
Once such an app has been authorized, the attackers hold API access to the victim's Salesforce environment, which they use to exfiltrate sensitive data and, in some cases, to pivot into other cloud services and internal corporate networks.
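The two signals a defender can act on in this pattern are the authorization of a connected app that is not on the org's vetted list (especially one whose name mimics Data Loader) and a large bulk export by the same user shortly afterwards. The following is an added example, not code from Google or Salesforce, of a detector that applies both rules to a constructed event list. The event schema, the trusted consumer key, the row threshold and the 24-hour window are all assumptions; real Salesforce Event Monitoring records use different field names, so the mapping to them is left to the reader.

```python
import re
from datetime import datetime, timedelta

# Consumer keys of connected apps the org has vetted (hypothetical value).
TRUSTED_CONSUMER_KEYS = {"3MVG9_TRUSTED_DATALOADER_KEY"}
EXPORT_ROW_THRESHOLD = 10_000          # assumption: exports above this are "bulk"
WINDOW = timedelta(hours=24)           # assumption: export soon after a new app auth

# Constructed sample events (not real Salesforce log records).
EVENTS = [
    {"ts": "2025-05-02T14:03:00", "type": "oauth_authorize", "user": "j.doe@example.com",
     "app_name": "Data Loader", "consumer_key": "3MVG9_TRUSTED_DATALOADER_KEY", "ip": "203.0.113.10"},
    {"ts": "2025-05-10T09:12:00", "type": "oauth_authorize", "user": "a.smith@example.com",
     "app_name": "Data-Loader", "consumer_key": "3MVG9_ATTACKER_APP_KEY", "ip": "198.51.100.7"},
    {"ts": "2025-05-10T09:40:00", "type": "bulk_export", "user": "a.smith@example.com",
     "object": "Account", "rows": 250_000, "ip": "198.51.100.7"},
    {"ts": "2025-05-10T09:55:00", "type": "bulk_export", "user": "a.smith@example.com",
     "object": "Contact", "rows": 900_000, "ip": "198.51.100.7"},
    {"ts": "2025-05-11T11:00:00", "type": "bulk_export", "user": "j.doe@example.com",
     "object": "Lead", "rows": 1_200, "ip": "203.0.113.10"},
]


def _norm(name: str) -> str:
    """Collapse case, spaces and punctuation so 'Data-Loader' and 'data loader' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def analyze(events, trusted_keys=TRUSTED_CONSUMER_KEYS):
    """Return findings for lookalike connected apps and bulk exports that follow an untrusted app auth."""
    findings = []
    untrusted_auths = []  # authorizations of apps whose consumer key is not vetted
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        if e["type"] == "oauth_authorize":
            trusted = e["consumer_key"] in trusted_keys
            # Rule 1: the display name is attacker-controlled; only the key identifies the app.
            if "dataloader" in _norm(e["app_name"]) and not trusted:
                findings.append({"rule": "lookalike_app", "user": e["user"],
                                 "app_name": e["app_name"], "consumer_key": e["consumer_key"]})
            if not trusted:
                untrusted_auths.append(e)
        elif e["type"] == "bulk_export":
            if e["rows"] < EXPORT_ROW_THRESHOLD:
                continue
            # Rule 2: a large export by the same user within WINDOW of an untrusted app auth.
            for auth in untrusted_auths:
                delta = _ts(e["ts"]) - _ts(auth["ts"])
                if auth["user"] == e["user"] and timedelta(0) <= delta <= WINDOW:
                    findings.append({"rule": "bulk_export_after_new_app", "user": e["user"],
                                     "app_name": auth["app_name"], "object": e["object"],
                                     "rows": e["rows"]})
                    break
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Keying on the consumer key rather than the app's display name is the point of the first rule: a victim approving a "Data Loader" prompt cannot tell a real one from a lookalike, but the org's allow list can. The second rule is deliberately loose (any user, any object) so that it also catches apps with innocuous names.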
Google researchers emphasized that the campaign exploits human error rather than a vulnerability in Salesforce itself.
Salesforce has also issued warnings to customers about rising social engineering threats targeting its platform.
In a blog post published Wednesday, Google said the campaign has been ongoing for several months, adding that the attackers’ infrastructure shows similarities to operations tied to UNC6040 and other threat actors believed to be connected to the loosely organized cybercriminal group known as “The Com.”
Google reported that the attackers employ overlapping tactics, including the well-known social engineering approach of impersonating IT support and targeting credentials for the identity provider Okta.
Google also noted that the attackers primarily target English-speaking employees at multinational corporations.
Despite the overlaps, Google noted that it is plausible “that these similarities stem from associated actors operating within the same communities, rather than indicating a direct operational relationship between the threat actors.”
Over the past two months, the FBI and cybersecurity firms have issued warnings about a campaign targeting retail companies and luxury brands in the U.K. and U.S., including recent attacks on Victoria’s Secret, Dior, Adidas, and others.