Cybercriminals are deceiving employees at various companies across Europe and the Americas into downloading a tampered version of a Salesforce-related application, which allows them to harvest extensive data, infiltrate corporate cloud services, and extort these organizations, according to a report from Google released on Wednesday.

The group of hackers, identified by the Google Threat Intelligence Group as UNC6040, has demonstrated a remarkable ability to persuade employees to install a modified version of Salesforce’s Data Loader—a proprietary tool designed for bulk data imports into Salesforce systems. Using deceptive phone calls, these hackers direct employees to a fraudulent Salesforce app setup page where they unwittingly approve the installation of the altered application, which mimics the legitimate Data Loader.

Once installed, the hackers gain substantial access to query and extract sensitive data directly from compromised Salesforce environments. Furthermore, this access often allows them to navigate through the corporate networks of their victims, facilitating attacks on other cloud services and internal systems.

The technical aspects of this operation suggest connections to a broader, loosely organized cybercriminal group known as “The Com,” which is associated with various small factions involved in cybercrime and, at times, violent activities.

A spokesperson from Google informed Reuters that approximately 20 organizations have fallen victim to the UNC6040 campaign in recent months, with a number of these companies experiencing data breaches.

In response, a Salesforce representative stated that there are no indications of any vulnerabilities within their platform being exploited. They characterized the phone calls used in these scams as targeted social engineering efforts aimed at exploiting individual users' cybersecurity awareness.

While Salesforce acknowledged the occurrence of these attacks, they noted that only a limited number of customers have been affected, emphasizing that it is not a widespread issue. The company also issued a warning in a March 2025 blog post regarding voice phishing, or “vishing,” attacks, and the use of maliciously modified versions of Data Loader.