A threat actor tracked as UNC6783 is compromising business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors. Evidence suggests that dozens of corporate entities have been targeted using this method to exfiltrate sensitive data for extortion.
Austin Larsen, principal threat analyst at the Google Threat Intelligence Group (GTIG), stated that UNC6783 typically employs social engineering and phishing campaigns to breach BPOs collaborating with targeted firms. There have also been instances where the attackers contacted support and helpdesk staff within targeted organizations to secure direct access.
Researchers indicate that UNC6783 may be linked to a persona known as Raccoon, associated with attacks on multiple BPOs providing services to large corporations. In these social engineering attacks, the threat actor directs support employees to spoofed Okta login pages hosted on domains resembling those of the target companies, notably following the pattern [.]zendesk-support<##>[.]com.
Larsen noted that the phishing kits used in these attacks can capture clipboard contents, allowing attackers to bypass multi-factor authentication (MFA) protocols and register their own devices within the organization. Google has also reported instances where UNC6783 disseminated fake security updates to install remote access malware.
After successfully stealing sensitive data, the threat actor extorts victims by communicating through ProtonMail addresses with demands for payment. Although GTIG did not provide additional details about the Raccoon persona, the International Cyber Digest recently reported that someone using the alias “Mr. Raccoon” claimed responsibility for a breach at Adobe, which the company has yet to confirm.
🚨‼️ BREAKING: Adobe has been breached by threat actor Mr. Raccoon, leaking 13 million support tickets with personal data, 15,000 employee records, all HackerOne submissions, internal documents and more.
Mr. Raccoon gained access through an Indian BPO, first deploying a remote… pic.twitter.com/cCH74Fjluk
— International Cyber Digest (@IntCyberDigest) April 2, 2026
Mr. Raccoon alleged they accessed Adobe data by compromising an India-based BPO associated with the company. The attacker deployed a remote access trojan (RAT) on a targeted employee’s computer and then phished that employee’s manager.
According to Mr. Raccoon, the breach yielded 13 million support tickets containing personal information, along with employee records, HackerOne submissions, and internal documents. In conversations with BleepingComputer, the threat actor behind the Crunchyroll breach also claimed involvement in the Adobe attack but did not provide corroborating evidence.
Google’s Mandiant has outlined several recommendations for defending against UNC6783 attacks: deploying FIDO2 security keys for stronger MFA, closely monitoring live chat for misuse, blocking spoofed domains that follow the Zendesk-style naming pattern, and routinely auditing MFA device enrollments.
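For defenders acting on the domain-blocking recommendation, the following added example (not from GTIG, Mandiant, or the original report) scans DNS query logs for hostnames that fit the zendesk-support<##>[.]com pattern. It assumes that "<##>" means one or more digits and that at least one label precedes the pattern; the log format, the name "examplecorp", and all sample lines are constructed.

```python
import re
from collections import defaultdict

# Pattern from the article: <label(s)>[.]zendesk-support<##>[.]com
# Assumption: "<##>" is one or more digits; one or more labels come before it.
SPOOF_RE = re.compile(
    r"^(?P<prefix>(?:[a-z0-9-]+\.)+)zendesk-support(?P<num>\d+)\.com$"
)

def normalize(host: str) -> str:
    """Refang and canonicalize a hostname or URL taken from a log or report."""
    host = host.strip().lower().replace("[.]", ".")
    host = re.sub(r"^[a-z]+://", "", host)          # drop scheme if a URL was logged
    host = host.split("/", 1)[0].split(":", 1)[0]   # drop path and port
    return host.rstrip(".")                         # drop the DNS root dot

def match_spoof(host: str):
    """Return (prefix_labels, number) if host fits the pattern, else None."""
    m = SPOOF_RE.match(normalize(host))
    if not m:
        return None
    return m.group("prefix").rstrip("."), m.group("num")

def scan(log_lines):
    """Map client IP -> sorted list of matching hostnames it queried."""
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of failing the whole scan
        client, qname = parts[1], parts[2]
        if match_spoof(qname):
            hits[client].add(normalize(qname))
    return {client: sorted(hosts) for client, hosts in hits.items()}

# Constructed sample DNS query log: "<timestamp> <client-ip> <qname>"
SAMPLE_LOG = [
    "2026-04-02T09:14:03Z 10.0.4.17 examplecorp.zendesk-support12.com.",
    "2026-04-02T09:14:09Z 10.0.4.17 examplecorp.zendesk.com",
    "2026-04-02T09:15:41Z 10.0.7.52 SSO.ExampleCorp.Zendesk-Support07.com",
    "2026-04-02T09:16:02Z 10.0.7.52 zendesk-support07.com.example.net",
    "2026-04-02T09:16:30Z 10.0.9.3 zendesk-support.com",
    "malformed-line",
]

if __name__ == "__main__":
    for client, hosts in scan(SAMPLE_LOG).items():
        print(client, hosts)
```

Clients that appear in the result are candidates for the MFA enrollment audit, since a lookup of one of these hosts may precede a credential submission.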





