RC RANDOM CHAOS

BPO Supply Chain Pivot: UNC6783 Tunnels Through Help Desks to Reach Enterprise Data

via BleepingComputer

Original source: Google: New UNC6783 hackers steal corporate Zendesk support tickets (BleepingComputer)

A newly tracked threat actor, UNC6783, is exploiting business process outsourcing providers as an entry point into high-value corporate targets across multiple sectors. The group combines phishing campaigns against BPO staff with live-chat social engineering directed at internal helpdesk employees, funneling victims toward spoofed Okta login pages hosted on domains mimicking legitimate Zendesk support URLs. A custom phishing kit strips clipboard contents to defeat MFA, and the actor also distributes fake security updates bundled with remote access trojans to establish persistent footholds.

Google Threat Intelligence Group links UNC6783 to a persona called ‘Mr. Raccoon,’ who has claimed responsibility for breaches at Adobe and CrunchyRoll. The Adobe intrusion allegedly ran through a compromised India-based BPO - a RAT was planted on one employee’s machine, then used to pivot upward via targeted phishing against that employee’s manager. The claimed haul: 13 million support tickets containing PII, employee records, HackerOne vulnerability disclosures, and internal documentation. Adobe has not confirmed the breach.

Post-exfiltration, UNC6783 moves to extortion, contacting victims via ProtonMail with payment demands. Mandiant’s recommended defenses center on hardware-bound authentication - FIDO2 keys specifically - alongside active monitoring of live chat channels, aggressive blocking of Zendesk-pattern spoofed domains, and routine audits of enrolled MFA devices.
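As an added example that is not part of the BleepingComputer article or this summary, the following Python scan flags requests to hostnames that imitate Zendesk or Okta outside those vendors' own base domains, the kind of lookalike the summary says hosts the spoofed Okta pages; the proxy log format, the sample lines and the two-entry allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit

# Legitimate base domains the actor imitates (assumption: add your own vendor
# domains, e.g. a custom Okta login domain, before running against real logs).
LEGIT_BASE_DOMAINS = {"zendesk.com", "okta.com"}
BRAND_TOKENS = ("zendesk", "okta")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplified: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brands(host: str) -> list:
    """Brand tokens found in a hostname whose base domain is not the brand's own."""
    host = host.lower()
    if registrable_domain(host) in LEGIT_BASE_DOMAINS:
        return []
    # Collapse separators so zen-desk / zen.desk style splits still match.
    collapsed = re.sub(r"[^a-z0-9]", "", host)
    return [b for b in BRAND_TOKENS if b in collapsed]


def scan_proxy_log(lines):
    """Return (host, brands) for each request to a brand-lookalike hostname.

    Assumed line format: '<timestamp> <user> <url> <status>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname or ""
        brands = lookalike_brands(host)
        if brands:
            hits.append((host, brands))
    return hits


# Constructed sample proxy log; only the lookalike hosts should be flagged.
SAMPLE_LOG = [
    "2025-01-10T09:12:01Z alice https://acme.zendesk.com/agent/tickets/42 200",
    "2025-01-10T09:13:44Z bob https://acme-zendesk-support.com/okta/login 200",
    "2025-01-10T09:14:02Z carol https://acme.okta.com/app/UserHome 200",
    "2025-01-10T09:15:30Z dave https://zen-desk-helpcenter.net/sso 302",
    "2025-01-10T09:16:11Z erin https://www.example.com/ 200",
    "2025-01-10T09:17:00Z frank https://acme-okta.com/ 200",
]
```

The heuristic keys on the brand name appearing in the host rather than on a blocklist, so it also catches domains not yet seen; pair it with the MFA-device audit the summary recommends, since a flagged login page implies a possibly captured session.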


This is an AI-generated summary. Read the original for the full story.