How “The Com” Hijacked Salesforce Tools to Infiltrate, Exfiltrate, and Extort Across the Cloud
Category: Cloud App Abuse & Social Engineering Attack
Features: Fake IT support calls, modified Salesforce tools, data exfiltration, cross-platform lateral movement
Delivery Method: Vishing (voice phishing), manipulated connected apps, human engineering
Threat Actor: UNC6040 (linked to “The Com” collective, overlaps with Scattered Spider)
The Call Is Coming from Inside the App
In an operation that merges old-school deception with cloud-era exploitation, a cybercriminal syndicate identified as UNC6040 has infiltrated multiple corporate environments by hijacking a legitimate Salesforce tool — not through a vulnerability, but through trust.
This isn’t a zero-day. It’s a zero-trust betrayal — one that begins with a voice on the phone, claiming to be IT support.
According to Google’s Threat Intelligence Group (TAG), hackers aligned with “The Com” — a loose but potent English-speaking cybercriminal community — have weaponized Salesforce’s Data Loader, a legitimate admin tool meant to bulk-manage CRM data. But in this new campaign, it’s become the key to the castle.
Impersonation at Scale: Welcome to the Vishing Era
The attackers call employees directly, posing as internal IT technicians or support contractors. On these calls, victims are coaxed into authorizing a modified Salesforce Connected App, often branded deceptively like Salesforce’s own Data Loader.
Once installed, the malicious variant gives the intruder direct access to the organization’s Salesforce instance — complete with data read, export, and query capabilities. From there, UNC6040 doesn’t just steal customer records. They escalate.
Microsoft 365, Okta, Workplace, and internal networks are often next in line as the group moves laterally through connected services — all under the guise of trust.
Not Just a Breach — A Time Bomb
This campaign is ongoing, targeting at least 20 organizations across retail, hospitality, education, and luxury sectors in both the U.S. and Europe. Google reports that in many cases, months passed between initial breach and the eventual extortion attempt, suggesting a strategic delay designed to increase leverage or allow secondary actors time to monetize the stolen data.
In some intrusions, only 10% of data was stolen before detection, while in others, the attackers refined their tactics — starting with test queries, then scaling up to large-volume exfiltration once detection thresholds were understood.
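As an added detection sketch (not code from Google, Salesforce, or the original article), the following flags the two behaviours described above: a connected app authorized under a look-alike "Data Loader" name, and query volume that starts with small test pulls and then jumps. The event field names, app IDs, and thresholds are assumptions; map them to whatever audit or event log export your organization has.

```python
from collections import defaultdict

# Assumption: IDs of connected apps your admins approved (placeholder values).
APPROVED_APPS = {"APPROVED-APP-ID-0001": "Data Loader"}

# Constructed sample events. Field names are hypothetical; map them from
# whatever audit or event log export your org actually has.
EVENTS = [
    {"ts": 100, "type": "app_authorized", "user": "j.doe", "app_id": "UNKNOWN-APP-ID-0042", "app_name": "Data  Loader"},
    {"ts": 160, "type": "query", "user": "j.doe", "app_id": "UNKNOWN-APP-ID-0042", "rows": 20},
    {"ts": 220, "type": "query", "user": "j.doe", "app_id": "UNKNOWN-APP-ID-0042", "rows": 35},
    {"ts": 900, "type": "query", "user": "j.doe", "app_id": "UNKNOWN-APP-ID-0042", "rows": 250000},
    {"ts": 120, "type": "query", "user": "ops", "app_id": "APPROVED-APP-ID-0001", "rows": 40000},
    {"ts": 180, "type": "query", "user": "ops", "app_id": "APPROVED-APP-ID-0001", "rows": 42000},
]

def _norm(name):
    """Case- and whitespace-insensitive form, so 'Data  Loader' matches 'data loader'."""
    return "".join(name.lower().split())

def unapproved_authorizations(events, approved=APPROVED_APPS):
    """Authorizations of apps not on the allowlist; lookalike=True when the
    display name imitates an approved app's name under a different ID."""
    known = {_norm(n) for n in approved.values()}
    return [
        {"user": e["user"], "app_id": e["app_id"], "lookalike": _norm(e["app_name"]) in known}
        for e in events
        if e["type"] == "app_authorized" and e["app_id"] not in approved
    ]

def ramping_exports(events, probe_rows=100, factor=100):
    """(user, app_id) pairs whose queries start small (<= probe_rows) and a
    later query returns at least factor times the smallest earlier one."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "query":
            by_key[(e["user"], e["app_id"])].append(e["rows"])
    flagged = []
    for key, rows in by_key.items():
        low = rows[0]
        for r in rows[1:]:
            if low <= probe_rows and r >= factor * max(low, 1):
                flagged.append(key)
                break
            low = min(low, r)
    return flagged
```

The steady high-volume job under the approved app ID is not flagged; only the session that probes with small queries and then scales up is.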
A Collective Without a Flag
Google’s research confirms infrastructure and behavioral overlaps between UNC6040 and the broader “Com” collective, a community that previously made headlines through its Scattered Spider offshoot — the group behind the MGM Resorts and Caesars Entertainment hacks.
These actors are native English speakers, which increases the effectiveness of their voice phishing (vishing) calls — a method still vastly underappreciated in the defensive community. Unlike email phishing, which can be filtered or trained against, vishing relies on psychological engineering in real time, preying on urgency and employee confusion.
“During a vishing call, the actor guides the victim to visit Salesforce’s connected app setup page… The app looks legit. But once approved, UNC6040 gains full access to Salesforce data tables.”
— Google TAG
No Ransomware. Just Cold Extortion.
Google’s analysts confirm that no ransomware has been used in this campaign — yet the damage is no less severe. UNC6040 has issued direct extortion demands to several victims, sometimes months after initial compromise. In some instances, the group claimed ties to ShinyHunters, a known criminal data broker, to inflate perceived threat and coerce payment.
Google declined to confirm the extortion amounts, but the FBI and multiple security firms have issued industry alerts to luxury brands and retailers following breaches at names like Victoria’s Secret, Adidas, and Dior — suggesting a coordinated wave of targeting across high-visibility brands.
Not a Salesforce Flaw — A Human One
It’s critical to note: This is not a Salesforce vulnerability. There’s no CVE, no exploited backend flaw. What’s being breached is trust — the trust that users place in a tool’s name, in a voice on the phone, and in their own routine.
Salesforce has already warned customers about this type of impersonation risk. But with corporate ecosystems becoming increasingly cloud-linked and federated, the attack surface now includes people as much as platforms.
UNC6040’s deep familiarity with Salesforce’s Data Loader capabilities, and its variable sophistication across intrusions, also suggests a community-based toolkit — likely shared or sold among cybercrime subgroups within The Com.
TRJ 30-DAY THREAT WATCH
| Indicator | Risk Level | TRJ Notes |
|---|---|---|
| 🚨 Medical telemetry interception (space-Earth) | 🔴 High | Vulnerable to spoofing, MITM, or data tampering in unencrypted channels |
| 🛡️ Telemedicine platform integrity (Earth-side nodes) | 🟠 Moderate | Attacks on the hospital/provider end could breach patient-mission sync logs |
| 🔄 Real-time biometric relay (in-flight testbeds) | 🔺 Rising | Axiom, CASIS, and NASA should monitor for behavioral anomalies or unexpected pings |
| 🧬 Sensor spoofing / false diagnostic injection | 🟡 Emerging | Future threat actors could simulate fake health conditions to trigger responses |
| 🧠 AI-based medical parsing (coming phase) | 🟠 Moderate | Machine learning diagnosis layers (if used later) must be hardened against poisoning attacks |
Real Implications, Delayed Detonations
What makes this campaign dangerous isn’t just the breach — it’s the lag between compromise and chaos. Many affected companies may still be unaware they’ve been infiltrated. And those who know? They’re watching the calendar, waiting for the extortion email to drop. This is modern cybercrime — surgical, silent, and socially engineered. And it reminds us: The front door to our data isn’t always code.
Sometimes, it’s a calm voice on the other end of a phone.
— The Realist Juggernaut

