AI Draft ACTIVE

UNC6783

Affiliation Criminal (uncategorized cluster)
Motivation Data Theft / Extortion
Status active
Country Unknown
First Seen 2026
Last Seen 2026
Target Geographies United States, India, Philippines, Global

Executive Summary

UNC6783 is a financially motivated uncategorized cluster publicly named by Google’s Threat Intelligence Group (GTIG) in early April 2026 as the actor behind a campaign targeting Business Process Outsourcing (BPO) providers and their downstream corporate customers. The cluster’s observed tradecraft centers on social engineering BPO helpdesk staff — particularly those responsible for customer-support identity operations — to obtain password resets, enroll attacker-controlled devices, and pivot into corporate Zendesk tenants where they export support-ticket data and associated customer records.

The “UNC” prefix follows GTIG’s standing convention for UNcategorized clusters: activity that coheres as a distinct group by infrastructure and tradecraft but has not yet been merged into a named threat actor or confidently attributed to a nation-state or criminal enterprise. Public reporting to date names UNC6783 alongside a loosely associated extortion persona referred to as “Mr. Raccoon,” but primary sources do not treat the two as identical. Threatpedia maintains Mr. Raccoon as a separate persona-level profile pending stronger evidence.

As of April 2026, UNC6783 is assessed as active and operationally focused on BPO-mediated access paths rather than direct corporate intrusion. This profile is a conservative synthesis of three independent secondary reports of GTIG’s disclosure; primary GTIG telemetry and indicator packages have not been publicly published at this time.

Notable Campaigns

BPO helpdesk-to-Zendesk intrusion campaign (2026)

The only publicly documented UNC6783 operation to date is the BPO-mediated campaign disclosed by GTIG in April 2026. Key elements reported across SecurityWeek, BleepingComputer, and Infosecurity Magazine converge on:

  • Target shape. BPO vendors providing tier-1 helpdesk and customer-support services to corporate customers, with downstream enterprise Zendesk tenants as the ultimate data target.
  • Initial access. Voice-led social engineering of BPO helpdesk staff, using pretexts built around urgent password resets or MFA device re-enrollment for purportedly locked-out corporate users.
  • Privilege abuse. Abuse of legitimate BPO helpdesk authority — password resets, MFA factor changes, device registration — to convert a social-engineering success into durable authenticated access to the downstream corporate tenant.
  • Collection. Zendesk support-ticket exports at scale, including PII-bearing ticket bodies, attachments, and internal correspondence visible to support agents.
  • Impact. Extortion-style contact to named victim organizations, referencing exfiltrated Zendesk content and threatening publication or onward sale.

Victim naming is currently thin in open reporting; named victims and scope figures should be treated as provisional until primary attribution evidence is published.

Technical Capabilities

UNC6783’s reported capability set skews social-engineering-heavy rather than exploit-heavy:

  • Helpdesk-process abuse. Working knowledge of common BPO helpdesk workflows (identity verification scripts, MFA factor management, device enrollment) and the policy gaps that allow a determined caller to obtain a password reset without strong out-of-band verification.
  • Voice social engineering. Telephone-led pretexting targeting support staff during high-volume periods, plausibly with pre-collected victim-org context to pass basic identity checks.
  • Cloud-to-cloud data staging. Once authenticated to the downstream corporate tenant, bulk export of support-ticket data via the tenant’s own administrative export paths rather than custom malware.
  • Extortion operations. Named-victim extortion follow-through referencing exfiltrated Zendesk content, consistent with a data-theft-for-extortion model rather than ransomware.

No custom implants, zero-days, or dedicated malware families have been publicly attributed to UNC6783 as of April 2026.
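The helpdesk-to-export chain described above (an agent-initiated credential or factor reset, a fresh factor or device enrollment, then a bulk ticket export by the same account within a short window) can be expressed as a correlation rule over identity-provider and Zendesk audit events. The following Python is an added example written for this profile, not GTIG’s or any vendor’s detection content. The event field names (ts, actor, target, action, detail), the action labels, and the sample events are constructed assumptions; map them onto your own IdP and Zendesk audit exports before use.

```python
"""Correlation rule: helpdesk-mediated account takeover followed by bulk ticket export.

Event schema is an assumption for this example, not any real product's audit format:
  ts      ISO-8601 UTC timestamp
  actor   account that performed the action
  target  account the action was performed on (== actor for self-service actions)
  action  dotted label, see the sets below
  detail  free-form dict (verification method, factor type, record count ...)
"""
from datetime import datetime, timedelta

# Helpdesk-side actions that can turn a successful pretext into account control.
RESET_ACTIONS = {"password.reset", "mfa.factor.reset"}
# Actions that give the caller a durable factor or device on the account.
ENROLL_ACTIONS = {"mfa.factor.enroll", "device.register"}
# Collection via the tenant's own export path (no malware involved).
EXPORT_ACTIONS = {"ticket.export"}
# Verification methods that a well-prepared caller can pass without out-of-band proof.
WEAK_VERIFICATION = {None, "caller_knowledge"}

# Constructed sample telemetry: one attack chain, one legitimate reset, one scheduled export.
SAMPLE_EVENTS = [
    {"ts": "2026-04-02T09:05:00Z", "actor": "bpo.agent17", "target": "jdoe",
     "action": "password.reset", "detail": {"verification": "caller_knowledge"}},
    {"ts": "2026-04-02T09:07:30Z", "actor": "bpo.agent17", "target": "jdoe",
     "action": "mfa.factor.reset", "detail": {}},
    {"ts": "2026-04-02T09:12:00Z", "actor": "jdoe", "target": "jdoe",
     "action": "mfa.factor.enroll", "detail": {"factor": "totp"}},
    {"ts": "2026-04-02T09:41:00Z", "actor": "jdoe", "target": "jdoe",
     "action": "ticket.export", "detail": {"records": 48200}},
    # Legitimate reset: callback to the registered number, no export afterwards.
    {"ts": "2026-04-02T10:00:00Z", "actor": "bpo.agent03", "target": "asmith",
     "action": "password.reset", "detail": {"verification": "callback_registered_number"}},
    {"ts": "2026-04-02T10:03:00Z", "actor": "asmith", "target": "asmith",
     "action": "mfa.factor.enroll", "detail": {"factor": "push"}},
    # Scheduled reporting export with no preceding helpdesk action.
    {"ts": "2026-04-02T11:00:00Z", "actor": "reporting.svc", "target": "reporting.svc",
     "action": "ticket.export", "detail": {"records": 120000}},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_takeover_chains(events, window=timedelta(hours=12), export_threshold=1000):
    """Return one alert per bulk export that was preceded, within `window`, by a
    helpdesk-initiated reset and a new factor/device enrollment on the same account.

    Only resets where actor != target open a chain: a self-service reset is not
    the BPO-mediated path this rule is about.
    """
    per_user = {}
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        per_user.setdefault(event["target"], []).append(event)

    alerts, alerted_exports = [], set()
    for user, history in per_user.items():
        for i, reset in enumerate(history):
            if reset["action"] not in RESET_ACTIONS or reset["actor"] == user:
                continue
            deadline = parse_ts(reset["ts"]) + window
            enroll = export = None
            for later in history[i + 1:]:
                if parse_ts(later["ts"]) > deadline:
                    break
                if later["action"] in ENROLL_ACTIONS and enroll is None:
                    enroll = later
                elif (later["action"] in EXPORT_ACTIONS and enroll is not None
                      and later["detail"].get("records", 0) >= export_threshold):
                    export = later
                    break
            if export is None or (user, export["ts"]) in alerted_exports:
                continue  # no chain, or this export already produced an alert
            alerted_exports.add((user, export["ts"]))
            alerts.append({
                "user": user,
                "helpdesk_actor": reset["actor"],
                "reset_ts": reset["ts"],
                "enroll_ts": enroll["ts"],
                "export_ts": export["ts"],
                "records": export["detail"]["records"],
                # True when the reset was granted without out-of-band verification.
                "weak_verification": reset["detail"].get("verification") in WEAK_VERIFICATION,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_chains(SAMPLE_EVENTS):
        print(alert)
```

The gating condition is the helpdesk-initiated reset (actor differs from target); a user who resets their own password and then runs a report never enters the chain, and a large export with no preceding reset is left to volume-based rules. The weak_verification flag surfaces the policy gap the capability list points at: resets granted on caller knowledge alone are the ones worth a callback to the registered number before the chain can complete.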

Attribution

Attribution confidence is A4 (uncategorized). The cluster identifier originates with Google Threat Intelligence Group; independent media reporting (SecurityWeek, BleepingComputer, Infosecurity Magazine) references GTIG as the primary source. GTIG has not publicly linked UNC6783 to a named criminal enterprise, nation-state, or prior Mandiant-tracked cluster; the “UNC” prefix is itself GTIG’s marker for an uncategorized cluster.

A potential association with the Mr. Raccoon persona appears in adjacent reporting around Adobe and related corporate-breach claims. That association is not sufficiently corroborated in the UNC6783-specific reporting cited here to justify a merge. Threatpedia maintains the two as distinct profiles — Mr. Raccoon as a persona-level article, UNC6783 as a cluster-level article — and treats any stronger link as an attribution question to be resolved only on primary evidence.

Operator identity, national nexus, and infrastructure footprint remain unknown as of this profile’s generation date (April 2026).

MITRE ATT&CK Profile

The techniques mapped below reflect the publicly reported tradecraft:

  • T1566.004 — Phishing: Spearphishing Voice (Initial Access): voice-led pretexting of BPO helpdesk staff.
  • T1556.006 — Modify Authentication Process: Multi-Factor Authentication (Credential Access): helpdesk-mediated MFA factor changes and device enrollments.
  • T1213 — Data from Information Repositories (Collection): bulk Zendesk ticket export from downstream corporate tenants.
  • T1657 — Financial Theft (Impact): extortion of named victims referencing exfiltrated content.

Additional ATT&CK coverage should be added only as primary GTIG telemetry or independent IR reporting surfaces.

Sources & References