{"id":45310,"date":"2026-04-10T22:10:47","date_gmt":"2026-04-10T14:10:47","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/10\/unc6783-hackers-use-fake-okta-pages-in-corporate-breach-campaign\/"},"modified":"2026-04-10T22:10:47","modified_gmt":"2026-04-10T14:10:47","slug":"unc6783-hackers-use-fake-okta-pages-in-corporate-breach-campaign","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/10\/unc6783-hackers-use-fake-okta-pages-in-corporate-breach-campaign\/","title":{"rendered":"UNC6783 Hackers Use Fake Okta Pages in Corporate Breach Campaign"},"content":{"rendered":"\n<p>Cybersecurity experts at Google Threat Intelligence Group (GTIG) have issued a warning about a new group of hackers, known as UNC6783, who are trying to steal data from large companies for <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/19-year-old-admits-powerschool-data-breach-extortion\/\" data-type=\"post\" data-id=\"130203\">data theft extortion<\/a>. Austin Larsen, a lead analyst at GTIG, reports that this group might be linked to an individual using the name Raccoon.<\/p>\n<p>The hackers have so far targeted dozens of high-value organisations across various industries by compromising the security of Business Process Outsourcers (BPOs). These are third-party service providers responsible for handling tasks such as customer service and technical support for larger corporations. By targeting these partner firms, hackers can gain access to the main systems of the companies they really want to target for data theft.<\/p>\n<h3><strong>How the hackers trick the staff<\/strong><\/h3>\n<p>According to Larsen, the group uses a special phishing kit to bypass standard security. The attack kicks off with social engineering, where hackers use <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/phishing-scam-livechat-pose-as-amazon-paypal\/\">live chat<\/a> windows to talk to employees. 
They pretend to be helpful but actually send links to fake login pages that look like the real <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/okta-fixes-sign-on-policy-bypass-vulnerability\/\">Okta<\/a> service used by many offices. These fake websites use addresses like <code>&lt;org>zendesk-support&lt;##>com<\/code> to look official.<\/p>\n<p>Once an employee tries to log in, the hackers steal information from the person&#8217;s computer clipboard. This allows the attackers to add their own phones or laptops to the company\u2019s security list. This is called enrolling a device for persistent access, which means they can get back into the system whenever they want.<\/p>\n<h3><strong>Fake updates and ransom notes<\/strong><\/h3>\n<p>GTIG\u2019s <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7447117799153360896\/\">research<\/a> reveals that the hackers use several different methods to trick employees. They sometimes send messages about fake security software updates that contain a malware installer. If the employee downloads the update, a <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/hackers-abuse-monitoring-tool-nezha-trojan\/\" data-type=\"link\" data-id=\"https:\/\/hackread.com\/hackers-abuse-monitoring-tool-nezha-trojan\/\">Remote Access Trojan<\/a> (RAT) gets installed instead, which lets the hackers remotely control the computer. After they take the files they want, they send ransom notes using <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/police-accessed-proton-mail-user-data-in-terrorism-probe\/\" data-type=\"link\" data-id=\"https:\/\/hackread.com\/police-accessed-proton-mail-user-data-in-terrorism-probe\/\">Proton Mail<\/a>.<\/p>\n<p>To stay safe, Mandiant and Google recommend that organisations start using physical security keys, like Titan Security Keys, instead of just text message codes. 
These use a standard called <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/mitm-attacks-can-bypass-fido2-security\/\">FIDO2<\/a>, which is much harder for hackers to crack. Also, they must monitor live chat logs and block suspicious web links that follow the Zendesk pattern. Regularly checking which devices are allowed to log in is another good practice to prevent these hackers from invading the system.<\/p>\n<h3><strong>Industry experts&#8217; perspectives<\/strong><\/h3>\n<p>Industry experts shared their thoughts on these findings with Hackread.com. John Watters, CEO at iCOUNTER, believes this represents a major change in how hackers work. Watters stated: \u201cWhat\u2019s emerging with UNC6783 and the Raccoon persona is not just another social engineering campaign; it\u2019s a deliberate strategy to enter through the ecosystem instead of attacking the enterprise head-on.\u201d<\/p>\n<p>He explained that by targeting live support channels, hackers are exploiting the trust between companies and their partners. Watters added: \u201cRaccoon isn\u2019t attacking companies, it\u2019s attacking the relationships companies rely on to operate. If you\u2019re not defending your ecosystem, you\u2019re leaving the front door open through someone else\u2019s system.\u201d<\/p>\n<p>Mika Aalto, Co-Founder and CEO at Hoxhunt, says that these attackers are using psychological tricks to beat strong security. 
\u201cAttackers don\u2019t need to hack through security systems when they can persuade people to open the door,\u201d Aalto stated, suggesting that targeting helpdesk teams is very effective because they handle sensitive requests every day. <\/p>\n<p>To stay safe, he recommends training employees with realistic simulations so they can spot suspicious chats and report them as soon as they happen.<\/p>\n<div >\n<div>\n<div>\n<div>\n<h5> \t\t\t\t\t\t<a target=\"_blank\" rel=\"author\" href=\"https:\/\/hackread.com\/author\/deeba\/\"> \t\t\t\t\t\t\tDeeba Ahmed\t\t\t\t\t\t<\/a> \t\t\t\t\t<\/h5>\n<div> \t\t\t\t\t\t\t<a target=\"_blank\" rel=\"author\" href=\"https:\/\/hackread.com\/author\/deeba\/\"> \t\t\t\t\t\t\t\t<img src='https:\/\/secure.gravatar.com\/avatar\/9fefbe13a37a8aeb4620dfe89bb7feabd9433643ff382b6b882f27837a4cfb72?s=80&#038;d=mm&#038;r=g' srcset='https:\/\/secure.gravatar.com\/avatar\/9fefbe13a37a8aeb4620dfe89bb7feabd9433643ff382b6b882f27837a4cfb72?s=160&#038;d=mm&#038;r=g 2x' height='80' width='80' alt=\"UNC6783 Hackers Use Fake Okta Pages in Corporate Breach Campaign\" \/>\t\t\t\t\t\t\t<\/a> \t\t\t\t\t\t<\/div>\n<div>\n<div> \t\t\t\t\t\t\t\tDeeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. 
Her expertise and in-depth analysis make her a key contributor to the platform\u2019s trusted coverage.\t\t\t\t\t\t\t<\/div>\n<div>\n<div> \t\t<a href=\"https:\/\/hackread.com\/author\/deeba\/\" target=\"\"> \t\t\tView Posts\t\t<\/a> \t<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity experts at Google Threat Intelligence Gro [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-45310","post","type-post","status-publish","format-standard","hentry","category-hackread"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=45310"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45310\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=45310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=45310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=45310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}