UNC6783 Mr. Raccoon: New BPO Live Chat Attacks Explained

The cybersecurity landscape has reached a precarious inflection point. As enterprise security teams harden their perimeters and implement robust multi-factor authentication (MFA), threat actors are systematically shifting their focus toward the “human-in-the-loop” trust relationships that underpin global business operations. The discovery of UNC6783—a sophisticated threat cluster increasingly linked to the “Mr. Raccoon” persona—represents a chilling evolution in this strategy. By weaponizing live chat support interfaces and exploiting the inherent trust afforded to help desk personnel, this actor is bypassing traditional security controls with alarming efficiency.
The Anatomy of UNC6783: A New Breed of Social Engineering
First identified in early April 2026, UNC6783 is a financially motivated threat cluster tracked by Google Threat Intelligence Group (GTIG). While the cluster shares DNA with notorious “The Com” ecosystem actors known for aggressive social engineering, it distinguishes itself through a highly patient, interactive operational model. Unlike bulk phishing campaigns that rely on volume, UNC6783 employs targeted, live social engineering to breach high-value corporate entities, frequently by compromising the Business Process Outsourcers (BPOs) that act as their service conduits.
The core of the UNC6783 methodology is not technical exploitation of software vulnerabilities, but rather the exploitation of operational trust. By engaging help desk staff in real-time conversations—frequently via platforms like Zendesk—the actors create a sense of legitimacy that is difficult for even well-trained employees to distinguish from genuine support requests.
The Real-Time Advantage
The transition from static phishing to dynamic, live-chat-based social engineering provides the actor with a critical advantage: adaptability. Traditional phishing emails are rigid; if a victim becomes suspicious, the attack often fails. In contrast, UNC6783 operators engage in sustained, rapport-building dialogues. If an employee hesitates, the attacker can pivot their narrative, provide plausible “justifications,” or mirror the language and urgency of professional technical support. This real-time interaction allows them to guide victims precisely where they want them to go: malicious, spoofed authentication pages.
Infrastructure and Attack Vector Mechanics
The technical deployment of the UNC6783 campaign is both predictable in pattern and highly effective. The actors utilize sophisticated phishing infrastructure designed to look, feel, and behave exactly like the internal portals employees trust.
- Spoofed Authentication Pages: UNC6783 frequently deploys highly convincing replicas of Okta Single Sign-On (SSO) login portals. These are often hosted on look-alike domains that mimic the organization’s branding, frequently utilizing patterns such as <org>[.]zendesk-support<##>[.]com.
- Clipboard Content Exfiltration: The phishing kits employed by the cluster are engineered to steal more than just credentials. They are designed to capture clipboard contents, a technique that allows the attacker to intercept and exfiltrate sensitive data, including session tokens or other artifacts that can be used to bypass MFA.
- Unauthorized Device Enrollment: By successfully harvesting session tokens, the actor can enroll their own devices within the victim’s environment. This grants them persistent access that survives password rotations, as the attacker effectively becomes an “authorized” user from the perspective of the identity provider.
- Malware Distribution: In scenarios where they cannot achieve their goals through credential theft alone, UNC6783 has been observed distributing fake security software updates during support interactions. These “updates” are, in fact, remote access trojans (RATs) that provide the attacker with deep, persistent control over the victim’s endpoint.
The BPO “Trojan Horse” Strategy
A significant portion of the UNC6783 campaign targets Business Process Outsourcers (BPOs) that provide managed support services to high-value corporations. This is a strategic calculation: BPO agents are the ultimate “keys to the kingdom.” Because these agents operate across the environments of multiple, often high-profile clients, a single compromise at the BPO level can serve as a conduit for widespread data exfiltration across several, seemingly unrelated, enterprises.
When an actor compromises a help desk agent at a BPO, they inherit the privileges and implicit trust assigned to that role. This allows them to move laterally into the client environments the BPO supports, perform reconnaissance, and eventually export sensitive data—including internal support tickets, employee records, and confidential business documents—for the purpose of digital extortion.
Defensive Strategies for an Evolving Threat
The rise of UNC6783 demonstrates that legacy security models are insufficient against attackers who target the operational processes and human elements of an organization. Organizations must adopt a more proactive, context-aware defensive posture.
1. Implement Phishing-Resistant MFA
Standard SMS or push-notification-based MFA is no longer sufficient. Organizations should mandate the use of FIDO2-compliant hardware security keys (e.g., Titan Security Keys or YubiKeys). Because FIDO2 provides cryptographic proof of the origin of the authentication attempt, it is inherently resistant to the adversary-in-the-middle (AiTM) techniques and clipboard-theft methods utilized by UNC6783.
2. Monitor and Sanitize Communication Channels
Help desk and live chat platforms are now primary attack vectors. Security teams must:
- Implement strict monitoring on live chat platforms to identify unusual interactions, such as those that redirect users to external URLs or demand immediate authentication.
- Proactively block known or suspected look-alike domains, especially those mimicking support portals (e.g., the zendesk-support pattern).
- Establish clear protocols for what information or links can be shared within support chats.
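As an added illustration of the domain-blocking step (example code, not from the report or any vendor), the script below scans constructed web proxy log lines for hosts matching the reported <org>.zendesk-support<##>.com look-alike pattern. It goes slightly beyond the page's pattern by also flagging any other host that brands itself "zendesk-support" outside the genuine zendesk.com domain; the log format, the 1-3 digit suffix width and the sample lines are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Look-alike host pattern reported for UNC6783 phishing infrastructure:
# <org>[.]zendesk-support<##>[.]com (defanged in the report). The regex
# matches the live form; the 1-3 digit suffix width is an assumption.
LOOKALIKE_RE = re.compile(
    r"^(?P<org>[a-z0-9-]+)\.zendesk-support\d{1,3}\.com$", re.IGNORECASE
)

# Genuine Zendesk customer portals sit under zendesk.com; any other host that
# brands itself "zendesk-support" is treated as suspect.
LEGIT_SUFFIXES = (".zendesk.com",)

def classify_host(host: str) -> Optional[str]:
    """Return a reason string if the host looks like a spoofed support portal."""
    h = host.lower().rstrip(".")
    if any(h == s[1:] or h.endswith(s) for s in LEGIT_SUFFIXES):
        return None
    m = LOOKALIKE_RE.match(h)
    if m:
        return f"zendesk-support look-alike impersonating '{m.group('org')}'"
    if "zendesk-support" in h:
        return "host contains 'zendesk-support' outside the legitimate domain"
    return None

def scan_proxy_log(lines):
    """Parse constructed 'timestamp user method url' lines; return findings."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the scan
        ts, user, _method, url = parts[:4]
        host = urlsplit(url).hostname or ""
        reason = classify_host(host)
        if reason:
            findings.append({"time": ts, "user": user, "host": host, "reason": reason})
    return findings

# Constructed sample proxy log lines (not taken from the report).
SAMPLE_LOG = [
    "2026-04-03T10:15:22Z agent1 GET https://acme.zendesk.com/agent/dashboard",
    "2026-04-03T10:16:04Z agent1 GET https://acme.zendesk-support42.com/okta/login",
    "2026-04-03T10:16:09Z agent1 POST https://acme.zendesk-support42.com/okta/verify",
    "2026-04-03T10:20:51Z agent2 GET https://login.zendesk-support.com/sso",
    "2026-04-03T10:22:13Z agent2 GET https://intranet.acme.example/",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

The same classify_host check can be fed from DNS query logs or used to build a blocklist; a hit on an agent workstation during an active chat session is the signal item 2 above describes.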
3. Audit Identity Persistence
The actor’s ability to enroll their own devices highlights the need for continuous monitoring of identity provider (IdP) logs. Organizations should perform regular, automated audits of newly enrolled authentication devices. Any device enrollment that does not correspond to an authorized provisioning request should trigger an immediate, high-priority incident response action.
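The audit described above, as an added example that is not part of the original article or any IdP's own tooling: each device enrollment in a constructed IdP audit feed is matched against an approved provisioning request for the same user, and any enrollment with no approval in the preceding window is raised as a high-priority alert. Each approval is consumed by the first enrollment it covers, so a second device enrolled on the same ticket is also flagged. The event field names, the four-hour window and the sample data are assumptions.

```python
from datetime import datetime, timedelta

# Constructed IdP audit events; the field names are an assumption, not any
# vendor's real log schema.
IDP_EVENTS = [
    {"time": "2026-04-03T09:02:11Z", "event": "device.enroll",
     "user": "agent1@bpo.example", "device": "iPhone-7f3a"},
    {"time": "2026-04-03T10:41:05Z", "event": "device.enroll",
     "user": "agent2@bpo.example", "device": "Android-c91e"},
    {"time": "2026-04-03T10:43:30Z", "event": "session.start",
     "user": "agent2@bpo.example", "device": "Android-c91e"},
    {"time": "2026-04-03T14:10:00Z", "event": "device.enroll",
     "user": "agent1@bpo.example", "device": "Pixel-0b2d"},
]
# Constructed provisioning approvals exported from the ticketing system.
PROVISIONING = [
    {"user": "agent1@bpo.example", "ticket": "PROV-1184",
     "approved": "2026-04-03T08:30:00Z"},
]
WINDOW = timedelta(hours=4)  # assumed: enrollment must follow approval within 4h

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def audit_enrollments(events, approvals, window=WINDOW):
    """Return device enrollments not covered by an approved provisioning request."""
    pending = {}  # user -> list of (approval time, ticket) still unconsumed
    for a in approvals:
        pending.setdefault(a["user"], []).append((parse_ts(a["approved"]), a["ticket"]))
    alerts = []
    for e in events:
        if e["event"] != "device.enroll":
            continue
        t = parse_ts(e["time"])
        match = next(
            (p for p in pending.get(e["user"], []) if timedelta(0) <= t - p[0] <= window),
            None,
        )
        if match:
            pending[e["user"]].remove(match)  # one approval covers one enrollment
            continue
        alerts.append({"time": e["time"], "user": e["user"],
                       "device": e["device"], "severity": "high"})
    return alerts

if __name__ == "__main__":
    for alert in audit_enrollments(IDP_EVENTS, PROVISIONING):
        print(alert)
```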
4. Enforce Endpoint Hygiene
The use of fake security updates confirms that endpoints remain a critical vulnerability. Organizations should restrict the ability of employees to install unauthorized software and monitor for anomalous binary execution—particularly installers that appear suddenly during active support or communication sessions.
Conclusion
The emergence of UNC6783 serves as a stark reminder that the “ecosystem” is now the primary attack surface. By exploiting the deep interdependencies of modern business—where BPOs, help desks, and SSO providers are inextricably linked—these actors have developed a playbook that favors persistence, stealth, and social manipulation over traditional brute-force tactics. In this new era, security can no longer be confined to the perimeter; it must be woven into the very fabric of how employees communicate, verify, and authenticate. Ignoring the human-centric nature of this threat is a gamble that no modern organization can afford to take.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.