A social engineering campaign by a financially motivated threat cluster has been uncovered extorting payments from dozens of targeted organizations, according to researchers at Google Threat Intelligence Group.
The threat cluster, tracked as UNC6783, operates by compromising business process outsourcers that work with targeted organizations, Austin Larsen, principal threat analyst at GTIG, said in a LinkedIn post. The cluster has potential ties to an operative using the “Raccoon” persona.
In other cases, hackers set their sights on support or help desk staff at the targeted entities in order to gain trust and steal sensitive data.
The hackers have used live chat to direct employees to malicious Okta login pages, according to Larsen. Phishing kits are used to bypass multifactor authentication. The hackers then enroll their own device to gain persistent access to a targeted environment.
In some cases, fake security software has been used to trick workers into downloading remote access malware. The threat cluster has used Proton emails to send ransom notes to victims.
GTIG researchers have not named any specific organizations that were impacted, but said that several dozen were targeted across multiple industry sectors.
Cybersecurity Dive previously learned that a persona called Mr. Raccoon had taken credit for a social engineering attack against Adobe. The hacker claimed to have exfiltrated a large number of support tickets. Adobe did not respond to a request for comment.
Security teams should implement phishing-resistant multifactor authentication and proactively block unauthorized domains.
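One detection that follows from the pattern described above (a phished session followed by the attacker enrolling their own MFA device) is to flag factor enrollments that occur shortly after a sign-in from an IP the user has never used. The script below is an added example, not code from GTIG, Okta or the article; the event shape is a simplified approximation of Okta System Log records and the field names, the 15-minute window and the baseline IP set are assumptions.

```python
"""Flag MFA factor enrollments that follow a sign-in from an unfamiliar IP.

Added example (not GTIG's or Okta's code). Events are constructed in a
simplified shape loosely modelled on Okta System Log records; the field
names and event types used here are assumptions, not a full schema.
"""
from datetime import datetime, timedelta

# Constructed baseline: IPs previously seen for each user (assumed allowlist).
KNOWN_IPS = {"a.user@example.com": {"203.0.113.10"}}

# Constructed sample events (simplified; "published" is ISO-8601 UTC).
EVENTS = [
    {"published": "2025-01-10T09:00:00Z", "eventType": "user.session.start",
     "actor": "a.user@example.com", "ip": "203.0.113.10"},
    {"published": "2025-01-10T13:02:00Z", "eventType": "user.session.start",
     "actor": "a.user@example.com", "ip": "198.51.100.7"},
    {"published": "2025-01-10T13:05:30Z", "eventType": "user.mfa.factor.activate",
     "actor": "a.user@example.com", "ip": "198.51.100.7"},
    {"published": "2025-01-10T15:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "a.user@example.com", "ip": "203.0.113.10"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, known_ips, window=timedelta(minutes=15)):
    """Return (actor, ip, enroll_time) for each factor activation that occurs
    within `window` of a session start from an IP not in the actor's baseline.
    Requiring the same IP for both events is a simplification; a real rule
    would also correlate on session or device identifiers."""
    recent_unknown = {}  # actor -> list of (time, ip) for unfamiliar sign-ins
    hits = []
    for ev in sorted(events, key=lambda e: e["published"]):
        t, actor, ip = _ts(ev["published"]), ev["actor"], ev["ip"]
        if ev["eventType"] == "user.session.start":
            if ip not in known_ips.get(actor, set()):
                recent_unknown.setdefault(actor, []).append((t, ip))
        elif ev["eventType"] == "user.mfa.factor.activate":
            for st, sip in recent_unknown.get(actor, []):
                if sip == ip and timedelta(0) <= t - st <= window:
                    hits.append((actor, ip, ev["published"]))
                    break
    return hits


if __name__ == "__main__":
    for h in find_suspicious_enrollments(EVENTS, KNOWN_IPS):
        print("ALERT: factor enrolled after unfamiliar sign-in:", h)
```

On the constructed events only the 13:05 enrollment is flagged: it follows a sign-in from an IP outside the user's baseline, while the later enrollment from a known IP is not.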