Google says hackers are using fake Salesforce app to attack businesses

Hackers are targeting employees at companies across Europe and the Americas using a sophisticated social engineering campaign involving a modified Salesforce app, Google's

cybersecurity

arm has said. According to Google’s Threat Intelligence Group (GTIG), the attackers—identified as UNC6040—have been “particularly effective” in deceiving corporate users into installing a fake version of

Salesforce Data Loader

, a legitimate tool used for importing large datasets into Salesforce environments.

How hackers are targeting large companies

The team at Google explains that the hackers impersonate official Salesforce representatives and are calling employees to direct them to a fake app setup page. There, users are tricked into authorising a malicious version of the Data Loader app that mimics the original software.Once installed, the app grants attackers significant access to sensitive corporate data. Google researchers noted that the hackers can exfiltrate confidential information, query internal systems, and in many cases, pivot to attack other cloud services and internal networks.

As per the researchers, technical indicators suggest that the campaign has ties to “The Com”, a loosely organised cybercriminal ecosystem known for orchestrating both online fraud and real-world violence.

What Google and Salesforce have to say

A Google spokesperson told news agency Reuters that at least 20 organisations have been affected by the UNC6040 operation over the past several months, with some suffering successful data breaches and extortion attempts.Meanwhile, Salesforce, stated that the issue does not stem from any vulnerability in its platform. A company spokesperson emphasised that the attacks rely on voice phishing (vishing) tactics and exploit gaps in employee cybersecurity awareness.“There’s no indication the issue described stems from any vulnerability inherent in our platform,” the spokesperson said, adding that the number of affected customers is small and the threat is not considered widespread.Salesforce had previously issued a warning in March 2025, cautioning users about vishing attacks and the risks posed by malicious versions of Data Loader.