By AJ Vicens
June 4 (Reuters) - Hackers are tricking employees at
companies in Europe and the Americas into installing a modified
version of a Salesforce-related app, allowing the hackers to
steal reams of data, gain access to other corporate cloud
services and extort those companies, Google said on Wednesday.
The hackers - tracked by the Google Threat Intelligence
Group as UNC6040 - have "proven particularly effective at
tricking employees" into installing a modified version of
Salesforce's Data Loader, a proprietary tool used to bulk import
data into Salesforce environments, the researchers said.
The hackers use voice calls to trick employees into visiting
a purported Salesforce connected app setup page to approve the
unauthorized, modified version of the app, created by the
hackers to emulate Data Loader.
If the employee installs the app, the hackers gain
"significant capabilities to access, query, and exfiltrate
sensitive information directly from the compromised Salesforce
customer environments," the researchers said.
The access also frequently gives the hackers the ability to
move throughout a customer's network, enabling attacks on other
cloud services and internal corporate networks.
Technical infrastructure tied to the campaign shares
characteristics with suspected ties to the broader and loosely
organized ecosystem known as "The Com," known for small,
disparate groups engaging in cybercriminal and sometimes violent
activity, the researchers said.
A Google spokesperson did not share additional
details about how many companies have been targeted as part of
the campaign, which has been observed over the past several
months.
A Salesforce spokesperson told Reuters in an email that
"there's no indication the issue described stems from any
vulnerability inherent in our platform." The spokesperson said
the voice calls used to trick employees "are targeted social
engineering scams designed to exploit gaps in individual users'
cybersecurity awareness and best practices."
The spokesperson declined to share the specific number
of affected customers, but said that Salesforce was "aware of
only a small subset of affected customers," and said it was "not
a widespread issue."
Salesforce warned customers of voice phishing, or "vishing,"
attacks and of hackers abusing malicious, modified versions of
Data Loader in a March 2025 blog post.