“Mr. Raccoon” Threat Actor Hijacks Enterprise Help Desks to Steal Credentials
What Happened
Google’s Threat Intelligence Group identified a financially motivated actor, tracked as UNC6783 and self‑styled “Mr. Raccoon”, that impersonates IT support staff to compromise outsourced help‑desk and support teams. The group uses live chat and phone calls to lure employees onto look‑alike Zendesk‑style login pages, where a custom phishing kit captures credentials and MFA tokens, and then harvests clipboard data and device registrations. Successful intrusions have led to ransomware deployment and extortion demands against dozens of high‑value corporate entities across multiple sectors.
Why It Matters for TPRM
- Credential‑theft at the support‑desk level gives attackers footholds inside vendor environments, amplifying third‑party risk.
- The use of spoofed SaaS support domains (e.g., .zendesk‑support.com) evades traditional URL filtering, exposing downstream customers to data loss.
- Extortion after exfiltration adds financial and reputational exposure for both the vendor and its clients.
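Because a freshly registered look‑alike host carries no bad reputation yet, a practical complement to URL filtering is to compare every support‑SaaS host that staff resolve or log into against the brand's real registrable domain. The following Python scanner is an added example, not code from the advisory or from Google TIG; the legitimate‑domain allowlist, the key=value proxy‑log format and the sample log lines are all constructed for illustration.

```python
"""Detect look-alike SaaS support hosts in proxy/DNS logs.

Added example (not from the advisory or Google TIG). The legitimate-domain
allowlist, log line format and sample lines are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Registrable domains the impersonated support SaaS actually uses. In
# production load this from a maintained allowlist.
LEGIT_DOMAINS = {"zendesk.com", "servicenow.com", "service-now.com"}
BRAND_KEYWORDS = ("zendesk", "servicenow", "service-now")

# Minimal public-suffix handling; use the publicsuffix2 package in production.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Common digit/letter substitutions used in typo-squatted brand names.
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("3", "e"), ("rn", "m"))


def registrable_domain(host: str) -> str:
    """Return the domain a registrant controls: evil.net for zendesk.com.evil.net."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """True when the host name borrows a support-SaaS brand but is not
    registered under that brand's own domain, e.g. acme.zendesk-support.com,
    zendesk.com.evil.net or zend3sk-auth.com."""
    host = host.lower()
    if registrable_domain(host) in LEGIT_DOMAINS:
        return False
    folded = host
    for bad, good in HOMOGLYPHS:
        folded = folded.replace(bad, good)
    return any(k in folded for k in BRAND_KEYWORDS)


# Constructed proxy-log format: key=value fields, one request per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+)"
)
# Paths where a credential or MFA code is likely to be submitted.
CRED_PATH = re.compile(r"/(access|login|signin|auth|mfa)", re.I)


@dataclass
class Alert:
    ts: str
    src: str
    host: str
    severity: str  # "high" = credential submitted, "medium" = page visited


def scan(lines):
    """Return one Alert per request to a look-alike support host."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of stopping the pipeline
        if not is_lookalike(m["host"]):
            continue
        submitted = m["method"].upper() == "POST" and CRED_PATH.search(m["path"])
        alerts.append(Alert(m["ts"], m["src"], m["host"],
                            "high" if submitted else "medium"))
    return alerts


# Constructed sample: a legitimate tenant login, a look-alike page load, a
# credential POST to it, a fake "security update" download, a legitimate
# ServiceNow login and a typo-squatted MFA prompt.
SAMPLE_LOG = [
    "2025-05-02T10:14:03Z src=10.1.4.22 host=acme.zendesk.com method=GET path=/access/login",
    "2025-05-02T10:16:41Z src=10.1.4.22 host=acme.zendesk-support.com method=GET path=/access/login",
    "2025-05-02T10:17:05Z src=10.1.4.22 host=acme.zendesk-support.com method=POST path=/access/login",
    "2025-05-02T10:19:30Z src=10.1.4.22 host=zendesk.com.cdn-update.net method=GET path=/security-update.exe",
    "2025-05-02T10:22:12Z src=10.1.7.8 host=acme.service-now.com method=POST path=/login.do",
    "2025-05-02T10:25:55Z src=10.1.7.8 host=zend3sk-auth.com method=POST path=/mfa/verify",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.severity.upper():6} {a.ts} {a.src} -> {a.host}")
```

The check deliberately keys on the registrable domain rather than on the full host name, so `zendesk.com.evil.net` is caught even though it starts with the real brand domain. Expect some noise from integrators and CDNs whose names legitimately contain a brand string; tune `LEGIT_DOMAINS` from your own traffic before alerting on "medium" hits.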
Who Is Affected
- Enterprises that outsource IT help‑desk or customer‑support functions.
- SaaS providers whose support portals are impersonated (Zendesk, ServiceNow, etc.).
- Industries relying heavily on outsourced labor: finance, healthcare, retail, and technology.
Recommended Actions
- Conduct an immediate inventory of all third‑party help‑desk and support service contracts.
- Verify that vendors enforce phishing‑resistant MFA (FIDO2/WebAuthn or certificate‑based) for help‑desk staff, since OTP and push‑approval MFA are exactly what a phishing kit proxies, and that their mail domains publish SPF, DKIM, and a DMARC policy of p=reject.
- Request a detailed incident‑response and security‑posture disclosure from any support‑service provider.
- Deploy real‑time monitoring for anomalous login attempts to support‑related subdomains, and for traffic from your own and the vendor's networks to look‑alike support domains.
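To make the SPF/DMARC verification concrete, the following Python grades a vendor's records the way an assessor would before accepting a mail‑authentication attestation. This is an added example, not code from the advisory or DataBreachToday; the record strings are constructed and the mail‑domain names in them are placeholders.

```python
"""Grade a vendor's SPF and DMARC records for the verification step above.

Added example (not from the advisory). The records below are constructed;
in practice fetch them with `dig +short TXT _dmarc.<vendor-domain>` and
`dig +short TXT <vendor-domain>`.
"""
import re

# Mechanisms and modifiers that cost a DNS lookup; SPF caps these at 10
# (RFC 7208 section 4.6.4), beyond which receivers return permerror.
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a lowercase tag map."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings; an empty list means the record blocks spoofing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: mail spoofing the domain is not rejected")
    sub_policy = tags.get("sp", policy).lower()  # sp inherits p when absent
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains (e.g. support.<vendor>) can still be spoofed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= tag: vendor receives no aggregate reports and will not see abuse")
    return findings


def assess_spf(record: str) -> list:
    """Return findings; empty means hard-fail with a sane lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    all_term = None
    lookups = 0
    for term in terms[1:]:
        name = term.lower().lstrip("+-~?")
        mech = re.split(r"[:=/]", name, maxsplit=1)[0]
        if mech == "all":
            all_term = term.lower()
        elif mech in LOOKUP_TERMS:
            lookups += 1
    if all_term is None:
        findings.append("no 'all' mechanism: senders not listed are implicitly neutral")
    elif all_term in ("all", "+all"):
        findings.append("+all: any host on the internet may send as the domain")
    elif all_term == "~all":
        findings.append("~all: spoofed mail is soft-failed, not rejected; only acceptable with DMARC p=reject")
    elif all_term == "?all":
        findings.append("?all: neutral result, no enforcement")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: exceeds the limit of 10, record evaluates to permerror")
    return findings


# Constructed records: a weak vendor posture beside a hardened one.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@vendor.example"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, rec, fn in (("weak DMARC", WEAK_DMARC, assess_dmarc),
                           ("weak SPF", WEAK_SPF, assess_spf),
                           ("strong DMARC", STRONG_DMARC, assess_dmarc),
                           ("strong SPF", STRONG_SPF, assess_spf)):
        print(label, "->", fn(rec) or ["ok"])
```

The `sp` default matters for this threat: a vendor with `p=reject` but no `sp` tag is fine, while one that sets `sp=none` leaves `support.<vendor>` spoofable even though the apex is protected. DKIM cannot be graded from a single record because selectors are per‑sender; confirm it by inspecting the `DKIM-Signature` header of mail the vendor actually sends you.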
Technical Notes
- Attack vector: Social engineering via live chat/phone, spoofed Zendesk‑style login pages, custom phishing kit that bypasses MFA, clipboard data capture, fake security‑update payloads.
- CVEs: None reported in the public disclosure.
- Data types exposed: Enterprise credentials (username/password, MFA tokens), clipboard contents (potentially confidential documents), device registration tokens, and any data accessed after lateral movement.
Source: DataBreachToday – Breach Roundup: Mr. Raccoon Wants Your Password