Google's Threat Intelligence Group has identified a previously unknown cybercriminal operation that combines social engineering with custom malware to steal data. The group, tracked as UNC4999, initiates attacks by sending Microsoft Teams chat invitations that impersonate help desk staff, tricking employees into granting remote access.
Once access is obtained, the attackers deploy a custom backdoor called 'VaporRage' that allows persistent data exfiltration. The malware is designed to evade detection by using encrypted communications and mimicking legitimate network traffic, according to Google's analysis published on April 24, 2026.
The campaign has primarily targeted technology and financial services companies in North America and Europe since early 2026. Google recommends organizations enable multi-factor authentication and train employees to verify help desk requests through separate channels.