🇮🇳 IN

Mr. Raccoon

Also known asMr. Raccoon

Mr. Raccoon is a threat actor name associated with unverified claims of a breach involving Adobe. According to reporting cited in the provided content, the actor allegedly gained initial access through a third-party Indian BPO firm contracted by Adobe, reportedly by delivering a malicious email that deployed a remote access tool on a BPO employee’s machine, then expanding access by phishing the employee’s manager. The claims further state that the actor accessed Adobe support resources, including a Microsoft SharePoint instance and Adobe’s HackerOne account, and exfiltrated large volumes of data including more than 13 million support ticket records, details on more than 15,000 Adobe employees, HackerOne bug bounty submissions, and internal documents. The reporting also alleges abuse of overly permissive ticket export functionality that allowed bulk export of support tickets from an agent account. These claims were characterized in the source material as allegations and remained unverified at the time of publication; Adobe had not publicly confirmed or denied the incident. No additional aliases or sub-groups beyond "mr_raccoon" / "Mr. Raccoon" are provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Software & Services

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics8 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

2 techniques

T1195

Supply Chain Compromise

T1566×3

Phishing

T1566.001

Spearphishing Attachment

TA0006

Credential Access

1 technique

T1528

Steal Application Access Token

TA0009

Collection

2 techniques

T1125

Video Capture

T1213

Data from Information Repositories

TA0011

Command and Control

1 technique

T1219×3

Remote Access Tools

TA0010

Exfiltration

1 technique

T1041

Exfiltration Over C2 Channel

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyber security newsNews

Apr 3, 2026

Adobe Breach - Threat Actor Allegedly Claims Leak of 13 Million Support Tickets and Employee Records

Allegedly conducted a supply-chain-style intrusion against Adobe via a contracted Indian BPO, exfiltrating support tickets, employee records, HackerOne bug bounty submissions, and internal documents.

reddit netsecNews

Apr 3, 2026

A threat actor who goes by the name "Mr. Raccoon" has claimed to hack Adobe support via 3rd party Indian BPO firm : r/netsec

Claimed responsibility for an alleged breach affecting Adobe support data, including support ticket details, employee details, and alleged access to Microsoft SharePoint and Adobe's HackerOne account via a third-party Indian BPO firm.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.