{
	"id": "678b9d91-f7b4-4d7e-8f18-5d54e4e5a86a",
	"created_at": "2026-04-06T03:37:54.309906Z",
	"updated_at": "2026-04-10T03:36:00.826553Z",
	"deleted_at": null,
	"sha1_hash": "ceb6daf589923566e4096f2c089c89605ceaf8eb",
	"title": "Google: Hackers target Salesforce accounts in data extortion attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1721936,
	"plain_text": "Google: Hackers target Salesforce accounts in data extortion attacks\r\nBy Bill Toulas\r\nPublished: 2025-06-04 · Archived: 2026-04-06 03:23:09 UTC\r\nGoogle has observed hackers claiming to be the ShinyHunters extortion group conducting social engineering attacks against\r\nmulti-national companies to steal data from the organizations' Salesforce platforms.\r\nAccording to Google's Threat Intelligence Group (GTIG), which tracks the threat cluster as 'UNC6040,' the attacks target\r\nEnglish-speaking employees with voice phishing (vishing) calls that trick them into connecting a modified version of Salesforce's\r\nData Loader application to the company's Salesforce environment.\r\nThe attackers impersonate IT support personnel and ask the target employee to approve a connection to Salesforce Data\r\nLoader, a client application that allows users to import, export, update, or delete data within Salesforce environments.\r\nhttps://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/\r\nPage 1 of 5\r\n\"The application supports OAuth and allows for direct \"app\" integration via the \"connected apps\" functionality in\r\nSalesforce,\" the researchers explain.\r\n\"Threat actors abuse this by persuading a victim over the phone to open the Salesforce connect setup page and enter a\r\n\"connection code,\" thereby linking the actor-controlled Data Loader to the victim's environment.\"\r\n[Image: Prompt to enter connection code. Source: Google]\r\nThe target organizations already use the Salesforce cloud-based customer relationship management (CRM) platform, so the\r\nmalicious request to connect the tool appears legitimate within the attack's workflow.\r\nIn the UNC6040 attacks, the app is used to export data stored in the victim's Salesforce instance, after which the actors use that access to move\r\nlaterally 
through connected platforms such as Okta, Microsoft 365, and Workplace.\r\nReaching these additional cloud platforms lets the threat actors get at more sensitive information stored there,\r\nincluding sensitive communications, authorization tokens, documents, and more.\r\n\"UNC6040 is a financially motivated threat cluster that accesses victim networks by voice phishing social engineering,\"\r\nthe GTIG report states.\r\n\"Upon obtaining access, UNC6040 has been observed immediately exfiltrating data from the victim's Salesforce\r\nenvironment using Salesforce's Data Loader application.\"\r\n\"Following this initial data theft, UNC6040 was observed moving laterally through the victim's network, accessing and\r\nexfiltrating data from other platforms such as Okta, Workplace, and Microsoft 365.\"\r\n[Image: Overview of the UNC6040 attack. Source: Google]\r\nIn some cases, the data exfiltration process was stopped prematurely, as protection systems that detected unauthorized\r\nactivity intervened to revoke access. The threat actors appeared to be aware of this risk, experimenting with various packet\r\nsizes before escalating their attack.\r\nUNC6040 also used modified versions of the Salesforce Data Loader, renamed to fit the social engineering\r\npretext. 
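The Data Loader exports, the revoked-access detections and the size probing described above point at what a defender can look for in Salesforce Event Log Files. The following Python is an added example written for this page; it is not code from Google, Salesforce or BleepingComputer. It runs over a constructed sample of API event rows (column names follow the Salesforce Event Log File API event type as I know it; the CLIENT_NAME value, user IDs, thresholds and IP ranges are assumptions, with RFC 5737 test addresses standing in for corporate egress and for a commercial VPN exit) and flags a bulk client used by a non-integration user, bulk-client traffic from outside trusted egress, excessive export volume, and the probe-then-escalate batch pattern.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample of Salesforce Event Log File rows (API event type).
# Column names follow the API event type as I know it; every value below is
# invented for this example and is not taken from the GTIG report or a real org.
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE_API_LOG = '''TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,CLIENT_IP,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED,REQUEST_STATUS
2025-05-20T09:01:10Z,005A1,Data Loader,203.0.113.7,query,Contact,200,S
2025-05-20T09:04:32Z,005A1,Data Loader,203.0.113.7,query,Contact,2000,S
2025-05-20T09:09:51Z,005A1,Data Loader,203.0.113.7,queryMore,Contact,20000,S
2025-05-20T09:15:02Z,005A1,Data Loader,203.0.113.7,queryMore,Contact,200000,S
2025-05-20T09:20:44Z,005A1,Data Loader,203.0.113.7,query,Account,150000,S
2025-05-20T10:00:00Z,005B2,Data Loader,198.51.100.12,query,Lead,5000,S
2025-05-20T10:05:00Z,005B2,Data Loader,198.51.100.12,query,Lead,5000,S
2025-05-20T11:30:00Z,005C3,Salesforce for iOS,198.51.100.40,query,Opportunity,50,S
'''

# Policy inputs, all assumptions for this example.
TRUSTED_EGRESS = ['198.51.100.0/24']   # corporate egress; commercial VPN exits fall outside it
APPROVED_BULK_USERS = {'005B2'}        # the only identity allowed to run Data Loader
MAX_ROWS_PER_USER = 100000             # export volume that warrants a look, per log window
ESCALATION_FACTOR = 10                 # largest batch / first batch ratio that reads as probe-then-escalate
BULK_CLIENTS = ('Data Loader',)        # CLIENT_NAME substrings treated as bulk export tools


def parse_api_log(text):
    # Parse the CSV, coerce row counts to int and order events by time.
    rows = list(csv.DictReader(text.strip().splitlines()))
    for r in rows:
        r['ROWS_PROCESSED'] = int(r['ROWS_PROCESSED'] or 0)
    return sorted(rows, key=lambda r: r['TIMESTAMP_DERIVED'])


def ip_is_trusted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def detect(text, egress=TRUSTED_EGRESS, approved=APPROVED_BULK_USERS,
           max_rows=MAX_ROWS_PER_USER, factor=ESCALATION_FACTOR):
    # Aggregate per user: total rows, the ordered batch sizes, and the IPs/clients/objects seen.
    per_user = defaultdict(lambda: {'rows': 0, 'batches': [], 'ips': set(),
                                    'clients': set(), 'entities': set()})
    for r in parse_api_log(text):
        s = per_user[r['USER_ID']]
        s['rows'] += r['ROWS_PROCESSED']
        s['batches'].append(r['ROWS_PROCESSED'])
        s['ips'].add(r['CLIENT_IP'])
        s['clients'].add(r['CLIENT_NAME'])
        s['entities'].add(r['ENTITY_NAME'])

    findings = []
    for user, s in sorted(per_user.items()):
        is_bulk = any(b in c for c in s['clients'] for b in BULK_CLIENTS)
        untrusted = sorted(ip for ip in s['ips'] if not ip_is_trusted(ip, egress))
        if is_bulk and user not in approved:
            findings.append({'user': user, 'rule': 'unapproved_bulk_client', 'clients': sorted(s['clients'])})
        if is_bulk and untrusted:
            findings.append({'user': user, 'rule': 'bulk_client_from_untrusted_ip', 'ips': untrusted})
        if s['rows'] > max_rows:
            findings.append({'user': user, 'rule': 'export_volume', 'rows': s['rows'],
                             'entities': sorted(s['entities'])})
        b = s['batches']
        # Small first pull, then batches an order of magnitude larger: the actor is
        # testing whether a quiet export trips the revoke logic before going big.
        if len(b) >= 3 and b[0] > 0 and max(b) >= factor * b[0]:
            findings.append({'user': user, 'rule': 'probe_then_escalate', 'batches': b})
    return findings


if __name__ == '__main__':
    for f in detect(SAMPLE_API_LOG):
        print(f)
```

In an org with Event Monitoring the same logic runs over the hourly or daily API event files fetched through the EventLogFile object; exports that Data Loader sends through the Bulk API land in the BulkApi event type instead, which has its own column names and needs the same per-user aggregation. The untrusted-egress rule is where a block list of commercial VPN exit ranges would plug in, replacing the single allow-listed range used here.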
For example, one build was renamed \"My Ticket Portal\", and victims were tricked into installing it on their systems during\r\nan alleged support phone call.\r\nGTIG reports that the threat actors use Mullvad VPN IP addresses when exfiltrating the Salesforce data to obscure the activity.\r\nGoogle also says the attacks used phishing pages impersonating Okta, a tactic that links the activity to threat actors associated with \"The\r\nCom\" and Scattered Spider.\r\nFor organizations using Salesforce, Google recommends restricting the \"API Enabled\" permission, limiting which connected apps users\r\ncan authorize, and blocking access from commercial VPNs like Mullvad.\r\nMore information on protecting Salesforce from social engineering attacks is available here.\r\nAfter publishing our story, Salesforce confirmed to BleepingComputer that the accounts were not breached through a\r\nvulnerability but rather via social engineering.\r\n\"Salesforce has enterprise-grade security built into every part of our platform, and there’s no indication the issue described\r\nstems from any vulnerability inherent to our services,\" Salesforce told BleepingComputer.\r\n\"Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity\r\nawareness and best practices.\r\n\"Security is a shared responsibility, and we provide customers with tools, guidance, and security features like Multi-Factor\r\nAuthentication and IP restrictions to help defend against evolving threats. For full details, please see our blog on how\r\ncustomers can protect their Salesforce environments from social engineering: https://www.salesforce.com/blog/protect-against-social-engineering/.\"\r\nHackers claim to be part of ShinyHunters\r\nIn the attacks observed by Google, the threat actors will eventually attempt to extort the company into paying a ransom not\r\nto leak the data. 
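Google's three recommendations above (restrict the API Enabled permission, limit which connected apps users can authorize, and restrict access by IP) can be audited from data Salesforce already exposes. The following Python is an added example for this page, not code from Google, Salesforce or BleepingComputer. It works on constructed CSV exports modelled on the PermissionSet, PermissionSetAssignment and OauthToken objects (field names as I know them; the record values, the integration-user and approved-app lists, and the stand-in for the Login IP Ranges setting are all assumptions) and reports users who hold API Enabled without being a sanctioned integration identity, API-enabled profiles or permission sets with no login IP ranges, OAuth tokens for unapproved connected apps, and bulk-tool tokens consented by ordinary users.

```python
import csv

# Constructed CSV exports modelled on the Salesforce objects PermissionSet,
# PermissionSetAssignment and OauthToken (field names as I know them; check
# them against your org). The records are invented for this example and are
# not from the GTIG report or any real org.
PERMISSION_SETS = '''Id,Name,IsOwnedByProfile,PermissionsApiEnabled
0PS1,Integration_API,false,true
0PS2,Profile_Standard_User,true,false
0PS3,Profile_Sales_Manager,true,true
0PS4,Marketing_Reporting,false,false
'''

ASSIGNMENTS = '''AssigneeId,PermissionSetId
005INT,0PS1
005A1,0PS3
005B2,0PS2
005B2,0PS4
005C3,0PS2
'''

OAUTH_TOKENS = '''UserId,AppName,UseCount,LastUsedDate
005INT,Data Loader,412,2025-05-19T22:00:00Z
005A1,My Ticket Portal,3,2025-05-20T09:00:00Z
005B2,Salesforce for iOS,88,2025-05-18T07:15:00Z
005C3,Data Loader,12,2025-05-17T13:40:00Z
'''

# Policy inputs, all assumptions for this example.
INTEGRATION_USERS = {'005INT'}                          # identities that legitimately need API access
APPROVED_APPS = {'Data Loader', 'Salesforce for iOS'}   # connected apps the org has sanctioned
BULK_APPS = {'Data Loader'}                             # sanctioned, but only for integration users
# Stand-in for the Login IP Ranges setting, keyed by profile/permission set Id.
LOGIN_IP_RANGES = {'0PS1': ['198.51.100.0/24'], '0PS3': []}


def load(text):
    return list(csv.DictReader(text.strip().splitlines()))


def audit(perm_sets=PERMISSION_SETS, assignments=ASSIGNMENTS, tokens=OAUTH_TOKENS,
          integration_users=INTEGRATION_USERS, approved_apps=APPROVED_APPS,
          bulk_apps=BULK_APPS, ip_ranges=LOGIN_IP_RANGES):
    findings = []

    # 1. Who actually holds API Enabled, and via which profile or permission set.
    api_sets = {p['Id']: p['Name'] for p in load(perm_sets)
                if p['PermissionsApiEnabled'].lower() == 'true'}
    api_users = {}
    for a in load(assignments):
        if a['PermissionSetId'] in api_sets:
            api_users.setdefault(a['AssigneeId'], set()).add(api_sets[a['PermissionSetId']])
    for user, via in sorted(api_users.items()):
        if user not in integration_users:
            findings.append({'rule': 'api_enabled_non_integration_user', 'user': user, 'via': sorted(via)})

    # 2. API-capable profiles/permission sets with no login IP ranges: a linked
    #    connected app can then be driven from any VPN exit in the world.
    for ps_id, name in sorted(api_sets.items()):
        if not ip_ranges.get(ps_id):
            findings.append({'rule': 'api_enabled_without_login_ip_ranges', 'permission_set': name})

    # 3. Connected apps users have consented to: anything unapproved, and bulk
    #    tools consented by someone who is not an integration identity.
    for t in load(tokens):
        if t['AppName'] not in approved_apps:
            findings.append({'rule': 'unapproved_connected_app_token', 'user': t['UserId'],
                             'app': t['AppName'], 'use_count': int(t['UseCount'])})
        elif t['AppName'] in bulk_apps and t['UserId'] not in integration_users:
            findings.append({'rule': 'bulk_app_token_on_non_integration_user', 'user': t['UserId'],
                             'app': t['AppName'], 'use_count': int(t['UseCount'])})
    return findings


if __name__ == '__main__':
    for f in audit():
        print(f)
```

The real inputs come from SOQL against those three objects; OauthToken is the data behind the Connected Apps OAuth Usage page in Setup, where an unexpected token (a consented app nobody in IT recognises, with a handful of uses) can be revoked immediately. Removing API Enabled from ordinary users and enabling API Access Control so that only admin-approved connected apps can be authorized means that entering a connection code on the phone with a fake help desk links nothing.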
Google says these extortion demands can come months later, with the extortionists claiming to be from the infamous\r\nShinyHunters extortion group.\r\n\"In some instances, extortion activities haven't been observed until several months after the initial UNC6040 intrusion\r\nactivity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen\r\ndata,\" explains Google.\r\n\"During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely\r\nas a method to increase pressure on their victims.\"\r\nShinyHunters is a well-known hacking group that has long been associated with data theft attacks that extort companies into\r\npaying a ransom.\r\nThreat actors associated with the group have been behind numerous high-profile attacks, including the Snowflake data theft\r\nattacks and the PowerSchool data breach that impacted 62 million students.\r\nSource: https://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/"
	],
	"report_names": [
		"google-hackers-target-salesforce-accounts-in-data-extortion-attacks"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70929bd1-2bf9-4689-bfff-2bc6b113d3ed",
			"created_at": "2026-01-20T02:00:03.666874Z",
			"updated_at": "2026-04-10T02:00:03.916254Z",
			"deleted_at": null,
			"main_name": "UNC6040",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6040",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446674,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ceb6daf589923566e4096f2c089c89605ceaf8eb.pdf",
		"text": "https://archive.orkl.eu/ceb6daf589923566e4096f2c089c89605ceaf8eb.txt",
		"img": "https://archive.orkl.eu/ceb6daf589923566e4096f2c089c89605ceaf8eb.jpg"
	}
}