{"id":7447,"date":"2025-10-08T00:54:39","date_gmt":"2025-10-08T00:54:39","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=7447"},"modified":"2025-10-08T00:54:39","modified_gmt":"2025-10-08T00:54:39","slug":"shinyhunters-wage-broad-company-extortion-spree-krebs-on-safety","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=7447","title":{"rendered":"ShinyHunters Wage Broad Corporate Extortion Spree \u2013 Krebs on Security"},"content":{"rendered":"<div>\n<p>A cybercriminal group that used voice phishing attacks to siphon more than a billion records from <strong>Salesforce<\/strong> customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 companies if they refuse to pay a ransom. The group has also claimed responsibility for a recent breach involving <strong>Discord<\/strong> user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker <strong>Red Hat<\/strong>.<\/p>\n<div id=\"attachment_72275\" style=\"width: 1285px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-72275\" decoding=\"async\" class=\"size-full wp-image-72275\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/sf-extortionsite.png\" alt=\"\" width=\"1275\" height=\"879\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/sf-extortionsite.png 1275w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/sf-extortionsite-768x529.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/sf-extortionsite-782x539.png 782w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/sf-extortionsite-100x70.png 100w\" sizes=\"auto, (max-width: 1275px) 100vw, 1275px\"\/><\/p>\n<p id=\"caption-attachment-72275\" class=\"wp-caption-text\">The new extortion website tied to 
ShinyHunters (UNC6040), which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.<\/p>\n<\/div>\n<p>In May 2025, a prolific and amorphous English-speaking cybercrime group known as <strong>ShinyHunters<\/strong> launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization\u2019s Salesforce portal.<\/p>\n<p>The first real details about the incident came in early June, when the <strong>Google Threat Intelligence Group<\/strong> (GTIG) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/voice-phishing-data-extortion\">warned<\/a> that ShinyHunters \u2014 tracked by Google as <strong>UNC6040<\/strong> \u2014 was extorting victims over their stolen Salesforce data, and that the group was poised to launch a data leak site to publicly shame victim companies into paying a ransom to keep their records private. A month later, Google acknowledged that one of its own corporate Salesforce instances was impacted in the voice phishing campaign.<\/p>\n<p>Last week, a new victim shaming blog dubbed \u201c<strong>Scattered LAPSUS$ Hunters<\/strong>\u201d began publishing the names of companies that had customer Salesforce data stolen as a result of the May voice phishing campaign.<\/p>\n<p>\u201cContact us to negotiate this ransom or all your customers data will be leaked,\u201d the website stated in a message to Salesforce. \u201cIf we come to a resolution all individual extortions against your customers will be withdrawn from. 
Nobody else should pay us, if you pay, Salesforce, Inc.\u201d<\/p>\n<p>Beneath that message were more than three dozen entries for companies that allegedly had Salesforce data stolen, including <strong>Toyota<\/strong>, <strong>FedEx<\/strong>, <strong>Disney\/Hulu<\/strong>, and <strong>UPS<\/strong>. The entry for each company specified the volume of stolen data available, as well as the date the records were retrieved (the stated breach dates range between May and September 2025).<\/p>\n<div id=\"attachment_72312\" style=\"width: 759px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-72312\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-72312\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/mandiant-sf.png\" alt=\"\" width=\"749\" height=\"480\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/mandiant-sf.png 866w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/mandiant-sf-768x492.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/mandiant-sf-782x501.png 782w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\"\/><\/p>\n<p id=\"caption-attachment-72312\" class=\"wp-caption-text\">Image: Mandiant.<\/p>\n<\/div>\n<p>On October 5, the Scattered LAPSUS$ Hunters victim shaming and extortion blog announced that the group was responsible for a September breach of a GitLab server used by Red Hat that contained more than 28,000 Git code repositories, including more than 5,000 Customer Engagement Reports (CERs).<\/p>\n<p>\u201cAlot of folders have their client\u2019s secrets such as artifactory access tokens, git tokens, azure, docker (redhat docker, azure containers, dockerhub), their client\u2019s infrastructure details in the CERs like the audits that were done for them, and a whole LOT more, etc.,\u201d the hackers 
claimed.<\/p>\n<p>Their claims came several days after a previously unknown hacker group calling itself the <strong>Crimson Collective<\/strong> took credit for the Red Hat intrusion on Telegram.<\/p>\n<p>Red Hat <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.redhat.com\/en\/blog\/security-update-incident-related-red-hat-consulting-gitlab-instance\">disclosed on October 2<\/a> that attackers had compromised a company GitLab server, and said it was in the process of notifying affected customers.<\/p>\n<p>\u201cThe compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat\u2019s project specifications, example code snippets, internal communications about consulting services, and limited forms of business contact information,\u201d Red Hat wrote.<\/p>\n<p>Separately, Discord has begun emailing users affected by another breach claimed by ShinyHunters. Discord <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/discord.com\/press-releases\/update-on-security-incident-involving-third-party-customer-service\">said<\/a> an incident on September 20 at a \u201cthird-party customer service provider\u201d impacted a \u201climited number of users\u201d who had communicated with Discord customer support or Trust &amp; Safety teams. The exposed information included Discord usernames, email addresses, IP addresses, the last four digits of any stored payment cards, and government ID images submitted during age verification appeals.<\/p>\n<p>The Scattered Lapsus$ Hunters claim they will publish data stolen from Salesforce and its customers if ransom demands aren\u2019t paid by October 10. 
The group also claims it will soon begin extorting hundreds more organizations that lost data in August, after a cybercrime group stole <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2025\/09\/the-ongoing-fallout-from-a-breach-at-ai-chatbot-maker-salesloft\/\">massive numbers of authentication tokens from <strong>Salesloft<\/strong><\/a>, whose AI chatbot is used by many corporate websites to convert customer interactions into Salesforce leads.<\/p>\n<p>In a communication sent to customers today, Salesforce emphasized that the theft of any third-party Salesloft data allegedly stolen by ShinyHunters did not originate from a vulnerability within the core Salesforce platform. The company also stressed that it has no plans to meet any extortion demands.<\/p>\n<p>\u201cSalesforce will not engage, negotiate with, or pay any extortion demand,\u201d the message to customers read. \u201cOur focus is, and remains, on protecting our environment, conducting thorough forensic analysis, supporting our customers, and working with law enforcement and regulatory authorities.\u201d<\/p>\n<p>GTIG tracks the group behind the Salesloft data thefts as <strong>UNC6395<\/strong>, and says the group has been observed mining the stolen data for authentication tokens tied to a range of cloud services such as Snowflake and Amazon\u2019s AWS.<\/p>\n<p>Google catalogs Scattered Lapsus$ Hunters under so many UNC names (throw in <strong>UNC6240<\/strong> for good measure) because it is thought to be an amalgamation of three hacking groups \u2014 <strong>Scattered Spider<\/strong>, Lapsus$ and ShinyHunters. 
The members of these groups hail from many of the same chat channels on the <strong>Com<\/strong>, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.<\/p>\n<p>The Scattered Lapsus$ Hunters darknet blog is currently offline. The outage appears to have coincided with the disappearance of the group\u2019s new clearnet blog \u2014 <strong>breachforums[.]hn<\/strong> \u2014 which vanished after moving its Domain Name System (DNS) servers from DDoS-Guard to Cloudflare.<\/p>\n<p>But before it went dark, the site disclosed that hackers were exploiting a critical zero-day vulnerability in <strong>Oracle\u2019s E-Business Suite<\/strong> software. Oracle has since <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.oracle.com\/security-alerts\/alert-cve-2025-61882.html\">confirmed<\/a> that a security flaw tracked as <strong>CVE-2025-61882<\/strong> allows attackers to perform unauthenticated remote code execution, and is urging customers to apply an emergency update to address the weakness.<\/p>\n<p>Mandiant\u2019s <strong>Charles Carmakal<\/strong> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.linkedin.com\/posts\/charlescarmakal_oracle-security-alert-advisory-cve-2025-activity-7380595612443893760-JNd_\/\">shared on LinkedIn<\/a> that CVE-2025-61882 was first exploited in August 2025 by the Clop ransomware gang to steal data from Oracle E-Business Suite servers. 
<strong>BleepingComputer<\/strong> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/oracle-patches-ebs-zero-day-exploited-in-clop-data-theft-attacks\/\">writes<\/a> that news of the Oracle zero-day first surfaced on the Scattered Lapsus$ Hunters blog, which published a pair of scripts that were used to exploit vulnerable Oracle E-Business Suite instances.<\/p>\n<p>On Monday evening, KrebsOnSecurity received a malware-laced message from a reader that threatened physical violence unless their unspoken demands were met. The missive, titled \u201cShiny hunters,\u201d contained the hashtag $LAPSU$$SCATEREDHUNTER, and urged me to visit a page on limewire[.]com to view their demands.<\/p>\n<div id=\"attachment_72306\" style=\"width: 760px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-72306\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-72306\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/sh-malwareemail.png\" alt=\"\" width=\"750\" height=\"251\"\/><\/p>\n<p id=\"caption-attachment-72306\" class=\"wp-caption-text\">A screenshot of the phishing message linking to a malicious trojan disguised as a Windows screenshot file.<\/p>\n<\/div>\n<p>KrebsOnSecurity did not visit the link, but instead forwarded it to Mandiant, which confirmed that similar menacing missives were sent to employees at Mandiant and other security firms around the same time.<\/p>\n<p>The link in the message fetches a malicious trojan disguised as a Windows screenshot file (VirusTotal\u2019s analysis of this malware is <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.virustotal.com\/gui\/file\/9abe847b497e68919143d4da1bb34e565a7fa9991f51c8f6bb7e5911cee01a24\">here<\/a>). 
Simply opening the booby-trapped file, which poses as a screenshot image, on a Windows PC is enough to launch the bundled trojan in the background.<\/p>\n<p>Mandiant\u2019s <strong>Austin Larsen<\/strong> said the trojan is a publicly available backdoor known as <strong>ASYNCRAT<\/strong>, a .NET-based backdoor that communicates using a custom binary protocol over TCP, and can execute shell commands and download plugins to extend its features.<\/p>\n<div id=\"attachment_72292\" style=\"width: 759px\" class=\"wp-caption aligncenter\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/shmalware-vt.png\"><img aria-describedby=\"caption-attachment-72292\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-72292\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/shmalware-vt.png\" alt=\"\" width=\"749\" height=\"427\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/shmalware-vt.png 1334w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/shmalware-vt-768x438.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/shmalware-vt-782x446.png 782w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\"\/><\/a><\/p>\n<p id=\"caption-attachment-72292\" class=\"wp-caption-text\">A scan of the malicious screenshot file at VirusTotal.com shows it is flagged as malicious by nearly a dozen security and antivirus tools.<\/p>\n<\/div>\n<p>\u201cDownloaded plugins may be executed directly in memory or stored in the registry,\u201d Larsen wrote in an analysis shared via email. \u201cCapabilities added via plugins include screenshot capture, file transfer, keylogging, video capture, and cryptocurrency mining. 
ASYNCRAT also supports a plugin that targets credentials saved by Firefox and Chromium-based web browsers.\u201d<\/p>\n<p>Malware-laced targeted emails are not out of character for certain members of the Scattered Lapsus$ Hunters, who have previously harassed and threatened security researchers and even law enforcement officials who are investigating and warning about the extent of their attacks.<\/p>\n<p>With so many big data breaches and ransom attacks now coming from cybercrime groups operating on the Com, law enforcement agencies on both sides of the pond are under increasing pressure to apprehend the criminal hackers involved. In late September, prosecutors in the U.K. charged two alleged Scattered Spider members aged 18 and 19 with <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2025\/09\/feds-tie-scattered-spider-duo-to-115m-in-ransoms\/\">extorting at least $115 million in ransom payments<\/a> from companies victimized by data theft.<\/p>\n<p>U.S. prosecutors added their own charges against the 19-year-old in that duo \u2014 U.K. resident <strong>Thalha Jubair<\/strong> \u2014 who is alleged to have been involved in data ransom attacks against <strong>Marks &amp; Spencer<\/strong> and <strong>Harrods<\/strong>, the British food retailer <strong>Co-op Group<\/strong>, and the 2023 intrusions at <strong>MGM Resorts<\/strong> and <strong>Caesars Entertainment<\/strong>. 
Jubair also was allegedly a key member of LAPSUS$, a cybercrime group that broke into dozens of technology companies beginning in late 2021.<\/p>\n<div id=\"attachment_72294\" style=\"width: 759px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-72294\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-72294\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/beaumont-sh.png\" alt=\"\" width=\"749\" height=\"218\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/beaumont-sh.png 1039w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/beaumont-sh-768x224.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/beaumont-sh-782x228.png 782w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\"\/><\/p>\n<p id=\"caption-attachment-72294\" class=\"wp-caption-text\">A Mastodon post by Kevin Beaumont, lamenting the prevalence of major companies paying millions to extortionist teen hackers, refers derisively to Thalha Jubair as part of an APT threat known as \u201cAdvanced Persistent Teenagers.\u201d<\/p>\n<\/div>\n<p>In August, convicted Scattered Spider member and 20-year-old Florida man <strong>Noah Michael Urban<\/strong> was <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2025\/08\/sim-swapper-scattered-spider-hacker-gets-10-years\/\">sentenced to 10 years in federal prison<\/a> and ordered to pay roughly $13 million in restitution to victims.<\/p>\n<p>In April 2025, a 23-year-old Scottish man thought to be an early Scattered Spider member was <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2025\/04\/alleged-scattered-spider-member-extradited-to-u-s\/\">extradited from Spain to the U.S.<\/a>, where he faces charges of wire fraud, conspiracy and identity theft. U.S. 
prosecutors allege <strong>Tyler Robert Buchanan<\/strong> and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from victims.<\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 companies if they refuse to pay a ransom. The group has also claimed responsibility for [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":7449,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[5777,1668,2646,262,211,5450,2940,5776],"class_list":["post-7447","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-broad","tag-corporate","tag-extortion","tag-krebs","tag-security","tag-shinyhunters","tag-spree","tag-wage"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/7447","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7447"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/7447\/revisions"}],"predecessor-version":[{"id":7448,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/7447\/revisions\/7448"}],"wp:featuredmedia":[{"embeddable"
:true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/7449"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7447"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7447"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7447"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
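The Red Hat section of the article above quotes the attackers claiming that the stolen consulting repositories held client Artifactory access tokens, Git tokens and Docker and Azure registry credentials. What follows is an added example of the check a practitioner would want to run over such a repository before anything is pushed: a small offline secret scanner in Python. It is not code from the article, from Red Hat or from Mandiant. The GitHub, GitLab and AWS token shapes are the formats those services publish; the Artifactory reference-token prefix, the Shannon-entropy threshold used to drop placeholder values, and the contents of `SAMPLE_REPO` are assumptions constructed for this example.

```python
"""Offline scan of repository contents for leaked credentials.

Added example, not code from the article, Red Hat or Mandiant. It walks an
in-memory tree (path -> file text) and reports credential formats whose
shape the issuing services publish. SAMPLE_REPO is constructed input; the
Artifactory prefix and the entropy threshold are assumptions, marked below.
"""
import base64
import json
import math
import re
from collections import Counter

# Most specific patterns first, so a fixed-format token is reported once
# under its own name rather than again as a generic assignment.
PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Assumption: JFrog reference tokens are base64 text starting with "reftkn:01".
    "artifactory_reference_token": re.compile(r"\bcmVmdGtuOjAx[A-Za-z0-9+/=]{20,}"),
    # key = value with a long token-like value; low-entropy values are dropped below.
    "generic_assignment": re.compile(
        r"(?i)\b(secret|token|password|passwd|api_key)\s*[:=]\s*['\"]?([A-Za-z0-9_+/=-]{16,})"
    ),
}
# Assumption: below this many bits of entropy per character the value is a placeholder.
MIN_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it in the file, never the whole thing."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


def docker_auths(text: str) -> list[tuple[str, str]]:
    """Return (registry, username) for each base64 'auth' entry in a Docker config.json."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return []
    if not isinstance(cfg, dict):
        return []
    found = []
    for registry, entry in cfg.get("auths", {}).items():
        if isinstance(entry, dict) and "auth" in entry:
            decoded = base64.b64decode(entry["auth"]).decode(errors="replace")
            user, _, _password = decoded.partition(":")  # password discarded on purpose
            found.append((registry, user))
    return found


def scan_tree(tree: dict[str, str]) -> list[dict]:
    """Scan {path: text} and return findings; no finding ever carries a full secret."""
    findings = []
    for path, text in tree.items():
        if path.endswith("config.json") and '"auths"' in text:
            for registry, user in docker_auths(text):
                findings.append({"path": path, "line": 0, "kind": "docker_registry_auth",
                                 "sample": f"{user}@{registry}"})
        for lineno, line in enumerate(text.splitlines(), 1):
            seen = set()
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    secret = m.group(m.lastindex or 0)
                    if secret in seen:
                        continue
                    if kind == "generic_assignment" and shannon_entropy(secret) < MIN_ENTROPY:
                        continue
                    seen.add(secret)
                    findings.append({"path": path, "line": lineno, "kind": kind,
                                     "sample": redact(secret)})
    return findings


# Constructed sample input: the token values are dummies in the real formats.
SAMPLE_REPO = {
    "deploy/ci.env": "GITLAB_TOKEN=glpat-AbCdEfGhIjKlMnOpQrSt\nREGION=us-east-1\n",
    "docs/cer-acme.md": "Artifactory access for pipeline: cmVmdGtuOjAxOmFhYWFhYWFhYWFhYWFhYWFhYWFhYQ\n",
    "scripts/publish.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\npassword = 'changeme-changeme'\n",
    ".docker/config.json": json.dumps(
        {"auths": {"registry.example.com": {"auth": base64.b64encode(b"svc-user:hunter2").decode()}}}
    ),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']}  {f['kind']}  {f['sample']}")
```

Run it as a script to list the findings for the constructed tree, or import `scan_tree` and hand it a `{path: text}` mapping read from a checkout. Two caveats matter for an incident like this one: a token that was committed and later deleted still lives in Git history, so every revision needs scanning, not only the working tree; and a finding means the credential has to be rotated, since anyone who could read the repository has already had it.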