The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to launch indicators of compromise (IoCs) related to two cybercriminal teams tracked as UNC6040 and UNC6395 for a string of knowledge theft and extortion assaults.
“Each teams have not too long ago been noticed concentrating on organizations’ Salesforce platforms through totally different preliminary entry mechanisms,” the FBI mentioned.
UNC6395 is a menace group that has been attributed a widespread knowledge theft marketing campaign concentrating on Salesforce situations in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift utility. In an replace issued this week, Salesloft mentioned the assault was made attainable because of the breach of its GitHub account from March via June 2025.
On account of the breach, Salesloft has remoted the Drift infrastructure and brought the unreal intelligence (AI) chatbot utility offline. The corporate additionally mentioned it is within the means of implementing new multi-factor authentication processes and GitHub hardening measures.
“We’re targeted on the continuing hardening of the Drift Software atmosphere,” the corporate mentioned. “This course of contains rotating credentials, briefly disabling sure elements of the Drift utility and strengthening safety configurations.” “At the moment, we’re advising all Drift prospects to deal with any and all Drift integrations and associated knowledge as doubtlessly compromised.”
The second group the FBI has referred to as consideration to is UNC6040. Assessed to be energetic since October 2024, UNC6040 is the identify assigned by Google to a financially motivated menace cluster that has engaged in vishing campaigns to acquire preliminary entry and hijack Salesforce situations for large-scale knowledge theft and extortion.
These assaults have concerned the usage of a modified model of Salesforce’s Information Loader utility and customized Python scripts to breach victims’ Salesforce portals and exfiltrate helpful knowledge. At the very least a number of the incidents have concerned extortion actions following UNC6040 intrusions, with them happening months after the preliminary knowledge theft.
“UNC6040 menace actors have utilized phishing panels, directing victims to go to from their cell phones or work computer systems through the social engineering calls,” the FBI mentioned. “After acquiring entry, UNC6040 menace actors have then used API queries to exfiltrate massive volumes of knowledge in bulk.”
The extortion part has been attributed by Google to a different uncategorized cluster tracked as UNC6240, which has constantly claimed to be the ShinyHunters group in emails and calls to staff of sufferer organizations.
“As well as, we consider menace actors utilizing the ‘ShinyHunters’ model could also be getting ready to escalate their extortion techniques by launching a knowledge leak web site (DLS),” Google famous final month. “These new techniques are doubtless supposed to extend strain on victims, together with these related to the latest UNC6040 Salesforce-related knowledge breaches.”
Since then, there have been a flurry of developments, essentially the most notable being the teaming up of ShinyHunters, Scattered Spider, and LAPSUS$ to consolidate and unify their legal efforts. Then on September 12, 2025, the group claimed on their Telegram channel “scattered LAPSUS$ hunters 4.0” that they’re shutting down.
“We LAPSUS$, Trihash, Yurosh, Yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari and amongst many others, have determined to go darkish,” the group mentioned. “Our goals having been fulfilled, it’s now time to say goodbye.”
It is at present not clear what prompted the group to hold up their boots, but it surely’s attainable that the transfer is an try to put low and keep away from additional regulation enforcement consideration.
“The newly shaped scattered LAPSUS$ hunters 4.0 group mentioned it is hanging up the boots and ‘go darkish’ after it alleged that French regulation enforcement arrested one other flawed particular person in reference to the cybercrime group,” Sam Rubin, senior vice chairman of Unit 42 Consulting and Menace Intelligence, advised The Hacker Information. “These declarations hardly ever sign a real retirement.”
“Current arrests could have prompted the group to put low, however historical past tells us that is usually short-term. Teams like this splinter, rebrand, and resurface â very like ShinyHunters. Even when public operations pause, the dangers stay: stolen knowledge can resurface, undetected backdoors could persist, and actors could re-emerge underneath new names. Silence from a menace group doesn’t equal security. Organizations should keep vigilant and function underneath the belief that the menace has not disappeared, solely tailored.”
