A cybercriminal group that used voice phishing assaults to siphon greater than a billion information from Salesforce clients earlier this yr has launched a web site that threatens to publish information stolen from dozens of Fortune 500 companies in the event that they refuse to pay a ransom. The group additionally claimed accountability for a latest breach involving Discord consumer information, and for stealing terabytes of delicate recordsdata from hundreds of shoppers of the enterprise software program maker Crimson Hat.
The brand new extortion web site tied to ShinyHunters (UNC6040), which threatens to publish stolen information until Salesforce or particular person sufferer firms comply with pay a ransom.
In Might 2025, a prolific and amorphous English-speaking cybercrime group referred to as ShinyHunters launched a social engineering marketing campaign that used voice phishing to trick targets into connecting a malicious app to their group’s Salesforce portal.
The primary actual particulars in regards to the incident got here in early June, when the Google Menace Intelligence Group (GTIG) warned that ShinyHunters — tracked by Google as UNC6040 — was extorting victims over their stolen Salesforce information, and that the group was poised to launch an information leak web site to publicly disgrace sufferer firms into paying a ransom to maintain their information personal. A month later, Google acknowledged that one in all its personal company Salesforce situations was impacted within the voice phishing marketing campaign.
Final week, a brand new sufferer shaming weblog dubbed “Scattered LAPSUS$ Hunters” started publishing the names of firms that had buyer Salesforce information stolen on account of the Might voice phishing marketing campaign.
“Contact us to barter this ransom or all of your clients information can be leaked,” the web site acknowledged in a message to Salesforce. “If we come to a decision all particular person extortions in opposition to your clients can be withdrawn from. No one else should pay us, in the event you pay, Salesforce, Inc.”
Under that message had been greater than three dozen entries for firms that allegedly had Salesforce information stolen, together with Toyota, FedEx, Disney/Hulu, and UPS. The entries for every firm specified the amount of stolen information out there, in addition to the date that the knowledge was retrieved (the acknowledged breach dates vary between Might and September 2025).
Picture: Mandiant.
On October 5, the Scattered LAPSUS$ Hunters sufferer shaming and extortion weblog introduced that the group was answerable for a breach in September involving a GitLab server utilized by Crimson Hat that contained greater than 28,000 Git code repositories, together with greater than 5,000 Buyer Engagement Stories (CERs).
“Alot of folders have their consumer’s secrets and techniques equivalent to artifactory entry tokens, git tokens, azure, docker (redhat docker, azure containers, dockerhub), their consumer’s infrastructure particulars within the CERs just like the audits that had been performed for them, and an entire LOT extra, and so on.,” the hackers claimed.
Their claims got here a number of days after a beforehand unknown hacker group calling itself the Crimson Collective took credit score for the Crimson Hat intrusion on Telegram.
Crimson Hat disclosed on October 2 that attackers had compromised an organization GitLab server, and stated it was within the means of notifying affected clients.
“The compromised GitLab occasion housed consulting engagement information, which can embody, for instance, Crimson Hat’s venture specs, instance code snippets, inside communications about consulting providers, and restricted types of enterprise contact data,” Crimson Hat wrote.
Individually, Discord has began emailing customers affected by one other breach claimed by ShinyHunters. Discord said an incident on September 20 at a “third-party customer support supplier” impacted a “restricted variety of customers” who communicated with Discord buyer assist or Belief & Security groups. The knowledge included Discord usernames, emails, IP tackle, the final 4 digits of any saved fee playing cards, and authorities ID photographs submitted throughout age verification appeals.
The Scattered Lapsus$ Hunters declare they may publish information stolen from Salesforce and its clients if ransom calls for aren’t paid by October 10. The group additionally claims it’s going to quickly start extorting a whole bunch extra organizations that misplaced information in August after a cybercrime group stole huge quantities of authentication tokens from Salesloft, whose AI chatbot is utilized by many company web sites to transform buyer interplay into Salesforce leads.
In a communication despatched to clients at the moment, Salesforce emphasised that the theft of any third-party Salesloft information allegedly stolen by ShinyHunters didn’t originate from a vulnerability inside the core Salesforce platform. The corporate additionally pressured that it has no plans to satisfy any extortion calls for.
“Salesforce is not going to have interaction, negotiate with, or pay any extortion demand,” the message to clients learn. “Our focus is, and stays, on defending our surroundings, conducting thorough forensic evaluation, supporting our clients, and dealing with legislation enforcement and regulatory authorities.”
The GTIG tracked the group behind the Salesloft information thefts as UNC6395, and says the group has been noticed harvesting the information for authentication tokens tied to a spread of cloud providers like Snowflake and Amazon’s AWS.
Google catalogs Scattered Lapsus$ Hunters by so many UNC names (throw in UNC6240 for good measure) as a result of it’s considered an amalgamation of three hacking teams — Scattered Spider, Lapsus$ and ShinyHunters. The members of those teams hail from lots of the similar chat channels on the Com, a largely English-language cybercriminal neighborhood that operates throughout an ocean of Telegram and Discord servers.
The Scattered Lapsus$ Hunters darknet weblog is at the moment offline. The outage seems to have coincided with the disappearance of the group’s new clearnet weblog — breachforums[.]hn — which vanished after shifting its Area Identify Service (DNS) servers from DDoS-Guard to Cloudflare.
However earlier than it died, the web sites disclosed that hackers had been exploiting a crucial zero-day vulnerability in Oracle’s E-Enterprise Suite software program. Oracle has since confirmed {that a} safety flaw tracked as CVE-2025-61882 permits attackers to carry out unauthenticated distant code execution, and is urging clients to use an emergency replace to deal with the weak spot.
Mandiant’s Charles Carmakal shared on LinkedIn that CVE-2025-61882 was initially exploited in August 2025 by the Clop ransomware gang to steal information from Oracle E-Enterprise Suite servers. Bleeping Pc writes that information of the Oracle zero-day first surfaced on the Scattered Lapsus$ Hunters weblog, which printed a pair of scripts that had been used to use weak Oracle E-Enterprise Suite situations.
On Monday night, KrebsOnSecurity acquired a malware-laced message from a reader that threatened bodily violence until their unspoken calls for had been met. The missive, titled “Shiny hunters,” contained the hashtag $LAPSU$$SCATEREDHUNTER, and urged me to go to a web page on limewire[.]com to view their calls for.
A screenshot of the phishing message linking to a malicious trojan disguised as a Home windows screensaver file.
KrebsOnSecurity didn’t go to this hyperlink, however as a substitute forwarded it to Mandiant, which confirmed that related menacing missives had been despatched to workers at Mandiant and different safety companies across the similar time.
The hyperlink within the message fetches a malicious trojan disguised as a Home windows screensaver file (Virustotal’s evaluation on this malware is here). Merely viewing the booby-trapped screensaver on a Home windows PC is sufficient to trigger the bundled trojan to launch within the background.
Mandiant’s Austin Larsen stated the trojan is a commercially out there backdoor referred to as ASYNCRAT, a .NET-based backdoor that communicates utilizing a customized binary protocol over TCP, and may execute shell instructions and obtain plugins to increase its options.
A scan of the malicious screensaver file at Virustotal.com reveals it’s detected as dangerous by practically a dozen safety and antivirus instruments.
“Downloaded plugins could also be executed immediately in reminiscence or saved within the registry,” Larsen wrote in an evaluation shared by way of electronic mail. “Capabilities added by way of plugins embody screenshot seize, file switch, keylogging, video seize, and cryptocurrency mining. ASYNCRAT additionally helps a plugin that targets credentials saved by Firefox and Chromium-based net browsers.”
Malware-laced focused emails usually are not out of character for sure members of the Scattered Lapsus$ Hunters, who’ve beforehand harassed and threatened safety researchers and even legislation enforcement officers who’re investigating and warning in regards to the extent of their assaults.
With so many massive information breaches and ransom assaults now coming from cybercrime teams working on the Com, legislation enforcement businesses on each side of the pond are beneath rising strain to apprehend the legal hackers concerned. In late September, prosecutors within the U.Okay. charged two alleged Scattered Spider members aged 18 and 19 with extorting a minimum of $115 million in ransom funds from firms victimized by information theft.
U.S. prosecutors heaped their very own costs on the 19 year-old in that duo — U.Okay. resident Thalha Jubair — who’s alleged to have been concerned in information ransom assaults in opposition to Marks & Spencer and Harrods, the British meals retailer Co-op Group, and the 2023 intrusions at MGM Resorts and Caesars Leisure. Jubair additionally was allegedly a key member of LAPSUS$, a cybercrime group that broke into dozens of expertise firms starting in late 2021.
A Mastodon publish by Kevin Beaumont, lamenting the prevalence of main firms paying hundreds of thousands to extortionist teen hackers, refers derisively to Thalha Jubair as part of an APT risk referred to as “Superior Persistent Youngsters.”
In August, convicted Scattered Spider member and 20-year-old Florida man Noah Michael City was sentenced to 10 years in federal jail and ordered to pay roughly $13 million in restitution to victims.
In April 2025, a 23-year-old Scottish man considered an early Scattered Spider member was extradited from Spain to the U.S., the place he’s dealing with costs of wire fraud, conspiracy and id theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of firms in the US and overseas, and that he personally managed greater than $26 million stolen from victims.
Replace, Oct. 8, 8:59 a.m. ET: A earlier model of this story incorrectly referred to the malware despatched by the reader as a Home windows screenshot file. Slightly, it’s a Home windows screensaver file.
