    ShinyHunters Wage Broad Corporate Extortion Spree – Krebs on Security

    By PineapplesUpdate, October 8, 2025
    A cybercriminal group that used voice phishing attacks to steal over a billion records from Salesforce clients earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.

    New extortion website linked to ShinyHunters (UNC6040) that threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.

    In May 2025, a prolific and amorphous English-speaking cybercrime group known as ShinyHunters launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal.

    The first real details about the incident came in early June, when the Google Threat Intelligence Group (GTIG) warned that ShinyHunters, tracked by Google as UNC6040, was extorting victims over their stolen Salesforce data, and that the group was prepared to launch a data leak site to publicly embarrass victim companies into paying a ransom to keep their records private. A month later, Google acknowledged that one of its own corporate Salesforce instances had been compromised in the voice phishing campaign.

    Last week, a new victim shaming blog dubbed “Scattered Lapsus$ Hunters” began publishing the names of companies that had customer Salesforce data stolen as a result of the May voice phishing campaign.

    “Contact us to negotiate this ransom or all your customer data will be leaked,” a message to Salesforce said. “If we come to a resolution you will be withdrawn from all personal deletions against your customers. No one else will have to pay us, if you pay, Salesforce, Inc.”

    Below that message were more than three dozen listings for companies that allegedly had their Salesforce data stolen, including Toyota, FedEx and Disney/Hulu. The entry for each company gave the amount of data stolen, as well as the date it was retrieved (the stated breach dates fall between May and September 2025).

    Image: Mandiant.

    On October 5, the Scattered Lapsus$ Hunters victim shaming and extortion blog announced that the group was responsible for a breach in September that involved GitLab servers used by Red Hat containing more than 28,000 Git code repositories, including more than 5,000 Customer Engagement Reports (CERs).

    “A lot of folders contain their customer’s secrets such as artifacts used for tokens, Git tokens, Azure, Docker (Redhat Docker, Azure containers, Dockerhub), details of their customer’s infrastructure like audits were done for them, and a whole lot more, etc.”

    Their claims came after a previously unknown hacker group calling itself the Crimson Collective took credit for the Red Hat intrusion on Telegram.

    Red Hat revealed on October 2 that attackers had compromised one of the company’s GitLab servers, and said it was in the process of notifying affected customers.

    “The compromised GitLab instance held consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, internal communications about consulting services, and limited forms of business contact information,” Red Hat wrote.

    Separately, Discord has begun emailing users affected by another breach claimed by ShinyHunters. Discord said an incident at a “third-party customer service provider” on September 20 affected a “limited number of users” who communicated with Discord customer support or trust and safety teams. The information includes Discord usernames, emails, IP addresses, the last four digits of any stored payment cards, and government ID images submitted during age verification appeals.

    The Scattered Lapsus$ Hunters claim they will publish data stolen from Salesforce and its customers if the ransom demands are not paid by October 10. The group also claims Salesloft, whose AI chatbot is used by many corporate websites to convert customer interactions into Salesforce leads.

    In a communication sent to customers today, Salesforce emphasized that the theft of any third-party Salesloft data allegedly stolen by ShinyHunters did not originate from a vulnerability within the core Salesforce platform. The company also stressed that it has no plans to meet any extortion demands.

    “Our focus has been, and remains, on defending our environment, conducting thorough forensic analyses, supporting our customers, and working with law enforcement and regulatory authorities,” the email to customers read.

    GTIG tracks the group behind the Salesloft data theft as UNC6395, and says the group has been observed harvesting the data for authentication tokens tied to a range of cloud services like Snowflake and Amazon’s AWS.

    Google catalogs the group under so many UNC names (throw in UNC6240 for good measure) because it is believed to be an amalgamation of three hacking groups: Scattered Spider, Lapsus$ and ShinyHunters. Members of these groups meet over many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.

    The Scattered Lapsus$ Hunters darknet blog is currently offline. The outage coincides with the disappearance of the group’s new clearnet blog, breachforums(.)hn, which vanished after shifting its Domain Name Service (DNS) servers from DDoS-Guard to Cloudflare.

    But before it died, the websites revealed that hackers were exploiting a critical zero-day vulnerability in Oracle’s E-Business Suite software. Oracle has since confirmed that a security flaw tracked as CVE-2025-61882 allows attackers to perform unauthenticated remote code execution, and is urging customers to apply an emergency update to address the weakness.

    Mandiant’s Charles Carmakal shared on LinkedIn that CVE-2025-61882 was initially exploited by the Clop ransomware gang in August 2025 to steal data from Oracle E-Business Suite servers. Bleeping Computer writes that news of the Oracle zero-day first surfaced on the defunct Scattered Lapsus$ Hunters blog, which published a pair of scripts that were used to exploit vulnerable Oracle E-Business Suite instances.

    On Monday evening, KrebsOnSecurity received a malware-laden message from a reader who threatened physical violence unless his unstated demands were met. The missive, titled “Shiny Hunters”, included the hashtag $lapsu$$skaterhunter, and urged me to visit a page on limewire(.)com to see those demands.

    A screenshot of a phishing message linking to a malicious Trojan disguised as a Windows screenshot file.

    KrebsOnSecurity did not visit this link, but instead forwarded it to Mandiant, which confirmed that similar menacing missives were sent to employees at Mandiant and other security firms around the same time.

    The link in the message leads to a malicious Trojan disguised as a Windows screenshot file (VirusTotal’s analysis of this malware is here). Simply looking at the booby-trapped screenshot image on a Windows PC is enough to cause the bundled Trojan to launch in the background.

    Mandiant’s Austin Larsen said the Trojan is a commercially available backdoor known as AsyncRAT, a .NET-based backdoor that communicates using a custom binary protocol over TCP, and can execute shell commands and download plugins to extend its features.

    A scan of the malicious screenshot file on Virustotal.com shows that it is detected as bad by nearly a dozen security and antivirus tools.

    “Downloaded plugins may be executed directly in memory or stored in the registry,” Larsen wrote in an analysis shared via email. “Capabilities added via plugins include screenshot capture, file transfer, keylogging, video capture, and cryptocurrency mining. AsyncRAT also supports a plugin that targets credentials stored by Firefox and Chromium-based web browsers.”

    Malware-laden targeted emails are not out of character for some members of the Scattered Lapsus$ Hunters, who have previously harassed and threatened security researchers and even law enforcement officials who have been investigating and warning about the extent of their attacks.

    With so many massive data breaches and ransom attacks coming from cybercrime groups operating on the Internet, law enforcement agencies on both sides of the pond are under increasing pressure to apprehend the criminal hackers involved. In late September, prosecutors in the UK charged two alleged Scattered Spider members, aged 18 and 19, with extorting at least $115 million in ransom payments from companies victimized by data theft.

    U.S. prosecutors filed their own charges against the 19-year-old of the pair, U.K. resident Thalha Jubair, who is alleged to have been involved in data ransom attacks against Marks & Spencer and Harrods, the British food retailer Co-op Group, and the 2023 intrusions at MGM Resorts and Caesars Entertainment. Jubair was also reportedly a key member of Lapsus$, a cybercrime group that broke into dozens of technology companies starting in late 2021.

    A Mastodon post by Kevin Beaumont, lamenting the prevalence of major companies paying millions to extortionist teenage hackers, explicitly refers to Thalha Jubair as part of a menace known as “advanced persistent teenagers”.

    In August, convicted Scattered Spider member and 20-year-old Florida man Noah Michael Urban was sentenced to 10 years in federal prison and ordered to pay approximately $13 million in restitution to the victims.

    In April 2025, a 23-year-old Scottish man thought to be an early Scattered Spider member was extradited from Spain to the US, where he faces charges of wire fraud, conspiracy and identity theft. US prosecutors allege that Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from the victims.
