Threat Summary
Category: Enterprise SaaS Cyberattack / Extortion Campaign
Features: Data theft, social engineering, malicious connected apps, AI chatbot exploitation, ransom extortion
Delivery Method: Call center social engineering, phishing, malicious Salesforce connected apps, API abuse
Threat Actor: UNC6395 (Scattered Spider) and UNC6040 (ShinyHunters) — overlapping groups with evolving infrastructure
The FBI has issued a flash notice detailing a wide-ranging cyber extortion campaign carried out by Scattered Spider (UNC6395) and ShinyHunters (UNC6040). These groups are now leveraging their breaches of Salesforce environments to extort hundreds of organizations worldwide.
What makes this campaign different is its focus: not only did the attackers target Salesforce directly, but they also abused integrated third-party applications and AI chatbot platforms to sidestep traditional defenses like MFA and password resets.
Extortion demands vary widely, with some victims contacted within days of data exfiltration, while others were approached months later — showing a deliberate strategy of delayed psychological pressure.
Infrastructure at Risk
- Primary Target: Salesforce environments housing customer PII, corporate records, and business-critical data.
- Secondary Vectors: Connected applications, especially Salesloft Drift (AI chatbot integrations).
- Exploitation Path:
  - Phase I (Fall 2024): Call center social engineering — attackers posed as IT staff to obtain employee credentials.
  - Phase II (Winter–Spring 2025): Credential harvesting via phishing emails and SMS targeting employee endpoints.
  - Phase III (Summer 2025): Malicious connected apps registered in Salesforce trial accounts to evade detection.
  - Phase IV (August 2025): Exploitation of chatbot integrations — bypassing login protections entirely.
The FBI noted that these intrusions grant adversaries “significant capabilities to access, query, and exfiltrate sensitive information directly” from Salesforce portals.
Global Fallout
- Luxury Retail: Kering Group (Gucci, Balenciaga, Alexander McQueen) was confirmed as a victim, with 7.4 million unique emails compromised. Negotiations only began in June 2025, months after the breach.
- Government Sector: Vietnam’s financial records agency admitted the theft of millions of financial records by ShinyHunters.
- Previous Campaigns: Both groups have a track record — targeting global insurers, aviation networks, and major retailers.
This campaign highlights how SaaS providers like Salesforce are becoming prime targets for extortion syndicates, with downstream impact across every integrated partner application.
Policy / Allied Pressure
The FBI urged organizations to:
- Train call center staff on social engineering tactics.
- Restrict privileges to the minimum necessary accounts.
- Enforce IP-based restrictions and conditional access policies.
- Monitor API usage, especially for unusual queries and bulk downloads.
- Audit connected apps for unauthorized registrations in both production and trial accounts.
Experts warned that attackers are skilled at hiding their activity within legitimate cloud services, using Azure VMs, Tor exit nodes, and commercial proxy networks to mask their origins.
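As an added illustration of the monitoring and audit recommendations above (not code from the FBI notice or from Salesforce), the sketch below reviews exported API activity for three signals: calls from a connected app that is not on an approved list, calls from outside trusted network ranges, and bulk row retrieval within one hour. The event field names, the app names, the network range and the row threshold are all assumptions chosen for the example, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: approved apps, trusted egress range, threshold.
APPROVED_APPS = {"crm-sync", "support-portal"}
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BULK_ROWS_PER_HOUR = 50_000

# Constructed sample events; field names are illustrative, not a vendor schema.
EVENTS = [
    {"ts": "2025-08-10T09:02:11Z", "user": "alice", "app": "crm-sync",
     "ip": "203.0.113.10", "rows": 1200},
    {"ts": "2025-08-10T09:40:00Z", "user": "alice", "app": "crm-sync",
     "ip": "203.0.113.10", "rows": 800},
    {"ts": "2025-08-11T02:15:03Z", "user": "bob", "app": "data-loader-x",
     "ip": "198.51.100.7", "rows": 30000},
    {"ts": "2025-08-11T02:31:44Z", "user": "bob", "app": "data-loader-x",
     "ip": "198.51.100.7", "rows": 45000},
    {"ts": "2025-08-11T10:00:00Z", "user": "carol", "app": "support-portal",
     "ip": "192.0.2.55", "rows": 50},
]

def is_trusted(ip):
    """True when the source address falls inside a trusted network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def review(events):
    """Return (time, kind, detail) findings for the three signals."""
    findings = []
    rows_by_key = defaultdict(int)
    for e in events:
        if e["app"] not in APPROVED_APPS:
            findings.append((e["ts"], "unapproved_app", e["app"]))
        if not is_trusted(e["ip"]):
            findings.append((e["ts"], "untrusted_ip", e["ip"]))
        # Aggregate rows per user, app and hour (first 13 chars of the timestamp).
        rows_by_key[(e["user"], e["app"], e["ts"][:13])] += e["rows"]
    for (user, app, hour), rows in sorted(rows_by_key.items()):
        if rows >= BULK_ROWS_PER_HOUR:
            findings.append((hour, "bulk_download", f"{user}/{app}:{rows}"))
    return findings

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```

Aggregating per hour matters here: neither of the two constructed `data-loader-x` calls crosses the threshold alone, but together they do.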
Vendor Defense / Reliance
This campaign exposes a broader truth: SaaS platforms like Salesforce are not self-contained. Once an attacker compromises a connected application, vendor assurances of security mean little. Enterprises are forced to rely on Salesforce’s ecosystem integrity, yet the weakest third-party integration becomes the adversary’s entry point.
This dynamic shifts the security burden onto enterprises, who must now defend both their own tenants and every app they connect.
Forecast — 30 Days
- Data Leaks: Expect staged releases of stolen Salesforce data on Telegram and dark web forums to pressure payment.
- Copycat Activity: Other groups may attempt to replicate the “connected app” tactic across Microsoft 365 and Google Workspace.
- Rebranding: Despite claims of “retirement,” Scattered Spider factions are likely to resurface under a new label, mirroring ShinyHunters’ evolution.
- AI Exploitation: Increased targeting of chatbot integrations in CRM systems as adversaries refine techniques to bypass MFA.
- Legal Fallout: Expect regulatory scrutiny on Salesforce’s third-party ecosystem, particularly in the EU and Asia-Pacific markets.
TRJ Verdict
Scattered Spider and ShinyHunters represent the bleeding edge of SaaS exploitation — weaponizing the very integrations businesses rely on to streamline operations. The FBI’s flash notice underscores what TRJ has warned for years: social engineering and ecosystem abuse are more dangerous than zero-days.
The claim of “retirement” on Telegram is pure theater. History proves these groups splinter, rebrand, and re-emerge. Silence does not equal safety. The real danger lies in the data already stolen — millions of records that can resurface at any time, fueling fraud, espionage, and corporate sabotage.
Enterprises that fail to treat their SaaS ecosystems as critical infrastructure are handing adversaries the keys to their kingdom. The next phase of cyber extortion isn’t about ransomware encrypting drives — it’s about adversaries owning the customer relationship itself.