C0059 Salesforce Data Exfiltration
The Salesforce Data Exfiltration campaign began in October 2024 with financially-motivated threat actor UNC6040 using Spearphishing Voice (vishing) to compromise corporate Salesforce instances for large-scale data theft and extortion. Following the initial data theft, victim organizations received extortion demands from a separate threat actor, UNC6240, who claimed to be the “ShinyHunters” group. The observed infrastructure and TTPs used during the Salesforce Data Exfiltration campaign overlap with those used by threat groups with suspected ties to the broader collective known as “The Com.” These overlaps could plausibly be the result of associated actors operating within the same communities and are not necessarily an indication of a direct operational relationship.12
| Item | Value |
|---|---|
| ID | C0059 |
| Associated Names | |
| First Seen | October 2004 |
| Last Seen | September 2025 |
| Version | 1.0 |
| Created | 22 October 2025 |
| Last Modified | 24 October 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1020 | Automated Exfiltration | During Salesforce Data Exfiltration, threat actors used API queries to automatically exfiltrate large volumes of data.1 |
| enterprise | T1671 | Cloud Application Integration | During Salesforce Data Exfiltration, threat actors deceived victims into authorizing malicious connected apps to their organization’s Salesforce portal.12 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.006 | Python | During Salesforce Data Exfiltration, threat actors used custom applications developed in python.2 |
| enterprise | T1586 | Compromise Accounts | - |
| enterprise | T1586.002 | Email Accounts | During Salesforce Data Exfiltration, threat actors used compromised emails to create Salesforce trial accounts.2 |
| enterprise | T1213 | Data from Information Repositories | - |
| enterprise | T1213.004 | Customer Relationship Management Software | During Salesforce Data Exfiltration, threat actors accessed and exfiltrated sensitive information from compromised Salesforce instances.2 |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | During Salesforce Data Exfiltration, threat actors created malicious applications within Salesforce trial accounts, typically Python scripts with similar function to the Salesforce Data Loader.12 |
| enterprise | T1585 | Establish Accounts | During Salesforce Data Exfiltration, threat actors created Salesforce trial accounts to register their malicious applications.2 |
| enterprise | T1585.002 | Email Accounts | During Salesforce Data Exfiltration, threat actors registered emails shinycorp@tuta[.]com and shinygroup@tuta[.]com to send victims extortion demands.2 |
| enterprise | T1567 | Exfiltration Over Web Service | During Salesforce Data Exfiltration, threat actors exfiltrated data via legitimate Salesforce API communication channels including the Salesforce Data Loader application.21 |
| enterprise | T1083 | File and Directory Discovery | During Salesforce Data Exfiltration, threat actors queried customers’ Salesforce environments to identify sensitive information for exfiltration.1 |
| enterprise | T1656 | Impersonation | During Salesforce Data Exfiltration, threat actors impersonated IT support personnel in voice calls with victims at times claiming to be addressing enterprise-wide connectivity issues.21 |
| enterprise | T1036 | Masquerading | During Salesforce Data Exfiltration, threat actors used voice calls to socially engineer victims into authorizing a modified version of the Salesforce Data Loader app.2 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | During Salesforce Data Exfiltration, threat actors initially relied on the legitimate Salesforce Data Loader app for data exfiltration.21 |
| enterprise | T1598 | Phishing for Information | - |
| enterprise | T1598.004 | Spearphishing Voice | During Salesforce Data Exfiltration, threat actors initiated voice calls with victims to socially engineer them into authorizing malicious applications or divulging sensitive credentials.12 |
| enterprise | T1090 | Proxy | During Salesforce Data Exfiltration, threat actors used Mullvad VPN IPs to proxy voice phishing calls.2 |
| enterprise | T1090.003 | Multi-hop Proxy | During Salesforce Data Exfiltration, threat actors used Tor IPs for voice calls and for the collection of stolen data.2 |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.005 | Link Target | During Salesforce Data Exfiltration, threat actors established an Okta phishing panel which victims were tricked into accessing from mobile phones or work computers during social engineering calls.12 |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.002 | Domain Accounts | During Salesforce Data Exfiltration, threat actors used compromised credentials for lateral movement.12 |
Software
| ID | Name | Description |
|---|---|---|
| S0183 | Tor | During Salesforce Data Exfiltration, threat actors used Tor IPs for voice calls and data collection.2 |
References
-
FBI Cyber Division. (2025, September 12). Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion. Retrieved October 22, 2025. ↩↩↩↩↩↩↩↩↩↩↩
-
Google Threat Intelligence Group. (2025, June 4). The Cost of a Call: From Voice Phishing to Data Extortion. Retrieved October 22, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩