The FBI has issued a flash alert regarding two distinct cybercrime groups, UNC6040 and UNC6395, that have been orchestrating a series of data theft and extortion attacks. Both groups have recently focused their efforts on compromising Salesforce platforms, using different initial access methods to breach victim organizations. The alert highlights the immediate threat these groups pose and provides indicators of compromise (IoCs) to help companies protect themselves from these sophisticated attacks.
The group known as UNC6395 has been linked to a widespread data theft campaign that targeted Salesforce instances in August 2025. This group exploited compromised OAuth tokens for the Salesloft Drift application, which became vulnerable after Salesloft’s GitHub account was breached between March and June 2025. In response, Salesloft has taken its Drift AI chatbot offline, isolated its infrastructure, and is in the process of implementing new security measures, including enhanced multi-factor authentication and GitHub hardening, to prevent future incidents.
Another group, UNC6040, has been active since October 2024 and is a financially motivated threat cluster identified by Google. This group uses a different tactic, employing vishing (voice phishing) campaigns to gain initial access to Salesforce instances. They use modified versions of Salesforce’s Data Loader and custom Python scripts to breach systems and exfiltrate large quantities of data. The extortion phase of these attacks, which can happen months after the initial data theft, has been linked to a separate group, UNC6240, that often claims to be part of the notorious ShinyHunters criminal syndicate.
The group calling itself ShinyHunters has recently shown signs of escalating its extortion tactics, with Google noting that the group might be preparing to launch a data leak site (DLS) to pressure victims. This potential escalation follows a flurry of activity, including a supposed consolidation of efforts with other major cybercrime groups like Scattered Spider and LAPSUS$. Despite a recent claim on their Telegram channel that they are “going dark” and shutting down their operations, experts remain skeptical, viewing the announcement as a temporary move to avoid law enforcement attention.
Cybersecurity experts caution that declarations of retirement from such groups are rarely permanent. According to Sam Rubin of Unit 42 Consulting and Threat Intelligence, groups like this often splinter, rebrand, and resurface under new names. He advises that organizations should not mistake silence from a threat group for safety. Instead, they should assume that the threat has simply adapted, meaning that stolen data could still resurface, and undetected backdoors may remain active. Vigilance and proactive security measures are crucial for protecting against these ever-evolving cyber threats.
Reference:
