FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks

The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks.

“Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms,” the FBI said.

UNC6395 is a threat group that has been attributed a widespread data theft campaign targeting Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application. In an update issued this week, Salesloft said the attack was made possible due to the breach of its GitHub account from March through June 2025.

As a result of the breach, Salesloft has isolated the Drift infrastructure and taken the artificial intelligence (AI) chatbot application offline. The company also said it’s in the process of implementing new multi-factor authentication processes and GitHub hardening measures.

“We are focused on the ongoing hardening of the Drift Application environment,” the company said. “This process includes rotating credentials, temporarily disabling certain parts of the Drift application and strengthening security configurations.” “At this time, we are advising all Drift customers to treat any and all Drift integrations and related data as potentially compromised.”

The second group the FBI has called attention to is UNC6040. Assessed to be active since October 2024, UNC6040 is the name assigned by Google to a financially motivated threat cluster that has engaged in vishing campaigns to obtain initial access and hijack Salesforce instances for large-scale data theft and extortion.

These attacks have involved the use of a modified version of Salesforce’s Data Loader application and custom Python scripts to breach victims’ Salesforce portals and exfiltrate valuable data. At least some of the incidents have involved extortion activities following UNC6040 intrusions, with them taking place months after the initial data theft.

“UNC6040 threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls,” the FBI said. “After obtaining access, UNC6040 threat actors have then used API queries to exfiltrate large volumes of data in bulk.”

The extortion phase has been attributed by Google to another uncategorized cluster tracked as UNC6240, which has consistently claimed to be the ShinyHunters group in emails and calls to employees of victim organizations.

“In addition, we believe threat actors using the ‘ShinyHunters’ brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” Google noted last month. “These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.”

Since then, there have been a flurry of developments, the most notable being the teaming up of ShinyHunters, Scattered Spider, and LAPSUS$ to consolidate and unify their criminal efforts. Then on September 12, 2025, the group claimed on their Telegram channel “scattered LAPSUS$ hunters 4.0” that they are shutting down.

“We LAPSUS$, Trihash, Yurosh, Yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari and among many others, have decided to go dark,” the group said. “Our objectives having been fulfilled, it is now time to say goodbye.”

It’s currently not clear what prompted the group to hang up their boots, but it’s possible that the move is an attempt to lay low and avoid further law enforcement attention.

“The newly formed scattered LAPSUS$ hunters 4.0 group said it’s hanging up the boots and ‘go dark’ after it alleged that French law enforcement arrested another wrong person in connection with the cybercrime group,” Sam Rubin, senior vice president of Unit 42 Consulting and Threat Intelligence, told The Hacker News. “These declarations rarely signal a true retirement.”

“Recent arrests may have prompted the group to lay low, but history tells us this is often temporary. Groups like this splinter, rebrand, and resurface – much like ShinyHunters. Even if public operations pause, the risks remain: stolen data can resurface, undetected backdoors may persist, and actors may re-emerge under new names. Silence from a threat group does not equal safety. Organizations must stay vigilant and operate under the assumption that the threat has not disappeared, only adapted.”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.