The cybersecurity landscape witnessed a sophisticated and ongoing attack campaign throughout 2025 that has successfully compromised major corporations, including Google, Adidas, Louis Vuitton, and numerous other high-profile organizations.
This comprehensive technical analysis reveals how the notorious cybercriminal group ShinyHunters, in apparent collaboration with Scattered Spider, has executed one of the most successful social engineering campaigns targeting Salesforce Customer Relationship Management (CRM) platforms.
The campaign represents a significant evolution in attack sophistication, combining traditional voice phishing techniques with advanced OAuth abuse and API exploitation to achieve persistent access and large-scale data exfiltration across multiple industry sectors.

Background and Threat Actor Attribution
Evolution from Database Thieves to Social Engineers
ShinyHunters emerged in 2020 as a financially motivated cybercriminal group initially focused on traditional credential theft and database exploitation.
The group gained notoriety through high-profile data breaches affecting major platforms, including Tokopedia (91 million records), Microsoft GitHub (500GB of data), and AT&T (70+ million records).
Beyond data theft operations, ShinyHunters established itself as a key player in the cybercriminal ecosystem by serving as administrators of popular hacking forums, including multiple incarnations of BreachForums.
Following arrests of several alleged members in June 2024, ShinyHunters maintained relative inactivity until their dramatic resurgence in June 2025 with fundamentally transformed tactics, techniques, and procedures (TTPs).
Google’s Threat Intelligence Group (GTIG) tracks the current campaign activities under the designations UNC6040 (initial compromise activities) and UNC6240 (extortion operations), though the operators consistently claim affiliation with the ShinyHunters brand.
Suspected Collaboration with Scattered Spider
Compelling circumstantial evidence suggests active collaboration between ShinyHunters and Scattered Spider, a sophisticated English-speaking cybercriminal collective known for social engineering expertise. This collaboration theory is supported by several key indicators:
Tactical Convergence: The current ShinyHunters campaign demonstrates marked adoption of Scattered Spider’s signature techniques, including highly targeted voice phishing, domain impersonation patterns, and VPN obfuscation methods.
Infrastructure Overlap: Domain registration analysis reveals shared infrastructure characteristics, including similar naming conventions (ticket-companyname[.]com), common registrars (GMO Internet), and Cloudflare-masked nameservers.
Attribution Evidence: A BreachForums user with the portmanteau alias “Sp1d3rhunters” appeared in May 2024, claiming both groups “are the same” and “have always been the same,” while subsequently leaking data previously attributed to ShinyHunters.
Both groups demonstrate connections to “The Com,” a loosely organized collective of English-speaking cybercriminals engaged in diverse illegal activities, including SIM swapping, account takeovers, cryptocurrency theft, and more extreme criminal activities.

Technical Attack Methodology
Initial Access: Voice Phishing (Vishing) Operations
The attack chain begins with sophisticated voice phishing campaigns targeting employees with appropriate Salesforce permissions. Attackers impersonate internal IT support personnel using several social engineering techniques:
Reconnaissance Phase: Threat actors conduct extensive open-source intelligence gathering, harvesting employee contact information from LinkedIn, company directories, and public sources to identify high-value targets with Salesforce administrative privileges.
Call Initiation: Attackers initiate calls using spoofed caller IDs, voice-altering software, and professional-sounding scripts claiming urgent Salesforce-related issues requiring immediate attention. Some campaigns employ automated phone systems with pre-recorded messages and interactive menus to gather additional reconnaissance before connecting to live operators.
Trust Establishment: The social engineering approach exploits inherent trust relationships between employees and IT support, leveraging urgency and authority to bypass normal verification procedures.
OAuth Abuse: Malicious Connected App Authorization
The core technical exploit centers on manipulating Salesforce’s OAuth-based connected app authorization mechanism:

Connected App Setup Manipulation: During vishing calls, attackers guide victims to Salesforce’s connected app authorization page (typically login.salesforce.com/setup/connect), instructing them to authorize what appears to be legitimate software.
Malicious Application Deployment: The threat actors present modified versions of Salesforce’s legitimate Data Loader application, often rebranded with misleading names such as “My Ticket Portal” to align with social engineering pretexts. These applications request broad API permissions, including data export capabilities.
8-Digit Authorization Code: Victims enter attacker-provided 8-digit authorization codes, inadvertently granting persistent OAuth tokens with extensive API access permissions. This process bypasses multi-factor authentication requirements and establishes long-term access without triggering standard security alerts.
Connected App ID: Analysis of Salesforce Event Monitoring logs revealed the malicious Connected App ID 889Kb100000KFJc associated with suspicious data exfiltration activities. This identifier represents unauthorized applications performing large-volume data queries across multiple victim organizations.
Data Exfiltration: API Exploitation and Automation
Once OAuth access is established, threat actors deploy sophisticated data extraction techniques:
REST API Exploitation: Attackers utilize Salesforce’s legitimate REST API endpoint /services/data/v62.0/query to perform bulk SOQL (Salesforce Object Query Language) queries targeting high-value data objects.
Automated Extraction Scripts: GTIG observed evolution from legitimate Data Loader applications to custom Python scripts performing similar functions but with enhanced automation capabilities. These scripts enable rapid, large-scale data extraction while mimicking legitimate API usage patterns.
Data Volume and Targeting: Each extraction request typically retrieves approximately 2.3 MB of data, with attacks focusing on Contact objects containing 400+ fields per record. Attackers demonstrate a sophisticated understanding of Salesforce data structures, targeting customer databases, personally identifiable information (PII), and business intelligence.
Traffic Obfuscation: All data exfiltration activities route through Mullvad VPN IP addresses and Tor networks to complicate attribution and evade detection. This multi-layered obfuscation approach significantly hampers incident response and forensic analysis efforts.
Lateral Movement and Privilege Escalation
Following initial Salesforce compromise, attackers frequently attempt lateral movement to adjacent cloud platforms:
Credential Harvesting: Using harvested credentials and OAuth tokens, threat actors access integrated platforms including Okta, Microsoft 365, and Meta Workplace.
Cross-Platform Data Access: Attackers leverage single sign-on (SSO) relationships and shared authentication mechanisms to access SharePoint repositories, email systems, and additional data stores.
Privilege Escalation: Through social engineering and credential manipulation, attackers may escalate access privileges within target organizations, potentially gaining administrative rights to additional systems.
Comprehensive Tactics, Techniques, and Procedures (TTPs)
The following table provides a detailed mapping of observed ShinyHunters TTPs to the MITRE ATT&CK framework:
Tactic | Technique ID | Technique Name | Description | Observed Behavior
---|---|---|---|---
Reconnaissance | T1589.001 | Gather Victim Identity Information: Credentials | Gathering target employee credentials and contact information for vishing campaigns | Researching target employees via LinkedIn, company directories
Reconnaissance | T1589.002 | Gather Victim Identity Information: Email Addresses | Collecting email addresses of target organization employees | Harvesting corporate email addresses from public sources
Initial Access | T1566.004 | Phishing: Spear Phishing Voice | Voice phishing calls impersonating IT support personnel to trick victims | Impersonating internal IT support with convincing social engineering
Initial Access | T1078.004 | Valid Accounts: Cloud Accounts | Abusing legitimate Salesforce accounts through social engineering | Leveraging compromised user accounts with appropriate Salesforce permissions
Initial Access | T1199 | Trusted Relationship | Exploiting trust relationship between users and IT support via phone calls | Exploiting inherent trust in IT support relationships
Execution | T1059.006 | Command and Scripting Interpreter: Python | Custom Python scripts replacing Salesforce Data Loader for automated exfiltration | Deploying custom Python scripts for automated bulk data extraction
Persistence | T1098.001 | Account Manipulation: Additional Cloud Credentials | Creating malicious OAuth applications disguised as legitimate Salesforce tools | Registering apps named “My Ticket Portal” to appear legitimate
Credential Access | T1528 | Steal Application Access Token | Stealing OAuth tokens through malicious connected app authorization | Obtaining persistent API access through OAuth app authorization
Credential Access | T1621 | Multi-Factor Authentication Request Generation | Tricking users into approving MFA requests during vishing calls | Requesting MFA approval during fake IT support calls
Indicators of Compromise (IoCs)
Security analysts should monitor for the following comprehensive set of indicators associated with the ShinyHunters Salesforce campaign:
IoC Type | Indicator | Category | Description | Confidence | First Observed | Status
---|---|---|---|---|---|---
Email Address | shinycorp@tuta[.]com | Communication | Primary extortion email used by UNC6240 for ransom demands | High | 2025-06-01 | Active
Email Address | shinygroup@tuta[.]com | Communication | Secondary extortion email address used by threat actors | High | 2025-06-01 | Active
Domain | dashboard-salesforce[.]com | Infrastructure | Active phishing domain hosting fake Salesforce login pages | High | 2025-08-01 | Active
Domain | ticket-dior[.]com | Infrastructure | Phishing domain impersonating Dior for ticket-themed attacks | High | 2025-06-20 | Inactive
Domain | ticket-lvmh[.]com | Infrastructure | Phishing domain targeting LVMH with ticket portal theme | High | 2025-06-20 | Inactive
Domain | ticket-louisvuitton[.]com | Infrastructure | Domain impersonating Louis Vuitton for credential harvesting | High | 2025-06-20 | Inactive
Domain | ticket-nike[.]com | Infrastructure | Phishing domain targeting Nike with ticket dashboard theme | High | 2025-06-26 | Inactive
Domain | ticket-audemarspiguet[.]com | Infrastructure | Domain impersonating Audemars Piguet for social engineering | High | 2025-06-20 | Inactive
Domain | *-my-salesforce[.]com | Infrastructure Pattern | Pattern for company-specific Salesforce phishing domains | Medium | 2025-06-01 | Active
Domain | *-ticket[.]com | Infrastructure Pattern | Pattern for ticket-themed phishing targeting luxury brands | Medium | 2025-06-01 | Active
Connected App ID | 889Kb100000KFJc | Application | Malicious Connected App ID observed in Salesforce logs | High | 2025-06-15 | Blocked
User Agent | SalesforceDataLoader/* | Network | User agent string associated with malicious Data Loader variants | Medium | 2025-06-01 | Monitored
API Endpoint | /services/data/v62.0/query | Network | Salesforce REST API endpoint used for bulk data queries | High | 2025-06-01 | Monitored
IP Range | Mullvad VPN IP Ranges | Network | VPN service used for traffic obfuscation and anonymity | Medium | 2025-06-01 | Active
Victim Impact Analysis
The campaign has affected organizations across multiple industry sectors, with confirmed and suspected victims spanning technology, luxury goods, aviation, insurance, and retail:
Organization | Industry | Breach Date | Confirmation Status | Data Compromised | Response Actions
---|---|---|---|---|---
Google | Technology | June 2025 | Confirmed by Google | SMB contact information, business names, phone numbers | Access terminated, customers notified, analysis completed
Adidas | Retail/Fashion | July 2025 | Media Reports | Customer data, internal communications | Investigation ongoing, security measures implemented
Louis Vuitton (LVMH) | Luxury Goods | July 2025 | Media Reports | Customer databases, PII | Breach investigation, customer notification
Dior (LVMH) | Luxury Goods | July 2025 | Media Reports | Customer records, transaction data | Incident response activated, forensic analysis
Chanel | Luxury Goods | August 2025 | Media Reports | US customer database | Data breach disclosure, customer alerts
Qantas Airways | Aviation | July 2025 | Media Reports | Passenger data, booking information | Payment made, investigation ongoing
Allianz Life | Insurance | July 2025 | Media Reports | Policy holder information | Security review, policy updates
Cisco Systems | Technology | June 2025 | Media Reports | Internal communications, customer data | Incident containment, security hardening
High-Profile Confirmed Breaches
Google (June 2025): Google confirmed a compromise of a corporate Salesforce instance containing contact information for small and medium businesses. Approximately 2.55 million records were allegedly accessed, including business names, phone numbers, and sales notes. Google responded rapidly, terminating attacker access and completing customer notifications by August 8, 2025.
LVMH Luxury Brands: Multiple LVMH subsidiaries were targeted, including Louis Vuitton, Dior, and Tiffany & Co. Domain registration evidence shows ticket-themed phishing infrastructure specifically targeting these brands between June 20-30, 2025, coinciding with reported data breaches.
Aviation Sector: Qantas Airways reportedly paid 4 Bitcoin (~$400,000) to prevent data leakage, while Air France-KLM also suffered confirmed breaches. These attacks demonstrate the campaign’s effectiveness across international aviation companies with substantial customer databases.
Extortion and Monetization
The ShinyHunters campaign employs a delayed extortion model, with ransom demands occurring weeks or months after initial data theft. Key characteristics include:
Ransom Amounts: Demands range from 4 Bitcoin (~$400,000) to 20 Bitcoin (~$2.3 million), with Google receiving the highest reported demand (though claimed as a joke by the attackers).
Data Leak Site Preparation: GTIG warns that ShinyHunters may be preparing to escalate tactics by launching a dedicated data leak site (DLS) to increase pressure on victims.
Infrastructure Analysis and Domain Patterns
Comprehensive analysis of malicious infrastructure reveals coordinated domain registration patterns supporting the attribution of this campaign to ShinyHunters in collaboration with Scattered Spider:
Ticket-Themed Phishing Domains
ReliaQuest researchers identified multiple malicious domains registered between June and August 2025 following consistent naming patterns:
LVMH Targeting: ticket-lvmh[.]com, ticket-dior[.]com, ticket-louisvuitton[.]com (registered June 20-30, 2025)
Extended Targeting: ticket-nike[.]com, ticket-audemarspiguet[.]com (registered June 2025)
Salesforce Impersonation: dashboard-salesforce[.]com (registered August 1, 2025, actively hosting phishing pages)
Registry Characteristics
All identified malicious domains share common infrastructure indicators:
Registrar: GMO Internet is consistently used across malicious infrastructure.
Email Patterns: Temporary registrant addresses using mailshan[.]com domain.
DNS Configuration: Cloudflare-masked nameservers to obscure true hosting infrastructure.
Phishing Kits: Domains host Okta-branded phishing pages mimicking legitimate SSO portals.
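The naming patterns and registry traits above (ticket-<brand>[.]com, <brand>-ticket[.]com, <brand>-my-salesforce[.]com, <word>-salesforce[.]com, GMO Internet as registrar, Cloudflare nameservers, mailshan[.]com registrant addresses) can be turned into a triage rule for a newly-registered-domain feed. The Python below is an added example, not code from the article or from ReliaQuest or GTIG; the feed records, the watched-brand list (including a hypothetical own brand "examplecorp") and the point values are constructed assumptions for the example.

```python
import re

# Brands to watch: the article's named targets plus a hypothetical own brand
# "examplecorp" (an assumption for this example).
WATCHED_BRANDS = {"lvmh", "dior", "louisvuitton", "nike", "audemarspiguet", "examplecorp"}

# Naming patterns taken from the article's IoC table and detection advice.
# The brand group excludes hyphens on purpose so each pattern binds one token
# and "ticket-master-events.com" style names do not match by accident.
PATTERNS = {
    "ticket-prefix": re.compile(r"^ticket-(?P<brand>[a-z0-9]+)\.com$"),
    "ticket-suffix": re.compile(r"^(?P<brand>[a-z0-9]+)-ticket\.com$"),
    "my-salesforce": re.compile(r"^(?P<brand>[a-z0-9]+)-my-salesforce\.com$"),
    "salesforce-suffix": re.compile(r"^(?P<brand>[a-z0-9]+)-salesforce\.com$"),
}


def refang(value):
    """Turn a defanged indicator such as ticket-dior[.]com back into a hostname."""
    return value.strip().lower().replace("[.]", ".").rstrip(".")


def classify(domain, brands=WATCHED_BRANDS):
    """Return the matching pattern and extracted brand token, or None if no pattern fits."""
    host = refang(domain)
    for label, rx in PATTERNS.items():
        m = rx.match(host)
        if m:
            brand = m.group("brand")
            return {"domain": host, "pattern": label, "brand": brand,
                    "watched_brand": brand in brands}
    return None


def score(record, brands=WATCHED_BRANDS):
    """Score one registration record; the registry traits are those the article lists."""
    hit = classify(record["domain"], brands)
    if hit is None:
        return None
    points, reasons = 1, ["pattern:" + hit["pattern"]]
    if hit["watched_brand"]:
        points += 2
        reasons.append("brand:" + hit["brand"])
    if record.get("registrar", "").lower().startswith("gmo internet"):
        points += 1
        reasons.append("registrar:GMO Internet")
    if any(ns.lower().endswith(".ns.cloudflare.com") for ns in record.get("nameservers", [])):
        points += 1
        reasons.append("ns:cloudflare")
    if refang(record.get("registrant_email", "")).endswith("@mailshan.com"):
        points += 1
        reasons.append("registrant:mailshan.com")
    priority = "high" if points >= 4 else "medium" if points >= 2 else "low"
    return {"domain": hit["domain"], "score": points, "priority": priority, "reasons": reasons}


def triage(feed, brands=WATCHED_BRANDS):
    """Score every record in a feed and return the matches, highest score first."""
    scored = [s for s in (score(r, brands) for r in feed) if s is not None]
    return sorted(scored, key=lambda s: (-s["score"], s["domain"]))


# Constructed feed records (not real registration data). The two lookalikes of
# the article's domains are mixed with an own-brand name that deserves a look
# and two names that must not match.
SAMPLE_FEED = [
    {"domain": "ticket-dior[.]com", "registrar": "GMO Internet, Inc.",
     "nameservers": ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"],
     "registrant_email": "x9f2@mailshan[.]com"},
    {"domain": "dashboard-salesforce.com", "registrar": "GMO Internet, Inc.",
     "nameservers": ["kim.ns.cloudflare.com"], "registrant_email": "q7@mailshan.com"},
    {"domain": "nike-ticket.com", "registrar": "GMO Internet, Inc.",
     "nameservers": ["ns1.hosting.example"], "registrant_email": "owner@hosting.example"},
    {"domain": "examplecorp-my-salesforce.com", "registrar": "Example Registrar LLC",
     "nameservers": ["ns1.examplecorp.example"], "registrant_email": "it@examplecorp.example"},
    {"domain": "ticket-master-events.com", "registrar": "Example Registrar LLC",
     "nameservers": ["ns1.hosting.example"], "registrant_email": "a@b.example"},
    {"domain": "news.example.org", "registrar": "Example Registrar LLC",
     "nameservers": ["ns1.hosting.example"], "registrant_email": "a@b.example"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(f"{hit['priority']:6} {hit['score']} {hit['domain']:32} {', '.join(hit['reasons'])}")
```

A generic Salesforce lookalike such as dashboard-salesforce.com scores on pattern and registry traits alone, while an own-brand name registered through an ordinary registrar lands at "medium" so an analyst can confirm whether it belongs to the organisation before escalating.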
Technical Countermeasures and Detection Strategies
Salesforce-Specific Protections
Organizations must implement comprehensive Salesforce security hardening measures:
Connected App Management: Restrict powerful permissions including “API Enabled” and “Manage Connected Apps” to essential administrative personnel only. Implement regular audits of authorized connected applications and remove unused or suspicious entries.
IP Allowlisting: Enforce IP address restrictions for user profiles and connected app policies to prevent access from unexpected or non-corporate IP addresses. This measure specifically counters VPN-based obfuscation techniques observed in the campaign.
Event Monitoring: Deploy Salesforce Shield with Transaction Security Policies to monitor large data downloads and unusual API activity patterns. Automated alerts should trigger on bulk Contact object queries exceeding normal usage baselines.
OAuth Governance: Implement strict approval processes for connected app installations, potentially allowlisting known safe applications to prevent unauthorized OAuth grants.
Detection and Monitoring
Security operations centers should implement the following detection capabilities:
Behavioral Analysis: Monitor for unusual REST API request volumes, particularly bulk queries to Contact objects returning consistent data sizes (~2.3MB). Establish baselines for normal API usage and alert on statistical anomalies.
Network Traffic Analysis: Detect connections to Mullvad VPN IP ranges and Tor exit nodes originating from corporate networks. Correlation of VPN usage with Salesforce API activity should trigger immediate investigation.
Social Engineering Indicators: Monitor for unusual 8-digit authorization codes in Salesforce logs and investigate OAuth app authorizations from unknown IP addresses.
Domain Intelligence: Implement automated monitoring for newly registered domains following observed patterns (ticket-companyname[.]com, companyname-salesforce[.]com) to identify targeting infrastructure.
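Several of the indicators described on this page are visible in Salesforce API logs: the Connected App ID 889Kb100000KFJc from the Event Monitoring analysis above, the SalesforceDataLoader/* user agent, repeated queries against the Contact object returning a near-constant ~2.3 MB, and source addresses outside the corporate allowlist. The Python below is an added example that runs those four checks over a few constructed log lines; it is not code from the article, GTIG or Salesforce. The column names imitate a simplified Event Monitoring API export but are assumptions, not Salesforce's real EventLogFile schema, and the corporate IP range and thresholds are likewise example values to be replaced with a measured baseline.

```python
import csv
import io
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample log (not real data) in the shape of a simplified Salesforce
# Event Monitoring API export. Column names are assumptions for this example.
# 005A1: ordinary console user; 005B2: the pattern the article describes;
# 005C3: a sanctioned Data Loader export from inside the corporate network.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CONNECTED_APP_ID,CLIENT_NAME,SOURCE_IP,URI,ENTITY_NAME,ROWS_PROCESSED,RESPONSE_SIZE
2025-06-15T09:01:12Z,005A1,0H4A100000AAA01,Sales Console,203.0.113.10,/services/data/v62.0/query,Contact,40,61440
2025-06-15T09:03:40Z,005A1,0H4A100000AAA01,Sales Console,203.0.113.10,/services/data/v62.0/query,Contact,5,8192
2025-06-15T09:10:05Z,005A1,0H4A100000AAA01,Sales Console,203.0.113.10,/services/data/v62.0/query,Contact,80,120000
2025-06-15T22:14:01Z,005B2,889Kb100000KFJc,SalesforceDataLoader/64.0,198.51.100.77,/services/data/v62.0/query,Contact,2000,2301440
2025-06-15T22:14:09Z,005B2,889Kb100000KFJc,SalesforceDataLoader/64.0,198.51.100.77,/services/data/v62.0/query,Contact,2000,2299904
2025-06-15T22:14:17Z,005B2,889Kb100000KFJc,SalesforceDataLoader/64.0,198.51.100.77,/services/data/v62.0/query,Contact,2000,2302976
2025-06-15T22:14:25Z,005B2,889Kb100000KFJc,SalesforceDataLoader/64.0,198.51.100.77,/services/data/v62.0/query,Contact,2000,2300416
2025-06-15T22:14:33Z,005B2,889Kb100000KFJc,SalesforceDataLoader/64.0,198.51.100.77,/services/data/v62.0/query,Contact,2000,2301952
2025-06-15T22:14:41Z,005B2,889Kb100000KFJc,SalesforceDataLoader/64.0,198.51.100.77,/services/data/v62.0/query,Contact,2000,2299392
2025-06-16T08:30:00Z,005C3,0H4A100000AAA02,SalesforceDataLoader/62.0,203.0.113.22,/services/data/v62.0/query,Account,400,500000
2025-06-16T08:31:10Z,005C3,0H4A100000AAA02,SalesforceDataLoader/62.0,203.0.113.22,/services/data/v62.0/query,Account,900,1200000
"""

MALICIOUS_APP_IDS = {"889Kb100000KFJc"}          # from the article's IoC table
# Example corporate egress range (TEST-NET-3); replace with the real allowlist.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BULK_MIN_REQUESTS = 5          # how many Contact queries before we judge the pattern
BULK_MIN_BYTES = 1_000_000     # mean response well above interactive use (~2.3 MB observed)
BULK_MAX_CV = 0.05             # near-identical sizes suggest scripted paging, not people


def parse_log(text):
    """Read the CSV export into dicts with numeric size and row-count fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ROWS_PROCESSED"] = int(r["ROWS_PROCESSED"])
        r["RESPONSE_SIZE"] = int(r["RESPONSE_SIZE"])
    return rows


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def detect(rows):
    """Return sorted (rule, user_id) findings; one finding per rule per user."""
    findings = set()
    contact_sizes = defaultdict(list)
    for r in rows:
        user = r["USER_ID"]
        if r["CONNECTED_APP_ID"] in MALICIOUS_APP_IDS:
            findings.add(("known_malicious_app", user))
        if not is_corporate(r["SOURCE_IP"]):
            findings.add(("non_corporate_source", user))
        if r["CLIENT_NAME"].startswith("SalesforceDataLoader/"):
            findings.add(("dataloader_client", user))      # review, not proof by itself
        if r["URI"].endswith("/query") and r["ENTITY_NAME"] == "Contact":
            contact_sizes[user].append(r["RESPONSE_SIZE"])
    # Bulk-export heuristic: many Contact queries whose responses are both large
    # and almost the same size, which is what paged scripted extraction looks like.
    for user, sizes in contact_sizes.items():
        if len(sizes) < BULK_MIN_REQUESTS:
            continue
        mean = statistics.fmean(sizes)
        cv = statistics.pstdev(sizes) / mean if mean else 0.0
        if mean >= BULK_MIN_BYTES and cv <= BULK_MAX_CV:
            findings.add(("bulk_contact_export", user))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} user={user}")
```

The sanctioned Data Loader user only raises the low-severity client-name finding, while the scripted account trips all four rules; in a SOC pipeline the combination of a non-corporate source with the bulk-export heuristic is the pairing the network-traffic bullet above says should trigger immediate investigation.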
The ShinyHunters Salesforce attack campaign represents one of the most sophisticated and successful social engineering operations observed in recent years, successfully compromising dozens of high-profile organizations across multiple industries.
The suspected collaboration between ShinyHunters and Scattered Spider has produced a hybrid threat actor with enhanced capabilities, combining traditional data theft expertise with advanced social engineering techniques.
The campaign’s technical sophistication lies not in novel exploitation techniques but in the masterful combination of human psychology, legitimate platform features, and advanced obfuscation methods.
By abusing OAuth mechanisms and exploiting trust relationships, the threat actors achieved persistent access to sensitive customer data across numerous organizations while evading traditional technical security controls.
For cybersecurity professionals, this campaign underscores the critical importance of addressing human factors in security architectures. While technical controls remain essential, the most sophisticated defenses prove inadequate when users can be manipulated into authorizing malicious applications through convincing social engineering.
Organizations must adopt comprehensive defense strategies combining restrictive OAuth governance, enhanced user education, behavioral monitoring, and incident response capabilities specifically designed to counter social engineering threats.
The continued evolution of this campaign, potential law enforcement disruption efforts, and suspected expansion into ransomware operations will require sustained vigilance and adaptive security measures across all industry sectors.
The post How ShinyHunters Breached Google, Adidas, Louis Vuitton and More in Ongoing Salesforce Attack Campaign appeared first on Cyber Security News.