Salesforce was named as a victim by the newly formed **Scattered LAPSUS$ Hunters (SLH)**, a federated cybercriminal collective that merges the capabilities of **Scattered Spider, ShinyHunters, and LAPSUS$**. The group's toolkit includes **AI-assisted vishing, spearphishing, and exploitation of recently disclosed vulnerabilities** (e.g., **CVE-2025-61882** in Oracle E-Business Suite and **CVE-2025-31324** in SAP NetWeaver Visual Composer). Neither of those products is part of the Salesforce platform, so the Salesforce intrusion is best read as credential-driven: vishing and spearphishing leading to **credential harvesting, lateral movement, and privilege escalation** inside Salesforce environments, rather than a zero-day against Salesforce itself. SLH used that access to exfiltrate data that likely includes **customer and enterprise SaaS records**, and announced the breach on its **Telegram-based data-leak site (DLS)**, using public shaming to maximize reputational damage. Given SLH's **Extortion-as-a-Service (EaaS) model** and its history of targeting high-value enterprises, the likely consequences are **financial fraud, operational disruption, and erosion of customer trust**. The presence of operators such as **'yuka'**, whom the source links to the **BlackLotus UEFI bootkit**, shows in-house exploit-development capacity; it does not by itself imply that firmware-level persistence was deployed against a SaaS tenant, but it raises the risk of **long-term data exposure or a follow-on ransomware deployment**. The breach fits SLH's strategy of **high-impact, brand-damaging extortion**, posing a serious threat to Salesforce's market position and regulatory compliance.
Source: https://gbhackers.com/scattered-lapsus-hunters/
TPRM report: https://www.rankiteo.com/company/salesforce
{
  "id": "sal5402554110625",
  "linkid": "salesforce",
  "type": "Cyber Attack",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{
  "affected_entities": [
    {
      "industry": "Customer Relationship Management (CRM)",
      "location": "Global (HQ: San Francisco, USA)",
      "name": "Salesforce",
      "size": "Enterprise",
      "type": "SaaS Provider"
    }
  ],
  "attack_vector": [
    "AI-automated vishing",
    "Spearphishing",
    "Credential Harvesting",
    "Lateral Movement",
    "Privilege Escalation",
    "Zero-day Exploitation (e.g., CVE-2025-61882, CVE-2025-31324)",
    "Exploit Brokerage",
    "Data Exfiltration",
    "Extortion-as-a-Service (EaaS)"
  ],
  "data_breach": {
    "data_exfiltration": true,
    "personally_identifiable_information": "Likely (based on target profile)",
    "sensitivity_of_data": "High (Enterprise SaaS and cloud infrastructure)",
    "type_of_data_compromised": ["Potentially PII, CRM Data, SaaS Configuration Details"]
  },
  "date_detected": "2025-08-08",
  "date_publicly_disclosed": "2025-08-08",
  "description": "The cybercriminal underground witnessed a significant consolidation as three notorious threat actors—Scattered Spider, ShinyHunters, and LAPSUS$—formally aligned to create the **Scattered LAPSUS$ Hunters (SLH)**, a federated collective that emerged in **early August 2025**. The alliance operates primarily through **Telegram**, leveraging it as both a coordination tool and a performative marketing channel. SLH announced **Salesforce** as one of its victims, targeting high-value enterprises including SaaS providers. The group exhibits sophisticated technical capabilities, including **AI-automated vishing, spearphishing, exploit development (e.g., CVE-2025-61882, CVE-2025-31324), and zero-day vulnerability brokerage**, while formalizing an **Extortion-as-a-Service (EaaS) model**. Core operators include **'shinycorp' (principal orchestrator)** and **'yuka' (exploit developer linked to BlackLotus UEFI bootkit and Medusa rootkit)**. The collective demonstrates **adaptive resilience** through repeated Telegram channel recreations and centralized decision-making, blending **theatrical brand management** with calculated extortion tactics.",
  "impact": {
    "brand_reputation_impact": ["High (Targeting of Salesforce and public extortion tactics)"],
    "data_compromised": ["Potential CRM/SaaS/Database Records (Salesforce and other high-value enterprises)"],
    "identity_theft_risk": ["Potential (PII in compromised databases)"],
    "operational_impact": ["Disruption of SaaS Operations", "Potential Supply Chain Risks"],
    "systems_affected": ["Cloud Infrastructure", "SaaS Platforms (e.g., Salesforce)", "Database Systems"]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Likely (based on EaaS model and historical LAPSUS$/ShinyHunters activity)",
    "entry_point": ["AI-automated vishing", "Spearphishing", "Credential Harvesting"],
    "high_value_targets": ["Salesforce", "SaaS Providers", "Cloud Infrastructure", "Database Systems"]
  },
  "investigation_status": "Ongoing (as of 2025-2026)",
  "lessons_learned": [
    "Cybercriminal consolidation enhances operational resilience and technical sophistication.",
    "Telegram’s role as both a coordination and performative marketing tool amplifies psychological impact.",
    "Exploit brokerage and zero-day vulnerabilities are critical force multipliers for modern threat actors.",
    "Extortion-as-a-Service (EaaS) models lower the barrier to entry for affiliate-driven attacks.",
    "Theatrical branding and narrative control are strategic assets equivalent to technical capabilities."
  ],
  "motivation": [
    "Financial Gain",
    "Reputational Capital",
    "Operational Resilience",
    "Narrative Control",
    "Psychological Impact (Theatrical Branding)"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Proactive zero-day patch management and exploit mitigation.",
      "Behavioral analytics for credential-based attacks.",
      "Dark web monitoring for emerging threat actor alliances.",
      "Cross-sector collaboration to disrupt EaaS models."
    ],
    "root_causes": [
      "Exploitation of zero-day vulnerabilities (e.g., CVE-2025-61882).",
      "Lack of adaptive defenses against AI-driven social engineering.",
      "Fragmented cybercriminal ecosystems enabling consolidation (e.g., post-BreachForums vacuum).",
      "Over-reliance on traditional perimeter security in cloud/SaaS environments."
    ]
  },
  "ransomware": {"data_exfiltration": true},
  "recommendations": [
    "Monitor dark web/Telegram channels for SLH activity and zero-day exploit discussions.",
    "Enhance AI-driven phishing/vishing detection for credential harvesting campaigns.",
    "Implement zero-trust architectures to mitigate lateral movement risks in cloud/SaaS environments.",
    "Collaborate with vulnerability brokerage programs to preempt exploit proliferation.",
    "Develop counter-narrative strategies to disrupt threat actor branding and psychological operations."
  ],
  "references": [
    {"source": "GBHackers (GBH)"},
    {"source": "SLH Telegram Channels (e.g., 'scattered LAPSUS$ hunters 7.0')"},
    {"source": "GitHub Repository (Yukari/Cvsp - BlackLotus/Medusa)"}
  ],
  "threat_actor": [
    {
      "affiliated_groups": ["Scattered Spider", "ShinyHunters", "LAPSUS$", "The Com"],
      "aliases": ["SLH", "scattered LAPSUS$ hunters 7.0"],
      "core_members": [
        {"alias": "shinycorp", "handles": ["@sp1d3rhunters", "@shinyc0rp"], "role": "Principal Orchestrator"},
        {"alias": "yuka", "associated_malware": ["BlackLotus UEFI bootkit", "Medusa rootkit"], "handles": null, "role": "Exploit Developer"},
        {"alias": "Alg0d", "handles": null, "role": "Auxiliary Operator"},
        {"alias": "UNC5537", "handles": null, "role": "Auxiliary Operator"}
      ],
      "name": "Scattered LAPSUS$ Hunters (SLH)",
      "operational_model": ["Extortion-as-a-Service (EaaS)", "Crowdsourced Extortion", "Vulnerability Brokerage"]
    }
  ],
  "title": "Formation of Scattered LAPSUS$ Hunters (SLH) Cybercriminal Collective and Targeting of Salesforce",
  "type": [
    "Cybercriminal Alliance Formation",
    "Data Breach",
    "Extortion",
    "Exploit Development",
    "Targeted Attack"
  ],
  "vulnerability_exploited": [
    "CVE-2025-61882 (Oracle E-Business Suite; not a Salesforce component)",
    "CVE-2025-31324 (SAP NetWeaver Visual Composer; not a Salesforce component)",
    "Unspecified further zero-day vulnerabilities in cloud infrastructure/SaaS platforms claimed by the group"
  ]
}