The US Federal Bureau of Investigation (FBI) has issued a flash alert releasing indicators of compromise (IOCs) tied to two cybercrime groups tracked as UNC6040 and UNC6395, following a series of data theft and extortion attacks.
“It has been observed that both groups have recently been targeting organizations’ Salesforce platforms through various initial access mechanisms,” the FBI said.
UNC6395 is the threat group behind a wide-ranging data theft campaign that targeted Salesforce instances in August 2025 by leveraging compromised OAuth tokens from the Salesloft Drift application. In an update published this week, Salesloft said the attack was made possible by a breach of its GitHub account between March and June 2025.
Following the breach, Salesloft isolated the Drift infrastructure and took the artificial intelligence (AI) chatbot application offline. The company also said it is in the process of implementing a new multi-factor authentication process and GitHub hardening measures.
“We are focused on continuing to harden our Drift application environment,” the company said. “This process involves rotating credentials, temporarily disabling certain parts of the Drift application, and enhancing security configurations.” “At this time, we advise all Drift customers to treat all Drift integrations and related data as potentially compromised.”
The second group the FBI calls attention to is UNC6040. Assessed to be active since October 2024, UNC6040 is the name Google has assigned to a financially motivated threat cluster that runs voice phishing (vishing) campaigns to gain initial access and hijack Salesforce instances for large-scale data theft and extortion.
These attacks use a modified version of the Salesforce Data Loader app and custom Python scripts to breach the victim’s Salesforce portal and exfiltrate valuable data. In at least some incidents, extortion activity followed the UNC6040 intrusion, taking place several months after the initial data theft.
“The UNC6040 threat actors use phishing panels and instruct victims to visit them from their mobile phones or work computers during social engineering calls,” the FBI said. “After gaining access, the UNC6040 threat actors used API queries to exfiltrate large volumes of data.”
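The bulk API pulls described above leave a footprint in Salesforce API event logs. The following is an added defender-side example, not code from the FBI alert or from Salesforce: it aggregates rows returned per user and API client over a constructed log sample and flags pulls that look like mass export. The column names follow the shape of a Salesforce EventLogFile API export, but the field set, client names and thresholds are assumptions for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a Salesforce EventLogFile "API" export.
# Assumption: field names and values are illustrative, not from a real org
# or from the FBI alert.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
API,20250801120000.000,005A1,SalesforceDataLoader/64.0,Account,200
API,20250801120100.000,005A1,SalesforceDataLoader/64.0,Contact,150
API,20250801120200.000,005B2,Unknown,Account,2000
API,20250801120300.000,005B2,Unknown,Contact,2000
API,20250801120400.000,005B2,Unknown,Opportunity,2000
API,20250801120500.000,005B2,Unknown,Case,2000
API,20250801120600.000,005C3,DriftIntegration/1.0,Contact,5000
"""

# Assumed allowlist of API clients an admin expects to see pulling records.
EXPECTED_CLIENTS = {"SalesforceDataLoader/64.0"}

def summarise_api_pulls(log_text):
    """Aggregate rows pulled, calls made and distinct objects touched per (user, client)."""
    totals = defaultdict(lambda: {"rows": 0, "objects": set(), "calls": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "API":
            continue
        key = (row["USER_ID"], row["CLIENT_NAME"])
        totals[key]["rows"] += int(row["ROWS_PROCESSED"])
        totals[key]["objects"].add(row["ENTITY_NAME"])
        totals[key]["calls"] += 1
    return totals

def flag_bulk_exfil(log_text, row_threshold=5000, object_threshold=3,
                    expected_clients=EXPECTED_CLIENTS):
    """Return sorted (user, client, reasons) tuples for pulls resembling mass export.
    Three independent signals: total rows above threshold, many distinct objects
    swept in one session, or an API client not on the expected-tooling list.
    Thresholds are placeholders; tune them to the org's normal integration volume."""
    alerts = []
    for (user, client), stats in summarise_api_pulls(log_text).items():
        reasons = []
        if stats["rows"] >= row_threshold:
            reasons.append(f"{stats['rows']} rows")
        if len(stats["objects"]) >= object_threshold:
            reasons.append(f"{len(stats['objects'])} objects swept")
        if client not in expected_clients:
            reasons.append(f"unexpected client {client}")
        if reasons:
            alerts.append((user, client, "; ".join(reasons)))
    return sorted(alerts)
```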
The extortion stage is attributed to a separate, uncategorized cluster that Google tracks as UNC6240, which consistently claims to be the ShinyHunters group in emails and phone calls to employees of victim organizations.
“We also believe that threat actors using the ‘ShinyHunters’ brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” Google said last month. “These new tactics may be aimed at increasing pressure on victims, including those affected by the recent UNC6040 Salesforce-related data breaches.”
Most notable since then is the team-up of ShinyHunters, Scattered Spider, and Lapsus$ to consolidate their criminal efforts. Then, on September 12, 2025, the group, operating under the name “Scattered Lapsus$ Hunters 4.0”, announced on its Telegram channel that it was shutting down.
“We decided that Lapsus$, trihash, yurosh, yaxsh, wytrozz, n3z0x, nitroz, toxiqueroot, prosox, pertinax, kurosh, clown, IntelBroker, Scattered Spider, and many others would go dark,” the group wrote. “Our purpose has been fulfilled. Now is the time to say goodbye.”
It is currently unclear why the group has decided to pull back, but the move could be a lull and an attempt to avoid the attention of law enforcement agencies.
“The newly formed Scattered Lapsus$ Hunters 4.0 group said it would ‘go dark’ after French law enforcement allegedly arrested another wrong person in connection with a cybercrime group,” Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42, told The Hacker News. “These declarations rarely signal a true retirement.”
“Recent arrests may have made the group lie low, but history tells us that this is often temporary. These groups splinter, rebrand, and resurface; even if public operations are suspended, stolen data remains in play. It hasn’t disappeared, it’s just adapted.”