
Hackers abuse malicious version of Salesforce tool for data theft, extortion - Cybersecurity Dive

Cybersecurity Dive Archived Mar 17, 2026 ✓ Full text saved




A threat group is using voice phishing to trick targeted organizations into sharing sensitive credentials.

Published June 4, 2025
David Jones, Reporter

Photo: The Salesforce corporate headquarters on Aug. 21, 2019, in San Francisco. A threat group has been abusing a malicious, unauthorized version of a Salesforce tool for social engineering attacks since early 2025. (Getty Images)

A financially motivated hacker group has been targeting Salesforce instances for months in a campaign that uses voice phishing to engage in data theft and follow-on extortion attempts, according to Google Threat Intelligence Group.

The hackers, whom Google tracks as UNC6040, impersonated IT workers and tricked employees at often English-speaking branches of multinational companies into sharing sensitive credentials that were then used to access the organizations’ Salesforce data, Google said in a blog post published Wednesday.

As part of the social engineering campaign, the hackers tricked workers at these companies into visiting the Salesforce-connected app setup page, at which point the attackers used an unauthorized, malicious version of the Salesforce Data Loader app to access and steal sensitive information from the customers’ Salesforce environments.

Beyond the immediate data thefts, the hackers were able to move laterally within target networks, accessing victims’ other cloud services and moving into internal corporate networks.

Salesforce warned about these social engineering attacks in a March blog post. A company spokesperson told Cybersecurity Dive that there is no indication the attacks are linked to any vulnerability in the Salesforce platform.

“Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices,” the spokesperson said via email.

In the blog post, Salesforce urged customers to enable multifactor authentication, limit access privileges and restrict login IP addresses.

It wasn’t immediately clear why Salesforce instances in particular were being targeted or how the hackers learned about the Salesforce tool. Google researchers have not observed other threat actors using this tool.

The attackers' proficiency in deploying the malicious version of the tool varied from attack to attack, researchers said.

“The difference in proficiency likely reflects a team with different skills and knowledge of the Salesforce platform,” Austin Larsen, principal threat analyst at GTIG, said via email. “It’s probable this expertise was acquired through prior operations or research, not from insider knowledge.”

In a number of cases, hackers have launched extortion attempts months after gaining initial access, according to researchers. There is evidence that the hackers have been working with an outside partner, because in some cases the hackers extorting their targets claim to be affiliated with the ShinyHunters threat group.

The Salesforce activity mirrors a recent increase in the use of voice phishing as a tool for social engineering attacks.

Larsen said there are broad overlaps between the Salesforce hackers and an underground collective known as “The Com,” which includes the notorious cybercrime gang dubbed Scattered Spider. Larsen cautioned, however, that the threat actor involved in the Salesforce attacks is a distinct group from the threat group tracked as UNC3944, which overlaps with a subset of Scattered Spider activity.