Salesforce Data Exfiltration

The [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059) campaign began in October 2024 with the financially motivated threat actor UNC6040 using [Spearphishing Voice](https://attack.mitre.org/techniques/T1598/004) (vishing) to compromise corporate Salesforce instances for large-scale data theft and extortion. Following the initial data theft, victim organizations received extortion demands from a separate threat actor, UNC6240, who claimed to be the "ShinyHunters" group. The observed infrastructure and TTPs used during the [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059) campaign overlap with those used by threat groups with suspected ties to the broader collective known as "The Com." These overlaps could plausibly be the result of associated actors operating within the same communities and are not necessarily an indication of a direct operational relationship.(Citation: FBI Salesforce Data Theft SEP 2025)(Citation: Google Salesforce JUN 2025)

Start date: 1 October 2024
End date: 1 September 2025
Techniques: 18

Attributed actors

Techniques (18)

Collection (1)
T1213.004 Customer Relationship Management Software

Command and Control (2)
T1090 Proxy
T1090.003 Multi-hop Proxy

Discovery (1)
T1083 File and Directory Discovery

Execution (1)
T1059.006 Python

Exfiltration (2)
T1567 Exfiltration Over Web Service
T1020 Automated Exfiltration

Initial Access (1)
T1078.002 Domain Accounts

Persistence (2)
T1078.002 Domain Accounts
T1671 Cloud Application Integration

Privilege Escalation (1)
T1078.002 Domain Accounts

Reconnaissance (1)
T1598.004 Spearphishing Voice

Resource Development (6)
T1587.001 Malware
T1588.002 Tool
T1585.002 Email Accounts
T1586.002 Email Accounts
T1585 Establish Accounts
T1608.005 Link Target

Stealth (3)
T1684.001 Impersonation
T1078.002 Domain Accounts
T1036 Masquerading

Indicators of compromise

No IOCs linked to this campaign yet.