Scattered Lapsus$ Hunters Launched a New Leak Site to Release Data Stolen from Salesforce Instances


The notorious cybercriminal collective known as Scattered Lapsus$ Hunters has escalated their extortion campaign by launching a dedicated leak site to threaten organizations with the exposure of stolen Salesforce data.

This supergroup, comprised of established threat actors including ShinyHunters, Scattered Spider, and Lapsus$, represents a sophisticated evolution in ransomware-as-a-service operations that targets one of the world’s most widely used customer relationship management platforms.

The group’s emergence signifies a dangerous consolidation of cybercriminal expertise, combining the technical capabilities and operational knowledge of multiple established threat actors.

Their coordinated approach demonstrates how modern cybercriminal organizations are becoming increasingly organized and specialized, focusing on high-value targets that can yield substantial ransom payments.

The collective’s decision to specifically target Salesforce instances reflects their understanding of the platform’s critical business value and the sensitive customer data it contains.

Operating through the Tor onion network, their extortion portal lists compromised Salesforce customers alongside claims of how much data the group has allegedly exfiltrated during their attacks.


UpGuard analysts noted that the website threatens affected organizations with public data exposure unless payment demands are met, with an initial deadline set for October 10th, 2025.

The site’s existence marks a troubling milestone in the commercialization of data theft, transforming stolen information into leverage for systematic extortion operations.

The attack campaign demonstrates sophisticated technical execution across multiple vectors, beginning with social engineering attacks that exploited human vulnerabilities rather than technical flaws.

The threat actors employed vishing techniques, impersonating IT support personnel to manipulate authorized users into installing malicious Salesforce integrations, providing the attackers with API-level access to target systems.

OAuth Token Exploitation and Persistence Mechanisms

The group’s most sophisticated attack vector involved compromising Salesloft’s GitHub repositories and leveraging valid OAuth integration tokens to maintain persistent access to connected Salesforce environments.

After gaining initial access to Salesloft’s corporate GitHub account through suspected social engineering, the attackers methodically downloaded repository contents, created unauthorized user accounts within the organization, and established custom workflows to facilitate ongoing access.

The attack progression followed a calculated approach where the threat actors discovered embedded AWS credentials within the compromised repositories, enabling them to access Salesloft Drift’s cloud infrastructure.

Within this environment, they successfully identified and exfiltrated OAuth tokens belonging to Salesloft Drift clients, effectively transforming legitimate integration credentials into weapons for widespread data theft.
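The step described above, where embedded AWS credentials were found inside repository contents, is the kind of exposure a defender can catch before an intruder does. The following is an added example written for this article, not code from UpGuard, Salesloft or Salesforce: a small Python secret scanner that walks an in-memory set of repository files, matches AWS access key IDs (the AKIA/ASIA prefix plus 16 characters) and context-keyed 40-character secret access keys, and reports findings with the values masked so the report itself does not leak them. The repository contents, file names and the key values (AWS's published documentation example values) are constructed for the demonstration.

```python
"""Scan repository contents for embedded AWS credentials (added example, not from the article)."""
import re
from typing import Dict, List

# AWS access key IDs begin with AKIA (long-term) or ASIA (temporary) and are followed by 16 characters.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters of the base64 alphabet. On their own that pattern is
# noisy, so require an assignment context such as "aws_secret_access_key = '...'" to match.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def mask(value: str) -> str:
    """Keep only the first and last four characters so a finding can be triaged without re-exposing it."""
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> List[dict]:
    """Return one finding per credential-looking token in a single file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno, "kind": "aws_access_key_id",
                             "masked": mask(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno, "kind": "aws_secret_access_key",
                             "masked": mask(m.group(1))})
    return findings


def scan_repo(files: Dict[str, str]) -> List[dict]:
    """Scan every file of an in-memory repository (path -> contents) in a stable order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample repository. The key values are the example credentials AWS uses in its own
# documentation; they are not live keys. Only config/settings.py should produce findings: the README
# merely names the variables, and the workflow references a CI secret rather than a literal.
SAMPLE_REPO = {
    "README.md": "Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the environment, never in source.\n",
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}\n"
    ),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['masked']}")
```

Running the scanner over the sample repository reports the key ID on line 2 and the secret on line 3 of config/settings.py and nothing else. In practice the same scan should run over git history, not just the working tree, since a key removed in a later commit is still recoverable from the repository contents an intruder downloads.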

This technique demonstrates how attackers can leverage the interconnected nature of modern SaaS platforms to achieve lateral movement across multiple organizations through a single compromised integration provider.

The persistence mechanism relied heavily on the legitimate OAuth authorization framework, making detection particularly challenging for security teams who might not immediately recognize malicious activity disguised as authorized API calls.

By utilizing valid integration tokens, the attackers could maintain access even if initial entry points were discovered and remediated, highlighting the critical importance of comprehensive token management and monitoring within enterprise environments.
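Because the abused tokens were valid, the signal is not in authentication failures but in how an approved integration behaves: calling from an address it never used, pulling far more rows than it normally does, or an integration nobody approved appearing at all. The following is an added example, not code from the article or from Salesforce: a Python detector that applies those three checks to a constructed list of Salesforce-style API event records against a baseline of approved connected apps. The event field names (app, user, ip, op, rows), the baseline, the integration names and the IP addresses (RFC 5737 documentation ranges) are all assumptions made for the demonstration, not Salesforce's real event schema.

```python
"""Flag anomalous connected-app API activity against a baseline (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed baseline of approved integrations: the source IPs each normally calls from and
# the most rows it is expected to pull in any rolling one-hour window.
BASELINE: Dict[str, dict] = {
    "Drift Integration": {"ips": {"203.0.113.10"}, "max_rows_per_hour": 5000},
}
DEFAULT_MAX_ROWS = 1000  # applied to integrations that have no baseline profile at all

# Constructed sample events in time order. Field names are assumptions, not a real Salesforce schema.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T09:00:00", "app": "Drift Integration", "user": "svc-drift", "ip": "203.0.113.10", "op": "query", "rows": 120},
    {"ts": "2025-01-01T09:10:00", "app": "Drift Integration", "user": "svc-drift", "ip": "198.51.100.7", "op": "query", "rows": 200},
    {"ts": "2025-01-01T09:15:00", "app": "Drift Integration", "user": "svc-drift", "ip": "198.51.100.7", "op": "query", "rows": 4000},
    {"ts": "2025-01-01T09:20:00", "app": "Drift Integration", "user": "svc-drift", "ip": "198.51.100.7", "op": "query", "rows": 3000},
    {"ts": "2025-01-01T09:30:00", "app": "Helpdesk Data Loader", "user": "svc-drift", "ip": "198.51.100.7", "op": "query", "rows": 50},
    {"ts": "2025-01-01T10:30:00", "app": "Drift Integration", "user": "svc-drift", "ip": "203.0.113.10", "op": "query", "rows": 100},
]


def detect_anomalies(events: List[dict], baseline: Dict[str, dict],
                     window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Return alerts for unknown apps, new source IPs, and bulk exports over a rolling window."""
    alerts: List[dict] = []
    seen_apps = set()          # unknown apps are reported once, on first sight
    ip_alerted = set()         # (app, ip) pairs already reported
    bulk_alerted = set()       # apps already reported for exceeding their row budget
    history = defaultdict(list)  # app -> [(timestamp, rows)] within the current window

    for ev in sorted(events, key=lambda e: e["ts"]):
        app, ip, ts = ev["app"], ev["ip"], datetime.fromisoformat(ev["ts"])
        profile = baseline.get(app)

        # Rule 1: an integration that is not in the approved baseline at all.
        if profile is None and app not in seen_apps:
            alerts.append({"rule": "unknown_connected_app", "app": app, "ts": ev["ts"], "user": ev["user"]})
        seen_apps.add(app)

        # Rule 2: an approved integration calling from an address outside its known set.
        if profile is not None and ip not in profile["ips"] and (app, ip) not in ip_alerted:
            alerts.append({"rule": "new_source_ip", "app": app, "ts": ev["ts"], "ip": ip})
            ip_alerted.add((app, ip))

        # Rule 3: rows pulled by this integration in the trailing window exceed its budget.
        hist = history[app]
        hist.append((ts, ev["rows"]))
        hist[:] = [(t, r) for t, r in hist if ts - t < window]
        total = sum(r for _, r in hist)
        limit = profile["max_rows_per_hour"] if profile else DEFAULT_MAX_ROWS
        if total > limit and app not in bulk_alerted:
            alerts.append({"rule": "bulk_export", "app": app, "ts": ev["ts"], "rows_in_window": total, "limit": limit})
            bulk_alerted.add(app)

    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_EVENTS, BASELINE):
        print(a)
```

On the sample data this raises three alerts: the Drift integration calling from a new address at 09:10, the same integration crossing its hourly row budget at 09:20 (7320 rows in the trailing hour), and an unrecognised "Helpdesk Data Loader" app at 09:30. The 10:30 event raises nothing because the earlier bulk activity has aged out of the window. An alert on any of these is the point at which to review and, if unexplained, revoke the integration's OAuth tokens, since fixing the original entry point alone leaves the token-based access intact.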


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.