The US Federal Bureau of Investigation (FBI) has issued a flash alert sharing indicators of compromise (IOCs) associated with two cybercriminal groups, tracked as UNC6040 and UNC6395, that are carrying out data theft and extortion attacks.
"Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms," the FBI said.
UNC6395 is the threat group held responsible for a widespread data theft campaign that targeted Salesforce instances in August 2025 by abusing compromised OAuth tokens belonging to the Salesloft Drift application. In an update issued this week, Salesloft said the attack was made possible by a breach of its GitHub account between March and June 2025.
As a result of the breach, Salesloft has isolated the Drift infrastructure and taken the artificial intelligence (AI) chatbot application offline. The company also said it is in the process of implementing new multi-factor authentication procedures and GitHub hardening measures.
"We are focused on the ongoing hardening of the Drift application," the company said. "This process includes rotating credentials, temporarily disabling parts of the Drift application, and strengthening the security configuration." "At this time, we are advising all Drift customers to treat any and all Drift integrations and related data as potentially compromised."
The FBI has also flagged a second group, UNC6040. Assessed to have been active since October 2024, UNC6040 is the name Google assigned to a financially motivated threat cluster that runs vishing (voice phishing) campaigns to obtain initial access and hijack Salesforce instances for large-scale data theft and extortion.
These attacks involve the use of a modified version of Salesforce's Data Loader application and custom Python scripts to breach victims' Salesforce portals and exfiltrate valuable data. In at least some of the incidents, the extortion activity followed the initial UNC6040 intrusion and data theft.
"UNC6040 threat actors have used phishing panels that direct victims to navigate to them from their mobile phones or work computers during social engineering calls," the FBI said. "After gaining access, the UNC6040 threat actors then used API queries to exfiltrate large volumes of data in bulk."
The extortion phase has been attributed to another threat cluster tracked by Google as UNC6240, which has consistently claimed to be the ShinyHunters group in emails and calls to employees of victim organizations.
"In addition, we believe that the threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS)," Google said last month. "These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches."
Since then, there has been a flurry of developments, most notably ShinyHunters, Scattered Spider, and Lapsus$ consolidating and uniting their criminal efforts. Then, on September 12, 2025, the group announced on its Telegram channel "Scattered Lapsus$ Hunters 4.0" that it was shutting down.
"We, Lapsus$, Trihash, Yurosh, Yaxsh, Wytrozz, N3Z0X, Nitroz, Toxiqueroot, Prosox, Pertinax, Kurosh, Prank, IntelBroker, Scattered Spider, Scattered, Yukri, Yukari and many others have decided to go," the group said. "Our objectives are fulfilled, now it's time to say goodbye."
It is not currently clear what prompted the group to hang up its boots, but it is possible that the move is an attempt to keep a low profile and avoid further law enforcement attention.
"The newly formed Scattered Lapsus$ Hunters 4.0 group said it is hanging up its boots and 'going dark', after French law enforcement reportedly arrested another individual in connection with the cybercrime group," said Sam Rubin, Senior Vice President of Unit 42 Consulting and Threat Intelligence. "These announcements rarely indicate a true retirement."
"Recent arrests may have motivated the group to scale back, but history tells us that this is often temporary. Groups like ShinyHunters splinter, rebrand, and resurface. Even if public operations stop, the risks remain: stolen data can be resold, and the actors may quietly resume operations. This threat has not gone away."