
Tanay Rai
The FBI's September 2025 alert spotlights two criminal groups, tracked as UNC6040 and UNC6395, whose tactics are reshaping supply chain attacks and extortion against cloud CRMs, with Salesforce customers among the most heavily impacted.
UNC6040: Vishing, OAuth Abuse, and Data Theft
Since October 2024, UNC6040 has run carefully planned voice phishing (vishing) campaigns against corporate help desks and end users. The callers impersonate IT support and walk the victim through authorizing a malicious "Connected App" in Salesforce, typically a renamed copy of Salesforce's own Data Loader, by having them enter an attacker-supplied code on the legitimate connected-app setup page. The resulting OAuth tokens are issued by Salesforce itself, so they:
Blend malicious API traffic with legitimate user activity, because every request carries a valid token for a real user.
Sidestep multi-factor authentication (MFA) and password reset protections, because the attacker holds a token rather than the password and the victim satisfied the MFA challenge during authorization.
The malicious apps are commonly registered through Salesforce trial accounts, which complicates attribution and detection.
After gaining access, UNC6040 uses Python-based scripts to extract large volumes of CRM data, including names, email addresses, phone numbers and sales notes, and, in several high-profile breaches, financial and client-care information. Publicly reported victims include Google (2.55 million records), Allianz Life (1.4 million customers), LVMH (Louis Vuitton, Dior, Tiffany), Adidas, Qantas, and Chanel's US division.
Following data exfiltration, victims often receive extortion emails signed by the "ShinyHunters" threat actor group, demanding Bitcoin payments to prevent the public release of stolen data.
UNC6395: SaaS Interconnectivity Exploitation and Token Chain Attacks
In August 2025, UNC6395 demonstrated a different vector: it used stolen OAuth tokens issued to the Drift AI chatbot, a Salesloft product deeply integrated with Salesforce. Because the tokens belonged to a legitimate, already-authorized integration, the campaign needed neither user credentials nor malware to:
Access Salesforce environments without triggering MFA alerts.
Move laterally to other SaaS platforms, including Google Workspace and Slack.
Exfiltrate further sensitive data such as API keys and cloud credentials.
The token theft traces back to a prolonged compromise of Salesloft's GitHub repository between March and June 2025. Over 700 organizations were impacted, including the cybersecurity firms Zscaler and Palo Alto Networks. Salesforce and Salesloft responded by revoking the Drift OAuth tokens and removing Drift from AppExchange, illustrating how hard OAuth governance and multi-cloud supply chain security are in practice: a token granted once to a trusted integration is only as safe as the vendor that holds it.
Indicators of Compromise (IOCs)
The FBI lists IOCs as markers for detecting and investigating potential compromise. These include:
IP Addresses: Source addresses seen authenticating to Salesforce and carrying out exfiltration. Both UNC6040 and UNC6395 use a large, diverse set of addresses across multiple hosting providers and regions, including anonymizing infrastructure, so an exact IP match is useful for retrospective hunting but not a durable block list on its own.
URLs/Links: The legitimate Salesforce connected-app setup page with attacker-supplied user codes, plus lookalike help-desk portals and attacker-hosted pages used during the vishing flow to harvest credentials or obtain app authorization.
User-Agent Strings: Values sent by the bulk-extraction tooling when it calls Salesforce APIs. Two of them imitate Salesforce tooling; the other two are stock Python HTTP library defaults.
UNC6040 IOCs
IP Addresses:
IoC Type     Indicator
IP Address   13.67.175[.]79
IP Address   20.190.130[.]40
IP Address   20.190.151[.]38
IP Address   20.190.157[.]160
IP Address   20.190.157[.]98
IP Address   23.145.40[.]165
IP Address   23.145.40[.]167
IP Address   23.145.40[.]99
IP Address   23.162.8[.]66
IP Address   23.234.69[.]167
IP Address   23.94.126[.]63
IP Address   31.58.169[.]85
IP Address   31.58.169[.]92
IP Address   31.58.169[.]96
IP Address   34.86.51[.]128
IP Address   35.186.181[.]1
IP Address   37.19.200[.]132
IP Address   37.19.200[.]141
IP Address   37.19.200[.]154
IP Address   37.19.200[.]167
IP Address   37.19.221[.]179
IP Address   38.22.104[.]226
IP Address   45.83.220[.]206
IP Address   51.89.240[.]10
IP Address   64.95.11[.]225
IP Address   64.95.84[.]159
IP Address   66.63.167[.]122
IP Address   67.217.228[.]216
IP Address   68.235.43[.]202
IP Address   68.235.46[.]22
IP Address   68.235.46[.]202
IP Address   68.235.46[.]151
IP Address   68.235.46[.]208
IP Address   68.63.167[.]122
IP Address   69.246.124[.]204
IP Address   72.5.42[.]72
IP Address   79.127.217[.]44
IP Address   83.147.52[.]41
IP Address   87.120.112[.]134
IP Address   94.156.167[.]237
IP Address   96.44.189[.]109
IP Address   96.44.191[.]141
IP Address   96.44.191[.]157
IP Address   104.223.118[.]62
IP Address   104.193.135[.]221
IP Address   141.98.252[.]189
IP Address   146.70.165[.]47
IP Address   146.70.168[.]239
IP Address   146.70.173[.]60
IP Address   146.70.185[.]47
IP Address   146.70.189[.]47
IP Address   146.70.189[.]111
IP Address   146.70.198[.]112
IP Address   146.70.211[.]55
IP Address   146.70.211[.]119
IP Address   146.70.211[.]183
IP Address   147.161.173[.]90
IP Address   149.22.81[.]201
IP Address   151.242.41[.]182
IP Address   151.242.58[.]76
IP Address   163.5.149[.]152
IP Address   185.141.119[.]136
IP Address   185.141.119[.]138
IP Address   185.141.119[.]151
IP Address   185.141.119[.]166
IP Address   185.141.119[.]168
IP Address   185.141.119[.]181
IP Address   185.141.119[.]184
IP Address   185.141.119[.]185
IP Address   185.209.199[.]56
IP Address   191.96.207[.]201
IP Address   192.198.82[.]235
IP Address   195.54.130[.]100
IP Address   196.251.83[.]162
IP Address   198.44.129[.]56
IP Address   198.44.129[.]88
IP Address   198.244.224[.]200
IP Address   198.54.130[.]100
IP Address   198.54.130[.]108
IP Address   198.54.133[.]123
IP Address   205.234.181[.]14
IP Address   206.217.206[.]14
IP Address   206.217.206[.]25
IP Address   206.217.206[.]26
IP Address   206.217.206[.]64
IP Address   206.217.206[.]84
IP Address   206.217.206[.]104
IP Address   206.217.206[.]124
IP Address   208.131.130[.]53
IP Address   208.131.130[.]71
IP Address   208.131.130[.]91
URLs/Links (defanged; the "[victim]" placeholder stands for the targeted company's name):
IoC Type     Indicator
URL          login[.]salesforce[.]com/setup/connect?user_code=aKYF7V5N
URL          login[.]salesforce[.]com/setup/connect?user_code=8KCQGTVU
URL          hxxps://help[victim][.]com
URL          hxxps://login[.]salesforce[.]com/setup/connect
URL          hxxp://64.95.11[.]112/hello.php
URL          91.199.42[.]164/login
UNC6395 IOCs
IP Addresses:
IoC Type     Indicator
IP Address   208.68.36[.]90
IP Address   44.215.108[.]109
IP Address   154.41.95[.]2
IP Address   176.65.149[.]100
IP Address   179.43.159[.]198
IP Address   185.130.47[.]58
IP Address   185.207.107[.]130
IP Address   185.220.101[.]33
IP Address   185.220.101[.]133
IP Address   185.220.101[.]143
IP Address   185.220.101[.]164
IP Address   185.220.101[.]167
IP Address   185.220.101[.]169
IP Address   185.220.101[.]180
IP Address   185.220.101[.]185
IP Address   192.42.116[.]20
IP Address   192.42.116[.]179
IP Address   194.15.36[.]117
IP Address   195.47.238[.]83
IP Address   195.47.238[.]178
User-Agent Strings:
IoC Type     Indicator
User-Agent   Salesforce-Multi-Org-Fetcher/1.0
User-Agent   Salesforce-CLI/1.0
User-Agent   python-requests/2.32.4
User-Agent   Python/3.11 aiohttp/3.12.15
How IOCs Are Used
Defenders should cross-check Salesforce login history and API event logs, identity-provider sign-in logs, and proxy or firewall records for these IPs, URLs and user-agent strings. A match may indicate an attempted or successful intrusion linked to these groups, and the follow-up question is always what the session or token did: which user it ran as, which Connected App issued it, and how many records it pulled.
No single IOC proves compromise. The two Python user-agent strings are library defaults that any in-house integration can send, several of the listed addresses sit in ranges shared by Tor exit nodes and commercial VPN providers, and both groups rotate infrastructure, so each hit must be verified in its broader context and the lists treated as a starting point for hunting rather than a durable block list.
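The matching logic above in working form, as an added example that is not part of the FBI alert or this article: it refangs a subset of the IP and user-agent indicators from the tables, scans constructed Salesforce-style API log rows, and rates each hit by how specific the evidence is, so that a bare python-requests user-agent is not treated the same as a listed IP or a forged Salesforce tooling string. The log column names are a simplified stand-in for the real event log schema, the sample rows are fabricated, and BULK_ROW_THRESHOLD is an assumed tuning value.

```python
"""Match Salesforce-style API log rows against the FBI IOC tables above.

Added example, not from the FBI alert or the article. The log rows are constructed
and use a simplified, self-labelled column set rather than the exact event log schema.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# Indicators copied (defanged) from the tables above; a representative subset only.
UNC6040_IPS = """
13.67.175[.]79
64.95.11[.]225
146.70.165[.]47
185.141.119[.]136
206.217.206[.]14
"""
UNC6395_IPS = """
208.68.36[.]90
185.220.101[.]33
185.220.101[.]133
192.42.116[.]20
195.47.238[.]83
"""
# User-agent strings from the UNC6395 table. The first two name Salesforce tooling
# that never sends these exact strings, so they are strong on their own; the last
# two are stock library defaults and only matter together with other signals.
SPECIFIC_UAS = {"Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0"}
GENERIC_UAS = {"python-requests/2.32.4", "Python/3.11 aiohttp/3.12.15"}

BULK_ROW_THRESHOLD = 10_000  # assumed tuning value; derive yours from baseline API volumes


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into a matchable value."""
    return indicator.strip().replace("[.]", ".").replace("hxxp", "http")


def load_ip_iocs() -> dict[str, str]:
    """Map each listed IP to the group it is attributed to."""
    iocs: dict[str, str] = {}
    for group, block in (("UNC6040", UNC6040_IPS), ("UNC6395", UNC6395_IPS)):
        for line in block.splitlines():
            if line.strip():
                iocs[refang(line)] = group
    return iocs


@dataclass
class Hit:
    user: str
    client_ip: str
    confidence: str                     # "high", "medium" or "low"
    reasons: list[str] = field(default_factory=list)


def scan_log(log_text: str) -> list[Hit]:
    """Return one Hit per row that matches an IOC, with a confidence rating."""
    ip_iocs = load_ip_iocs()
    hits: list[Hit] = []
    for row in csv.DictReader(io.StringIO(log_text.strip())):
        reasons, strong = [], False
        ip, ua = row["CLIENT_IP"], row["USER_AGENT"]
        if ip in ip_iocs:
            reasons.append(f"ip listed for {ip_iocs[ip]}")
            strong = True
        if ua in SPECIFIC_UAS:
            reasons.append(f"user-agent {ua!r} is a listed tooling string")
            strong = True
        elif ua in GENERIC_UAS:
            reasons.append(f"user-agent {ua!r} matches a listed library default")
        if not reasons:
            continue  # nothing on this row touches the IOC lists
        bulk = int(row["ROWS_PROCESSED"]) >= BULK_ROW_THRESHOLD
        if bulk:
            reasons.append(f"{row['ROWS_PROCESSED']} rows in one request")
        if strong:
            confidence = "high"
        elif bulk:
            confidence = "medium"   # generic UA plus bulk extraction: worth a look
        else:
            confidence = "low"      # generic UA alone: verify before acting
        hits.append(Hit(row["USER_NAME"], ip, confidence, reasons))
    return hits


# Constructed sample rows (not real telemetry); columns are simplified.
SAMPLE_LOG = """TIMESTAMP,EVENT_TYPE,USER_NAME,CLIENT_IP,USER_AGENT,ROWS_PROCESSED
2025-08-09T02:11:05Z,API,alice@example.com,185.220.101.33,Salesforce-Multi-Org-Fetcher/1.0,50000
2025-08-09T02:15:40Z,API,bob@example.com,203.0.113.7,python-requests/2.32.4,120
2025-08-09T02:20:12Z,BulkApi,carol@example.com,203.0.113.9,python-requests/2.32.4,250000
2025-08-09T09:00:00Z,UI,dave@example.com,198.51.100.4,Mozilla/5.0 (Windows NT 10.0),1
2025-08-09T10:00:00Z,API,erin@example.com,64.95.11.225,sfdx cli/2.0,10
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.confidence:6} {h.user:18} {h.client_ip:16} " + "; ".join(h.reasons))
```

Run against the sample, alice and erin come out high (listed IP, and for alice also a forged tooling user-agent), carol medium (library default user-agent combined with a 250,000-row pull), bob low (library default alone), and dave is not reported. The split matters operationally: high and medium hits justify revoking the user's OAuth tokens and pulling the Connected App that issued them, while a low hit is a prompt to check whether the script is a known integration before anyone touches production access.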
Fluidity of Threat Groups and Ongoing Risks
Threat intelligence shows UNC6040's activity overlaps with "ShinyHunters" and links to the larger "Scattered LAPSUS$ Hunters" Telegram community, which openly advertises data leaks and ransomware tooling. Takedowns and announced retirements of these groups are typically followed by a re-emergence under a new name, so vigilance has to be ongoing rather than tied to any one label.
Practical Defensive Measures Recommended by the FBI
Enhanced Security Awareness: Train help desk and call center staff specifically on vishing and app-authorization fraud, including the pattern of a caller walking them through approving a Connected App or entering a code on a setup page.
Phishing-Resistant MFA: Enforce phishing-resistant multi-factor authentication across all cloud platforms, and continuously monitor API and integration activity, since an OAuth token obtained through a consent grant is not stopped by MFA after the fact.
Vetting and Credential Hygiene: Rotate credentials and OAuth tokens regularly, thoroughly vet every third-party app integration before it is authorized, and treat any authorization request that arrives by phone as suspect until verified through a separate channel.
Rapid Incident Response: Maintain and exercise playbooks for compromised integrations, including revoking the integration's tokens and assessing downstream SaaS platforms and users the integration could reach.