How a Sophisticated Voice Phishing Campaign is Breaching CRM Defenses Across Global Enterprises
Google’s Threat Intelligence Group (GTIG) has sounded the alarm over a rising wave of cyberattacks targeting multinational corporations through a clever blend of social engineering and technical exploitation. These attacks, allegedly conducted by individuals claiming to be part of the notorious ShinyHunters extortion group, leverage Salesforce’s own Data Loader tool as the entry point to compromise sensitive enterprise data. By impersonating internal IT staff, attackers are tricking employees into unwittingly granting access to their organization’s Salesforce environment, initiating a cascade of data breaches across interconnected platforms like Okta, Microsoft 365, and Workplace.
Inside the Attack: How Hackers Weaponize Salesforce to Infiltrate Corporate Networks
In a newly released report, Google’s GTIG identifies a threat cluster dubbed UNC6040 as the main perpetrator behind a surge in social engineering campaigns targeting English-speaking employees. The attackers use voice phishing—also known as vishing—to impersonate IT support staff, persuading victims to connect a compromised version of Salesforce’s Data Loader tool to their CRM environment.
The method is deceptively simple but effective. Once the victim installs the Data Loader and enters a connection code supplied by the attacker, the tool links directly to Salesforce through OAuth-enabled “connected apps.” The attackers then exploit the permissions granted to exfiltrate sensitive data, not only from Salesforce but also from linked services like Okta, Microsoft 365, and Workplace.
In one notable tactic, the malicious app is renamed to appear legitimate—like “My Ticket Portal”—to blend seamlessly with the company’s software ecosystem. Victims, thinking they are resolving an IT ticket, unknowingly open a gateway for data theft.
Google’s GTIG notes that this threat group is financially motivated and quick to act. Once inside, UNC6040 immediately extracts data and begins lateral movement across connected systems. Although some attacks were halted mid-operation by automated defenses, the group adapted by tweaking data packet sizes and rerouting traffic through Mullvad VPN to evade detection.
Interestingly, the attackers sometimes delay their extortion attempts by months, later demanding ransoms while claiming affiliation with ShinyHunters, a well-known hacking group infamous for high-profile data thefts. These claims may serve to heighten the pressure on victims, although it’s unclear whether UNC6040 is directly linked to ShinyHunters or simply borrowing their name for leverage.
To defend against such intrusions, Google advises organizations to restrict API access, limit third-party app installations, and block traffic from commercial VPNs like Mullvad.
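As an added illustration of the controls Google recommends above (this is example code, not from GTIG, Salesforce or this article), the following Python triage pass runs over constructed Salesforce-style API session records. The field names, the approved-app allow-list and the VPN ASN values are assumptions; it flags connected apps outside the allow-list (including a renamed Data Loader such as "My Ticket Portal"), sessions arriving from commercial VPN ranges, and export volumes that only become suspicious once chunked sessions are summed per user.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed allow-list: connected apps IT has vetted. Anything else is suspect.
APPROVED_APPS = {"Salesforce for Outlook", "Data Loader (IT-managed)"}
# Constructed placeholder ASNs standing in for commercial VPN egress ranges.
VPN_ASNS = {"AS-VPN-PLACEHOLDER"}
BULK_THRESHOLD = 50_000  # records exported per user before a review is triggered


@dataclass
class ApiSession:
    user: str
    app: str             # connected-app name as shown in login history (assumed field)
    asn: str             # assumed to be pre-enriched from the source IP
    records_pulled: int  # rows returned by API queries in this session


def looks_like_data_loader(app: str) -> bool:
    return "data loader" in app.lower()


def assess(sessions):
    """Return (user, app, reasons) for sessions matching the vishing-to-Data-Loader pattern."""
    alerts = []
    pulled = defaultdict(int)  # running total per user: catches exports split into small chunks
    for s in sessions:
        reasons = []
        if s.app not in APPROVED_APPS:
            kind = "Data Loader" if looks_like_data_loader(s.app) else "connected app"
            reasons.append(f"unapproved {kind}")
        if s.asn in VPN_ASNS:
            reasons.append("commercial VPN egress")
        pulled[s.user] += s.records_pulled
        if pulled[s.user] > BULK_THRESHOLD:
            reasons.append("bulk export volume")
        if reasons:
            alerts.append((s.user, s.app, reasons))
    return alerts


# Constructed sample: one normal user, one renamed app over VPN, one chunked Data Loader export.
SAMPLE_SESSIONS = [
    ApiSession("alice", "Salesforce for Outlook", "AS-CORP", 120),
    ApiSession("bob", "My Ticket Portal", "AS-VPN-PLACEHOLDER", 80_000),
    ApiSession("dave", "Data Loader", "AS-ISP", 20_000),
    ApiSession("dave", "Data Loader", "AS-ISP", 20_000),
    ApiSession("dave", "Data Loader", "AS-ISP", 20_000),
]
```

Running `assess(SAMPLE_SESSIONS)` leaves alice untouched, flags bob on all three criteria, and flags dave's third session for volume even though each individual chunk stayed under the threshold.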
What Undercode Says:
The tactics used by UNC6040 highlight a growing evolution in cybercrime strategies. Gone are the days when malware or brute-force attacks dominated the threat landscape. Today, attackers are focusing on exploiting trust—one of the most fundamental human vulnerabilities. By impersonating internal staff, they sidestep technical barriers and infiltrate systems through human error.
Salesforce, like many cloud-based platforms, is trusted by millions of users and enterprises. It’s this trust that becomes the attack surface. When a CRM tool becomes the entry point for widespread data theft, it calls for a serious re-evaluation of how permissions and third-party integrations are handled.
The abuse of OAuth and connected apps is particularly concerning. These integrations are meant to streamline workflows and improve efficiency, yet they’re now being hijacked to facilitate mass data extraction. Once the attackers gain a foothold, they move laterally, effectively treating the company’s cloud infrastructure like an open network. Platforms like Okta and Microsoft 365, which contain sensitive communications and authentication tokens, become the next easy target.
Another notable strategy is the delay in extortion attempts. By waiting months before demanding a ransom, the attackers increase their chances of avoiding detection. It also suggests a more industrialized approach to cybercrime, where access and data are commoditized and sold off or exploited in phases.
Claiming affiliation with ShinyHunters might be psychological warfare. Whether true or false, the mention of a well-known hacking group raises the stakes for targeted organizations. It’s a fear tactic designed to push companies into rapid, quiet settlements.
The use of Mullvad VPN further complicates attribution and detection. By masking their traffic, attackers avoid IP-based blocklists and surveillance. It’s a textbook example of how modern threat actors blend social engineering, technical expertise, and anonymization tools to execute multi-stage attacks.
For organizations, the lesson is clear: trust no process blindly. Even internal requests for tool installations should be scrutinized. Every integration must be vetted, and permissions must be tightly controlled. Endpoint verification, real-time threat monitoring, and strict access controls aren’t just optional anymore—they’re critical.
Fact Checker Results:
✅ Social engineering is the primary method used by attackers, confirmed by GTIG
✅ Data exfiltration is conducted via a modified Salesforce Data Loader
✅ Delayed extortion claims are likely used to increase psychological pressure on victims
Prediction:
As threat actors become more sophisticated in mimicking internal operations and exploiting cloud-based platforms, future attacks will likely expand to include AI-generated voices and even deepfake video calls to enhance social engineering tactics. Enterprises relying heavily on SaaS platforms will be forced to adopt zero-trust architecture models, automating verification at every level. Furthermore, attribution will become increasingly difficult, and partnerships between cybercrime groups will blur the lines of responsibility, making legal and cybersecurity responses more complex. Expect to see increased investment in behavioral analytics and identity threat detection technologies across major corporations.
References:
Reported By: www.bleepingcomputer.com