The cybercriminal collective known as Scattered Lapsus$ Hunters has intensified their extortion efforts by launching a dedicated leak portal aimed at publishing stolen Salesforce data.
This alliance, which includes prominent threat actors such as ShinyHunters, Scattered Spider, and Lapsus$, represents a new level of sophistication in ransomware-as-a-service operations, specifically targeting one of the most widely used customer relationship management (CRM) platforms worldwide.
Consolidation of Cybercriminal Expertise
The group’s emergence highlights the merging of skills and knowledge from multiple established threat actors, creating a highly organized and specialized cybercriminal network. Their coordinated operations focus on high-value targets capable of yielding significant ransom payments.
Targeting Salesforce specifically demonstrates their awareness of the platform’s business-critical importance and the sensitivity of customer data stored within it.
TOR-Based Extortion Portal
Operating through the Tor onion network, the leak site lists affected Salesforce clients alongside claims of data exfiltrated during attacks. According to UpGuard analysts, the site threatens organizations with public disclosure unless ransom demands are met, initially setting a deadline of October 10th, 2025.
This marks a worrying trend in the commercialization of stolen data, turning confidential information into a tool for systematic extortion.
Sophisticated Attack Techniques
The campaign relies on advanced tactics, primarily exploiting human vulnerabilities rather than technical flaws. Threat actors used social engineering and vishing, impersonating IT support staff to trick authorized users into installing malicious Salesforce integrations, granting attackers API-level access.
OAuth Token Exploitation and Persistence
The most complex attack vector involved compromising Salesloft’s GitHub repositories to obtain valid OAuth integration tokens. These tokens provided persistent access to connected Salesforce environments.
After gaining entry into Salesloft’s corporate GitHub account, attackers downloaded repository contents, created unauthorized user accounts, and established workflows to maintain long-term access. Embedded AWS credentials enabled lateral movement across Salesloft Drift’s cloud infrastructure, allowing exfiltration of OAuth tokens belonging to clients.
By turning legitimate integration tokens into tools for widespread data theft, attackers leveraged the interconnected nature of modern SaaS platforms. Because this persistence mechanism rode on the official OAuth authorization framework, the resulting activity looked like normal integration traffic, making detection difficult for security teams. Even when the initial access point is discovered, attackers can retain control through tokens that are still valid, underlining the importance of thorough token monitoring and management in enterprise systems.
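The foothold described above began with credentials sitting in source repositories, which is exactly what a repository secret scan on a fresh clone or in CI is meant to catch before an attacker does. The following scanner is an added example, not UpGuard's, Salesforce's or Salesloft's code; the config lines it scans are constructed, and the AWS values in them are the placeholders from AWS's own documentation rather than real credentials.

```python
"""Scan a repository checkout for committed cloud credentials (added example)."""
import math
import re
from collections import Counter
from pathlib import Path

# AWS access key IDs have a fixed, documented shape: AKIA (long-term) or
# ASIA (temporary) followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Any value assigned to a variable whose name suggests a credential.
# The value pattern is deliberately loose; the entropy test prunes it.
ASSIGNED_SECRET = re.compile(
    r"(?i)\b([a-z_]*(?:secret|token|password|api_key)[a-z_]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)

def shannon_entropy(value: str) -> float:
    """Bits per character: random secrets score high, plain words score low."""
    counts, n = Counter(value), len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def redact(value: str) -> str:
    """Keep a short prefix so a finding can be triaged without re-leaking it."""
    return value[:4] + "..." + "*" * (len(value) - 4)

def scan_text(text: str, path: str = "<memory>", min_entropy: float = 3.5):
    """Return (path, line_no, kind, redacted_value) for each suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", redact(m.group())))
        for m in ASSIGNED_SECRET.finditer(line):
            name, value = m.group(1), m.group(2)
            if shannon_entropy(value) >= min_entropy:  # drop placeholders
                findings.append((path, line_no, f"assigned:{name}", redact(value)))
    return findings

def scan_tree(root: str):
    """Walk a checkout, skipping .git and binary files, and scan each text file."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            try:
                findings += scan_text(p.read_text(encoding="utf-8"), str(p))
            except UnicodeDecodeError:
                continue  # binary blob, not source
    return findings

# Constructed sample config; the AWS values are AWS documentation placeholders.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
token_url = "https://login.example.com/services/oauth2/token"
secret_key = "changeme_changeme_changeme"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "constructed_config.env"):
        print(*finding)
```

Lines 1 and 2 of the sample are reported; the OAuth endpoint URL and the low-entropy placeholder on lines 3 and 4 are not, which is the trade-off an entropy threshold buys.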