
UNC6395 Salesforce support-case credential-hunting campaign

Campaign
Happening score: 44
1 unique source, 1 article

Summary


The UNC6395 campaign is actively harvesting Salesforce support cases to find credentials and secrets that can unlock follow-on cloud access. The operation matters because the stolen material can be reused to pivot into other services and widen compromise across many organizations. The activity has involved mass exfiltration from Salesforce objects and automated searching for tokens, passwords, and cloud secrets. Operators also deleted queries and used Tor to hide the collection effort.

Related Happenings

BlackFile vishing extortion campaign targeting retail and hospitality organizations

Campaign
First: 24.04.2026 21:26 Last: 24.04.2026 21:26 Sources 1

About this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...

UNC6783 BPO compromise campaign targeting downstream companies

Campaign
First: 09.04.2026 00:46 Last: 09.04.2026 00:46 Sources 1

About this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...

Storm infostealer server-side decryption activity

Malware Activity
First: 02.04.2026 17:15 Last: 02.04.2026 17:15 Sources 1

About this happening: The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...

Storm-2561 SEO-poisoning VPN credential-theft campaign

Campaign
First: 13.03.2026 15:38 Last: 13.03.2026 15:38 Sources 1

About this happening: The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...

ShinyHunters voice-phishing campaign targeting SSO accounts for extortion

Campaign
First: 24.01.2026 01:35 Last: 24.01.2026 01:35 Sources 1

About this happening: A **ShinyHunters**-linked extortion campaign is using **voice phishing** to target **Salesforce customers** and steal data for ransom, with the operation first surfacing in **May...

Latest development: 27.04.2026 17:43

ShinyHunters breached ADT after compromising an employee's Okta single sign-on (SSO) account in a vishing attack, then used that access to reach ADT's Salesforce instance and steal data. Have I Been Pwned said the exposed data affected 5.5 million people and included names, phone numbers, addresses, and in a small percentage of cases dates of birth and partial Social Security numbers or Tax IDs; the group later leaked an 11GB archive after extortion failed.

Timeline

  1. 02.09.2025 15:00 2 articles · 8mo ago

    UNC6395 targets Salesforce support cases for credentials

    Campaign Scope Update

    UNC6395 targeted Salesforce support cases and related Salesforce objects to mass-exfiltrate data, then searched the stolen material for AWS access keys (AKIA), Snowflake tokens, VPN and SSO login strings, and keywords such as password, secret, and key. Palo Alto Networks said the exposed material in its own environment was limited to Salesforce CRM data, including business contact and related account information, internal sales account records, and basic case data, and that the attacker used automated Python tooling, deleted queries, and Tor to hide the collection effort.
