UNC6040 / ShinyHunters Salesforce vishing campaign
Campaign
Summary
UNC6040 / ShinyHunters is running a vishing-based Salesforce campaign that has now been tied to Workiva. Workiva said attackers used a third-party CRM system to steal a limited set of business contact information from some customers, while the Workiva platform itself was not accessed or compromised. The campaign has also hit other large organizations, and the stolen data can support spear-phishing and follow-on extortion.
Related Happenings
UNC6692 email bombing and Microsoft Teams impersonation campaign
Campaign
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
DPRK-linked cryptoasset theft campaign continuing into 2026
Campaign
First: 03.04.2026 11:35
Last: 03.04.2026 11:35
Sources 1
About this happening:
The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Timeline
02.10.2025 00:17 3 articles · 7mo ago
UNC6040 Salesforce vishing campaign and hardening guidance
Technical Analysis Update
Google and Mandiant describe UNC6040 as a vishing-driven campaign that has repeatedly compromised Salesforce instances, including Google's, by tricking employees into using a modified, unauthorized Salesforce Data Loader app or otherwise granting access. This enables credential theft, Salesforce data exfiltration, and possible lateral movement into Okta and Microsoft 365. Mandiant also recommends live video identity proofing, out-of-band verification for high-risk requests such as MFA resets, strict handling of third-party access requests, and a clear process for reporting suspicious communications.
Sources
- Google Sheds Light on ShinyHunters' Salesforce Tactics — www.darkreading.com — 02.10.2025 00:17
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40