SOCRadar named the 2025 Salesforce SaaS supply chain attack—attributed to the Scattered Lapsus$ Hunters (a Scattered Spider and ShinyHunters collaboration)—the top incident, exposing tens of millions of customer records and compromising OAuth tokens, CRM data, and support/travel records across technology, aviation, and luxury customers. Follow-up analysis of IoC lists from LevelBlue and Seqrite plus WHOIS, DNS Chronicle and other feeds identified 39 initial IoCs and uncovered 8,318 related artifacts including domains, IPs, email-connected domains and string-connected domains. #Salesforce #ScatteredLapsusHunters
Keypoints
- SOCRadar ranked the 2025 Salesforce SaaS supply chain attack—attributed to the Scattered Lapsus$ Hunters—as the top ransomware incident, with tens of millions of customer records exposed and OAuth tokens and CRM/support/travel data compromised.
- Researchers aggregated IoCs from LevelBlue and Seqrite and compiled five domains, 33 IP addresses, and three email addresses, analyzing 39 IoCs in total for further investigation.
- One domain (ticket-audemarspiguet[.]com) was registered with malicious intent on 20 June 2025—76 days before it was labeled as an IoC in the Seqrite report.
- Network telemetry showed 1,722 potential victim IP addresses communicated with 24 IP addresses identified as IoCs between 30 December 2025 and 30 January 2026.
- WHOIS and DNS Chronicle queries showed the three flagged domains were created between 20 and 29 June/September 2025 and produced 28 domain-to-IP resolutions collectively, with ticket-nike[.]com recording 20 resolutions.
- Further DNS and historical WHOIS analysis uncovered 405 email-connected domains (four weaponized), two additional malicious IPs (e.g., 104[.]21[.]78[.]124), 11 IP-connected domains and 7,900 string-connected (ticket-*) domains, totaling 8,318 new artifacts.
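The three pivots the key points describe (reverse WHOIS on registrant emails, reverse IP on resolved addresses, and a string search on the ticket-* naming pattern), shown as an added example that is not code from the SOCRadar or WhoisXML analysis; every domain, IP, email and date below is a constructed placeholder, and the labeling date is an assumption chosen to reproduce the 76-day lead time.

```python
"""Expand a seed IoC list into related infrastructure (constructed sample data)."""
from datetime import date

# Constructed seed IoCs (placeholders, not the report's values).
SEED_DOMAINS = {"ticket-brand-a.example", "ticket-brand-b.example"}
SEED_IPS = {"192.0.2.10", "192.0.2.11"}
SEED_EMAILS = {"registrant@mail.example"}

# Constructed historical WHOIS: domain -> (registrant email, ISO creation date).
WHOIS = {
    "ticket-brand-a.example": ("registrant@mail.example", "2025-06-20"),
    "ticket-brand-b.example": ("registrant@mail.example", "2025-06-29"),
    "join-call.example": ("registrant@mail.example", "2025-07-02"),
    "shop-legit.example": ("owner@other.example", "2019-01-05"),
}
# Constructed passive DNS: domain -> set of IPs it has resolved to.
PDNS = {
    "ticket-brand-a.example": {"192.0.2.10"},
    "join-call.example": {"192.0.2.11"},
    "cdn-shared.example": {"192.0.2.10", "198.51.100.7"},
    "shop-legit.example": {"203.0.113.5"},
}
# Constructed zone snapshot searched for the lure naming pattern.
ALL_DOMAINS = set(WHOIS) | set(PDNS) | {"ticket-escrow-x.example", "tickets-ok.example"}

def email_connected(emails, whois=WHOIS):
    """Reverse WHOIS: domains whose registrant email is itself a seed IoC."""
    return {d for d, (mail, _) in whois.items() if mail in emails}

def ip_connected(ips, pdns=PDNS):
    """Reverse IP: domains that have resolved to any seed IoC address."""
    return {d for d, resolved in pdns.items() if resolved & ips}

def string_connected(prefix, domains=ALL_DOMAINS):
    """String search: domains sharing the lure prefix (ticket-*), exact prefix only."""
    return {d for d in domains if d.startswith(prefix)}

def lead_time_days(domain, labeled_on, whois=WHOIS):
    """Days between registration and the (assumed) date the domain was flagged."""
    created = date.fromisoformat(whois[domain][1])
    return (date.fromisoformat(labeled_on) - created).days

def expand(seed_domains=SEED_DOMAINS, seed_ips=SEED_IPS, seed_emails=SEED_EMAILS):
    """Union of the three pivots, minus artifacts already on the seed list."""
    found = email_connected(seed_emails) | ip_connected(seed_ips) | string_connected("ticket-")
    return found - seed_domains
```

Shared hosting such as cdn-shared.example shows why IP-connected hits need a second signal (registrant, naming pattern, resolution timing) before they are treated as malicious.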
MITRE Techniques
- [T1078] Valid Accounts – Use of stolen OAuth tokens to access SaaS/CRM accounts and services (‘the threat actors got hold of OAuth tokens’)
- [T1566] Phishing – Use of phishing infrastructure and weaponized domains to deliver lures and collect credentials (‘Phishing’)
- [T1583] Acquire Infrastructure – Registration and use of malicious domains to support the campaign and host malicious content (‘registered with malicious intent’)
- [T1105] Ingress Tool Transfer – Distribution of malware through weaponized domains discovered in the string-connected and email-connected domain sets (‘malware distribution’)
- [T1041] Exfiltration – Large-scale exposure and likely exfiltration of CRM and customer records from affected Salesforce customers (‘exposed tens of millions of customer records’)
Indicators of Compromise
- [Domains] Initial IoCs and related malicious domains – ticket-audemarspiguet[.]com, ticket-nike[.]com, and 3 other domains from the compiled lists
- [IP addresses] IoC IP set and discovered additions – 208[.]68[.]36[.]90, 104[.]21[.]78[.]124, and 31 other initial IPs (33 initially identified, plus 2 additional IPs found later)
- [Email addresses] WHOIS/IoC email entries used for domain registrations – three email addresses were identified as IoCs (not publicly disclosed) and were validated as existing but unable to receive messages
- [Email-connected domains] Domains discovered via historical Reverse WHOIS tied to IoC emails – join-meets[.]com and 404 more email-connected domains (total 405 discovered; four weaponized)
- [String-connected domains] ticket- prefixed domains discovered via string search – ticket-aviata[.]info, ticket-escrow[.]com, and 7,898 additional ticket-* domains (total 7,900)
- [IP-connected domains] Domains resolved to IoC IPs discovered via Reverse IP queries – 11 unique IP-connected domains linked to the analyzed IPs (examples resolved from the 35 analyzed IPs)