Recent weeks have seen escalating data theft targeting Salesforce instances through supply chain attacks such as the Salesloft Drift incident attributed to UNC6395, with threat actors focused on exfiltrating Account, Contact, Case, and Opportunity records for financial gain. Telegram channels linked to groups like Muddled Libra/Scattered Spider and Bling Libra have promoted stolen data and a planned RaaS called “ShinySpider,” while law enforcement actions and Salesforce mitigations are expected to prompt shifts in tactics. #UNC6395 #Salesloft
Key points
- Salesloft Drift supply chain attack involved reconnaissance as early as March 2025 and is attributed by Google to UNC6395 targeting Salesforce data objects.
- Threat actors claim stolen customer data from Salesforce is being marketed via Telegram channels associated with Muddled Libra/Scattered Spider and Bling Libra, and a new RaaS “ShinySpider” was boasted about.
- Some Telegram channels have been banned or disabled, but many remain active and continue to facilitate extortion and sales of stolen data.
- Many actors are affiliated with “The Com,” a young, English-fluent group that relies heavily on social engineering rather than zero-day technical exploits.
- One Muddled Libra member received a 10-year federal prison sentence and $13M+ restitution, and recent UK arrests reportedly spooked threat actors.
- Salesforce will restrict use of uninstalled connected applications to hinder abuse of modified Data Loader and similar tools; attackers are expected to adapt tactics and target other platforms.
- Retail-focused cybercrime is shifting from POS/skimming monetization to RaaS and data theft extortion, with recommendations to join information-sharing groups like RH-ISAC and emphasize social engineering defenses.
MITRE Techniques
- [T1592] Gather Victim Network Information – Used for reconnaissance of Salesforce instances dating back to March 2025 (“may date as far back as March 2025 in terms of threat actor reconnaissance”).
- [T1005] Data from Local System – Exfiltration of Salesforce object records (Account, Contact, Case, Opportunity) to steal sensitive credentials and customer data (“stealing sensitive credentials and data from various Salesforce objects (Account, Contact, Case and Opportunity records)”).
- [T1192] Exploit Public-Facing Application – Supply chain compromise via Salesloft Drift allowed access to Salesforce tenants (“Fallout From Salesloft Drift Attack”; the supply chain attack enabled the data theft).
- [T1586] Compromise Third-Party Services – Abuse of third-party connected applications and modified Data Loader to access and exfiltrate data (“using a modified version of their Data Loader or other applications”).
- [T1598] Phishing for Information – Social engineering and vishing campaigns by Com-affiliated actors to manipulate people and processes rather than exploiting software vulnerabilities (“focus on exploiting inherent flaws within people and processes…social engineering activity”).
- [T1490] Inhibit System Recovery – Threat actors launching a RaaS and claiming high encryption speeds for extortion, implying the use of encryption or destruction to pressure victims (“claim…could reach encryption speeds of one GB per second”).
Indicators of Compromise
- [Threat Actor Names] Actors and affiliates observed – UNC6395, Muddled Libra (Scattered Spider), Bling Libra, UNC6040.
- [Tool/Application] Abused applications – modified Data Loader (used to access/exfiltrate Salesforce data) and uninstalled connected applications (Salesforce mitigation target).
- [Service/Platform] Compromise vectors – Salesloft Drift supply chain (supply chain attack), Telegram channels used for data sales and communication (some channels banned or disabled).
- [Campaign/RaaS] Named services – “ShinySpider” RaaS claimed by actors and referenced as a potential extortion/encryption capability.
Read more: https://unit42.paloaltonetworks.com/data-is-the-new-diamond-latest-moves-by-hackers-and-defenders/