Scattered Lapsus$ Hunters, a notable threat group previously linked to significant data breaches, has announced that it has compromised more than one billion records from Salesforce environments across the globe. This alarming disclosure highlights the evolving complexity of cyber threats faced by organizations relying on cloud services for operational efficiency.
Emerging in mid-2025, this group has refined its methodologies to capitalize on vulnerabilities, particularly through exploiting misconfigurations in cloud identities and exposed APIs. The first indicators of the breach surfaced when numerous Salesforce clients reported unusual queries against their customer relationship management (CRM) systems during late-night hours, hinting at the use of automated extraction tools designed for data theft.
As investigation logs accumulated, cybersecurity professionals recognized that the breadth of data accessed far surpassed earlier breaches, underscoring both the scale and severity of this incident. Reports indicate that the attackers employed a combination of targeted phishing techniques and credential stuffing attacks to secure initial access to their victims’ systems, illustrating the group’s sophisticated tactics.
Victims reported receiving seemingly legitimate emails that prompted them to undertake essential security updates. However, these updates contained a malicious Office macro capable of executing code that established contact with a remote command-and-control server, leading to the installation of a lightweight data loader. Analysts from Palo Alto Networks confirmed that this loader, developed in Go, was intentionally designed to complicate reverse engineering efforts, showcasing the attackers’ technical prowess.
The identified loader verified API tokens and initiated a multi-faceted data collection process. The repercussions of the breach extend beyond mere exposure of personal data, as sensitive information such as proprietary sales strategies, pipeline forecasts, and confidential client negotiations now lie at risk, significantly impacting businesses that depend on Salesforce for essential operations.
Initial assessments suggest that the group may have been extracting data at an unprecedented rate of over 500 gigabytes per hour, utilizing encrypted channels for data transmission to evade detection. The attackers exhibited advanced proficiency in using MITRE ATT&CK tactics, employing strategies from initial access through persistent mechanisms to ensure ongoing data exfiltration.
The infection mechanism reflects a calculated emphasis on stealth and durability. Upon executing the malicious macro, a PowerShell script stager is triggered, designed to assess the environment for sandbox indicators before retrieving the complete loader. This loader then decrypts credentials stored in the Windows Credential Manager, allowing it to authenticate to Salesforce’s REST API utilizing the minimum necessary privileges.
Once authenticated, the malware enumerates object schemas and assembles SOQL queries for record retrieval, processing these records in batches that are encrypted using the ChaCha20 algorithm before transmission. To maintain persistence, the malware schedules a task named “UpdaterSvc” that runs bi-hourly to verify the loader’s integrity and resume data extraction, illustrating the group’s meticulous strategy for maintaining access.
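The behaviours described above (off-hours queries, many objects enumerated, records pulled in large batches) leave a footprint in Salesforce API event logs. The following detection is an added example written for this article, not code from the report or from any vendor: it takes a small constructed log in a CSV shape loosely modelled on Salesforce EventLogFile API rows (the column names and thresholds are assumptions for illustration, not a verified schema) and flags any user whose query activity in a single hour is both outside business hours and unusually large, or touches an unusually broad set of objects.

```python
"""Flag off-hours bulk SOQL extraction in Salesforce-style API event logs (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows, invented for this example. The column names are an
# approximation of Salesforce EventLogFile "API" fields, assumed rather than verified.
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_NAME,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP
2025-10-03T10:15:02Z,ana@example.com,query,Account,200,203.0.113.10
2025-10-03T10:16:40Z,ana@example.com,query,Opportunity,150,203.0.113.10
2025-10-03T02:01:11Z,svc-integration@example.com,query,Account,2000,198.51.100.7
2025-10-03T02:04:53Z,svc-integration@example.com,query,Contact,2000,198.51.100.7
2025-10-03T02:08:19Z,svc-integration@example.com,query,Opportunity,2000,198.51.100.7
2025-10-03T02:12:45Z,svc-integration@example.com,query,Lead,2000,198.51.100.7
2025-10-03T02:15:00Z,svc-integration@example.com,query,Case,2000,198.51.100.7
2025-10-03T02:19:30Z,svc-integration@example.com,query,Task,2000,198.51.100.7
2025-10-03T23:40:00Z,bob@example.com,query,Contact,50,203.0.113.22
"""

# Assumed tuning values; a real deployment would derive these from a per-user baseline.
BUSINESS_HOURS = (6, 20)         # [start, end) hour of the working day, log timestamps are UTC
OFF_HOURS_ROW_THRESHOLD = 5000   # rows returned to one user within one off-hours hour
ENTITY_BREADTH_THRESHOLD = 4     # distinct objects queried by one user within one hour


def parse_events(text):
    """Parse CSV log text into a list of normalized event dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": row["USER_NAME"],
            "method": row["METHOD_NAME"].lower(),
            "entity": row["ENTITY_NAME"],
            "rows": int(row["ROWS_PROCESSED"]),
            "ip": row["CLIENT_IP"],
        })
    return events


def is_off_hours(ts, window=BUSINESS_HOURS):
    """True when the timestamp's hour falls outside the assumed business window."""
    start, end = window
    return not (start <= ts.hour < end)


def find_bulk_off_hours_extraction(events):
    """Aggregate query events per (user, day, hour) and return findings with reasons."""
    buckets = defaultdict(lambda: {"rows": 0, "entities": set(), "ips": set()})
    for e in events:
        if e["method"] != "query":      # only read-side record retrieval is of interest here
            continue
        b = buckets[(e["user"], e["ts"].date(), e["ts"].hour)]
        b["rows"] += e["rows"]
        b["entities"].add(e["entity"])
        b["ips"].add(e["ip"])

    findings = []
    for (user, day, hour), b in sorted(buckets.items()):
        reasons = []
        off_hours = is_off_hours(datetime(day.year, day.month, day.day, hour))
        if off_hours and b["rows"] >= OFF_HOURS_ROW_THRESHOLD:
            reasons.append(f"{b['rows']} rows queried outside business hours")
        if len(b["entities"]) >= ENTITY_BREADTH_THRESHOLD:
            reasons.append(f"{len(b['entities'])} distinct objects enumerated in one hour")
        if reasons:
            findings.append({
                "user": user,
                "window": f"{day}T{hour:02d}:00Z",
                "rows": b["rows"],
                "entities": len(b["entities"]),
                "source_ips": sorted(b["ips"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_bulk_off_hours_extraction(parse_events(SAMPLE_LOG)):
        print(f["user"], f["window"], "; ".join(f["reasons"]), f["source_ips"])
```

On the constructed sample the integration account is the only user flagged: twelve thousand rows across six objects in a single early-morning hour, from one source address, which is the pattern the article attributes to the group's automated extraction. Service accounts are deliberately not exempted, since a credential decrypted from a workstation's credential store would typically be exactly that kind of identity; the useful follow-up is to compare the flagged window against that account's historical baseline and the IP ranges it is expected to use.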
Scattered Lapsus$ Hunters’ methodical approach to API rate-limit evasion and credential harvesting indicates a sophisticated understanding of contemporary cloud environments. By merging intricate social engineering with custom tooling and a commitment to persistent operations, the group has demonstrated its capacity to breach enterprise Salesforce implementations on a massive scale.
Businesses utilizing Salesforce must remain vigilant, reassessing their security postures and implementing robust defenses against this rising threat. The implications of operational disruptions and reputational damage from such breaches cannot be overstated.