Risky Bulletin Newsletter
June 06, 2025
Risky Bulletin: APTeens go after Salesforce data
A new hacking group that spawned out of TheCom has breached over 20 companies and stolen their Salesforce data for extortion attempts.
The group, which Google calls UNC6040, operates by calling employees at large companies and posing as their IT support—a now tried and tested technique that's being abused by multiple other threat actors.
The end goal is to get victims to install a modified version of the Salesforce Data Loader app that grants the group's members access to a company's Salesforce backend databases.