Executive Summary

A new threat group, Scattered Lapsus$ Hunters, has publicly surfaced, claiming an affiliation with notorious groups like Scattered Spider, Lapsus$, and ShinyHunters. On the weekend of October 4-5, 2025, the group launched a dark web data leak site listing 39 high-profile organizations as victims of a large-scale data breach. The targeted data allegedly originates from the victims' Salesforce environments. The list of victims includes major brands like Cisco, Toyota, and Marriott. The group claims to have stolen nearly one billion records containing sensitive PII and has set an October 10, 2025, deadline for ransom negotiations. In a novel extortion tactic, the group has also demanded payment from Salesforce itself to prevent the data of the 39 victims from being leaked. The initial vector is believed to be social engineering, specifically vishing attacks targeting IT support staff to gain access to user credentials.

Threat Overview

Scattered Lapsus$ Hunters represents a potential evolution of social engineering-focused threat actors, combining the tactics of several infamous groups. Their primary objective is data theft for financial extortion. The current campaign targets organizations that rely on Salesforce for customer relationship management and other business functions. The group's decision to create a public leak site and engage in multi-pronged extortion (targeting both the victims and their software vendor) indicates a high degree of confidence and a desire for maximum psychological impact.

Attack Methodology

Based on reports and the known TTPs of the alleged affiliate groups, the attack likely follows this pattern:

1. Reconnaissance: The attackers identify employees at target organizations, particularly those with privileged access, using professional networking sites and data broker services. (T1592 - Gather Victim Host Information)
2. Initial Access: The group conducts vishing (voice phishing) attacks, impersonating IT help desk staff to trick employees into revealing their credentials or approving multi-factor authentication (MFA) prompts. (T1566.004 - Spearphishing Voice)
3. Credential Access: Once credentials are obtained, the attackers log into the victim's Salesforce instance and other connected corporate applications. (T1078 - Valid Accounts)
4. Exfiltration: The group exfiltrates large volumes of data, focusing on sensitive PII like Social Security numbers, driver's licenses, and dates of birth. (T1530 - Data from Cloud Storage Object)
5. Impact: The stolen data is listed on a public leak site to pressure victims into paying a ransom. The group employs a double-extortion strategy, threatening to release the data if payment is not made. (T1657 - Financial Extortion)

Technical Analysis

While Salesforce denies any vulnerability in its platform, the attack highlights the persistent threat of identity-based attacks. The success of this campaign hinges on the exploitation of the human element rather than software flaws. The TTPs are consistent with Scattered Spider and Lapsus$, who are known for their expertise in social engineering and bypassing MFA.

This incident underscores that even secure cloud platforms like Salesforce can be compromised if the identities and credentials used to access them are stolen. The perimeter has shifted from the network to the user's identity.

Impact Assessment

The potential impact is massive, affecting 39 major global corporations and their customers. The alleged theft of one billion records containing sensitive PII could lead to widespread identity theft and fraud. For the affected companies, the consequences include:

• Regulatory Fines: Significant penalties under regulations like GDPR and CCPA for failing to protect customer data.
• Litigation: The threat actors have explicitly stated they will cooperate with law firms, opening the door to class-action lawsuits.
• Reputational Damage: Being named on a public leak site causes immediate and lasting harm to a brand's reputation.
• Financial Loss: Costs will include incident response, legal fees, customer notifications, credit monitoring for affected individuals, and potentially the ransom payment.

Cyber Observables for Detection

Detection of this activity focuses on identity and access management logs and user behavior analytics.

Detection & Response

Defending against this requires a focus on identity security and employee awareness.

Detection Strategies

1. Identity Analytics: Implement User and Entity Behavior Analytics (UEBA) to detect anomalous login patterns. This aligns with D3FEND's User Geolocation Logon Pattern Analysis.
2. MFA Monitoring: Monitor for and alert on