In June 2025, Google’s Threat Intelligence Group (GTIG) publicly documented a financially motivated threat cluster, UNC6040, that specializes in voice‑phishing (vishing) to compromise enterprise Salesforce instances at scale.
Let’s take a closer look at what exactly vishing is, and how UNC6040, aka ShinyHunters, operated during this attack.
Attackers use phone calls, often with spoofed caller ID, to impersonate IT, help desk, HR, vendors, or even executives.
The goal is to create urgency and nudge employees into taking actions such as approving MFA prompts, sharing one-time codes, installing remote tools, or resetting access.
There are a few types of vishing commonly employed by malicious actors:
The core technique used in this attack follows the typical vishing flow, aiming to convince employees over the phone, often while impersonating IT support, to authorize a malicious or actor‑controlled Salesforce connected app, frequently presented as a modified or rebranded ‘Data Loader’ tool.
The authorization grants API-level access, which adversaries then use to query and bulk-export CRM data.
Months later, ShinyHunters, an associated extortion group identified by Google as UNC6240, emerged.
Pretexted phone call (“IT support”) and reconnaissance: Operators often utilize both publicly available information and internal cues to establish trust and credibility with their targets.
Guided authorization of a malicious connected app: During the call, the employee is directed to the Salesforce connected app setup page (e.g., login.salesforce.com/setup/connect) to approve an app that appears to be Data Loader (or a renamed version such as ‘My Ticket Portal’).
Bulk data exfiltration via API: With OAuth access and API‑enabled privileges, the actor enumerates objects and exports records at scale.
Infrastructure and credential capture: GTIG reports the use of Mullvad VPN and Tor for access, as well as actor-hosted credential/MFA capture panels used during the calls.
Extortion window (UNC6240): Weeks to months later, employees receive emails or calls demanding payment in Bitcoin.
Evolving tradecraft: Over time, actors transitioned from utilizing modified Data Loader binaries to developing custom Python collectors.
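The chain above (authorization of an unvetted connected app, then bulk export through the API shortly afterwards) is something a defender can look for in activity logs. The following is an added example, not code from GTIG or from the original spotlight. It runs a small rule set over constructed, simplified events: the field names (ts, user, type, app, rows, ip), the event types, the allowlist of approved connected apps and the row threshold are all assumptions chosen for illustration, not real Salesforce Event Monitoring fields.

```python
"""Flag the vishing-to-bulk-export pattern in simplified, constructed audit events.

Rules (all thresholds and names are assumptions for this example):
  1. unapproved_connected_app  - an OAuth authorization for an app outside the allowlist
  2. bulk_export_via_new_app   - large export through that app within WINDOW of the authorization
  3. high_volume_export        - large export through any app, regardless of how it was authorized
"""
from datetime import datetime, timedelta

# Constructed sample events with a hypothetical schema (not real Salesforce log fields).
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T09:05:00", "user": "jdoe",   "type": "OAUTH_APP_AUTHORIZED", "app": "My Ticket Portal",       "rows": 0,      "ip": "198.51.100.7"},
    {"ts": "2025-06-02T09:20:00", "user": "jdoe",   "type": "BULK_API_QUERY",       "app": "My Ticket Portal",       "rows": 250000, "ip": "198.51.100.7"},
    {"ts": "2025-06-02T09:45:00", "user": "jdoe",   "type": "BULK_API_QUERY",       "app": "My Ticket Portal",       "rows": 400000, "ip": "198.51.100.7"},
    {"ts": "2025-06-02T10:00:00", "user": "asmith", "type": "OAUTH_APP_AUTHORIZED", "app": "Salesforce Data Loader", "rows": 0,      "ip": "203.0.113.5"},
    {"ts": "2025-06-02T11:00:00", "user": "asmith", "type": "BULK_API_QUERY",       "app": "Salesforce Data Loader", "rows": 3000,   "ip": "203.0.113.5"},
    {"ts": "2025-06-03T08:00:00", "user": "bwong",  "type": "BULK_API_QUERY",       "app": "Salesforce Data Loader", "rows": 900000, "ip": "203.0.113.9"},
]

APPROVED_APPS = {"Salesforce Data Loader"}  # allowlist of vetted connected apps (assumption)
EXPORT_THRESHOLD = 100_000                  # rows exported that counts as "bulk" (assumption)
WINDOW = timedelta(hours=24)                # how long after authorization an export is tied to it


def detect(events, approved=APPROVED_APPS, threshold=EXPORT_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts; row counts accumulate per (user, app) over the input set."""
    alerts = []
    new_apps = {}   # (user, app) -> time an app outside the allowlist was authorized
    volume = {}     # (user, app) -> rows exported so far through that app
    fired = set()   # (user, app, rule) already alerted, so each rule fires once per pair

    for e in sorted(events, key=lambda ev: ev["ts"]):   # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(e["ts"])
        key = (e["user"], e["app"])

        if e["type"] == "OAUTH_APP_AUTHORIZED":
            if e["app"] not in approved:
                # Rule 1: the authorization itself is worth a ticket, before any data moves.
                alerts.append({"rule": "unapproved_connected_app", "user": e["user"],
                               "app": e["app"], "ts": e["ts"], "ip": e["ip"]})
                new_apps[key] = ts

        elif e["type"] == "BULK_API_QUERY":
            volume[key] = volume.get(key, 0) + e["rows"]
            if volume[key] < threshold:
                continue
            auth_ts = new_apps.get(key)
            # Rule 2 if the export follows a recent unapproved authorization, else rule 3.
            rule = ("bulk_export_via_new_app"
                    if auth_ts is not None and ts - auth_ts <= window
                    else "high_volume_export")
            if (key[0], key[1], rule) not in fired:
                fired.add((key[0], key[1], rule))
                alerts.append({"rule": rule, "user": e["user"], "app": e["app"],
                               "rows": volume[key], "ts": e["ts"], "ip": e["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample this yields three alerts: the authorization of "My Ticket Portal" by jdoe, the 250,000-row export through it fifteen minutes later, and a separate high-volume export by bwong through an approved app. The first rule is the cheapest and earliest signal: restricting which connected apps users may authorize, and alerting on any authorization outside that allowlist, catches the rebranded Data Loader before the export step.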
Dive into the spotlight above to learn everything you need to know about the UNC6040 threat group and this recent attack.