Update: FBI Warns of Salesforce Data Theft by UNC6040 and UNC6395
The FBI has issued a FLASH advisory warning that two active threat clusters, UNC6040 and UNC6395, are breaching Salesforce environments to steal data and extort victims.

UNC6040, first reported by Mandiant in June 2025, used vishing and social engineering to persuade employees to authorize malicious Salesforce Data Loader OAuth apps disguised as IT tools. Because the OAuth grant is made by a user who has already logged in, MFA on the account does not block it: once the user approves the connection, the app receives its own tokens. With those tokens the actors mass-exported the Account and Contact objects, and the data was later monetized through ShinyHunters' extortion operations. The impact has been extensive, with major global brands including Google, Adidas, Cisco, Allianz Life, Dior, and Tiffany & Co. affected, and the stolen customer data has been used to pressure victims into negotiations.

UNC6395 activity, observed in mid-August, traced back to Salesloft's compromised GitHub repositories, from which the actors obtained Drift OAuth access and refresh tokens. These tokens were abused to query Salesforce support case data, harvesting credentials, AWS keys, Snowflake tokens, and other authentication secrets that enabled lateral movement into broader cloud environments. Victims included high-value technology and security vendors such as Cloudflare, Zscaler, Proofpoint, CyberArk, Nutanix, and Palo Alto Networks.

Attribution points to overlaps between ShinyHunters, Scattered Spider, and Lapsus$ operators, who have since claimed responsibility. The FBI stresses that these campaigns highlight the growing abuse of OAuth integrations as a high-value attack vector. Organizations should revoke unused and unrecognized tokens, enable MFA, restrict which connected apps users may authorize and review every grant, and continuously monitor Salesforce and third-party integrations for anomalous access, in particular bulk reads of Account and Contact by an app that was only just authorized.
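The monitoring recommendation above is easier to act on with a concrete rule. The following is an added example, not code from the FBI advisory or from Mandiant, that flags a connected app which is not on an allowlist and bulk-reads Account or Contact records shortly after it is first seen for a user. The event shape (dicts with user, app, object, rows, ts) is a hypothetical normalization, not a real Salesforce log schema; the allowlist, threshold and sample events are constructed.

```python
"""Added example (not from the FBI FLASH or the Mandiant reports): flag a
connected app that bulk-exports Account/Contact records shortly after it is
first seen for a user.

Assumed event shape (hypothetical, not a real Salesforce log schema): dicts
with keys user, app, object, rows, ts (epoch seconds). In production the same
fields would be mapped from Salesforce Event Monitoring data."""
from collections import defaultdict
from dataclasses import dataclass

SENSITIVE_OBJECTS = {"Account", "Contact"}
ROW_THRESHOLD = 50_000        # rows per (user, app) inside the window
WINDOW_SECONDS = 3600
APPROVED_APPS = {"Corp Data Loader", "Reporting ETL"}   # constructed allowlist


@dataclass
class Alert:
    user: str
    app: str
    rows: int
    seconds_since_first_seen: int


def detect_rogue_exports(events, approved=APPROVED_APPS):
    """Return one Alert per (user, app) that is not on the allowlist and has
    read at least ROW_THRESHOLD rows of sensitive objects within
    WINDOW_SECONDS. Events may arrive out of order; they are sorted first."""
    events = sorted(events, key=lambda e: e["ts"])
    first_seen = {}                 # (user, app) -> ts of first event of any kind
    window = defaultdict(list)      # (user, app) -> [(ts, rows)] for sensitive reads
    alerts, alerted = [], set()
    for e in events:
        key = (e["user"], e["app"])
        first_seen.setdefault(key, e["ts"])
        if e["object"] not in SENSITIVE_OBJECTS:
            continue
        w = window[key]
        w.append((e["ts"], e["rows"]))
        # Slide the window: drop reads older than WINDOW_SECONDS.
        while w and e["ts"] - w[0][0] > WINDOW_SECONDS:
            w.pop(0)
        total = sum(rows for _, rows in w)
        if e["app"] not in approved and total >= ROW_THRESHOLD and key not in alerted:
            alerts.append(Alert(e["user"], e["app"], total, e["ts"] - first_seen[key]))
            alerted.add(key)
    return alerts


# Constructed sample: an approved ETL job, a low-volume unapproved app, and an
# app that appears for the first time and drains Account + Contact within minutes.
SAMPLE_EVENTS = [
    {"user": "etl.svc", "app": "Reporting ETL", "object": "Account", "rows": 120_000, "ts": 1_700_000_000},
    {"user": "j.doe", "app": "Mobile Sync", "object": "Contact", "rows": 40, "ts": 1_700_000_300},
    {"user": "a.smith", "app": "Data Loader (IT Support)", "object": "Case", "rows": 10, "ts": 1_700_003_600},
    {"user": "a.smith", "app": "Data Loader (IT Support)", "object": "Account", "rows": 35_000, "ts": 1_700_003_900},
    {"user": "a.smith", "app": "Data Loader (IT Support)", "object": "Contact", "rows": 28_000, "ts": 1_700_004_200},
]

if __name__ == "__main__":
    for a in detect_rogue_exports(SAMPLE_EVENTS):
        print(f"ALERT user={a.user} app={a.app!r} rows={a.rows} "
              f"first seen {a.seconds_since_first_seen}s earlier")
```

The approved ETL job reads far more rows than the threshold and is ignored; the unapproved app is flagged only once its reads of Account and Contact together cross the threshold, and the alert carries how recently the app first appeared for that user, which is the signal that separates a freshly authorized rogue app from a long-standing integration.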
VoidProxy Phishing-as-a-Service Targets Microsoft 365, Google, and Okta SSO
Okta Threat Intelligence researchers have identified VoidProxy, a newly operational Phishing-as-a-Service (PhaaS) platform built to compromise Microsoft 365 and Google accounts, including identities federated through Okta SSO. The platform uses adversary-in-the-middle (AitM) tactics to capture usernames, passwords, MFA codes, and session cookies in real time, which defeats any MFA factor that can be relayed. Campaigns typically begin with phishing lures sent from compromised accounts at legitimate Email Service Providers (ESPs), which lets the mail pass initial reputation checks. Victims are then redirected through several shortened links before arriving at attacker-controlled domains on disposable IP addresses, each fronted by Cloudflare. Targets are first presented with a Cloudflare CAPTCHA challenge, which both lends the page credibility and screens out automated analysis. VoidProxy then serves a phishing page tailored to the user's environment: a convincing replica of the Microsoft, Google, or Okta login portal. When credentials are entered, VoidProxy proxies the entire session to the legitimate service, harvesting the authentication artifacts in transit and capturing the session cookie the real service issues, which the operator then replays. This gives operators immediate access to the victim's account without triggering the usual failed-login alerts, and enables follow-on activity such as business email compromise (BEC), financial fraud, or data exfiltration. The service runs on ephemeral infrastructure hosted on dynamic DNS, with an admin panel where PhaaS customers configure campaigns, watch logins live, and export stolen data via webhook or Telegram integrations. Anti-analysis measures, including the multi-hop redirects, polymorphic page templates, and Cloudflare Workers, further complicate detection.
To defend against this threat, organizations should enforce phishing-resistant MFA (FIDO2/WebAuthn) on critical accounts, since a credential registered to the real login origin will not complete an authentication ceremony on the proxy's look-alike domain; restrict access to sensitive applications to managed endpoints; apply IP session binding to administrative consoles so that a cookie replayed from the operator's infrastructure is rejected; and require step-up re-authentication for high-risk actions. Together these keep the attacker from progressing even after the password and a relayable one-time code have been captured.
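To make the phishing-resistance argument concrete, here is an added example, not from Okta's report and not VoidProxy code, showing the relying-party side of a WebAuthn assertion check reduced to the binding checks an AitM proxy cannot satisfy. The relying party domain login.example.com, the challenge, client data and authenticator data are all constructed; signature verification, which runs over the same data after these checks, is left out because the origin and rpIdHash checks fail first. In a real browser the ceremony would not even start on the proxy's domain, since the browser refuses an rpId that is not a suffix of the current origin; the server-side check shown here is the backstop.

```python
"""Added example (not from Okta or VoidProxy): the relying-party checks in a
WebAuthn assertion that an adversary-in-the-middle proxy cannot pass.

Assumptions: RP_ID / EXPECTED_ORIGIN are constructed; client data and
authenticator data are built here in the shape the browser and authenticator
produce, not captured from a real device. Signature verification over
authData || SHA256(clientDataJSON) is omitted; it would run after these checks."""
import base64
import hashlib
import json
import os

RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_challenge() -> str:
    # Server-side: fresh random challenge stored against the login session.
    return b64url(os.urandom(32))


def browser_client_data(origin: str, challenge: str) -> bytes:
    # clientDataJSON as the *browser* builds it. `origin` is filled in by the
    # browser from the page the user is actually on; page JavaScript and the
    # proxy relaying the page cannot change it.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def authenticator_data(rp_id: str) -> bytes:
    # authenticatorData: rpIdHash (32) || flags (UP|UV = 0x05) || signCount (4)
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"


def verify_assertion(client_data_json: bytes, auth_data: bytes, issued_challenge: str):
    """Return (ok, reason). Checks are ordered as in the WebAuthn spec: ceremony
    type, challenge freshness, origin binding, rpIdHash, user presence."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"   # signature verification would follow here


def demo():
    """Legitimate login versus the same ceremony relayed through a proxy."""
    challenge = issue_challenge()
    auth = authenticator_data(RP_ID)
    legit = verify_assertion(browser_client_data(EXPECTED_ORIGIN, challenge), auth, challenge)
    # AitM case: the proxy forwards the RP's challenge verbatim, but the victim's
    # browser is on the proxy's look-alike domain and records that as the origin.
    phished = verify_assertion(
        browser_client_data("https://login.example-sso.net", challenge), auth, challenge)
    # Replay case: a captured assertion presented against a later challenge.
    replayed = verify_assertion(
        browser_client_data(EXPECTED_ORIGIN, challenge), auth, issue_challenge())
    return legit, phished, replayed


if __name__ == "__main__":
    for label, result in zip(("legitimate", "proxied", "replayed"), demo()):
        print(f"{label:11s} -> {result}")
```

Contrast this with a TOTP code or a push approval: both are just values the proxy can forward, so nothing in them tells the real service which origin the user typed them into.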
BlackNevas Ransomware: Global Operations and Technical Sophistication
BlackNevas has emerged as a major ransomware operator, running campaigns across Asia-Pacific, Europe, and North America. Primary targets are industrial and technology-heavy economies, including the U.S., South Korea, Thailand, the UK, Italy, and Japan. Unlike traditional Ransomware-as-a-Service (RaaS) groups, BlackNevas keeps full control over its infrastructure and uses its own data leak site and affiliate networks for double-extortion operations. Victims are pressured not only by file encryption but also by the threat of public exposure and underground resale of stolen data. The group's ransom notes demand contact within seven days and describe the operators as "professionals in file encryption and industrial espionage." On the technical front, BlackNevas uses hybrid AES-RSA encryption: each file is encrypted under its own symmetric key, that key is encrypted with the attacker's RSA public key, and the result is appended to the file as a metadata structure, so recovery requires the attacker's RSA private key. It supports multiple command-line modes to speed up deployment, evade defenses, and shut the system down after infection. Trial-recovery files are created as proof that decryption works, and runtime checks skip critical directories such as System32 while encrypting everything else. Encrypted files are identified by an appended 8-byte marker rather than a new file extension, so triage that keys on extensions will miss them; responders should inspect file trailers instead. Organizations must deploy EDR capable of spotting behavioral anomalies, restrict execution of unauthorized scripts and binaries, and run threat hunting focused on early-stage intrusion activity before BlackNevas' encryption is triggered.
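Because the marker is appended rather than expressed as an extension, a responder needs a trailer-aware scan to find encrypted files. The following is an added example, not BlackNevas code and not from the source analysis, that walks a directory tree, recognizes files by a trailing 8-byte marker, parses a simple appended trailer (RSA-wrapped per-file key plus its length), and adds a byte-entropy reading as a second signal. The marker value, the trailer layout, the .lock extension and the sample files are all constructed for the example; the real BlackNevas layout is not documented on this page.

```python
"""Added example (not BlackNevas code): find ransomware-encrypted files by an
appended 8-byte trailer marker instead of by file extension.

Assumed (hypothetical) layout per encrypted file:
    ciphertext || wrapped_key || u32le(len(wrapped_key)) || MARKER(8 bytes)
MARKER, WRAPPED_KEY_LEN, the ".lock" extension and the sample tree are
constructed for this example and are not the real BlackNevas values."""
import math
import os
import struct
import tempfile
from collections import Counter
from dataclasses import dataclass

MARKER = b"BNV\x00TRLR"      # constructed 8-byte marker
WRAPPED_KEY_LEN = 256        # size of an RSA-2048 wrapped key


@dataclass
class Finding:
    path: str
    wrapped_key_len: int
    entropy_bits_per_byte: float
    extension_unchanged: bool


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random/encrypted data sits close to 8.0, text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_trailer(blob: bytes):
    """Return (ciphertext, wrapped_key) if the blob ends in a well-formed
    trailer, else None. Length is bounds-checked so a truncated or forged
    trailer cannot slice outside the buffer."""
    if len(blob) < 12 or blob[-8:] != MARKER:
        return None
    (klen,) = struct.unpack("<I", blob[-12:-8])
    if klen == 0 or klen > len(blob) - 12:
        return None
    return blob[:-12 - klen], blob[-12 - klen:-12]


def scan_tree(root: str, known_ext=(".lock",)):
    """Walk `root` and report every file carrying the trailer, whatever its
    extension. `known_ext` lists extensions the note claims the malware uses,
    to show how many hits an extension-only search would have missed."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                blob = f.read()
            parsed = parse_trailer(blob)
            if parsed is None:
                continue
            ciphertext, wrapped = parsed
            findings.append(Finding(path, len(wrapped),
                                    round(shannon_entropy(ciphertext[:4096]), 2),
                                    not name.endswith(known_ext)))
    return findings


def build_sample_tree() -> str:
    """Constructed victim directory: two trailer-marked files (one keeps its
    original extension) and one clean text file."""
    root = tempfile.mkdtemp(prefix="bnv-sample-")

    def write_encrypted(name: str):
        ciphertext, wrapped = os.urandom(2048), os.urandom(WRAPPED_KEY_LEN)
        with open(os.path.join(root, name), "wb") as f:
            f.write(ciphertext + wrapped + struct.pack("<I", len(wrapped)) + MARKER)

    write_encrypted("q3-forecast.xlsx")        # marker only, extension untouched
    write_encrypted("hr-roster.docx.lock")     # extension also changed
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"quarterly planning notes\n" * 100)
    return root


if __name__ == "__main__":
    for fnd in scan_tree(build_sample_tree()):
        print(fnd)
```

In the sample tree an extension-based search would find one of the two encrypted files; the trailer scan finds both and reports the wrapped-key size, which is what tells you the per-file key is RSA-protected and that decryption without the private key is out of reach.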
Yurei Ransomware Emerges with ChaCha20 Encryption and Double-Extortion Tactics
A newly identified ransomware group, Yurei, has emerged with a rapid expansion strategy, attacking organizations in Sri Lanka, India, and Nigeria within days of its first observation on September 5, 2025. The group uses ChaCha20 encryption, PowerShell commands, and a double-extortion model that combines file encryption with exfiltration of sensitive data, threatening victims with both operational disruption and public exposure of the stolen data. The malware enumerates local and network drives, encrypts files in parallel for speed, appends the [.]Yurei extension, and attempts to set a custom ransom wallpaper via PowerShell. A coding error left the wallpaper feature broken, so infected systems fall back to a blank background instead of a visual ransom notice. Despite its ambitions, Yurei's developers show signs of limited technical maturity: they did not strip debugging symbols from the binary, which let researchers trace its origins easily, and, critically, they failed to delete Volume Shadow Copies (VSS), so some victims could restore data without paying. Encrypted files follow a structured format in which the per-file ChaCha20 key and nonce are protected with ECIES, so decryption without the attacker's private key is not feasible; the preserved shadow copies remain the notable weakness. Sample submissions from Moroccan IP addresses, Arabic comments in the ransom negotiation portal, and code overlaps suggest links to the SatanLockv2 ransomware family, indicating continuity with prior regional actors. Yurei's reliance on PowerShell abuse, Go-based compilation, and reuse of open-source malware shows how easily less-skilled operators can scale campaigns from existing codebases.
For defenders, Yurei underscores the urgency of defense-in-depth: keep VSS enabled but do not rely on it, since the shadow copies survived here only because of an attacker mistake and most ransomware deletes them; maintain tested offline or immutable backups; monitor for PowerShell anomalies such as shadow-copy deletion, recovery tampering, and wallpaper or registry changes; and prepare incident response processes for data-theft extortion, where restoring files does nothing about the data already taken.
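The PowerShell behaviors mentioned above are easy to enumerate as script-block patterns. The following is an added example, not from the Yurei analysis and not Yurei code, that classifies PowerShell script-block text (the kind logged under Event ID 4104) into ransomware-precursor tactics and groups hits per host, so that a Yurei-style wallpaper attempt and the shadow-copy deletion Yurei omitted both show up, and a host where recovery tampering was never seen is called out as a candidate for VSS restore. The record shape (host, ts, script) and the three sample script blocks are constructed.

```python
"""Added example (not from the Yurei analysis): classify PowerShell script-block
text into ransomware-precursor tactics and summarize per host.

Assumed record shape (hypothetical): dicts with keys host, ts, script. The
script blocks in SAMPLE_RECORDS are constructed, not captured from Yurei."""
import re
from collections import defaultdict

# (tactic label, regex over the script block text). Patterns cover the common
# command-line and WMI/cmdlet spellings of each behaviour.
RULES = [
    ("shadow_copy_delete", re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy.*?(?:Remove-WmiObject|Remove-CimInstance|\.Delete\(\))",
        re.I | re.S)),
    ("recovery_disable", re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"
        r"|wbadmin(?:\.exe)?\s+delete\s+catalog",
        re.I)),
    ("wallpaper_change", re.compile(
        r"Control Panel\\Desktop.*?Wallpaper|SystemParametersInfo|UpdatePerUserSystemParameters",
        re.I | re.S)),
    ("log_clearing", re.compile(r"wevtutil(?:\.exe)?\s+cl\s|Clear-EventLog", re.I)),
]


def classify_block(script: str):
    """Set of tactic labels whose pattern appears in one script block."""
    return {label for label, rx in RULES if rx.search(script)}


def triage(records):
    """Merge tactics per host; hosts with no hits are omitted."""
    hits = defaultdict(set)
    for r in records:
        tactics = classify_block(r["script"])
        if tactics:
            hits[r["host"]] |= tactics
    return dict(hits)


def recovery_still_possible(host_tactics) -> bool:
    """True when suspicious activity was seen but neither shadow-copy deletion
    nor recovery tampering was, i.e. the Yurei situation in which a VSS
    restore is worth attempting before anything else."""
    return bool(host_tactics) and not (host_tactics & {"shadow_copy_delete", "recovery_disable"})


# Constructed script blocks: a Yurei-like wallpaper attempt, a mature ransomware
# pre-encryption sequence, and a benign admin command.
SAMPLE_RECORDS = [
    {"host": "ws-017", "ts": "2025-09-06T02:11:09Z",
     "script": r"Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper "
               r"-Value 'C:\Users\Public\note.png'; rundll32.exe user32.dll,UpdatePerUserSystemParameters"},
    {"host": "ws-042", "ts": "2025-09-06T02:14:51Z",
     "script": r"vssadmin.exe delete shadows /all /quiet; bcdedit /set {default} recoveryenabled No; "
               r"wbadmin delete catalog -quiet"},
    {"host": "ws-099", "ts": "2025-09-06T02:20:00Z",
     "script": r"Get-ChildItem -Recurse C:\Temp | Where-Object Length -gt 1MB"},
]

if __name__ == "__main__":
    for host, tactics in triage(SAMPLE_RECORDS).items():
        print(f"{host}: {sorted(tactics)}  vss_restore_candidate={recovery_still_possible(tactics)}")
```

The per-host merge matters because the individual commands arrive as separate 4104 events; a wallpaper change on its own is low-confidence, but wallpaper plus shadow-copy deletion on the same host within minutes is the pre-encryption sequence a responder needs to interrupt.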