Cyber Resilience

Campaign · all campaigns

Salesforce Data ExfiltrationC0059 unknown

aka Salesforce Data Exfiltration

Last updated: 2026-07-03

0attributed CVEs
27ATT&CK techniques
0.0IDF score (tooling uniqueness)
0exclusive CVEs
years active

About this actor

The [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059) campaign began in October 2024 with financially-motivated threat actor UNC6040 using [Spearphishing Voice](https://attack.mitre.org/techniques/T1598/004) (vishing) to compromise corporate Salesforce instances for large-scale data theft and extortion. Following the initial data theft, victim organizations received extortion demands from a separate threat actor, UNC6240, who claimed to be the “ShinyHunters” group. The observed infrastructure and TTPs used during the [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059) campaign overlap with those used by threat groups with suspected ties to the broader collective known as "The Com.” These overlaps could plausibly be the result of associated actors operating within the same communities and are not necessarily an indication of a direct operational relationship.(Citation: FBI Salesforce Data Theft SEP 2025)(Citation: Google Salesforce JUN 2025)

Source: MITRE ATT&CK

Activity timeline

No activity events recorded.

Profile

CVERiskCVSSEPSSPublishedProducts
No attributed CVEs.

Mitigating controls (NIST 800-53)

ControlTechniques coveredCoverage
AC-310 / 2737%
CM-610 / 2737%
SI-410 / 2737%
CA-79 / 2733%
AC-28 / 2730%
AC-68 / 2730%
CM-77 / 2726%
AC-46 / 2722%
CM-26 / 2722%
SI-36 / 2722%
AC-55 / 2719%
CM-55 / 2719%
IA-25 / 2719%
SC-75 / 2719%
SI-105 / 2719%

Co-occurring actors

None.

Similar actors