Campaign · all campaigns
Salesforce Data ExfiltrationC0059 unknown
aka Salesforce Data Exfiltration
Last updated: 2026-07-03
About this actor
The [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059) campaign began in October 2024 with financially-motivated threat actor UNC6040 using [Spearphishing Voice](https://attack.mitre.org/techniques/T1598/004) (vishing) to compromise corporate Salesforce instances for large-scale data theft and extortion. Following the initial data theft, victim organizations received extortion demands from a separate threat actor, UNC6240, who claimed to be the “ShinyHunters” group. The observed infrastructure and TTPs used during the [Salesforce Data Exfiltration](https://attack.mitre.org/campaigns/C0059) campaign overlap with those used by threat groups with suspected ties to the broader collective known as "The Com.” These overlaps could plausibly be the result of associated actors operating within the same communities and are not necessarily an indication of a direct operational relationship.(Citation: FBI Salesforce Data Theft SEP 2025)(Citation: Google Salesforce JUN 2025)
Source: MITRE ATT&CK
Activity timeline
No activity events recorded.
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| No attributed CVEs. | |||||
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
AC-3 | 10 / 27 | 37% |
CM-6 | 10 / 27 | 37% |
SI-4 | 10 / 27 | 37% |
CA-7 | 9 / 27 | 33% |
AC-2 | 8 / 27 | 30% |
AC-6 | 8 / 27 | 30% |
CM-7 | 7 / 27 | 26% |
AC-4 | 6 / 27 | 22% |
CM-2 | 6 / 27 | 22% |
SI-3 | 6 / 27 | 22% |
AC-5 | 5 / 27 | 19% |
CM-5 | 5 / 27 | 19% |
IA-2 | 5 / 27 | 19% |
SC-7 | 5 / 27 | 19% |
SI-10 | 5 / 27 | 19% |
Co-occurring actors
None.
Similar actors
Similar TTPs
- Star Blizzard 0.26
- Operation AkaiRyū 0.24
- Silent Librarian 0.21
- Contagious Interview 0.18
- Cinnamon Tempest 0.18