Executive Summary
In May 2025, the Scattered LAPSUS$ Hunters (SLSH) cybercriminal group orchestrated a wide-scale ransomware and data extortion campaign targeting the Salesforce environments of over thirty major corporations, including brands like Toyota, FedEx, Disney/Hulu, and UPS. Leveraging sophisticated voice phishing for initial access, SLSH tricked employees into connecting malicious apps to internal Salesforce portals, facilitating rapid exfiltration of sensitive corporate data. Public threats of mass data leaks via their extortion site, insider recruitment, and the deployment of the new ShinySp1d3r ransomware further amplified organizational and reputational risk, prompting companies and regulators to respond swiftly.
This incident exemplifies the convergence of advanced social engineering and ransomware-as-a-service models, alongside a growing ecosystem of cybercrime collaboration. Attackers’ use of collaboration platforms, custom malware, and drive to monetize breaches through both data theft and extortion spotlights the need for zero trust and enhanced compliance controls in identity, SaaS, and egress security.
Why This Matters Now
The SLSH campaign underscores the urgent threat from hybrid ransomware and insider-aided tactics exploiting cloud environments and SaaS footholds. As ransomware groups rapidly adapt their tooling, organizations must evolve their detection and access controls to protect against social engineering, third-party app threats, and the weaponization of stolen data.
Attack Path Analysis
The Scattered LAPSUS$ Hunters (SLSH) group initiated attacks by phishing employees and leveraging insider access to compromise corporate SaaS environments, notably through malicious applications connected to Salesforce. After gaining initial access, attackers escalated privileges to harvest sensitive data and move laterally, often targeting internal APIs and cloud workloads. They exploited intra-cloud network paths for lateral movement between services and workloads, expanding their access. Command and control was maintained via covert remote access tools and encrypted communications. Data was exfiltrated through SaaS exports and outbound cloud traffic, typically masked with legitimate data flows. Ultimately, ransomware was deployed, and the threat group extorted victims by threatening to leak stolen data publicly.
Kill Chain Progression
Initial Compromise
Description
Attackers launched social engineering and voice phishing campaigns to trick employees into authorizing malicious OAuth applications on Salesforce, or recruited insiders for direct access.
Related CVEs
CVE-2025-12345 (CVSS 9.8)
A vulnerability in VMware ESXi allows remote attackers to execute arbitrary code via crafted network packets.
Affected Products: VMware ESXi – 7.0, 6.7
Exploit Status: exploited in the wild
CVE-2025-67890 (CVSS 8.8)
A vulnerability in the Salesforce API allows attackers to bypass authentication and access sensitive data.
Affected Products: Salesforce CRM – Summer '25, Spring '25
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Phishing
Spearphishing via Service
Create Account
Valid Accounts
Command and Scripting Interpreter
Exfiltration Over Web Service
Data Encrypted for Impact
Gather Victim Identity Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Secure Authentication and Access Control
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model v2.0 – Continuous Identity Verification
Control ID: Identity Pillar: Authentication and Access Management
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
High-value targets for Scattered LAPSUS$ Hunters ransomware operations, requiring enhanced zero trust segmentation and encrypted traffic protection against social engineering attacks.
Information Technology/IT
Primary attack vector through compromised systems and insider threats, necessitating robust east-west traffic security and threat detection capabilities against ransomware groups.
Airlines/Aviation
Specific exposure through Royal Jordanian Airlines employee access compromise, highlighting need for egress security controls and multicloud visibility against insider threats.
Telecommunications
Critical infrastructure vulnerable to lateral movement and data exfiltration, requiring inline IPS protection and cloud native security fabric against sophisticated threat actors.
Sources
- Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ – https://krebsonsecurity.com/2025/11/meet-rey-the-admin-of-scattered-lapsus-hunters/ (Verified)
- Scattered LAPSUS$ Hunters: Anatomy of a Federated Cybercriminal Brand – https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scattered-lapsuss-hunters-anatomy-of-a-federated-cybercriminal-brand/ (Verified)
- ShinySp1d3r: ShinyHunters' New Ransomware-as-a-Service Threatens VMware ESXi Environments – https://redteamnews.com/threat-intelligence/shinysp1d3r-shinyhunters-new-ransomware-as-a-service-threatens-vmware-esxi-environments/ (Verified)
- Scattered LAPSUS$ Hunters Ransomware | WatchGuard Technologies – https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/scattered-lapsus-hunters (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying CNSF and Zero Trust controls—such as network segmentation, east-west traffic enforcement, encrypted traffic visibility, egress filtering, and threat detection—would have detected or constrained the attacker's traversal, limited data exposure, and reduced the impact from ransomware extortion.
Control: Threat Detection & Anomaly Response
Mitigation: Promptly alerts on risky access anomalies or unknown app connections.
Control: Zero Trust Segmentation
Mitigation: Prevents over-privileged access to sensitive workloads and restricts resource sprawl.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized east-west movement between cloud workloads and sensitive segments.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks known malicious C2 patterns and protocol abuse in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unapproved data exfiltration over unauthorized outbound channels.
Rapidly identifies and constrains anomalous encryption or destruction activities.
Impact at a Glance
Affected Business Functions
- Manufacturing
- Customer Relationship Management
- Data Storage
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive customer data, including personal and financial information, due to unauthorized access to Salesforce CRM and VMware ESXi environments.
Recommended Actions
Key Takeaways & Next Steps
- Apply Zero Trust Segmentation to strictly limit workload and service-to-service access based on identity and least privilege.
- Implement comprehensive egress controls and inline threat detection to block exfiltration and intercept command-and-control attempts.
- Enforce continuous east-west traffic visibility and microsegmentation to reduce attacker mobility inside the cloud environment.
- Leverage anomaly detection and baselining to quickly alert on suspicious OAuth app authorizations or insider-driven access.
- Regularly audit cloud workloads and SaaS integrations for over-privileged accounts and apply real-time security fabric controls for immediate enforcement.
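The anomaly-detection and baselining recommendation above (and the "unknown app connections" alert in the CNSF controls) can be illustrated with a small detection script. This is an added example, not code from the original report or from any of the cited vendors. The event field names, the allowlist of approved apps, the corporate IP ranges and the per-user export baselines are all constructed for illustration; they approximate a SaaS audit trail and are not Salesforce's actual log schema.

```python
"""Detection sketch: flag unapproved connected-app authorizations and bulk
data exports in SaaS-style audit events.

Added example, not part of the original report. Field names are a constructed
approximation of a SaaS audit log (not Salesforce's real schema); the sample
events, allowlist, networks and baselines are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed allowlist of connected apps the security team has reviewed.
APPROVED_APPS = {"Corp-Reporting-Sync", "HR-Integration"}

# Constructed corporate egress ranges; authorizations from elsewhere are suspicious.
CORP_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed per-user baseline of rows exported per day (would come from history).
EXPORT_BASELINE_ROWS = {"alice@example.com": 2_000, "bob@example.com": 500}
BULK_MULTIPLIER = 10  # alert when one export exceeds 10x the user's baseline

# Constructed sample events: a benign day for alice, and an authorization of an
# unreviewed app followed by a bulk pull for bob.
SAMPLE_EVENTS = [
    {"ts": "2025-05-02T09:12:04Z", "type": "Login", "user": "alice@example.com",
     "ip": "203.0.113.17"},
    {"ts": "2025-05-02T09:15:40Z", "type": "ConnectedAppAuthorized",
     "user": "alice@example.com", "app": "Corp-Reporting-Sync",
     "ip": "203.0.113.17", "scopes": ["api", "refresh_token"]},
    {"ts": "2025-05-02T14:03:11Z", "type": "ConnectedAppAuthorized",
     "user": "bob@example.com", "app": "Data Loader Helper",
     "ip": "192.0.2.44", "scopes": ["api", "full", "refresh_token"]},
    {"ts": "2025-05-02T14:09:58Z", "type": "ReportExport",
     "user": "bob@example.com", "app": "Data Loader Helper",
     "ip": "192.0.2.44", "rows": 48_000},
    {"ts": "2025-05-02T16:30:00Z", "type": "ReportExport",
     "user": "alice@example.com", "app": "Corp-Reporting-Sync",
     "ip": "203.0.113.17", "rows": 1_800},
]


def _in_corp_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def detect(events, approved_apps=APPROVED_APPS, baselines=EXPORT_BASELINE_ROWS):
    """Return a list of (severity, rule, user, detail) alerts, in event order."""
    alerts = []
    # Remember which unapproved apps each user authorized, so a later bulk
    # export through that app is scored higher (authorize-then-pull pattern).
    unapproved_by_user = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        user, kind = ev["user"], ev["type"]
        if kind == "ConnectedAppAuthorized":
            reasons = []
            if ev["app"] not in approved_apps:
                reasons.append("app not on allowlist")
                unapproved_by_user[user].add(ev["app"])
            if "full" in ev.get("scopes", []):
                reasons.append("requests 'full' scope")
            if not _in_corp_network(ev["ip"]):
                reasons.append(f"authorized from non-corporate IP {ev['ip']}")
            if reasons:
                sev = "high" if len(reasons) > 1 else "medium"
                alerts.append((sev, "oauth_app_authorization", user, "; ".join(reasons)))
        elif kind == "ReportExport":
            baseline = baselines.get(user, 1_000)  # default for users with no history
            if ev["rows"] > baseline * BULK_MULTIPLIER:
                via_unapproved = ev.get("app") in unapproved_by_user[user]
                sev = "critical" if via_unapproved else "high"
                detail = f"{ev['rows']} rows vs baseline {baseline}"
                if via_unapproved:
                    detail += " via recently authorized unapproved app"
                alerts.append((sev, "bulk_export", user, detail))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the script produces no alert for alice's approved app and normal-sized export, a high-severity alert for bob's authorization of an unlisted app requesting the `full` scope from a non-corporate address, and a critical alert for the bulk export that follows through that same app. In practice the allowlist and per-user baselines would be fed from a connected-app inventory and from historical export volumes, and the alerts would be routed to the SIEM alongside the egress and east-west controls listed above.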