Seqrite Reveals Critical Insights into Google Salesforce Breach by UNC6040 Threat Group

Seqrite, the enterprise arm of Quick Heal Technologies Limited, a global provider of cybersecurity solutions, has unveiled comprehensive insights into the sophisticated vishing-extortion campaign that compromised Google’s corporate Salesforce instance in June 2025, exposing small and medium-sized business client data to cybercriminals. The attack was orchestrated by the threat group UNC6040 (linked to ShinyHunters), showing an alarming evolution in social engineering tactics that successfully bypassed Google’s security measures through a combination of voice phishing, OAuth abuse, and advanced anonymization techniques.

The threat research, conducted by the team at Seqrite Labs, India’s largest malware analysis facility, reveals that the breach involved a calculated multi-vector approach where attackers impersonated IT staff through convincing phone calls, persuading a Google employee to approve a malicious application connected to Salesforce. Once inside, criminals deployed custom Python scripts that emulated Salesforce’s DataLoader functionality, enabling automated bulk exports of business names, email addresses ...