Salesforce-Gainsight Data Breach
Targeted Sectors
· Technology
· Financial Services
· Cloud Services
· Critical Infrastructure
Countries
· Primarily United States
· Impacting global customers of affected companies.
BLUF
A large-scale supply chain breach involving Salesforce via the Gainsight integration has exposed sensitive customer data from over 200 companies, including Cloudflare, Zscaler, and Palo Alto Networks.
Date of First Reported Activity
· September 2025 (initial incident timeline); new reports December 3, 2025.
Date of Last Reported Activity Update
· December 3, 2025
APT Names
· Unknown at this time
Associated Criminal Organization Names
· UNC6040 and UNC6240 (which is associated with the ShinyHunters extortion group) are suspected in the Salesforce-Gainsight data breach.
o The investigation points to the reuse of infrastructure previously used by this cluster in an earlier attack against Salesforce environments.
IOCs
CVEs
· Unknown at this time
o Breach likely leveraged misconfigurations or existing access, not specific public CVEs
Nessus ID
· No CVEs have been identified at this time
Patching/Mitigation Data
Mitigation
· Review and enforce the principle of least privilege for third-party integrations (e.g., Gainsight) accessing core CRM data.
· Implement robust access controls and continuous monitoring for API access to sensitive cloud platforms.
Malware Names
· SmokeLoader
· Stealc
· DCRat
· Vidar
Malware Samples
SmokeLoader
SHA256
5de2819f832f06f69009b07779eacabc1b171540b10689b4b23eaac8f3232e14
Link to sample
hxxps://www.virustotal.com/gui/file/5de2819f832f06f69009b07779eacabc1b171540b10689b4b23eaac8f3232e14
Stealc
SHA256
9ff0db8efd0060e7194975ae5174a399a6b2cbffdaeb2f3f23244d0cce50b7b6
Link to sample
hxxps://www.virustotal.com/gui/file/9ff0db8efd0060e7194975ae5174a399a6b2cbffdaeb2f3f23244d0cce50b7b6
DCRat
SHA256
fdd552b4f74f4a1609f86101977d288302f145cec93d973fd377a2f34fa9381d
Link to sample
hxxps://www.virustotal.com/gui/file/fdd552b4f74f4a1609f86101977d288302f145cec93d973fd377a2f34fa9381d
Vidar
SHA256
27e8a91f6006e57f8e2370fdabed117932b147d39a04df1ea7bb3572536d4fe0
Link to sample
hxxps://www.virustotal.com/gui/file/27e8a91f6006e57f8e2370fdabed117932b147d39a04df1ea7bb3572536d4fe0
TTPs
· T1526: Compromise Infrastructure (SaaS integration point)
· T1078.004: Valid Accounts: Cloud Accounts
· T1530: Data from Cloud Storage
· T1041: Exfiltration Over C2 Channel
Suggested Rules / Hunts
Rules / Hunts are indicators only; they are likely to be noisy.
Suggested Suricata Rules:
Monitor for high-volume data exfiltration from Salesforce API endpoints to unusual destinations.
Suggested Sentinel Rules
Alert on bulk data access via third-party application integrations that fall outside established baseline behavior.
Suggested Splunk Hunts
index=* sourcetype=salesforce_event_monitoring "event.type"=ApiEvent | where integration="Gainsight" | stats count by user_id, requested_data
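The Sentinel rule and Splunk hunt above both reduce to the same check: compare an integration's hourly row volume against its own baseline and flag the buckets that blow past it. The script below is an added example, not part of the original brief or any vendor tooling; it runs over constructed JSON lines modelled on Salesforce ApiEvent records, and the field names (EventDate, ConnectedAppName, UserId, QueriedEntities, RowsProcessed) are assumptions rather than a copy of a real export.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry); field names are assumptions
# modelled on Salesforce Event Monitoring ApiEvent rows.
BASELINE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventDate": "2025-11-0%dT10:00:00Z" % d, "ConnectedAppName": "Gainsight",
     "UserId": "005INTEGRATION", "QueriedEntities": "Account", "RowsProcessed": 400}
    for d in range(1, 8)
])
HUNT_LOG = "\n".join(json.dumps(e) for e in [
    {"EventDate": "2025-12-03T02:%02dZ" % m + ":00Z" if False else "2025-12-03T02:%02d:00Z" % m,
     "ConnectedAppName": "Gainsight", "UserId": "005INTEGRATION",
     "QueriedEntities": "Contact,Case", "RowsProcessed": 50000}
    for m in (5, 17, 41)
] + [
    {"EventDate": "2025-12-03T09:00:00Z", "ConnectedAppName": "Gainsight",
     "UserId": "005INTEGRATION", "QueriedEntities": "Account", "RowsProcessed": 450},
])

def parse(log):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]

def hourly_rows(events):
    """Sum RowsProcessed per (app, user, UTC hour) bucket."""
    buckets = defaultdict(int)
    for e in events:
        hour = datetime.strptime(e["EventDate"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H")
        buckets[(e["ConnectedAppName"], e["UserId"], hour)] += e["RowsProcessed"]
    return buckets

def baseline_per_hour(events):
    """Mean rows per active hour for each (app, user) over the baseline window."""
    totals, hours = defaultdict(int), defaultdict(int)
    for (app, user, _), rows in hourly_rows(events).items():
        totals[(app, user)] += rows
        hours[(app, user)] += 1
    return {k: totals[k] / hours[k] for k in totals}

def hunt_bulk_access(events, baseline, factor=10):
    """Flag hour buckets where an integration pulled more than factor x its baseline."""
    findings = []
    for (app, user, hour), rows in sorted(hourly_rows(events).items()):
        limit = baseline.get((app, user), 0) * factor
        if rows > limit:
            findings.append({"app": app, "user": user, "hour": hour, "rows": rows, "limit": limit})
    return findings
```

An integration with no baseline at all gets a limit of zero, so any first-seen connected app pulling data is surfaced for review rather than silently accepted.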
Delivery Method
· Exploitation of access via a vulnerable or compromised third-party integration (Gainsight) to the Salesforce platform.
Email Samples
· Not applicable
References
Kaseya
· hxxps://www.kaseya.com/?post_type=post&p=25760
Research CheckPoint
· hxxps://research.checkpoint.com/2025/8th-september-threat-intelligence-report/