Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion

    Date: 09/15/2025

    Severity: High

    Summary

    This FLASH is being issued to share Indicators of Compromise (IOCs) linked to recent malicious cyber activities carried out by cybercriminal groups UNC6040 and UNC6395. These groups are responsible for a growing number of data theft and extortion incidents and have recently been observed targeting organizations' Salesforce platforms through various initial access methods.

    Indicators of Compromise (IOC) List

    URL/Domain

    Login.salesforce.com/setup/connect?user_code=aKYF7V5N

    Login.salesforce.com/setup/connect?user_code=8KCQGTVU

    https://help[victim].com

    https://login.salesforce.com/setup/connect

    http://64.95.11.112/hello.php

    91.199.42.164/login

    IP Address

    13.67.175.79

    20.190.157.98

    23.162.8.66

    31.58.169.92

    37.19.200.132

    37.19.221.179

    64.95.11.225

    68.235.43.202

    68.235.46.208

    79.127.217.44

    96.44.189.109

    104.193.135.221

    146.70.173.60

    146.70.198.112

    147.161.173.90

    163.5.149.152

    185.141.119.166

    185.141.119.185

    198.44.129.88

    198.54.130.100

    206.217.206.14

    206.217.206.84

    208.131.130.71

    64.95.11.225

    20.190.130.40

    23.145.40.165

    23.234.69.167

    31.58.169.96

    37.19.200.141

    38.22.104.226

    64.95.84.159

    68.235.46.22

    68.63.167.122

    83.147.52.41

    96.44.191.141

    141.98.252.189

    146.70.185.47

    146.70.211.55

    149.22.81.201

    185.141.119.136

    185.141.119.168

    185.209.199.56

    195.54.130.100

    198.54.130.108

    206.217.206.25

    206.217.206.104

    208.131.130.91

    163.5.149.152

    20.190.151.38

    23.145.40.167

    23.94.126.63

    34.86.51.128

    37.19.200.154

    45.83.220.206

    66.63.167.122

    68.235.46.202

    69.246.124.204

    87.120.112.134

    96.44.191.157

    146.70.165.47

    146.70.189.47

    146.70.211.119

    151.242.41.182

    185.141.119.138

    185.141.119.181

    191.96.207.201

    196.251.83.162

    198.54.133.123

    206.217.206.26

    206.217.206.124

    31.58.169.96

    192.198.82.235

    20.190.157.160

    23.145.40.99

    31.58.169.85

    35.186.181.1

    37.19.200.167

    51.89.240.10

    67.217.228.216

    68.235.46.151

    72.5.42.72

    94.156.167.237

    104.223.118.62

    146.70.168.239

    146.70.189.111

    146.70.211.183

    151.242.58.76

    185.141.119.151

    185.141.119.184

    198.44.129.56

    198.244.224.200

    205.234.181.14

    206.217.206.64

    208.131.130.53

    64.94.84.78

    208.68.36.90

    44.215.108.109

    154.41.95.2

    176.65.149.100

    185.220.101.133

    185.207.107.130

    185.130.47.58

    179.43.159.198

    185.220.101.143

    185.220.101.164

    185.220.101.167

    185.220.101.169

    192.42.116.179

    185.220.101.33

    185.220.101.185

    185.220.101.180

    192.42.116.20

    194.15.36.117

    195.47.238.178

    195.47.238.83

    Useragent

    Salesforce-Multi-Org-Fetcher/1.0

    Salesforce-CLI/1.0

    python-requests/2.32.4

    Python/3.11 aiohttp/3.12.15

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    domainname like "Login.salesforce.com/setup/connect?user_code=aKYF7V5N"
    or siteurl like "Login.salesforce.com/setup/connect?user_code=aKYF7V5N"
    or url like "Login.salesforce.com/setup/connect?user_code=aKYF7V5N"
    or domainname like "Login.salesforce.com/setup/connect?user_code=8KCQGTVU"
    or siteurl like "Login.salesforce.com/setup/connect?user_code=8KCQGTVU"
    or url like "Login.salesforce.com/setup/connect?user_code=8KCQGTVU"
    or domainname like "https://helpvictim.com"
    or siteurl like "https://helpvictim.com"
    or url like "https://helpvictim.com"
    or domainname like "https://login.salesforce.com/setup/connect"
    or siteurl like "https://login.salesforce.com/setup/connect"
    or url like "https://login.salesforce.com/setup/connect"
    or domainname like "http://64.95.11.112/hello.php"
    or siteurl like "http://64.95.11.112/hello.php"
    or url like "http://64.95.11.112/hello.php"
    or domainname like "91.199.42.164/login"
    or siteurl like "91.199.42.164/login"
    or url like "91.199.42.164/login"

    Detection Query 2 :

    dstipaddress IN ("13.67.175.79","20.190.157.98","23.162.8.66","31.58.169.92","37.19.200.132","37.19.221.179","64.95.11.225","68.235.43.202","68.235.46.208","79.127.217.44","96.44.189.109","104.193.135.221","146.70.173.60","146.70.198.112","147.161.173.90","163.5.149.152","185.141.119.166","185.141.119.185","198.44.129.88","198.54.130.100","206.217.206.14","206.217.206.84","208.131.130.71","64.95.11.225","20.190.130.40","23.145.40.165","23.234.69.167","31.58.169.96","37.19.200.141","38.22.104.226","64.95.84.159","68.235.46.22","68.63.167.122","83.147.52.41","96.44.191.141","141.98.252.189","146.70.185.47","146.70.211.55","149.22.81.201","185.141.119.136","185.141.119.168","185.209.199.56","195.54.130.100","198.54.130.108","206.217.206.25","206.217.206.104","208.131.130.91","163.5.149.152","20.190.151.38","23.145.40.167","23.94.126.63","34.86.51.128","37.19.200.154","45.83.220.206","66.63.167.122","68.235.46.202","69.246.124.204","87.120.112.134","96.44.191.157","146.70.165.47","146.70.189.47","146.70.211.119","151.242.41.182","185.141.119.138","185.141.119.181","191.96.207.201","196.251.83.162","198.54.133.123","206.217.206.26","206.217.206.124","31.58.169.96","192.198.82.235","20.190.157.160","23.145.40.99","31.58.169.85","35.186.181.1","37.19.200.167","51.89.240.10","67.217.228.216","68.235.46.151","72.5.42.72","94.156.167.237","104.223.118.62","146.70.168.239","146.70.189.111","146.70.211.183","151.242.58.76","185.141.119.151","185.141.119.184","198.44.129.56","198.244.224.200","205.234.181.14","206.217.206.64","208.131.130.53","64.94.84.78","208.68.36.90","44.215.108.109","154.41.95.2","176.65.149.100","185.220.101.133","185.207.107.130","185.130.47.58","179.43.159.198","185.220.101.143","185.220.101.164","185.220.101.167","185.220.101.169","192.42.116.179","185.220.101.33","185.220.101.185","185.220.101.180","192.42.116.20","194.15.36.117","195.47.238.178","195.47.238.83") or srcipaddress IN 
("13.67.175.79","20.190.157.98","23.162.8.66","31.58.169.92","37.19.200.132","37.19.221.179","64.95.11.225","68.235.43.202","68.235.46.208","79.127.217.44","96.44.189.109","104.193.135.221","146.70.173.60","146.70.198.112","147.161.173.90","163.5.149.152","185.141.119.166","185.141.119.185","198.44.129.88","198.54.130.100","206.217.206.14","206.217.206.84","208.131.130.71","64.95.11.225","20.190.130.40","23.145.40.165","23.234.69.167","31.58.169.96","37.19.200.141","38.22.104.226","64.95.84.159","68.235.46.22","68.63.167.122","83.147.52.41","96.44.191.141","141.98.252.189","146.70.185.47","146.70.211.55","149.22.81.201","185.141.119.136","185.141.119.168","185.209.199.56","195.54.130.100","198.54.130.108","206.217.206.25","206.217.206.104","208.131.130.91","163.5.149.152","20.190.151.38","23.145.40.167","23.94.126.63","34.86.51.128","37.19.200.154","45.83.220.206","66.63.167.122","68.235.46.202","69.246.124.204","87.120.112.134","96.44.191.157","146.70.165.47","146.70.189.47","146.70.211.119","151.242.41.182","185.141.119.138","185.141.119.181","191.96.207.201","196.251.83.162","198.54.133.123","206.217.206.26","206.217.206.124","31.58.169.96","192.198.82.235","20.190.157.160","23.145.40.99","31.58.169.85","35.186.181.1","37.19.200.167","51.89.240.10","67.217.228.216","68.235.46.151","72.5.42.72","94.156.167.237","104.223.118.62","146.70.168.239","146.70.189.111","146.70.211.183","151.242.58.76","185.141.119.151","185.141.119.184","198.44.129.56","198.244.224.200","205.234.181.14","206.217.206.64","208.131.130.53","64.94.84.78","208.68.36.90","44.215.108.109","154.41.95.2","176.65.149.100","185.220.101.133","185.207.107.130","185.130.47.58","179.43.159.198","185.220.101.143","185.220.101.164","185.220.101.167","185.220.101.169","192.42.116.179","185.220.101.33","185.220.101.185","185.220.101.180","192.42.116.20","194.15.36.117","195.47.238.178","195.47.238.83")

    Detection Query 3 :

    useragent like "Salesforce-Multi-Org-Fetcher/1.0"
    or useragent like "Salesforce-CLI/1.0"
    or useragent like "python-requests/2.32.4"
    or useragent like "Python/3.11 aiohttp/3.12.15"
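    The three queries above are plain substring matches on three separate fields. The following is an added example, not part of the FBI FLASH or of Gurucul's TDIR content, that applies the same IOC list to Salesforce activity records with the adjustments a practitioner would want: hostnames are compared case-insensitively (the FLASH writes `Login.salesforce.com` with a capital L, which a case-sensitive `like` would never match against lowercased logs); a hit on `login.salesforce.com/setup/connect` is raised only as "review" unless the `user_code` is one of the two listed, because that path is Salesforce's standard OAuth device-flow verification page that legitimate users also visit; and the `help[victim].com` entry is treated as a placeholder for a victim-themed lookalike domain rather than a literal (Query 1's `helpvictim.com` string will not match such a domain either). The record field names (`SourceIp`, `UserAgent`, `Uri`), the sample records and the IP subset are constructed for the example; paste the full IP list from above in practice. Several listed addresses sit in shared hosting, VPN and Tor exit ranges, and `python-requests`/`aiohttp` are default user agents of widely used libraries, so an IP- or user-agent-only hit should be corroborated with the Salesforce event context before escalation.

```python
"""Apply the FLASH IOCs to Salesforce activity records.

Added example; not code from the FBI FLASH or Gurucul. Field names
(SourceIp, UserAgent, Uri) are assumed to resemble Salesforce
LoginHistory / EventLogFile fields, and SAMPLE_RECORDS are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# URL / domain IOCs copied from the FLASH (help[victim].com omitted: it is
# a placeholder for a victim-themed lookalike, not a literal domain).
IOC_URLS = [
    "Login.salesforce.com/setup/connect?user_code=aKYF7V5N",
    "Login.salesforce.com/setup/connect?user_code=8KCQGTVU",
    "http://64.95.11.112/hello.php",
    "91.199.42.164/login",
]
# Subset of the FLASH IP list; paste the full list in production.
IOC_IPS = {"13.67.175.79", "64.95.11.225", "146.70.173.60", "185.220.101.133"}
IOC_USER_AGENTS = {
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
}
# Salesforce's OAuth device-flow verification page. Legitimate users land
# here too, so a bare path hit is a review item, not an alert.
DEVICE_FLOW_HOST, DEVICE_FLOW_PATH = "login.salesforce.com", "/setup/connect"


def normalize_url(raw):
    """Return (host, path, query) with a lowercased host and no scheme.

    Accepts full URLs, bare host/path strings (as in the IOC list) and
    path-only URIs (as in EventLogFile records).
    """
    if raw.startswith("/"):
        path, _, query = raw.partition("?")
        return "", path, query
    if "://" not in raw:
        raw = "http://" + raw
    parts = urlsplit(raw)
    return (parts.hostname or "").lower(), parts.path, parts.query


IOC_URL_KEYS = {normalize_url(u) for u in IOC_URLS}
IOC_USER_CODES = {
    parse_qs(q)["user_code"][0] for _, _, q in IOC_URL_KEYS if "user_code=" in q
}


def classify(record):
    """Return a list of (level, reason) findings for one record.

    level is "alert" for a direct IOC match and "review" for the
    device-flow page without a listed user_code.
    """
    findings = []
    ip = record.get("SourceIp", "").strip()
    if ip in IOC_IPS:
        findings.append(("alert", f"source IP {ip} is in the FLASH IP list"))
    ua = record.get("UserAgent", "")
    if ua in IOC_USER_AGENTS:
        findings.append(("alert", f"user agent {ua!r} is in the FLASH list"))
    uri = record.get("Uri", "")
    if uri:
        host, path, query = normalize_url(uri)
        if (host, path, query) in IOC_URL_KEYS:
            findings.append(("alert", f"URL {uri} is in the FLASH URL list"))
        elif host == DEVICE_FLOW_HOST and path == DEVICE_FLOW_PATH:
            code = parse_qs(query).get("user_code", [""])[0]
            if code in IOC_USER_CODES:
                findings.append(("alert", f"device-flow user_code {code} is listed in the FLASH"))
            else:
                findings.append(("review", "device-flow verification page hit; "
                                           "confirm the user started this authorization"))
    return findings


def scan(records):
    """Map record index -> findings for every record that has at least one."""
    return {i: f for i, r in enumerate(records) if (f := classify(r))}


# Constructed sample records (RFC 5737 addresses for the non-IOC hosts).
SAMPLE_RECORDS = [
    {"SourceIp": "64.95.11.225", "UserAgent": "Salesforce-CLI/1.0",
     "Uri": "/services/data/v60.0/query"},
    {"SourceIp": "203.0.113.10", "UserAgent": "Mozilla/5.0",
     "Uri": "https://login.salesforce.com/setup/connect?user_code=aKYF7V5N"},
    {"SourceIp": "203.0.113.11", "UserAgent": "Mozilla/5.0",
     "Uri": "https://login.salesforce.com/setup/connect?user_code=ZZZZ1111"},
    {"SourceIp": "198.51.100.7", "UserAgent": "python-requests/2.32.4",
     "Uri": "http://64.95.11.112/hello.php"},
    {"SourceIp": "198.51.100.8", "UserAgent": "Mozilla/5.0",
     "Uri": "/lightning/o/Account/list"},
]

if __name__ == "__main__":
    for idx, findings in sorted(scan(SAMPLE_RECORDS).items()):
        for level, reason in findings:
            print(f"record {idx}: {level.upper():6} {reason}")
```

    Run against the sample records, records 0 and 3 produce two alerts each (IP plus user agent, and user agent plus URL), record 1 alerts on the listed `user_code`, record 2 is a review item because it reached the device-flow page with an unlisted code, and record 4 is clean. When wiring this into a SIEM, feed it the Salesforce `LoginHistory` and `EventLogFile` exports rather than perimeter proxy logs, since the device-flow and API activity of interest happens against Salesforce's own endpoints.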

    Reference:

    https://www.ic3.gov/CSA/2025/250912.pdf


    Tags

    Threat Actor, UNC6040, UNC6395, Salesforce
