UNC6395
UNC6395 is a threat actor tracked by Google Threat Intelligence Group/Mandiant and also referred to in the cited reporting as GRUB1. The actor was attributed to a widespread 2025 data-theft campaign against Salesforce customer instances that abused compromised OAuth and refresh tokens associated with the Salesloft Drift integration. Activity was reported from at least August 8 through August 18, 2025; the campaign affected hundreds of organizations, with reporting citing more than 700 potentially impacted organizations.
According to the cited reporting, UNC6395 systematically queried and exported large volumes of data from connected Salesforce environments, including objects such as Cases, Accounts, Contacts, Opportunities, and Users. Because the actor presented legitimate stolen OAuth tokens, it impersonated the trusted Drift application and bypassed the normal authentication controls that would apply to an interactive user. Some reporting also describes access to connected Google Workspace environments and, in some cases, Slack integrations.
The reporting states that the actor's primary objective was credential harvesting: after exfiltration, UNC6395 searched the stolen data for AWS access keys, passwords, Snowflake-related tokens, cloud credentials, API keys, and other secrets embedded in support cases or CRM records. It also notes that UNC6395 showed operational security awareness by deleting query jobs to conceal activity, although logs remained available for investigation. Investigators cited the use of DigitalOcean and AWS infrastructure to support or obfuscate operations.
Separate reporting says Google-owned Mandiant observed UNC6395 accessing Salesloft's GitHub account from March through June 2025, downloading repository content, adding a guest user, and setting up workflows over a months-long period that preceded the August campaign.
Victim organizations named in the cited reporting include Cloudflare, Zscaler, Palo Alto Networks, Workday, Workiva, Proofpoint, Qualys, Tenable, HackerOne, BeyondTrust, Bugcrowd, Cato Networks, CyberArk, Elastic, Fastly, JFrog, Nutanix, PagerDuty, Rubrik, and others. The reporting explicitly notes that the issue did not stem from a vulnerability in the core Salesforce platform, but from compromise of the third-party Drift integration and its OAuth trust relationship.
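As an added illustration of the pattern described above (high-volume export of sensitive objects through a trusted connected app, followed by deletion of the bulk jobs while audit records persist), here is a small detection script that is not part of this profile or of any vendor's tooling. The CSV log layout, the app and user names, and the 10,000-row threshold are constructed assumptions for the example; the logic is the same whichever audit export you feed it.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of API audit records in a simplified CSV form. The column
# layout is hypothetical for this example, not Salesforce's real EventLogFile
# schema; map the equivalent fields from your own audit export.
SAMPLE_LOG = """timestamp,connected_app,user,event,object,rows
2025-08-09T02:11:05Z,Drift,integration@example.com,BulkQuery,Case,48211
2025-08-09T02:14:52Z,Drift,integration@example.com,BulkQuery,Account,19870
2025-08-09T02:15:03Z,Drift,integration@example.com,BulkJobDelete,Case,0
2025-08-09T02:16:40Z,Drift,integration@example.com,BulkQuery,User,3110
2025-08-09T02:17:01Z,Drift,integration@example.com,BulkJobDelete,Account,0
2025-08-09T08:00:00Z,Drift,integration@example.com,BulkQuery,Lead,42
2025-08-09T09:30:12Z,ReportingTool,analyst@example.com,BulkQuery,Account,1200
"""

# Objects the reporting names as exported wholesale by the actor.
SENSITIVE_OBJECTS = {"Case", "Account", "Contact", "Opportunity", "User"}

def analyze(log_text, row_threshold=10000):
    """Per connected app: rows read from sensitive objects, the objects touched,
    and those whose bulk job was deleted after the read (threshold is assumed)."""
    rows_by_app = defaultdict(int)
    read_so_far = defaultdict(set)    # app -> sensitive objects already queried
    deleted_after = defaultdict(set)  # app -> objects whose job vanished post-read
    records = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["timestamp"])
    for rec in records:
        app, obj, event = rec["connected_app"], rec["object"], rec["event"]
        if event == "BulkQuery" and obj in SENSITIVE_OBJECTS:
            rows_by_app[app] += int(rec["rows"])
            read_so_far[app].add(obj)
        elif event == "BulkJobDelete" and obj in read_so_far[app]:
            deleted_after[app].add(obj)   # deletion hides the job, not this record
    findings = {}
    for app in set(rows_by_app) | set(deleted_after):
        reasons = []
        if rows_by_app[app] >= row_threshold:
            reasons.append("bulk_export_volume")
        if deleted_after[app]:
            reasons.append("job_deleted_after_export")
        findings[app] = {
            "rows": rows_by_app[app],
            "objects": sorted(read_so_far[app]),
            "deleted_after_export": sorted(deleted_after[app]),
            "reasons": reasons,
            "flag": bool(reasons),
        }
    return findings
```

On the constructed sample, the Drift app is flagged on both counts while the analyst's ordinary report stays below the threshold, which is the separation a rule like this needs to avoid alerting on every legitimate integration.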
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Tradecraft
26 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Stole data from companies' Salesforce instances by abusing OAuth tokens tied to the third-party sales automation app Salesloft Drift.
- Stole OAuth tokens from third-party Salesforce integrations and used them to query hundreds of Salesforce instances, exfiltrating massive volumes of records and secrets embedded in support cases.
- Referenced in connection with Salesforce-targeting breach activity, but that source provides no distinct operational details.
- Conducted a supply-chain intrusion via the Salesloft Drift integration, using stolen OAuth tokens to access and export Salesforce data from hundreds of organizations, including Workday, and searching exfiltrated CRM data for embedded credentials and secrets.