Microsoft has officially acknowledged a significant disruption affecting Windows 11 version 24H2 users, specifically after installing the cumulative update KB5062553 released in July 2025.
The issue primarily affects environments using Virtual Desktop Infrastructure (VDI) and devices undergoing their first user logon.
Reports indicate that essential shell components, including the Start Menu, Taskbar, and System Settings, are failing to initialize correctly, leaving users with a severely degraded or unusable desktop experience.
The disruption stems from the operating system’s inability to register specific dependency packages in time during the logon process. This behavior is particularly acute in non-persistent OS installations where application packages must be provisioned fresh for each user session.
Administrators managing virtual environments have reported that users are frequently greeted with empty taskbars, unresponsive Start buttons, or immediate crashes of the explorer.exe process upon signing in.
The problem is not limited to VDI; standard physical workstations can also exhibit these symptoms during the initial user profile creation immediately following the update application.
The root cause has been identified as a race condition involving XAML (Extensible Application Markup Language) components. These components are critical for rendering the modern Windows UI.
When the update is applied, the dependent packages required by the shell do not register before the shell attempts to load them. This results in silent failures or explicit error messages from processes such as StartMenuExperienceHost.exe and ShellHost.exe.
The following table details the specific components and packages involved in this failure:

| Component | Reported Symptom | Affected XAML Dependency |
|---|---|---|
| Explorer.exe | Runs without a visible taskbar window or crashes repeatedly | MicrosoftWindows.Client.CBS_cw5n1h2txyewy |
| Start Menu | Fails to launch; displays critical error message | Microsoft.UI.Xaml.CBS_8wekyb3d8bbwe |
| System Settings | Silently fails to launch when accessing Start > Settings > System | MicrosoftWindows.Client.Core_cw5n1h2txyewy |
| ImmersiveShell | Fails to initialize, causing black screen or limited UI | All XAML island views |
Workaround and Mitigation Strategies
Microsoft is actively developing a permanent resolution for this regression. In the interim, IT administrators and affected users can restore functionality by manually registering the missing packages. For persistent installs, these commands must be run within the user session, followed by a restart of the SiHost process.
For VDI and non-persistent environments where this issue recurs at every logon, a synchronous logon script is the recommended solution. This script ensures that explorer.exe is blocked from launching until the necessary XAML packages are fully provisioned, preventing the race condition.
VDI Logon Script Wrapper:

```batch
@echo off
REM Run synchronously at logon, before explorer.exe is started, so that the
REM XAML dependencies are registered for the user before the shell loads them.
REM Register MicrosoftWindows.Client.CBS
powershell.exe -ExecutionPolicy Bypass -Command "Add-AppxPackage -Register -Path 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\appxmanifest.xml' -DisableDevelopmentMode"
REM Register Microsoft.UI.Xaml.CBS
powershell.exe -ExecutionPolicy Bypass -Command "Add-AppxPackage -Register -Path 'C:\Windows\SystemApps\Microsoft.UI.Xaml.CBS_8wekyb3d8bbwe\appxmanifest.xml' -DisableDevelopmentMode"
REM Register MicrosoftWindows.Client.Core
powershell.exe -ExecutionPolicy Bypass -Command "Add-AppxPackage -Register -Path 'C:\Windows\SystemApps\MicrosoftWindows.Client.Core_cw5n1h2txyewy\appxmanifest.xml' -DisableDevelopmentMode"
```
Administrators are advised to test these scripts in a staging environment before broad deployment to production VDI pools.
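For the manual repair on persistent installs described above, the following PowerShell script is an added example (not from the article or from Microsoft): it checks whether the three packages from the table are registered for the current user, registers only the missing ones from the SystemApps manifests the article lists, and then reports whether the shell processes the article names are running. The function names and output shape are my own; the SiHost restart follows the article's instruction and assumes the shell infrastructure relaunches sihost.exe.

```powershell
# Added example: verify and repair the XAML shell dependency registrations.
# Package names and manifest paths come from the article; everything else is assumed.

$RequiredPackages = @(
    @{ Name = 'MicrosoftWindows.Client.CBS';  Manifest = 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\appxmanifest.xml' },
    @{ Name = 'Microsoft.UI.Xaml.CBS';        Manifest = 'C:\Windows\SystemApps\Microsoft.UI.Xaml.CBS_8wekyb3d8bbwe\appxmanifest.xml' },
    @{ Name = 'MicrosoftWindows.Client.Core'; Manifest = 'C:\Windows\SystemApps\MicrosoftWindows.Client.Core_cw5n1h2txyewy\appxmanifest.xml' }
)

function Test-ShellPackageRegistration {
    # Returns one object per required package stating whether it is registered
    # for the current user (Get-AppxPackage is per-user, which is exactly the
    # scope that fails during first logon).
    foreach ($pkg in $RequiredPackages) {
        $installed = Get-AppxPackage -Name $pkg.Name -ErrorAction SilentlyContinue
        $version = $null
        if ($installed) { $version = $installed.Version }
        [pscustomobject]@{
            Name       = $pkg.Name
            Registered = [bool]$installed
            Version    = $version
            Manifest   = $pkg.Manifest
        }
    }
}

function Repair-ShellPackageRegistration {
    # Registers only what is missing, so it is safe to run repeatedly.
    param([switch]$RestartSiHost)

    $missing = @(Test-ShellPackageRegistration | Where-Object { -not $_.Registered })
    if ($missing.Count -eq 0) {
        Write-Host 'All XAML shell dependencies are already registered for this user.'
        return
    }
    foreach ($m in $missing) {
        if (-not (Test-Path -Path $m.Manifest)) {
            Write-Warning "Manifest not found, skipping: $($m.Manifest)"
            continue
        }
        Write-Host "Registering $($m.Name) from $($m.Manifest)"
        Add-AppxPackage -Register -Path $m.Manifest -DisableDevelopmentMode
    }
    if ($RestartSiHost) {
        # The article says to restart SiHost after registering on a persistent
        # install. Assumption: the shell relaunches sihost.exe after it is stopped.
        Get-Process -Name sihost -ErrorAction SilentlyContinue | Stop-Process -Force
    }
}

function Get-ShellHostStatus {
    # Health view of the processes the article reports as failing to start.
    foreach ($name in 'explorer', 'StartMenuExperienceHost', 'ShellHost', 'sihost') {
        $p = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Process = "$name.exe"; Running = ($p.Count -gt 0); Instances = $p.Count }
    }
}

# Usage, run inside the affected user's session (not elevated, so the
# registration lands in that user's package store):
Test-ShellPackageRegistration | Format-Table -AutoSize
Repair-ShellPackageRegistration -RestartSiHost
Get-ShellHostStatus | Format-Table -AutoSize
```

Run the test function first and record its output before repairing, so the before/after state can be attached to the incident record for the affected pool.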
Remote monitoring tools are essential for managing and maintaining the health and performance of IT infrastructure and systems.
Remote monitoring tools provide continuous oversight of network devices, servers, applications, and other critical components from a remote location. These tools help identify and resolve issues proactively by offering real-time alerts, performance metrics, and detailed reports.
With features like remote access, automated maintenance, and comprehensive dashboards, remote monitoring tools ensure optimal system performance, minimize downtime, and enhance overall operational efficiency.
They are invaluable for IT administrators in maintaining robust and secure IT environments.
20 Best Remote Monitoring Tools
SolarWinds Remote Monitoring & Management (RMM): Comprehensive monitoring, patch management, and security tools for proactive IT management.
NinjaRMM: Lightweight, user-friendly RMM solution with real-time monitoring and automated patch management.
Kaseya VSA: Integrated IT management solution offering remote monitoring, endpoint management, and automated workflows.
Atera: An all-in-one RMM platform that provides remote monitoring, helpdesk, and billing in a single interface.
ManageEngine Remote Access Plus: Secure remote access and troubleshooting with real-time IT asset management features.
TeamViewer Remote Monitoring & Management: Seamless remote access with integrated monitoring and management capabilities.
LogMeIn Central: Centralized IT management with remote access, monitoring, and endpoint security.
Pulseway: Real-time monitoring and management solution with mobile access and automation features.
Domotz: Network monitoring and management tool with real-time alerts and remote troubleshooting.
Splashtop Remote Support: Reliable remote support and monitoring with high-performance access and management.
AnyDesk Remote Monitoring: Fast, secure remote access and monitoring with low latency performance.
Continuum RMM: Managed IT services platform offering remote monitoring, automation, and advanced security features.
N-able RMM: Comprehensive IT management with monitoring, automation, and integrated security features.
SyncroMSP: Combined RMM and PSA solution offering real-time monitoring and business management tools.
Zoho Corporation: Integrated remote monitoring, IT management, and automation platform for streamlined operations.
Manages multiple clients or sites. Monitors network devices and performance. Compatible with other SolarWinds products. Controls user roles and permissions. Creates customized monitoring views.
Comprehensive IT management and monitoring solution.
Documents are printed locally. Real-time session communication. Works with other ManageEngine products. Access devices even when the user is not there. Can encrypt data and verify users.
Manages user roles and permissions. Access devices even when the user is not there. Adds security features to devices. Produces reports on the status of the system. Recordings of remote sessions can be reviewed later.
Remote support and monitoring integrated platform.
Records remote sessions so they can be reviewed later. Sends alerts for events in real time. Changes settings and rules. Access devices even when the user is not there. Produces reports about what the system is doing.
Takes care of several clients or sites. Creates individual monitoring views. Integrations add to the functionality. Security measures are built into the tool. Produces reports on the status of the system.
Real-time monitoring and mobile device management.
Proactively monitors networks. Takes care of several clients or sites. Monitors systems remotely. Produces reports on network performance. Provides an API for integration with third-party apps.
Changes settings and rules. Works well with other tools and systems. Access devices even when the user is not there. Reports on remote activities. Recordings of remote sessions can be reviewed later.
Prints documents on local printers. Works with more than one screen. Devices and systems are monitored. Access devices even when the user is not there. Works with many different operating systems.
Offers backup and restore. Security measures are built into the tool. Commands are carried out on remote machines. Produces information about what the system is doing. System management is done through a mobile app.
Security measures are built into the tool. Produces information about the health of the system. System management is done through a mobile app. Integrations add to the utility.
Comprehensive RMM with proactive maintenance tools.
Offers backup and restore. System management is done through a mobile app. Takes care of several companies or sites. Integrations add more features. Commands are carried out on remote machines.
Offers mobile tools for remote management. Works well for companies of all kinds. Includes automated features to save time. Integrated features make it easier for people to work together.
SolarWinds Remote Monitoring & Management (RMM) is a comprehensive solution designed for IT service providers to monitor and manage their clients’ IT infrastructure remotely.
It offers a robust set of features including automated monitoring, patch management, and data-driven insights to ensure the optimal performance and security of network devices, servers, and workstations.
With real-time alerts, detailed reporting, and remote access capabilities, SolarWinds RMM enables proactive issue resolution and efficient IT management, helping service providers deliver exceptional support and maintain system health with minimal downtime.
Why Do We Recommend It?
Access devices securely and fix problems from anywhere.
Automated patching is a way to keep software up to date.
Find out about the health and performance of the system.
Endpoints can be kept safe with built-in antivirus and malware detection.
Set up backups and easily get your data back.
| What is Good? | What Could Be Better? |
|---|---|
| Offers many ways to monitor devices and systems. | Some users find the system hard to set up. |
| Scripting and patch management can be automated. | It may take time to learn and master all of the features. |
| Lets you control devices remotely and fix problems. | Can use a lot of resources, especially for large deployments. |
| Includes monitoring of network devices and insights into their performance. | Updates can sometimes introduce new problems or require changes. |
NinjaRMM is a comprehensive remote monitoring and management (RMM) tool designed for IT professionals and managed service providers (MSPs).
It offers a wide range of features to monitor, manage, and secure endpoints from a centralized dashboard. With NinjaRMM, users can perform tasks such as patch management, antivirus monitoring, remote control, and automated maintenance.
The platform is known for its user-friendly interface, robust automation capabilities, and real-time alerts, making it easier for IT teams to proactively address issues, enhance security, and maintain optimal system performance across multiple devices and locations.
Why Do We Recommend It?
Check for problems with devices and systems from a distance.
Control and management of endpoints should be centralized.
Patching software should be done automatically to keep it safe.
Access devices remotely and fix problems.
Make and use custom tasks for automation.
| What is Good? | What Could Be Better? |
|---|---|
| Strong capabilities for monitoring devices and systems. | There could be more customization options. |
| Powerful tools for remote control and troubleshooting. | Some users have trouble scaling as environments grow. |
Kaseya VSA is a comprehensive remote monitoring and management (RMM) tool designed for IT professionals and managed service providers (MSPs).
It provides robust features for monitoring, managing, and securing IT infrastructure remotely. With Kaseya VSA, administrators can automate routine IT tasks, deploy software, manage patches, and ensure compliance across all endpoints.
The platform offers real-time visibility into system performance, enabling proactive issue resolution and minimizing downtime.
Kaseya VSA’s centralized dashboard and extensive reporting capabilities enhance operational efficiency, making it a valuable tool for maintaining optimal IT health and performance.
Why Do We Recommend It?
Remotely manage and watch over devices and systems.
Control the endpoints from one place to make management easier.
Automated patch management makes it easy to keep software up to date.
Get real-time notifications of system events.
Put security measures in place and keep an eye out for threats.
| What is Good? | What Could Be Better? |
|---|---|
| Software patches and updates that work well. | It takes time to learn all of the features. |
| Works well with third-party tools. | Larger deployments can be resource-intensive. |
| Monitors network devices and their performance. | Some users find the interface harder to navigate. |
Atera is a comprehensive remote monitoring and management (RMM) tool designed for managed service providers (MSPs) and IT professionals.
It offers an all-in-one platform that integrates remote monitoring, help desk, and IT automation to streamline operations and enhance service delivery.
Atera provides real-time monitoring, patch management, network discovery, and remote access, allowing IT teams to proactively manage and resolve issues.
With its user-friendly interface and powerful features, Atera helps organizations improve efficiency, reduce downtime, and deliver exceptional IT support to their clients.
Why Do We Recommend It?
Control and maintain endpoints from a central location.
Automate security and update patches for software.
Make your own scripts to automate tasks.
Make detailed reports on the status of the system.
| What is Good? | What Could Be Better? |
|---|---|
| Issue management with an integrated service desk. | There could be more customization options. |
| Custom automation and task execution are possible. | Some users say scaling doesn't work well in bigger environments. |
| RMM and PSA tools are combined into one platform. | Support quality can vary between users. |
| Can be used to manage more than one client or site. | Some more advanced security measures might be wanted. |
ManageEngine Remote Access Plus is a remote monitoring and management (RMM) solution that allows IT administrators and managed service providers (MSPs) to monitor and manage client endpoints, servers, and networks from a single console.
The ability to control client systems remotely allows for real-time interaction, facilitating efficient problem resolution. MSPs can automate the distribution of software updates and security patches to client devices, keeping systems up to date and protected against emerging threats.
ManageEngine Remote Access Plus reporting and analytics give MSPs insight into system performance, resource utilization, and user activity. Customized reports and dashboards assist in demonstrating the value of services and making data-driven decisions.
Why Do We Recommend It?
Access and control devices from a distance to fix problems.
Transfer files between nearby and faraway devices safely.
Manage systems from afar, even when users aren’t there.
Use and work on multiple screens without any trouble.
Turn on devices from a distance to start remote sessions.
| What is Good? | What Could Be Better? |
|---|---|
| Recordings of remote sessions can be used for review and training. | Some users said there were not enough integrations with third-party apps. |
| Works well with more than one screen. | In larger deployments, some users have had trouble with scaling. |
| Provides encryption and authentication to make connections more secure. | Support quality can vary between users. |
| Records detailed information about each session for auditing. | |
TeamViewer Remote Monitoring and Management (RMM) is a comprehensive solution for managed service providers (MSPs) that allows them to remotely monitor and manage client endpoints, servers, and networks.
MSPs can use the remote control feature to take control of endpoints, perform tasks, and troubleshoot issues without having to access the devices physically. It enables MSPs to continuously monitor system performance, network health, and security vulnerabilities.
MSPs can track hardware and software assets, manage warranties, and monitor license compliance in client environments. TeamViewer RMM’s reporting and analytics give MSPs insight into system performance, response times, and ticket trends.
MSPs can demonstrate the value of their services and make data-driven decisions by using customizable reports and dashboards.
Why Do We Recommend It?
Get alerts about important events and problems.
Set up security measures that include an antivirus program.
To do maintenance, run commands on devices that are far away.
Access and control devices with different operating systems.
Print documents from devices far away to printers nearby.
| What is Good? | What Could Be Better? |
|---|---|
| Gives fast and safe remote access to devices. | Can use a lot of resources, especially for larger deployments. |
| Allows devices to be controlled so that problems can be fixed. | Compared to competitors, it might not have as many advanced features. |
| Checks for problems with devices and systems. | In larger environments, users have said that scaling doesn't work well. |
| Allows local and remote devices to securely send and receive files. | |
IT administrators and MSPs may monitor and manage client endpoints, servers, and networks using LogMeIn Central, a dashboard-based RMM solution.
Powerful remote access with LogMeIn Central lets technicians securely connect to client devices and troubleshoot issues. Remote control enables real-time interaction with client systems and faster problem resolution.
IT administrators and managed service providers may monitor system performance, network health, and security vulnerabilities in real time with LogMeIn Central’s endpoint monitoring.
MSPs can automate software upgrades and security patches across client devices to keep systems up to date and safe from new threats. It provides warranty, license, and hardware lifecycle management insights.
Why Do We Recommend It?
You can use computers and other devices from anywhere and control them.
Control and management of endpoints should be centralized.
Diagnose and fix problems from a distance.
Transfer files between nearby and faraway devices safely.
During remote sessions, you can use more than one screen.
| What is Good? | What Could Be Better? |
|---|---|
| Gives fast and safe remote access to devices. | Can use a lot of resources, especially for larger deployments. |
| Allows devices to be controlled so that problems can be fixed. | Compared to competitors, it might not have as many advanced features. |
| Works with many different operating systems. | In larger environments, users have said that scaling doesn't work well. |
| Provides encryption and authentication to make connections more secure. | Some users said there were not enough integrations with third-party apps. |
Technical support can remotely access client devices and fix issues. Remote control offers real-time client system involvement, improving problem-solving.
Pulseway monitors system performance, network health, and security vulnerabilities in real time. MSPs can proactively monitor client environments and receive warnings and notifications for quick problem response.
Programmable scripts and workflows automate software installations, system setups, and maintenance. MSPs can also use Pulseway to manage hardware and software assets across client settings.
Pulseway reporting and analytics lets MSPs track KPIs, create customized reports, and show clients their worth.
Why Do We Recommend It?
Automated patching is a way to keep software up to date.
Find out about problems with the system and other events.
Scripts and workflows can be used to automate tasks.
Set up policies and security measures.
Set up backups and easily get your data back.
| What is Good? | What Could Be Better? |
|---|---|
| Strong capabilities for monitoring devices and systems. | Some parts may take time to figure out. |
| Provides tools for remote control and troubleshooting. | There could be more customization options. |
| Lets you automate and run tasks in your own way. | Some users say scaling doesn't work well in bigger environments. |
| Offers management of mobile devices through a separate app. | Some more advanced security measures might be wanted. |
MSPs can use it to keep track of the health and performance of network devices such as routers, switches, and access points. Domotz’s remote access functionality enables technicians to securely connect to devices and troubleshoot problems remotely.
The remote control feature allows for real-time interaction with devices, facilitating troubleshooting and problem resolution. Domotz also provides comprehensive device discovery and inventory management features.
MSPs can automatically detect network devices and create an inventory of hardware and software assets. MSPs are capable of identifying security risks, performing network diagnostics, and implementing security measures for client networks.
Why Do We Recommend It?
Make visual maps of the devices and connections in your network.
Find and identify network devices on their own.
Get alerts when there are problems or changes on the network.
Use diagnostic tools to figure out what’s wrong with your network.
Scan networks to find possible security holes.
| What is Good? | What Could Be Better? |
|---|---|
| Finds devices on the network and maps them. | There may be limits on some advanced features. |
| Provides tools for remote control and troubleshooting. | |
Splashtop Remote Support is a remote monitoring and management (RMM) solution designed for IT professionals and managed service providers (MSPs) to offer remote IT support to their customers.
Technicians can securely connect to client devices from any location, allowing them to troubleshoot problems and provide remote support. The remote control feature allows for real-time interaction with client systems, allowing for more efficient problem resolution.
Proactive alerts and notifications aid in the detection and resolution of problems before they affect end users. Splashtop Remote Support also includes file transfer capabilities, which enable technicians to securely transfer files between their device and the client’s device.
This function streamlines the process of exchanging files for troubleshooting or software updates.
Why Do We Recommend It?
Transfer files between nearby and faraway devices safely.
Print documents from devices far away to printers nearby.
Use and work on multiple screens without any trouble.
Record remote sessions for auditing and training purposes.
Talk to each other and work together during sessions.
| What is Good? | What Could Be Better? |
|---|---|
| Fast and safe remote access to devices. | There may be limits on some advanced features. |
| Allows devices to be controlled so that problems can be fixed. | Some users find that some features are hard to use. |
| Allows for the safe transfer of files between devices. | |
AnyDesk Remote Monitoring is an RMM solution that allows IT professionals and managed service providers (MSPs) to remotely monitor and manage client endpoints, servers, and networks. AnyDesk Remote Monitoring’s primary feature is its remote access capability.
It enables technicians to securely connect to client devices and troubleshoot problems remotely. The remote control feature allows for real-time interaction with client systems, allowing for more efficient problem resolution.
Proactive alerts and notifications assist in identifying and addressing issues before they affect end users. Technicians can record remote sessions for auditing or training purposes, as well as generate reports to track their support activities and show the value of their services.
AnyDesk Remote Monitoring also integrates with third-party tools like professional service automation (PSA) and remote monitoring and management (RMM) platforms.
Why Do We Recommend It?
Access devices even when the user is not around.
Link up between different operating systems.
Add your brand to the experience of remote support.
Handle access levels and permissions.
Restart devices from afar to check for updates or fix problems.
| What is Good? | What Could Be Better? |
|---|---|
| Offers fast and safe remote access. | There may be limits on some advanced features. |
| Allows devices to be controlled so that problems can be fixed. | Some parts may take time to figure out. |
| Allows for the safe transfer of files between devices. | |
Continuum RMM (Remote Monitoring and Management) is an all-in-one RMM solution for managed service providers (MSPs) to remotely monitor, manage, and support client IT infrastructure.
Its remote access feature enables technicians to securely connect to client devices and remotely troubleshoot issues. The remote control function allows for real-time interaction with client systems, which improves problem resolution.
MSPs can monitor client environments proactively, detect problems early, and take immediate action to resolve them. MSPs can write custom scripts and workflows to automate routine tasks like software installations, system configurations, and maintenance procedures.
MSPs have the ability to track and manage hardware and software assets across client environments, including warranty information, license compliance, and hardware lifecycle management.
Why Do We Recommend It?
Track issues and handle support tickets.
Use a mobile app to take care of systems.
Make reports about the health and activities of the system.
Plan and set up complex automation tasks.
Manage multiple clients or sites in an effective way.
| What is Good? | What Could Be Better? |
|---|---|
| Strong capabilities for monitoring devices and systems. | Initial setup and configuration can be hard. |
| Software patch management that works well. | It takes time to learn how to use all of the features. |
| Provides tools for remote control and troubleshooting. | Larger deployments can use a lot of resources. |
| Lets you automate and run tasks in your own way. | More features may come with a higher price tag. |
N-able RMM (Remote Monitoring and Management) is a complete RMM solution made for managed service providers (MSPs) to remotely manage and support client IT infrastructure.
A secure connection to client devices lets technicians solve problems remotely. Remote control allows for real-time interaction with client systems, allowing for more efficient problem resolution.
MSPs can continuously monitor system performance, network health, and security flaws. MSPs can use the automation features in N-able RMM to streamline routine tasks and increase efficiency.
Custom scripts and workflows can be written to automate software installations, system configurations, and maintenance procedures.
Why Do We Recommend It?
Updates and patches for software should be done automatically.
Get real-time alerts for system events.
Set up security measures that include an antivirus program.
Keep an eye on network devices and how they work.
Use a mobile app to take care of systems.
| What is Good? | What Could Be Better? |
|---|---|
| Strong capabilities for monitoring devices and systems. | It takes time to learn how to use all of the features. |
| Software patch management that works well. | More features may come with a higher price tag. |
| Offers remote control and tools to fix problems. | Support quality can vary between users. |
| Lets you automate and run tasks in your own way. | High customization can mean a learning curve. |
SyncroMSP is a remote monitoring and management (RMM) solution for managed service providers (MSPs) that allows them to remotely monitor, manage, and support their clients’ IT infrastructure.
MSPs can monitor client environments proactively, detect problems early, and take immediate action to resolve them. MSPs can automate the deployment of software updates and security patches across client devices, ensuring that systems are always up to date and safe from emerging threats.
MSPs can use SyncroMSP’s automation features to streamline repetitive tasks and increase efficiency. Workflows can be used to automate tasks such as software installations, system configurations, and maintenance procedures.
Support tickets, response times, and real-time client system monitoring can all be handled effectively by MSPs.
Why Do We Recommend It?
Install security measures that have built-in features.
Use security measures that have built-in features.
Keep track of your hardware and software.
Handle user roles and permissions.
Make reports about the health and activities of the system.
| What is Good? | What Could Be Better? |
|---|---|
| Issue management with an integrated service desk. | There could be more customization options. |
| Helps automate complex tasks. | Reporting options could use some work. |
| Good for managing more than one client or site. | Some users might not have many integration options. |
| Offers management of mobile devices through a separate app. | |
Zoho Corporation’s RMM technology lets managed service providers (MSPs) remotely monitor and manage customer IT infrastructure. Zoho Corporation’s RMM solution allows personnel to securely connect to customer devices and troubleshoot issues remotely.
MSPs can automate software upgrades and security patches across client devices to keep systems up to date and safe from new threats.
MSPs can handle client hardware and software assets, including warranty information, license compliance, and hardware lifecycle management. MSPs may showcase their services and make data-driven decisions with configurable reports and dashboards.
Why Do We Recommend It?
Use sales reports and dashboards that you can change to learn more.
Match bank transactions and records automatically.
Give customers a place where they can look for answers.
Give employees access to their information and the ability to change it.
Make visual reports and dashboards to help you understand your data.
| What is Good? | What Could Be Better? |
|---|---|
| Provides a wide range of business tools and applications. | There may be a learning curve for some of the more advanced features. |
| Works well with other Zoho tools and third-party tools. | Some tools might not have as many advanced features as they could. |
| Offers ways to customize workflows to fit specific needs. | It might be hard to manage and integrate multiple tools. |
| The whole suite has easy-to-use interfaces. | Different tools can offer different kinds of support. |
A sophisticated supply chain attack has reportedly compromised data across hundreds of organizations, linking the breach to a critical integration between customer success platform Gainsight and CRM giant Salesforce.
The notorious hacking collective ShinyHunters is claiming responsibility for the intrusion, which allegedly affects over 200 companies. The attack vector did not rely on breaking into Salesforce directly but instead on exploiting the trusted connection established through third-party applications.
On November 20, 2025, Salesforce took emergency action to contain the threat. The company officially disabled the connection between Gainsight-published applications and the Salesforce ecosystem after detecting “unusual activity.”
According to a statement from Salesforce, its investigation suggests that the activity facilitated unauthorized access to customer data, specifically through the app's external connection.
Exploiting Trusted OAuth Tokens
The mechanics of this campaign highlight a growing trend in modern cyber warfare: targeting the “keys” rather than the “locks.”
The Google Threat Intelligence Group (GTIG), including researchers from Mandiant, identified the threat actors as affiliates of ShinyHunters. These adversaries compromised third-party OAuth tokens.
In the SaaS environment, OAuth tokens function like digital permission slips, allowing apps like Gainsight to talk to Salesforce without requiring a user to log in every time.
By stealing these tokens, the attackers could potentially bypass multi-factor authentication and standard login defenses, masquerading as the trusted application to exfiltrate sensitive corporate data. This method allows threat actors to move laterally within cloud environments while remaining undetected by traditional perimeter security.
While the scope of the data loss is potentially massive, Salesforce has been clear in its distinction regarding where the fault lies. The company emphasized that there is “no indication that this issue resulted from any vulnerability in the Salesforce platform.” Instead, the breach is strictly related to the external connection and the management of credentials for the Gainsight integration.
Currently, customers are unable to connect their Gainsight-published applications to Salesforce until further notice. Both Salesforce and Mandiant are actively notifying organizations that show signs of compromise.
This incident mirrors similar campaigns observed recently, such as attacks targeting Salesloft Drift, suggesting a concerted effort by threat groups to audit and exploit SaaS ecosystems where third-party permissions are often granted and forgotten.
Urgent Actions for SaaS Administrators
This incident serves as a critical wake-up call for organizations relying on interconnected SaaS platforms. Security teams should treat it as a prompt to audit their entire cloud environment immediately.
The primary recommendation is to review all connected apps within Salesforce instances and revoke OAuth tokens for any integration that is unused, suspicious, or related to the affected Gainsight applications.
Organizations using Gainsight integrations should monitor for official communications from both vendors, Salesforce and Gainsight.
Proactive defense is still required: if any anomalous activity is detected from an integration, administrators should rotate credentials immediately and assume a potential compromise.
As threat actors increasingly pivot toward identity-based attacks and token theft, the maintenance of third-party permissions has become just as vital as patching software vulnerabilities.
Here is the table of Indicators of Compromise (IoCs) associated with the ShinyHunters campaign targeting Salesforce and Gainsight integrations.

| IOC Type | Value | First Seen (UTC) | Last Seen (UTC) | Observed Activity |
|---|---|---|---|---|
| IP Address | 104.3.11[.]1 | 2025-11-08 13:11:29 | 2025-11-08 13:15:23 | AT&T IP; reconnaissance and unauthorized access. |
| IP Address | 198.54.135[.]148 | 2025-11-16 21:48:03 | 2025-11-16 21:48:03 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 198.54.135[.]197 | 2025-11-16 22:00:56 | 2025-11-16 22:06:57 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 198.54.135[.]205 | 2025-11-18 10:43:55 | 2025-11-18 12:09:35 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 146.70.171[.]216 | 2025-11-18 20:21:48 | 2025-11-18 20:50:13 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 169.150.203[.]245 | 2025-11-18 20:54:02 | 2025-11-18 23:04:12 | Surfshark VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 172.113.237[.]48 | 2025-11-18 21:23:29 | 2025-11-18 21:51:32 | NSocks VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 45.149.173[.]227 | 2025-11-18 22:05:15 | 2025-11-18 22:05:18 | Surfshark VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 135.134.96[.]76 | 2025-11-19 08:26:18 | 2025-11-19 10:30:37 | IProxyShop VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 65.195.111[.]21 | 2025-11-19 10:57:37 | 2025-11-19 10:59:19 | IProxyShop VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 65.195.105[.]81 | 2025-11-19 11:17:51 | 2025-11-19 11:48:07 | Nexx VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 65.195.105[.]153 | 2025-11-19 12:23:17 | 2025-11-19 12:23:35 | ProxySeller VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 45.66.35[.]35 | 2025-11-19 12:47:43 | 2025-11-19 12:47:45 | Tor VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 146.70.174[.]69 | 2025-11-19 12:47:49 | 2025-11-19 12:47:49 | Proton VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 82.163.174[.]83 | 2025-11-19 14:30:36 | 2025-11-19 22:26:46 | ProxySeller VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 3.239.45[.]43 | 2025-10-23 00:17:22 | 2025-10-23 00:45:36 | AWS IP; reconnaissance against customers with compromised Gainsight access token. |
| User Agent | python-requests/2.28[.]1 | 2025-11-08 13:11:19 | 2025-11-08 13:15:01 | Not an expected user agent string used by Gainsight connected app; use in conjunction with other IOCs shared. |
| User Agent | python-requests/2.32[.]3 | 2025-11-16 21:48:03 | 2025-11-16 21:48:03 | Not an expected user agent string used by Gainsight connected app; use in conjunction with other IOCs shared. |
| User Agent | python/3.11 aiohttp/3.13[.]1 | 2025-10-23 00:00:00 | 2025-10-23 00:01:00 | Not an expected user agent string used by Gainsight connected app; use in conjunction with other IOCs shared. |
| User Agent | Salesforce-Multi-Org-Fetcher/1.0 | 2025-11-18 22:05:13 | 2025-11-19 22:24:01 | Leveraged by threat actor for unauthorized access; also observed in Salesloft Drift activity. |
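To turn the IoCs above into the audit the article recommends, the following Python checks connected-app API events against the listed IPs and user agents. This is an added example, not code from the article, Salesforce, Gainsight or Mandiant; the pipe-delimited record layout, the app names and the sample events are constructed for illustration, and scoping the user-agent check to the Gainsight app is an assumption.

```python
import ipaddress

# IP indicators from the table above, with the defanging brackets removed.
SUSPECT_IPS = {ipaddress.ip_address(s) for s in (
    "104.3.11.1", "198.54.135.148", "198.54.135.197", "198.54.135.205",
    "146.70.171.216", "169.150.203.245", "172.113.237.48", "45.149.173.227",
    "135.134.96.76", "65.195.111.21", "65.195.105.81", "65.195.105.153",
    "45.66.35.35", "146.70.174.69", "82.163.174.83", "3.239.45.43",
)}
# User-agent prefixes from the table; the article notes these are not expected
# from the Gainsight connected app and should be read together with other IoCs.
SUSPECT_UA_PREFIXES = ("python-requests/", "python/", "Salesforce-Multi-Org-Fetcher/")

def parse_event(line):
    """Parse one constructed record: timestamp | connected app | source IP | user agent | operation."""
    ts, app, ip, ua, op = (f.strip() for f in line.split("|", 4))
    return {"ts": ts, "app": app, "ip": ip, "ua": ua, "op": op}

def check_event(ev):
    """Return the reasons an event is suspicious (empty list when it is clean)."""
    reasons = []
    try:
        if ipaddress.ip_address(ev["ip"]) in SUSPECT_IPS:
            reasons.append("source IP matches published IoC")
    except ValueError:
        reasons.append("source IP is not a valid address")
    # Assumption: the user-agent check is scoped to the Gainsight app, the only
    # integration whose expected user agent the article describes.
    if ev["app"].lower().startswith("gainsight") and ev["ua"].startswith(SUSPECT_UA_PREFIXES):
        reasons.append("user agent not expected from Gainsight connected app")
    return reasons

def scan(lines):
    """Return (record number, reasons) for every record with at least one reason."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = check_event(parse_event(line))
        if reasons:
            hits.append((n, tuple(reasons)))
    return hits

# Constructed sample records (not real telemetry); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for benign sources.
SAMPLE_EVENTS = [
    "2025-11-18T20:54:02Z | Gainsight | 169.150.203.245 | python-requests/2.32.3 | Query Account",
    "2025-11-18T21:00:11Z | Gainsight | 203.0.113.10 | GainsightConnector/5.4 | Query Contact",
    "2025-11-19T22:20:00Z | Gainsight | 198.51.100.7 | Salesforce-Multi-Org-Fetcher/1.0 | Bulk Query Case",
    "2025-11-19T22:21:00Z | Slack | 198.54.135.148 | python-requests/2.28.1 | Query User",
]
```

Any hit is a reason to rotate the integration's credentials and review what the token was used to read, in line with the recommendations above.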