The Trinity of Chaos, a ransomware collective presumably associated with the Lapsus$, Scattered Spider, and ShinyHunters groups, launched a Data Leak Site (DLS) on the TOR network listing 39 companies, including but not limited to Aeromexico, Air France, Google, Cisco, Stellantis, and Qantas Airlines, that were impacted by malicious cyber activity targeting vulnerable Salesforce instances and other vulnerabilities.
As detailed by Resecurity in the previous threat intelligence report, the group aims to continue its activities and has shifted toward a traditional ransomware modus operandi.
The listing on the Data Leak Site (DLS) includes references to the most recent victims, including Stellantis, the automotive giant that disclosed a data breach affecting its North American customers a few weeks ago (September 21, 2025). This incident followed an attack on the British luxury carmaker Jaguar Land Rover, which severely disrupted its retail and production activities.
Notably, the majority of leaked data samples lack passwords but contain substantial amounts of PII, which may confirm that the stolen records likely originate from the impacted Salesforce instances, obtained through vishing attacks and stolen OAuth tokens used for Salesloft’s Drift AI chat integration. This has prompted a recent flash warning issued by the FBI, outlining technical indicators that organizations should monitor to determine if attackers have infiltrated their Salesforce environments.
A previous Resecurity report has uncovered a rapidly unfolding—and potentially much larger—global cybercrime campaign led by the notorious alliance of LAPSUS$, ShinyHunters, and Scattered Spider. Contrary to recent claims of “retirement,” the so-called “Trinity of Chaos” continues to conduct coordinated hacks and extortion operations against leading enterprises, with multiple major data breaches yet to be disclosed to the public. This timely report highlights a surge of private extortion attempts, signaling that the true blast radius of these threat actors may far exceed what has so far come to light. The group claims to have updated the Data Leak Site (DLS) after October 10 in the event of non-payment. According to them, the new DLS will feature over 1.5 billion records.
Resecurity analysts warn that only now are new victims and incidents coming to the surface. With confidential extortion activity ongoing—and the group leveraging its notoriety to coerce companies into silence—the full extent of compromised data across the Fortune 100, financial services, technology, aviation, retail, and auto sectors is just beginning to emerge.
According to cybersecurity experts, cybercriminals may exploit stolen data for malicious purposes on a large scale, including in harmful artificial intelligence (AI) applications. By having context about the affected victims and their industries, threat actors could perform data mining to extract valuable insights and correlate victim data sets with other available information. This could lead to sophisticated social engineering schemes, targeted phishing campaigns, and identity theft, especially targeting large enterprises and government sectors.
(SecurityAffairs – hacking, ShinyHunters)