Bitdefender Threat Debrief | September 2025

Salesloft Drift supply chain attack lands a devastating blow to tech and connected customers 

This edition of the Bitdefender Threat Debrief covers several recent developments, including a supply chain attack, an offer made to Qilin and LockBit, a manufactured ransomware powerhouse, and more. 

As ransomware continues to evolve, our goal with this monthly Bitdefender Threat Debrief is to help you stay ahead of the curve. To do this, we combine information from openly available sources (OSINT) - things like news reports and research – with data we gather by analyzing Data Leak Sites (DLSs), websites where ransomware groups post details about their victims. It is important to remember that we can't independently verify all of these claims but are confident in the trends we see over time. 

 For this month's report, we analyzed data from August 1 to August 31 and recorded a total of 496 claimed ransomware victims.

Featured Story: Salesloft Drift supply chain attack lands a devastating blow 

What Happened? 

A Salesloft Drift supply chain attack with incidents dating back to early August has impacted more than 700 organizations worldwide with IT firms, MSSPs, Managed Security Service Providers, and their customers taking the brunt of these attacks.

The breaches have affected several data types, including unique customer information, support tickets, and credentials to access APIs and other services. Salesloft is a SaaS offering designed to manage sales and project management processes, while Drift is the chat agent that supports Salesloft functions, with the assistance of AI. Those using Drift alongside Salesloft and Drift’s integrated services were advised to disconnect Drift, reauthenticate with a new API key, and leave synchronization functions inactive.

The Attack's Origin

The findings published from a recent investigation established that the Salesloft Drift supply chain attack started with a threat actor’s access to a GitHub account from March to June 2025. The threat actor extracted data from connected repositories, created a guest user account, and conducted reconnaissance on the Salesloft and Drift ecosystems. OAuth tokens were a key component of the supply chain attack. After conducting reconnaissance, the threat actor gained access to a Drift AWS environment and obtained the necessary tokens, which they used to locate data stored in Drift-integrated platforms.

Is Scattered LAPSUS$ Hunters Behind This Attack?

Threat activity associated with the Salesloft Drift supply chain attack has been connected to the threat actor known as UNC6395. While a channel named after the Scattered Spider, LAPSUS$, and Shiny Hunters in late July claimed responsibility for the attack, these claims were lacking significant evidence to support that stance.  

At the time of this debrief, there is, however, supporting information that the threat actor responsible for the supply chain attack is distinct from Scattered LAPSUS$ Hunters due to the method used to gain initial access to target systems and the scope of the attack.

Rather than rely on social engineering to enter an environment, the threat actor breaches a third-party software that integrates with multiple platforms, making the consequences of their breach far more extensive than for instance one affected group of machines or accounts. The outcome of such a compromise also differs from the tactics associated with Scattered LAPSUS$ Hunters, who prioritize extortion.

What are the lessons learned?

Customers, service providers, and vendors share a responsibility to secure applications and data. The Salesloft Drift supply chain attack also underscores the importance of maintaining mature risk assessment and incident response programs. It is imperative for teams to assess critical applications used in the environment in addition to the resources connected to those applications.  

Access controls, including the enforcement of separation of duties and credential rotation, provide a barrier to protect against unauthorized users and devices. Finally, testing and continuously updating detection parameters for anomalous activity, including logons, new user/account additions, and data retrieval/removal, can help proactively enhance threat detection efforts to spot threat actor activity earlier.

Other Notable Ransomware News

Now, let’s explore the notable news and findings since the last Threat Debrief release.

• Qilin claims the top rank for the third consecutive month: Qilin has placed in our Top 10 Groups for a year. It’s no surprise that another ransomware group would voice a desire to collaborate with them. Qilin’s status, however, also makes them a target. This was observed several weeks ago when a bounty for Qilin admins disguised as a Europol notice was shared in a Telegram channel. Whether this action was executed by a scorned rival or internal staff is unknown.
• DragonForce offers LockBit and Qilin an opportunity to join forces: At the time of this release, details surrounding the opportunity, including the expected profit-sharing ratio is not known. There is great speculation about whether this proposition by DragonForce is a ruse to save face before a takeover attempt. The group made headlines back in April for their involvement with the competitor RansomHub and a DLS post announcing RIP RansomHUb shortly thereafter.
• WarLock Group exploits SharePoint zero-day flaws: WarLock has exploited a ToolShell flaw in recent campaigns. A threat actor exploiting the SharePoint zero-day flaw can declare a domain Group Policy Object, escalate privileges, and establish a covert command and control channel to transfer data and perform lateral movement before deploying ransomware. Organizations using SharePoint Server 2016 or 2019 and the SharePoint Subscription Edition are advised to update the software to the latest version and check that AMSI in the SharePoint integration settings with HTTP Request Body scanning in Full Mode.
• The PromptLock powerhouse was invented by researchers: Last month, reports of an AI-powered ransomware sewed fear in the hearts of business owners and great doubt in the minds of security engineers. Many wondered how processes central to ransomware operations could be automated further with the support of LLMs to create code that performs scanning activities, identifies target files, exfiltrates, and encrypts data. In response to this growing curiosity, NYU Tandon engineering students created the proof of concept Ransomware 3.0. The code was later uploaded to VirusTotal where researchers flagged it as malicious and assumed it was present in attacks in the wild until NYU Tandon students came forward, disclosing the role in the project.
• Another EDR killer enters the fray: The tool, unnamed, has multiple builds; it has been used by Qilin, DragonForce, BlackSuit, and the former RansomHub. Executed in the context of a legitimate application via code injection, the EDR killer references a digitally signed driver that has a stolen or invalid (expired) certificate. This certificate enables the malicious driver to be loaded into the kernel, allowing it to disable security tools. The various builds of the tool leveraged by different threat actors indicate that tool-sharing activities persist beyond affiliate partnerships.
• Newcomer Sinobi emerges: Sinobi ranked in third place, surpassing SafePay. The group claims to be financially and not politically motivated, encrypting systems and then offering victims seven days to contact them and negotiate a ransom payment. Sinobi has a data leak site that has accrued thousands of views in a short time span. Their site diverges from other ransomware groups as it does not feature more immediate visibility to preview or access impacted files.  

Top 10 Ransomware Families

Bitdefender's Threat Debrief analyzes data from ransomware data leak sites, where groups publicize their claimed number of compromised organizations. This approach provides valuable insights into the overall activity of the RaaS market. However, there is a trade-off: while it reflects attackers' self-proclaimed success, the information comes directly from criminals and may be unreliable. Additionally, this method only captures the number of victims claimed, not the actual financial impact of these attacks. 

Top 10 Countries

Ransomware gangs prioritize targets where they can potentially squeeze the most money out of their victims. This often means focusing on developed countries.  Let’s see the top 10 countries that took the biggest hit from these attacks. 

Top 10 Industries

Ransomware gangs may target organizations in critical infrastructure sectors, select other organizations that offer services tailored to the consumer marketplace, or attack both. Here are the Top 10 industries that were hit by ransomware groups.

About Bitdefender Threat Debrief

The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release, subscribe to the Business Insights blog, and follow us on Twitter. You can find all previous debriefs here.  

Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 180 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discovers 400+ new threats each minute and validates 30 billion threat queries daily. This provides us with one of the industry’s most comprehensive real-time views of the evolving threat landscape. 

We would like to thank Bitdefenders Vlad Craciun, Mihai Leonte, Gabriel Macovei, Andrei Mogage, and Rares Radu (sorted alphabetically) for their help with putting this report together.