Unc6395 — Threat Actor Profile, Campaigns & Targets

Threat entity extracted from intelligence sources

Frequency
2
occurrences
First Seen
May 29, 2026
Last Seen
June 21, 2026

Unc6395 is a apt_group tracked across 2 threat clusters and 2 intelligence report mentions on ThreatCluster. First observed May 29, 2026; most recent activity June 21, 2026.

Related Threat Clusters

  • Salesloft Drift OAuth Token Breach Exposes Salesforce Data

    Between August 9 and August 17, 2025, the threat actor UNC6395 exploited stolen OAuth tokens from Salesloft's Drift integration to access Salesforce environments of over 700 organizations, including major tech firms.…

    3 articles · Updated June 21, 2026
  • Zapier Exploit Chain Grants Unauthorized NPM Access

    Researchers at Token Security disclosed a five-stage exploit chain that allowed a free Zapier account to gain write access to both public and internal NPM packages. Each stage of the chain exploited known anti-patterns,…

    8 articles · Updated May 28, 2026

Recent Intelligence Reports

  • Data Theft Salesforce Instances Via Salesloft Drift — cloud.google.com · June 21, 2026
  • With Complex Cloud Integrations, Small Errors Lead to Major Compromises — Darkreading · May 29, 2026

CVSS v3.1 Breakdown