
ecrime
SaaS Data Theft: How UNC3944, UNC6040, and UNC6395 Quietly Redefined Cloud Risk
Three financially motivated clusters—UNC3944 (“Scattered Spider”), UNC6040, and UNC6395—are driving a surge in SaaS and cloud data theft via social engineering, OAuth abuse, and supply-chain attacks. Their evolving TTPs and anti-forensics are raising the stakes for defenders..