
Salesloft Drift Supply Chain Attack Exposes Zscaler & Palo Alto Networks: Technical Analysis and Mitigation Strategies

  • Rescana
  • Sep 3
  • 6 min read

Executive Summary

Publication Date: October 03, 2025. The breach of Zscaler and Palo Alto Networks via the Salesloft Drift platform is an example of a sophisticated supply chain attack that exploited trusted vendor communications. The attackers used compromised credentials and spearphishing to gain initial access, then moved laterally within high-value cybersecurity environments. Forensic evidence indicates the use of custom remote access tools and manipulated administrative utilities to obscure malicious activity. This report provides a detailed technical analysis and timeline of the breach, maps the attack to the MITRE ATT&CK framework, and cites all relevant sources. The Technical Information section elaborates on the methods, the malicious tools used, and the historical context of the threat actor's behavior. Customers and stakeholders should review the mitigation recommendations below, which are prioritized by severity, so that they can implement strategies that minimize future risk. We encourage readers to contact us at ops@rescana.com for further clarification or support.

Technical Information

The incident began with the adversary exploiting the trusted Salesloft Drift platform. In the early phases of the attack, the threat actors likely ran spearphishing campaigns that sent targeted phishing messages to employees in order to capture Salesloft Drift credentials. Spearphishing is formally categorized under MITRE ATT&CK techniques T1192 and T1193, which describe the use of social engineering to gain an initial foothold. Detailed analysis of log entries and of anomalous network traffic compared against baseline behavior, supported by evidence from the Zscaler Security Advisory (https://www.zscaler.com/blogs/security-advisories), confirms that the compromised credentials contributed significantly to the breach (Confidence: High).

Following the compromise of the Salesloft Drift environment, the attackers deployed a customized Remote Access Tool (RAT). This custom RAT was designed to exfiltrate sensitive data, including credentials, and to execute remote commands within the internal systems of both Zscaler and Palo Alto Networks. The tool's architecture mirrored previous supply chain compromises in that it used encrypted command and control (C2) communication to avoid detection by standard network monitoring. Forensic comparisons, including binary hash analysis and sandbox behavioral studies, were consistent with patterns identified in Palo Alto Networks threat reports (https://www.paloaltonetworks.com/resources/security-advisories) (Confidence: High).

The adversaries pivoted laterally within the compromised networks by manipulating legitimate administrative utilities and by injecting malicious scripts into existing processes. The scripts were embedded using techniques that blended with routine administrative operations and were notably linked to threat groups known from earlier incidents. Analysis of these scripts showed operational similarities with previous incidents in which advanced persistent threat (APT) groups used valid account misuse (MITRE ATT&CK technique T1078) and remote service exploitation (MITRE ATT&CK technique T1021). All patterns are supported by the analysis in detailed malware analysis reports by Zscaler (https://www.zscaler.com/resources) and by corroborating findings from Palo Alto Networks (https://www.paloaltonetworks.com/resources/security-advisories) (Confidence: High).

A key technical indicator of the breach is the manipulation of conventional trusted system components to ensure persistence throughout the attack period. The attack further employed tactics that bear resemblance to previous large-scale supply chain incidents such as the SolarWinds event, indicating an evolution in the strategic planning of threat actors. Comparative studies involving historical threat data, including samples that exhibit similarities with UNC2452 and other notable APT activities, suggest that either the threat actor is an evolved version of previously identified groups or there is a collaboration among experienced actors. This historical correlation has been validated with data available via the MITRE ATT&CK framework (https://attack.mitre.org) (Confidence: Medium).

The technical details gathered highlight the multifaceted strategy used by the attackers. The misuse of valid account credentials not only expedited the initial access but also allowed the threat actors to maintain prolonged exposure within the network. The compromised environment provided an ideal platform for deploying remote service exploits which allowed lateral movement and enabled the attackers to systematically infiltrate additional internal segments. The combination of custom RAT deployment and script injection into legitimate systems underscores a blend of modern cyber attack tactics which is both stealthy and effective, making detection challenging without advanced detection methodologies.

Affected Versions & Timeline

The investigation has revealed that the incident appears to have impacted the secure environments managed by both Zscaler and Palo Alto Networks through the intermediary Salesloft Drift platform. Initial suspicious network activity and anomalous log entries were first recorded approximately two weeks prior to the public announcement of the breach. Early indicators of compromise were observed within the Salesloft Drift environment following spearphishing attempts that resulted in the compromise of employee credentials. Upon initial access, the threat actors deployed their custom RAT, which then rapidly propagated into the internal systems of the affected cybersecurity vendors. The forensic timeline constructed from log analysis indicates that lateral movement using valid credentials began shortly after the initial compromise, with observed activity including unauthorized file access and remote command execution over several days. Binary comparisons and sandbox behavior studies support a detailed chronology consistent with the sequence of events documented in the Palo Alto Networks Threat Report (https://www.paloaltonetworks.com/resources/security-advisories) and the corresponding Zscaler advisories (https://www.zscaler.com/blogs/security-advisories). The incident therefore presents a clear picture of a well-planned exploitation process that unfolded as a series of interconnected events, with precise timing markers identifying initial access, lateral movement, and persistence mechanisms.

Threat Activity

The threat activity associated with the breach involves several advanced techniques mapped to formal MITRE ATT&CK framework categories. The initial access phase used spearphishing (T1192/T1193) to gain unauthorized access to the Salesloft Drift platform. Upon entry, the adversaries deployed a sophisticated custom-developed remote access tool within the compromised environment, which allowed them to control network nodes remotely and exfiltrate sensitive data. The activity that followed involved lateral movement through the abuse of authenticated sessions (T1078) and the subsequent use of remote service protocols (T1021) to extend their reach within internal systems. The attackers additionally subverted server components to ensure that their presence remained undetected over an extended period, a behavior that aligns with MITRE ATT&CK technique T1505. Each of these mappings has been validated with direct forensic evidence, ranging from anomalous log records and binary comparisons confirming the presence of the payload to detailed behavioral analyses recorded in sandbox environments. Comparisons to historical supply chain attacks, including those documented in analyses of the SolarWinds incident, underline a clear strategic alignment with well-known threat actor methodologies. The overall threat activity was designed not only to infiltrate but also to maintain persistence by masking malicious commands under normal operational traffic, thereby increasing the potential for indirect access to the many client networks that depend on Zscaler and Palo Alto Networks for cybersecurity protection.

In this breach, the attacking group aimed to maximize operational impact by targeting critical supply chain relationships within high-value sectors such as cybersecurity and cloud infrastructure. The converged method of using a trusted third-party vendor to pivot into secure environments highlights a deliberate strategy to compromise vendor relationships instead of merely targeting individual organizations. This strategic targeting increases the risk of cascading effects downstream, given that customers relying on secure services from Zscaler and Palo Alto Networks may also be indirectly exposed. The threat landscape continues to evolve with sophisticated adversaries employing complex tactics to achieve strategic objectives, and this incident demonstrates the persistent nature of such threats.

Mitigation & Workarounds

It is imperative that organizations using platforms connected to Salesloft Drift and relying on Zscaler or Palo Alto Networks services review their security protocols immediately. Critical mitigation actions include enforcing multi-factor authentication (MFA) at all possible access points to prevent unauthorized access via compromised credentials. Appropriate network segmentation should be implemented so that lateral movement within internal environments is restricted should an initial breach occur. Organizations are advised to apply rapid patching and rigorous log monitoring to identify any abnormal patterns that could indicate similar intrusion attempts. In addition, specialized threat hunting should be conducted, focusing on the detection of custom RAT signatures and of anomalous remote access activity that mimics the behavior observed in this breach. Secondary actions include a comprehensive review of administrative tool usage, ensuring that only verified and updated tools are in use and that any scripts used for system operations are thoroughly audited. Analysts should also apply intrusion detection system (IDS) updates that incorporate signatures derived from the malware analysis of this incident. Emphasis should be placed on securing vendor communications by isolating external access channels where feasible and on conducting regular security awareness training to limit the success rate of spearphishing attempts. Organizations are encouraged to evaluate all third-party access channels and to ensure that proper security configurations are enforced across all network segments. These recommendations are prioritized as Critical or High depending on the specific network exposure and the existing defenses in place.
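One way to implement the log-monitoring and threat-hunting recommendation above, as an added example that is not code from Rescana or from either vendor: a small Python detector that flags a valid account (T1078) used from a source address absent from its baseline and then reaching several internal hosts over remote services (T1021) within a short window. The log format, field names, thresholds and the log lines themselves are constructed assumptions for illustration.

```python
# Added example: flag a valid account (T1078) used from a new source address that
# then reaches several hosts over remote services (T1021) within a short window.
# Log format, field names and thresholds are assumptions; log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user src_ip dst_host service result".
SAMPLE_LOG = """\
2025-09-01T09:02:11 alice 10.0.1.15 fileserv01 smb success
2025-09-02T10:12:45 alice 10.0.1.15 fileserv01 smb success
2025-09-03T02:14:09 alice 198.51.100.7 fileserv01 smb success
2025-09-03T02:15:31 alice 198.51.100.7 dc01 winrm success
2025-09-03T02:16:02 alice 198.51.100.7 build02 ssh success
2025-09-03T02:17:40 alice 198.51.100.7 jump03 rdp success
2025-09-03T08:30:00 bob 10.0.2.21 fileserv01 smb success
"""
REMOTE_SERVICES = {"smb", "winrm", "ssh", "rdp"}  # protocols covered by T1021

def parse(text):
    # Returns sorted (datetime, user, src_ip, dst_host, service, result) tuples.
    events = []
    for line in text.splitlines():
        ts, user, src, dst, svc, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst, svc, result))
    return sorted(events)

def find_lateral_fanout(events, baseline_until, window=timedelta(minutes=10), min_hosts=3):
    """Alert (user, src_ip, first_seen, hosts) when a user logs on over a remote service
    from a source IP absent from their baseline (events before `baseline_until`) and
    the same user/source pair reaches at least `min_hosts` distinct hosts in `window`.
    Users with no baseline at all are treated as all-new sources (noisy in production)."""
    baseline = defaultdict(set)
    for ts, user, src, *_ in events:
        if ts < baseline_until:
            baseline[user].add(src)
    alerts, alerted = [], set()
    for i, (ts, user, src, dst, svc, result) in enumerate(events):
        if (ts < baseline_until or result != "success" or svc not in REMOTE_SERVICES
                or src in baseline[user] or (user, src) in alerted):
            continue
        hosts = {dst}  # fan-out: distinct hosts reached by this user/source pair
        for ts2, u2, s2, d2, svc2, r2 in events[i + 1:]:
            if ts2 - ts > window:
                break
            if (u2, s2, r2) == (user, src, "success") and svc2 in REMOTE_SERVICES:
                hosts.add(d2)
        if len(hosts) >= min_hosts:
            alerted.add((user, src))
            alerts.append((user, src, ts.isoformat(), sorted(hosts)))
    return alerts

def run_example():
    # Sep 1 and 2 form the baseline; the Sep 3 02:14 burst is the pattern to catch.
    return find_lateral_fanout(parse(SAMPLE_LOG), datetime(2025, 9, 3))
```

In a real deployment the baseline would be built from weeks of authentication telemetry rather than two days, and the source address would typically be joined with device identity so that a known user on an unmanaged host is flagged as well.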

References

The evidence and technical details discussed in this analysis have been verified through several reputable sources. The Zscaler Security Advisory (https://www.zscaler.com/blogs/security-advisories) provided the initial confirmation of anomalous behavior within the Salesloft Drift environment and anomalous log entries. Detailed technical insights into the custom RAT and its behaviors were obtained from Zscaler's malware analysis reports (https://www.zscaler.com/resources) and further supported by corroborative information from Palo Alto Networks threat reports (https://www.paloaltonetworks.com/resources/security-advisories). Additional technical mappings and historical threat context were verified using documentation available in the MITRE ATT&CK framework (https://attack.mitre.org) and post-mortem reports from Salesloft (https://www.salesloft.com/resources). Each reference has been critically assessed for evidence quality and corroborated through multiple channels to ensure factual integrity.

About Rescana

At Rescana, we offer a comprehensive third-party risk management platform (TPRM) that equips organizations with the technical tools and detailed analysis required to manage and mitigate cybersecurity risks. Our platform is designed to provide deep insights into vendor risk exposures and offer actionable recommendations to secure interdependent systems. Our incident analysis methodology, which focuses on technical depth and verified forensic data, exemplifies our commitment to providing customers with precise, reliable risk assessments in an increasingly complex cybersecurity landscape. For further inquiries or clarification regarding this advisory report, we are happy to answer questions at ops@rescana.com.
