Google-owned Mandiant said Friday it has identified an “expanding threat activity” that uses tradecraft consistent with extortion-themed attacks carried out by a financially motivated hacking group called ShinyHunters.
The attacks take advantage of advanced voice phishing (aka vishing) and fake credential harvesting sites that mimic targeted companies to gain unauthorized access to victim environments by collecting single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.
The ultimate goal of the attacks is to target cloud-based software-as-a-service (SaaS) applications to steal sensitive data and internal communications and extort money from victims.
The tech giant’s threat intelligence team said it is monitoring activity under several groups, including UNC6661, UNC6671, and UNC6240 (aka ShinyHunters), to account for the possibility that these groups may evolve their own methods or copy previously observed tactics.
“While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity prior to the ShinyHunters-branded extortion, the breadth of cloud platforms targeted continues to expand as these threat actors seek more sensitive data for extortion,” Mandiant said.
“Furthermore, they have been escalating their extortion tactics with recent events, including harassment of victimized personnel and other tactics.”
The details of vishing and credential theft activity are as follows –
- UNC6661 has been observed pretending to be IT staff in calls to employees of targeted victim organizations, directing them to credential harvesting links under the guise of instructing them to update their multi-factor authentication (MFA) settings. The activity was recorded between early and mid-January 2026.
- The attackers use the stolen credentials to register their own devices for MFA, then move through the victim environment to exfiltrate data from SaaS platforms. In at least one case, threat actors weaponized their access to compromised email accounts to send more phishing emails to contacts at cryptocurrency-focused companies, deleting the sent emails afterwards to hide their tracks. The extortion activity is then conducted by UNC6240.
- UNC6671 has likewise been observed impersonating IT employees and using victim-branded credential harvesting sites since early January 2026 to obtain victims' credentials and MFA authentication codes. In at least some instances, threat actors gained access to Okta customer accounts. UNC6671 also leveraged PowerShell to download sensitive data from SharePoint and OneDrive.
- The differences between UNC6661 and UNC6671 relate to the use of different domain registrars to register the credential harvesting domains (NICENIC for UNC6661 and Tucows for UNC6671), as well as the fact that an extortion email sent following UNC6671 activity did not overlap with known UNC6240 indicators.
- This indicates that a wide variety of people may be involved, which reflects the amorphous nature of these cyber crime groups. Furthermore, the targeting of cryptocurrency companies suggests that threat actors may also be looking for further avenues for financial gain.
To counter the threat posed to SaaS platforms, Google has outlined a long list of hardening, logging and detection recommendations –
- Improve help desk processes, including requiring live video calls for personnel to verify their identities
- Limit access to trusted exit points and physical locations; enforce strong passwords; and remove SMS, phone calls, and email as authentication methods
- Restrict management-plane access, audit for exposed secrets, and enforce device access controls
- Implement logging to increase visibility into identity functions, authorizations, and SaaS export behaviors
- Detect MFA device enrollment and MFA life cycle changes; look for OAuth/app authorization events that suggest mailbox manipulation activity using utilities like ToogleBox Email Recall, or identity events that occur outside of normal business hours
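The last two recommendations (log identity functions, then watch for MFA enrollment, OAuth app authorizations, and off-hours identity events) can be turned into a small triage pass over identity-provider logs. The following is an added example, not code from Google or Mandiant: the log lines are constructed, and the field names and event-type strings are an assumed generic schema rather than any vendor's real format. It also flags an MFA change coming from a source IP the user has not been seen on before, which is the pattern behind attackers registering their own devices.

```python
import json
from datetime import datetime

# Constructed sample events, not real telemetry. Field names and event-type
# strings are an assumed generic identity-log schema, not a vendor's format.
SAMPLE_LOG = """\
{"ts":"2026-01-12T10:15:00+00:00","event":"user.session.start","user":"alice@example.com","ip":"198.51.100.7"}
{"ts":"2026-01-12T11:02:00+00:00","event":"user.mfa.factor.activate","user":"bob@example.com","ip":"198.51.100.7"}
{"ts":"2026-01-12T10:30:00+00:00","event":"user.session.start","user":"bob@example.com","ip":"198.51.100.7"}
{"ts":"2026-01-12T22:41:00+00:00","event":"user.mfa.factor.activate","user":"alice@example.com","ip":"203.0.113.9"}
{"ts":"2026-01-13T23:58:00+00:00","event":"app.oauth2.consent.grant","user":"alice@example.com","ip":"203.0.113.9"}
"""

MFA_LIFECYCLE = {"user.mfa.factor.activate", "user.mfa.factor.deactivate",
                 "user.mfa.factor.reset_all"}
OAUTH_GRANT = {"app.oauth2.consent.grant"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 in the org's assumed timezone (UTC here)


def parse_events(text):
    """Parse newline-delimited JSON events and order them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def off_hours(ts):
    """True when the ISO-8601 timestamp falls outside business hours."""
    return datetime.fromisoformat(ts).hour not in BUSINESS_HOURS


def triage(events):
    """Return (user, event, reasons) for every event worth an analyst's look."""
    known_ips = {}   # user -> source IPs seen on that user's earlier events
    findings = []
    for e in events:
        reasons = []
        seen = known_ips.setdefault(e["user"], set())
        if e["event"] in MFA_LIFECYCLE:
            reasons.append("mfa-lifecycle-change")
            if e["ip"] not in seen:   # new device registered from an unfamiliar source
                reasons.append("mfa-change-from-new-ip")
        if e["event"] in OAUTH_GRANT:
            reasons.append("oauth-app-authorization")
        if off_hours(e["ts"]):
            reasons.append("outside-business-hours")
        seen.add(e["ip"])
        if reasons:
            findings.append((e["user"], e["event"], reasons))
    return findings


if __name__ == "__main__":
    for user, event, reasons in triage(parse_events(SAMPLE_LOG)):
        print(user, event, ", ".join(reasons))
```

Bob's in-hours enrollment from a known IP surfaces only as a routine lifecycle change, while Alice's late-night enrollment from a new IP followed by an off-hours OAuth grant stacks three reasons and is the record to pull first.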
“This activity is not the result of a security vulnerability in the vendors’ products or infrastructure,” Google said. “Instead, it continues to highlight the effectiveness of social engineering and underlines the importance of organizations moving toward phishing-resistant MFA where possible. Methods like FIDO2 security keys or passkeys are resistant to social engineering in ways that push-based or SMS authentication are not.”