Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms

By Team-CWD, February 8, 2026

Google-owned Mandiant on Friday said it identified an “expansion in threat activity” that uses tradecraft consistent with extortion-themed attacks orchestrated by a financially motivated hacking group known as ShinyHunters.

The attacks leverage advanced voice phishing (aka vishing) and bogus credential harvesting sites mimicking targeted companies to gain unauthorized access to victim environments by collecting single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.

The end goal of the attacks is to target cloud-based software-as-a-service (SaaS) applications to siphon sensitive data and internal communications and extort victims.

The tech giant’s threat intelligence team said it’s tracking the activity under multiple clusters, including UNC6661, UNC6671, and UNC6240 (aka ShinyHunters), so as to account for the possibility that these groups could be evolving their modus operandi or mimicking previously observed tactics.

“While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion,” Mandiant noted.

“Further, they appear to be escalating their extortion tactics with recent incidents, including harassment of victim personnel, among other tactics.”

Details of the vishing and credential theft activity are as follows –

  • UNC6661 has been observed pretending to be IT staff in calls to employees at targeted victim organizations, directing them to credential harvesting links under the guise of instructing them to update their multi-factor authentication (MFA) settings. The activity was recorded between early and mid-January 2026.
  • The stolen credentials are then used to enroll an attacker-controlled device for MFA and then move laterally across the network to exfiltrate data from SaaS platforms. In at least one case, the threat actor weaponized their access to compromised email accounts to send more phishing emails to contacts at cryptocurrency-focused companies. The emails were subsequently deleted to cover their tracks. This is followed by extortion activity conducted by UNC6240.
  • UNC6671 has also been identified as impersonating IT staff to deceive victims as part of efforts to obtain their credentials and MFA authentication codes on victim-branded credential harvesting sites since early January 2026. In at least some instances, the threat actors gained access to Okta customer accounts. UNC6671 has also leveraged PowerShell to download sensitive data from SharePoint and OneDrive.
  • The differences between UNC6661 and UNC6671 relate to the use of different domain registrars for registering the credential harvesting domains (NICENIC for UNC6661 and Tucows for UNC6671), as well as the fact that an extortion email sent following UNC6671 activity did not overlap with known UNC6240 indicators.
  • This indicates that different sets of people may be involved, illustrating the amorphous nature of these cybercrime groups. What’s more, the targeting of cryptocurrency firms suggests that the threat actors may also be looking to explore further avenues for financial gain.

It’s worth noting that UNC6661 and UNC6671 are far from the only clusters to have engaged in vishing attacks to breach enterprise networks. In June 2025, Google Threat Intelligence Group (GTIG) exposed another threat actor known as UNC6040 that carried out voice phishing campaigns to breach organizations’ Salesforce instances for large-scale data theft and extortion attacks.

“We haven’t seen any indications that UNC6040 was involved in the extortion activity for this latest campaign,” Mandiant told The Hacker News via email. “While we cannot rule out future UNC6040 activity, we attribute the latest extortion activity to UNC6661, which GTIG tracks as a separate actor. To date, we’ve seen no overlap in activity between UNC6661 and UNC6040.”

To counter the threat posed to SaaS platforms, Google has outlined a long list of hardening, logging, and detection recommendations –

  • Improve help desk processes, including requiring help desk personnel to verify a caller's identity over a live video call before making account changes
  • Limit access to trusted egress points and physical locations; enforce strong passwords; and remove SMS, phone call, and email as authentication methods
  • Restrict management-plane access, audit for exposed secrets and enforce device access controls
  • Implement logging to increase visibility into identity actions, authorizations, and SaaS export behaviors
  • Detect MFA device enrollment and MFA life cycle changes; look for OAuth/app authorization events that suggest mailbox manipulation activity using utilities like ToogleBox Email Recall, or identity events occurring outside normal business hours
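The three detection items above (MFA enrollment and life-cycle changes, OAuth/app authorizations that touch mailboxes, and identity events outside business hours) can be expressed as a small sweep over identity-provider audit events. The script below is an added example, not code from the article or from Google Mandiant; the event schema, event type names, scope names and sample log records are all constructed for illustration, and a real export (Okta System Log, Entra ID sign-in logs, Google Workspace audit) would need a mapping layer onto its own field names. It also adds the correlation the article's attack chain suggests: an MFA enrollment from a different source IP than the login minutes earlier is escalated, because that is what "register their own device for MFA" looks like in the log.

```python
"""Sweep identity-provider audit events for the behaviours the hardening
list calls out. Added example; schema and sample records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, time

# Constructed event type names; map real IdP event types onto these.
MFA_LIFECYCLE = {"mfa.factor.enroll", "mfa.factor.reset", "mfa.factor.delete"}
LOGIN_EVENT = "user.login"
OAUTH_GRANT = "app.oauth.grant"
# Constructed scope names that would let an app read, send or recall mail.
MAIL_SCOPES = {"mail.readwrite", "mail.send", "mailbox.settings"}
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
CORRELATION_WINDOW = timedelta(minutes=30)  # login -> MFA enrollment gap

# Constructed sample records (timestamps in ISO 8601 with explicit offset).
SAMPLE_EVENTS = [
    {"ts": "2026-01-12T10:15:00+00:00", "actor": "alice", "type": LOGIN_EVENT,
     "src_ip": "203.0.113.10", "detail": {}},
    {"ts": "2026-01-12T10:17:30+00:00", "actor": "alice", "type": "mfa.factor.enroll",
     "src_ip": "198.51.100.7", "detail": {"factor": "push"}},
    {"ts": "2026-01-12T10:20:00+00:00", "actor": "alice", "type": OAUTH_GRANT,
     "src_ip": "198.51.100.7",
     "detail": {"app": "Mail Recall Helper", "scopes": ["mail.readwrite"]}},
    {"ts": "2026-01-13T02:40:00+00:00", "actor": "bob", "type": LOGIN_EVENT,
     "src_ip": "198.51.100.7", "detail": {}},
    {"ts": "2026-01-13T09:05:00+00:00", "actor": "carol", "type": LOGIN_EVENT,
     "src_ip": "203.0.113.11", "detail": {}},
]


@dataclass
class Finding:
    actor: str
    ts: str
    severity: str
    reason: str


def _off_hours(dt: datetime) -> bool:
    """Weekend, or outside the configured business window (local time assumed)."""
    return dt.weekday() >= 5 or not (BUSINESS_START <= dt.time() < BUSINESS_END)


def analyze(events) -> list:
    """Return findings in chronological order for a list of event dicts."""
    findings = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    last_login = {}  # actor -> (datetime, src_ip) of the most recent login
    for ev in ordered:
        dt = datetime.fromisoformat(ev["ts"])
        actor, etype, ip = ev["actor"], ev["type"], ev.get("src_ip", "")
        detail = ev.get("detail", {})
        if etype == LOGIN_EVENT:
            last_login[actor] = (dt, ip)
        if etype in MFA_LIFECYCLE:
            # Any factor change is worth a look; a change from a new IP right
            # after a login is the pattern of an attacker enrolling a device.
            severity, reason = "medium", f"MFA life-cycle change: {etype}"
            prev = last_login.get(actor)
            if prev and dt - prev[0] <= CORRELATION_WINDOW and prev[1] != ip:
                severity = "high"
                reason += f" from {ip}, minutes after login from {prev[1]}"
            findings.append(Finding(actor, ev["ts"], severity, reason))
        if etype == OAUTH_GRANT:
            granted = set(detail.get("scopes", [])) & MAIL_SCOPES
            if granted:
                app = detail.get("app", "?")
                findings.append(Finding(actor, ev["ts"], "medium",
                    f"OAuth grant to '{app}' with mailbox scopes {sorted(granted)}"))
        if _off_hours(dt):
            findings.append(Finding(actor, ev["ts"], "low",
                f"{etype} outside business hours ({dt.strftime('%a %H:%M')})"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.ts} {f.actor}: {f.reason}")
```

Run against the constructed sample, the sweep produces three findings: alice's MFA enrollment escalated to high because it came from a different IP than her login two minutes earlier, her mailbox-scoped OAuth grant, and bob's 02:40 login. The business window is a naive local-time assumption; with users in several time zones the check should be keyed per user.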

“This activity is not the result of a security vulnerability in vendors’ products or infrastructure,” Google said. “Instead, it continues to highlight the effectiveness of social engineering and underscores the importance of organizations moving towards phishing-resistant MFA where possible. Methods such as FIDO2 security keys or passkeys are resistant to social engineering in ways that push-based or SMS authentication are not.”

(The story was updated after publication on February 3, 2026, to include a response from Google Mandiant.)