Cybercrime operations using tactics consistent with ShinyHunters-branded extortion campaigns have expanded substantially.
These sophisticated operations employ advanced voice phishing (vishing) and victim-branded credential harvesting websites to compromise corporate environments by stealing single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.
While the methodology of targeting identity providers and Software-as-a-Service (SaaS) platforms remains consistent with previous ShinyHunters operations, the breadth of targeted cloud platforms continues to expand as threat actors seek increasingly sensitive data for extortion purposes.
Google Threat Intelligence Group (GTIG) tracked this escalating activity under multiple threat clusters (UNC6661, UNC6671, and UNC6240) to better understand evolving partnerships and potential impersonation tactics.
Between early and mid-January 2026, UNC6661 impersonated IT staff and contacted employees at targeted organizations, claiming the company was updating MFA settings.
The threat actors directed victims to credential harvesting domains commonly formatted as companyname-sso.com or companyname-internal.com and registered through NICENIC to capture SSO credentials and MFA codes before registering their own devices for authentication.
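The domain pattern described above (companyname-sso.com, companyname-internal.com) is easy to watch for in a newly-registered-domain or certificate-transparency feed. The following detector is an added example, not code from the GTIG or Mandiant report: it flags second-level labels shaped like <brand>-<suffix>, tolerates one-character substitutions such as 0 for o, and raises severity when the registrar is one of the two named in the report. The brand names, the sample feed, and the suffixes beyond "sso" and "internal" are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Brands to protect: constructed sample values, replace with your own organisation names.
PROTECTED_BRANDS = ["examplecorp", "acmebank"]

# "sso" and "internal" are the suffixes named in the report; the rest are my
# assumption about plausible variants and are not taken from it.
SUSPICIOUS_SUFFIXES = {"sso", "internal", "okta", "vpn", "login", "mfa"}

# Registrars named in the report; a hit on one of them raises severity.
WATCHED_REGISTRARS = {"nicenic", "tucows"}

# Matches a second-level label shaped like <brand>-<suffix>, e.g. examplecorp-sso
LABEL_RE = re.compile(r"^(?P<brand>[a-z0-9]+(?:-[a-z0-9]+)*)-(?P<suffix>[a-z]+)$")


@dataclass
class Finding:
    domain: str
    brand: str
    suffix: str
    severity: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character swaps such as 0 for o."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _brand_match(candidate: str, brands: Iterable[str]) -> Optional[str]:
    """Return the protected brand that `candidate` imitates, or None."""
    cand = candidate.replace("-", "")
    for brand in brands:
        b = brand.lower()
        if cand == b or (len(b) >= 5 and b in cand):
            return brand
        if len(b) >= 6 and edit_distance(cand, b) <= 1:
            return brand
    return None


def flag_lookalike(domain: str, registrar: str = "",
                   brands: Iterable[str] = PROTECTED_BRANDS) -> Optional[Finding]:
    """Return a Finding if `domain` looks like <brand>-<sso|internal|...>.<tld>, else None.

    Assumes a single-label public suffix (.com, .net); extend with a public-suffix
    list if you need to handle .co.uk-style TLDs.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    m = LABEL_RE.match(labels[-2])
    if not m or m.group("suffix") not in SUSPICIOUS_SUFFIXES:
        return None
    brand = _brand_match(m.group("brand"), brands)
    if brand is None:
        return None
    severity = "high" if registrar.lower() in WATCHED_REGISTRARS else "medium"
    return Finding(domain, brand, m.group("suffix"), severity)


def scan_feed(records: Iterable[dict]) -> List[Finding]:
    """Run flag_lookalike over feed records of the form {'domain': ..., 'registrar': ...}."""
    findings = []
    for rec in records:
        f = flag_lookalike(rec["domain"], rec.get("registrar", ""))
        if f:
            findings.append(f)
    return findings


# Constructed sample feed (not real registrations).
SAMPLE_FEED = [
    {"domain": "examplecorp-sso.com", "registrar": "NiceNIC"},
    {"domain": "examplec0rp-internal.com", "registrar": "Tucows"},
    {"domain": "acmebank-vpn.net", "registrar": "SomeOtherRegistrar"},
    {"domain": "sso.examplecorp.com", "registrar": "ExampleCorp-IT"},
    {"domain": "othercorp-sso.com", "registrar": "NiceNIC"},
    {"domain": "examplecorp-news.com", "registrar": "Tucows"},
]

if __name__ == "__main__":
    for f in scan_feed(SAMPLE_FEED):
        print(f"{f.severity.upper():6} {f.domain} -> impersonates {f.brand} ({f.suffix})")
```

The legitimate host sso.examplecorp.com is not flagged because the brand sits in its own label rather than being fused with a suffix at the registrable level; that distinction is what makes the pattern useful as a takedown and block-list trigger rather than a noisy substring match.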
The activity affected Okta customers in multiple incidents. Following the initial compromise, UNC6661 moved laterally through the victim environment to exfiltrate data from various SaaS platforms, including SharePoint, Salesforce, DocuSign, and Slack.
Analysis indicates the threat actors conducted targeted searches for documents containing keywords such as “confidential,” “internal,” “proposal,” and “vpn,” along with personally identifiable information stored in cloud applications.
Persistence Techniques
In at least one incident involving an Okta customer account, UNC6661 enabled the ToogleBox Recall add-on for the victim’s Google Workspace account, a tool designed to search for and permanently delete emails.
The threat actors subsequently deleted a “Security method enrolled” email from Okta to prevent the employee from discovering the unauthorized MFA device registration.
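Because the notification email can be deleted, the identity provider's own log is the more reliable place to catch the unauthorized device registration. The rule below is an added example, not from the report: it reads Okta-style System Log events and flags a successful MFA factor enrolment from an IP address that the same user first signed in from less than 24 hours earlier, which is the seam left by the stolen-credentials-then-enrol-own-device flow described above. The event type names (user.session.start, user.mfa.factor.activate) and field layout follow the Okta System Log schema as I understand it and should be verified against your tenant; the log lines, users, and IPs are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Event-type names follow the Okta System Log schema as I understand it; verify them
# against your own tenant's logs before deploying the rule (assumption, not from the report).
LOGIN_EVENT = "user.session.start"
ENROLL_EVENT = "user.mfa.factor.activate"

# How long an IP must have been associated with a user before a factor
# enrolment from it is treated as routine rather than suspicious.
MIN_IP_AGE = timedelta(hours=24)


def _parse_ts(value: str) -> datetime:
    # Okta publishes ISO 8601 with a trailing Z; make it timezone-aware for arithmetic.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Flatten the nested Okta JSON into the few fields the rule needs, sorted by time."""
    out = []
    for line in lines:
        raw = json.loads(line)
        out.append({
            "ts": _parse_ts(raw["published"]),
            "type": raw["eventType"],
            "user": raw["actor"]["alternateId"],
            "ip": raw["client"]["ipAddress"],
            "outcome": raw["outcome"]["result"],
        })
    return sorted(out, key=lambda e: e["ts"])


def find_suspicious_enrollments(lines: Iterable[str],
                                min_ip_age: timedelta = MIN_IP_AGE) -> List[dict]:
    """Flag MFA factor enrolments from an IP the user first signed in from < min_ip_age earlier.

    A source IP that is brand new for the user and is followed within hours by a
    factor enrolment matches the pattern of a stolen SSO session being used to
    register the attacker's own device.
    """
    first_seen: Dict[str, Dict[str, datetime]] = defaultdict(dict)
    findings = []
    for e in parse_events(lines):
        user, ip, ts = e["user"], e["ip"], e["ts"]
        if e["type"] == LOGIN_EVENT and e["outcome"] == "SUCCESS":
            first_seen[user].setdefault(ip, ts)  # remember when this IP first appeared
        elif e["type"] == ENROLL_EVENT and e["outcome"] == "SUCCESS":
            seen_at = first_seen[user].get(ip)
            if seen_at is None or ts - seen_at < min_ip_age:
                age = None if seen_at is None else round((ts - seen_at).total_seconds() / 3600, 2)
                findings.append({"user": user, "ip": ip,
                                 "enrolled_at": ts.isoformat(), "ip_age_hours": age})
    return findings


def _evt(published: str, event_type: str, user: str, ip: str, result: str = "SUCCESS") -> str:
    # Helper that builds a constructed sample event in Okta's nested shape.
    return json.dumps({
        "published": published,
        "eventType": event_type,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
    })


# Constructed sample log (documentation IP ranges, fictitious users); not data from the report.
SAMPLE_LOG = [
    _evt("2025-12-20T09:00:00.000Z", LOGIN_EVENT, "alice@example.com", "203.0.113.10"),
    _evt("2026-01-12T08:55:00.000Z", LOGIN_EVENT, "alice@example.com", "203.0.113.10"),
    _evt("2026-01-12T14:01:00.000Z", LOGIN_EVENT, "alice@example.com", "198.51.100.77"),
    _evt("2026-01-12T14:03:00.000Z", ENROLL_EVENT, "alice@example.com", "198.51.100.77"),
    _evt("2025-12-01T10:00:00.000Z", LOGIN_EVENT, "bob@example.com", "203.0.113.22"),
    _evt("2026-01-12T10:00:00.000Z", ENROLL_EVENT, "bob@example.com", "203.0.113.22"),
]

if __name__ == "__main__":
    for f in find_suspicious_enrollments(SAMPLE_LOG):
        print(f"ALERT new MFA factor for {f['user']} from {f['ip']} (ip age: {f['ip_age_hours']} h)")
```

Bob's enrolment from an IP he has used for weeks is ignored, while Alice's enrolment two minutes after her first sign-in from a new address is raised. In production the first-seen table would be seeded from a longer lookback window so that a user's normal addresses are already known when the rule starts.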
Further demonstrating operational sophistication, UNC6661 leveraged compromised email accounts to send phishing emails to contacts at cryptocurrency-focused companies, then deleted the outbound messages to obscure malicious activity.
This suggests threat actors may be building relationships with potential victims to expand access or conduct follow-on operations.
GTIG attributes subsequent extortion activity to UNC6240, based on overlaps including a common Tox account for negotiations, ShinyHunters-branded extortion emails, and Limewire hosting for stolen data samples.

Mid-January 2026 extortion emails specified payment amounts with Bitcoin addresses and threatened consequences if ransoms were not paid within 72 hours.
Recent incidents have featured increasingly aggressive tactics including harassment of victim personnel, extortion text messages to employees, and distributed denial-of-service (DDoS) attacks against victim websites.
In late January 2026, a new ShinyHunters-branded data leak site emerged listing several alleged victims from these operations.
Parallel Operations by UNC6671
Beginning in early January 2026, UNC6671 conducted similar vishing operations but used domains registered through Tucows rather than NICENIC.
Mandiant observed evidence that UNC6671 leveraged PowerShell to download sensitive data from SharePoint and OneDrive.
While TTPs remained consistent with UNC6661, extortion emails were unbranded and used a different Tox ID, suggesting separate individuals may be involved.
Google emphasizes this activity exploits social engineering rather than security vulnerabilities in vendor products.
Mandiant has published comprehensive hardening and detection recommendations to help organizations defend against these evolving threats.
Organizations should prioritize migrating to phishing-resistant MFA methods such as FIDO2 security keys or passkeys, which resist social engineering unlike push-based or SMS authentication.