Google-owned cybersecurity firm Mandiant has reported a noticeable expansion in malicious activity associated with a financially motivated hacking group widely tracked as ShinyHunters. According to the company’s threat intelligence team, the latest activity involves extortion-themed operations that rely heavily on advanced voice phishing techniques and fraudulent credential-harvesting websites designed to impersonate legitimate organizations. The attacks are aimed at gaining unauthorized access to corporate environments by capturing single sign-on credentials and multi-factor authentication codes, allowing attackers to move deeper into victim networks.
Mandiant said the primary objective of these campaigns is to compromise cloud-based software-as-a-service platforms in order to extract sensitive data, internal communications, and proprietary information that can later be used to pressure organizations into paying extortion demands. The activity is being monitored under several internal tracking clusters, including UNC6661, UNC6671, and UNC6240, the latter being commonly associated with ShinyHunters. Mandiant noted that tracking the activity across multiple clusters allows analysts to account for the possibility that different operators may be evolving their techniques or deliberately mimicking previously observed tradecraft to obscure attribution.
The threat intelligence team observed that while targeting identity providers and SaaS environments aligns with earlier ShinyHunters-related extortion campaigns, the range of cloud platforms being targeted continues to grow. Mandiant also stated that recent incidents suggest an escalation in pressure tactics, including harassment of personnel at victim organizations. These developments indicate an increasing focus on extracting higher-value data that can amplify leverage during extortion attempts, particularly as more enterprises rely on cloud-hosted collaboration and productivity tools.
Further analysis revealed that UNC6661 has been actively impersonating internal IT staff during phone calls to employees at targeted organizations. Victims were directed to fraudulent credential-harvesting links under the pretense of updating multi-factor authentication settings. This activity was observed between early and mid-January 2026. Once credentials were obtained, the attackers registered their own devices for MFA access and moved laterally within the environment, enabling data exfiltration from SaaS platforms. In at least one incident, compromised email accounts were used to send phishing messages to contacts at cryptocurrency-focused companies, after which the emails were deleted in an attempt to conceal the activity. These intrusions were later followed by extortion efforts attributed to UNC6240.
Mandiant also identified similar tactics used by UNC6671, which has been impersonating IT staff to trick victims into submitting credentials and MFA codes through company-branded phishing sites since early January 2026. In some cases, the attackers gained access to Okta customer accounts and used PowerShell tools to download sensitive information from SharePoint and OneDrive environments. While the techniques overlap with those of UNC6661, differences were noted in domain registration practices and extortion indicators. UNC6661 relied on domains registered through NICENIC, while UNC6671 used Tucows. Additionally, extortion emails sent after UNC6671 intrusions did not match known UNC6240 patterns, suggesting that multiple groups or loosely affiliated actors may be involved.
The findings highlight the fluid and loosely organized nature of financially motivated cybercrime operations, where tools and methods are often shared or replicated across different actors. Mandiant also pointed out that the focus on cryptocurrency-related firms suggests continued exploration of additional revenue opportunities beyond traditional corporate extortion targets.
To reduce risk to SaaS environments, Google has issued a series of security recommendations focused on identity protection and monitoring. These include strengthening help desk verification processes, limiting access to trusted locations, enforcing strong authentication policies, and improving logging around identity-related actions and data exports. Google emphasized that the activity does not stem from vulnerabilities in vendor infrastructure, but instead demonstrates the continued effectiveness of social engineering attacks. The company reiterated the importance of adopting phishing-resistant MFA solutions such as FIDO2 security keys or passkeys, which are less susceptible to manipulation than SMS or push-based authentication methods.
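The intrusion pattern described above (a login from an unfamiliar location, a new MFA device registered by the attacker, then bulk downloads from SharePoint or OneDrive) maps directly onto the logging recommendation: identity actions and data exports correlated per account. The following is an added detection example, not code from Mandiant, Google or the article; the event schema, field names, trusted-location list and thresholds are all assumptions, and the log lines are constructed for illustration rather than taken from any real identity provider.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (NOT real Okta/M365 log records; the field names are assumptions).
SAMPLE_EVENTS = [
    # alice: ordinary activity from the corporate range, no MFA change.
    {"ts": "2026-01-10T08:01:00", "user": "alice", "action": "login_success", "src_ip": "203.0.113.10"},
    {"ts": "2026-01-10T08:30:00", "user": "alice", "action": "file_download", "src_ip": "203.0.113.10"},
    # bob: login from an untrusted address, new MFA factor enrolled minutes later,
    # followed by a burst of downloads within the exfiltration window.
    {"ts": "2026-01-12T14:02:00", "user": "bob", "action": "login_success", "src_ip": "198.51.100.77"},
    {"ts": "2026-01-12T14:05:00", "user": "bob", "action": "mfa_factor_enrolled", "src_ip": "198.51.100.77"},
    # carol: legitimate phone replacement from a trusted address, no bulk downloads afterwards.
    {"ts": "2026-01-13T09:00:00", "user": "carol", "action": "login_success", "src_ip": "203.0.113.11"},
    {"ts": "2026-01-13T09:10:00", "user": "carol", "action": "mfa_factor_enrolled", "src_ip": "203.0.113.11"},
    {"ts": "2026-01-13T11:00:00", "user": "carol", "action": "file_download", "src_ip": "203.0.113.11"},
]
# Six rapid downloads for bob, appended separately to keep the list readable.
SAMPLE_EVENTS += [
    {"ts": f"2026-01-12T14:{20 + i:02d}:00", "user": "bob", "action": "file_download", "src_ip": "198.51.100.77"}
    for i in range(6)
]

# Assumption: the organisation's trusted egress ranges (the "trusted locations" of the recommendation).
TRUSTED_PREFIXES = ("203.0.113.",)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _untrusted(ip):
    return not ip.startswith(TRUSTED_PREFIXES)


def detect_mfa_enrollment_takeover(events, enroll_window=timedelta(hours=24),
                                   exfil_window=timedelta(hours=48), download_threshold=5):
    """Flag MFA enrollments that look like attacker device registration.

    For each 'mfa_factor_enrolled' event, three signals are checked:
      1. the enrollment itself came from an untrusted location,
      2. a successful login from an untrusted location preceded it within enroll_window,
      3. at least download_threshold 'file_download' events followed it within exfil_window.
    An enrollment is reported when two or more signals fire, so a routine phone
    replacement from the office (one signal at most) stays quiet.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        for enroll in (e for e in evs if e["action"] == "mfa_factor_enrolled"):
            t = _ts(enroll)
            reasons = []
            if _untrusted(enroll["src_ip"]):
                reasons.append("enrollment from untrusted location")
            prior_logins = [e for e in evs
                            if e["action"] == "login_success" and t - enroll_window <= _ts(e) <= t]
            if any(_untrusted(e["src_ip"]) for e in prior_logins):
                reasons.append("preceded by login from untrusted location")
            downloads = [e for e in evs
                         if e["action"] == "file_download" and t <= _ts(e) <= t + exfil_window]
            if len(downloads) >= download_threshold:
                reasons.append(f"{len(downloads)} downloads within {exfil_window}")
            if len(reasons) >= 2:
                findings.append({"user": user, "enrolled_at": enroll["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_mfa_enrollment_takeover(SAMPLE_EVENTS):
        print(f"{f['user']} enrolled a factor at {f['enrolled_at']}: " + "; ".join(f["reasons"]))
```

Requiring two signals rather than one is the design choice worth keeping: MFA re-enrollment alone is routine, and bulk downloads alone are common for legitimate users, but the combination within a tight window is the sequence the article attributes to UNC6661 and UNC6671. In a real deployment the trusted-location list would come from the identity provider's network zones and the event names from its actual schema.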