Full Report
Google-owned Mandiant on Friday said it identified an "expansion in threat activity" that uses tradecraft consistent with extortion-themed attacks orchestrated by a financially motivated hacking group known as ShinyHunters. The attacks leverage advanced voice phishing (aka vishing) and bogus credential harvesting sites mimicking targeted companies to gain unauthorized access to victim
Analysis Summary
# Threat Actor: ShinyHunters (Associated with UNC6240)
## Attribution & Identity
Financially motivated hacking group, tracked by Mandiant under multiple clusters including **UNC6661**, **UNC6671**, and **UNC6240** (the group branded as ShinyHunters). The activity is noted to have an "amorphous nature," suggesting varying personnel or evolving operations across these clusters.
## Activity Summary
Mandiant observed an expansion in threat activity consistent with ShinyHunters' extortion-themed attacks. Recent operations (early to mid-January 2026) focus heavily on gaining unauthorized access to victim environments, primarily targeting cloud-based Software-as-a-Service (SaaS) applications to siphon sensitive data for extortion. Escalation in tactics includes harassment of victim personnel. The activity is strongly associated with financially driven outcomes.
## Tactics, Techniques & Procedures
- **Voice Phishing (Vishing):** Advanced utilization of voice calls, often impersonating IT staff, to trick employees into providing credentials.
- **Credential Harvesting:** Directing victims to bogus credential harvesting sites mimicking targeted companies.
- **MFA Bypass:** Collecting single sign-on (SSO) credentials *and* Multi-Factor Authentication (MFA) codes during vishing calls.
- **Device Registration:** Using stolen credentials to register a new device for MFA to maintain persistence.
- **Lateral Movement:** Moving across the network post-compromise to exfiltrate data from SaaS platforms.
- **Email Compromise & Secondary Phishing:** Weaponizing compromised email accounts to launch subsequent phishing emails directed at contacts, particularly at cryptocurrency-focused companies.
- **Evasion:** Deleting follow-up malicious emails to cover tracks.
- **Data Exfiltration:** Leveraging PowerShell to download sensitive data from SharePoint and OneDrive.
## Targeting
- **Sectors:** General expansion, but the specific mention of **cryptocurrency-focused companies** suggests the pursuit of lucrative financial gain. SaaS platforms are the primary target environment.
- **Geography:** Not explicitly specified, but targeting large cloud platforms implies global reach.
- **Victims:** Organizations utilizing cloud-based SaaS applications. At least one instance mentioned gaining access to **Okta customer accounts**.
## Tools & Infrastructure
- **Infrastructure Variation:** Different domain registrars used for credential harvesting domains:
  - **UNC6661:** Used **NICENIC**.
  - **UNC6671:** Used **Tucows**.
- **Tools:** PowerShell (used for SharePoint/OneDrive data exfiltration).
- **URLs/Domains:** Bogus credential harvesting sites mimicking legitimate companies (actual domains were not provided and are omitted/defanged).
## Implications
The group is demonstrating an evolution in its primary method, shifting strongly towards sophisticated vishing augmented with social engineering to bypass modern security controls, specifically MFA. Its expanding targeting of SaaS platforms and related services (like Okta) combined with a focus on crypto firms signals an aggressive pursuit of high-value data for maximum extortion yield. The observed differences between UNC clusters suggest potential operational security compartmentalization or the opportunistic recruitment of different threat groups/individuals.
## Mitigations
- **Improve Help Desk Processes:** Require personnel to conduct a live video call to verify identity before assisting with MFA changes or credential resets.
- **Restrict Authentication Methods:** Remove weak authentication methods like SMS, phone calls, and email as primary or secondary MFA options. Enforce more robust methods.
- **Harden Access Controls:** Limit management-plane access, enforce strong passwords, and restrict access to trusted egress points/physical locations.
- **Visibility and Detection:** Implement comprehensive logging for identity actions, authorizations, and SaaS export behaviors.
- **Monitor MFA/Authorization Changes:** Specifically detect MFA device enrollment/lifecycle changes and watch for OAuth/app authorization events that suggest unauthorized mailbox manipulation.
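One way to implement the MFA enrollment monitoring above, correlated with the Device Registration technique listed under TTPs: an added example, not Mandiant's or Okta's code. The event shape is modeled loosely on the Okta System Log, but the event type strings, field names and sample log lines are constructed assumptions.

```python
"""Flag MFA factor enrollments that closely follow a sign-in from a source IP
the user has never used before (the Device Registration pattern above).
Added example, not Mandiant's code; event shape is modeled loosely on the Okta
System Log, but field names and sample values are constructed assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SIGN_IN = "user.session.start"              # assumed sign-in event type
FACTOR_ENROLL = "user.mfa.factor.activate"  # assumed factor-enrollment event type

# Constructed sample log: alice enrolls a factor 9 minutes after signing in
# from an IP never seen for her; bob enrolls after a sign-in from a known IP.
SAMPLE_LOG = """\
{"published": "2026-01-12T08:00:00Z", "eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.10"}}
{"published": "2026-01-12T08:05:00Z", "eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.20"}}
{"published": "2026-01-13T14:02:00Z", "eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.77"}}
{"published": "2026-01-13T14:11:00Z", "eventType": "user.mfa.factor.activate", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.77"}}
{"published": "2026-01-13T15:00:00Z", "eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.20"}}
{"published": "2026-01-13T15:03:00Z", "eventType": "user.mfa.factor.activate", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.20"}}
"""

def parse_events(text):
    """Parse newline-delimited JSON events and sort them by publish time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["_ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["_ts"])

def detect_new_source_enrollments(events, window_minutes=30):
    """Return (user, ip, time) tuples for factor enrollments occurring within
    window_minutes of that user's first-ever sign-in from the same IP.
    In practice seed seen_ips from a baseline period, or every user's first
    sign-in after deployment looks new."""
    window = timedelta(minutes=window_minutes)
    seen_ips = defaultdict(set)  # user -> IPs seen in earlier sign-ins
    recent_new = {}              # user -> (ip, ts) of last sign-in from a new IP
    alerts = []
    for e in events:
        user, ip = e["actor"]["alternateId"], e["client"]["ipAddress"]
        if e["eventType"] == SIGN_IN:
            if ip not in seen_ips[user]:
                recent_new[user] = (ip, e["_ts"])
            seen_ips[user].add(ip)
        elif e["eventType"] == FACTOR_ENROLL:
            new = recent_new.get(user)
            if new and new[0] == ip and e["_ts"] - new[1] <= window:
                alerts.append((user, ip, e["published"]))
    return alerts
```

The same correlation applies to other identity providers once the event types and fields are mapped; pair it with alerting on OAuth app consents and bulk SharePoint/OneDrive download events to cover the rest of the mitigation list.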