- What: The ShinyHunters cybercrime group is expanding its scope of attacks on SaaS platforms.
- Why: The group is becoming more aggressive with its extortion tactics.
- Affected: SaaS platforms, including Salesforce instances, are being targeted.
- Impact: Potential data breaches and financial losses due to extortion demands.
Elizabeth Montalbano, Contributing Writer, February 2, 2026

ShinyHunters has expanded its extortion attacks to various software-as-a-service (SaaS) environments, with multiple threat clusters using voice phishing (vishing) and credential harvesting to compromise targeted organizations.

Mandiant has been tracking an evolution in ShinyHunters' activity since its attacks targeting Salesforce instances last year, which resulted in the breaches of multiple organizations. Researchers tied various threat clusters, tracked as UNC6661, UNC6671, and UNC6240, to the notorious cybercrime collective, which is using sophisticated vishing and victim-branded credential-harvesting sites to gain initial access to corporate environments, according to a recent post on the Google Threat Intelligence blog.

ShinyHunters members use these attacks to steal single sign-on (SSO) credentials and multifactor authentication (MFA) codes, which they then use as entry to organizations' networks, according to Mandiant. Once inside, the threat actors target SaaS applications to exfiltrate sensitive data and internal communications, which they then use as leverage in extortion demands.

ShinyHunters attacks against Salesforce already are well-documented, but the recent attacks — which Mandiant tracked from early to mid-January — are against a wider scope of targeted platforms, including Microsoft 365, SharePoint, Slack, and other popular SaaS services, according to the post. The activity represents "an expansion in the number and type of targeted cloud platforms, suggesting that the associated threat actors are modifying their operations to gather more sensitive data for extortion operations," according to the post.
Specific Threat Clusters Tied to ShinyHunters

While the clusters of evolving activity discovered by Mandiant are tied to ShinyHunters, each has its own specific attack characteristics and goes beyond the collective's previous attacks to infiltrate Salesforce instances. Those attacks resulted in the compromise of Google, as well as other organizations, including Cisco, Adidas, and Workday.

Recent threat activity linked to UNC6661 used social engineering exclusively in a series of attacks against organizations in early to mid-January, according to Mandiant. The attacks relied on impersonation, credential harvesting, and lateral movement through cloud environments to steal sensitive data from multiple SaaS platforms.

Specifically, attackers posed as internal IT staff and contacted employees by phone, claiming the company was in the process of updating multifactor authentication (MFA) settings. They directed victims to company-branded credential-harvesting websites designed to mimic legitimate single sign-on (SSO) portals. Attackers used these sites to capture both SSO credentials and MFA codes. After obtaining credentials, the attackers registered their own devices for MFA, allowing them to maintain persistent access to compromised accounts.

In several cases, the compromised accounts belonged to customers of identity provider Okta, which separately reported on phishing and vishing attacks targeting identity platforms and cryptocurrency services in December. Okta attributed the activity to multiple threat clusters; Mandiant found that some of the attack behavior is consistent with ShinyHunters.

Once initial access was established, UNC6661 moved laterally within victim environments and exfiltrated data from a range of SaaS applications.
In some cases, the threat actors appeared to target specific types of sensitive information — using search terms such as "confidential," "internal," "proposal," "poc," "vpn," and "salesforce," as well as personally identifiable information (PII) — presumably to gain optimal leverage for extortion attempts.

ShinyHunters Gets (More) Aggressive

UNC6661 also engaged in post-intrusion activity in at least one of the cases observed by Mandiant, using its newly obtained access to compromised email accounts to send additional phishing emails to contacts at cryptocurrency-focused companies. The attackers then deleted the outbound emails, probably in an attempt to cover up the activity.

Another threat cluster, UNC6240, carried out post-intrusion extortion activity against the victims using a Tox instant-messaging account for negotiations, ShinyHunters-branded extortion emails, and Limewire to host samples of stolen data, according to Mandiant. In their emails to victims, attackers outlined what data they allegedly stole, specified a payment amount and destination BTC address, and threatened consequences such as distributed denial-of-service (DDoS) attacks if the ransom was not paid within 72 hours — all activity consistent with prior ShinyHunters extortion emails, according to the post. They also provided proof of data theft via samples hosted on Limewire.

Another ShinyHunters threat cluster, UNC6671, conducted vishing operations by impersonating IT staff and directing victims to enter their credentials and MFA authentication codes on a victim-branded credential-harvesting site. "The credential harvesting domains used the same structure as UNC6661, but were more often registered using [domain name service] Tucows," according to Mandiant. UNC6671 also employed more aggressive tactics than the other threat clusters, "including harassment of victim personnel," as well as other tactics that went beyond ShinyHunters' typical playbook, according to Mandiant.
"The extortion tactics and difference in domain registrars suggests that separate individuals may be involved with these sets of activity," according to the post. Furthermore, in at least some cases, UNC6671 gained access to Okta customer accounts; the group also used PowerShell to download sensitive data from SharePoint and OneDrive.

ShinyHunters' Evolution Demands Defensive Measures

The recent activity detected by Mandiant demonstrates how ShinyHunters continues to evolve its SaaS attacks since it teamed up with Scattered Spider and Lapsus$ to act collectively as Scattered Lapsus$ Hunters, and in spite of the fact that federal authorities shuttered the collective's Salesforce extortion site in October.

To help organizations protect their environments, Mandiant last month published comprehensive and proactive hardening and detection recommendations for defending against ShinyHunters-branded SaaS theft. The post also includes common phishing domain lure patterns used by ShinyHunters, which frequently registers domains designed to impersonate legitimate corporate portals; these can be detected if defenders know what they're looking for. Google also has added all identified phishing domains to Chrome Safe Browsing to protect Chrome users.

Similarly, Okta last month published a blog post that warned of threat actors using custom phishing kits that had been adapted for vishing attacks. The identity and access management vendor said the kits were being used by a growing number of attackers "targeting Google, Microsoft, Okta and a range of cryptocurrency providers," though the blog post did not attribute any activity to ShinyHunters. To mitigate such social engineering attacks, Okta recommended using phishing-resistant authentication such as passkeys, as well as setting up network zones and tenant access control lists.
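Two of the behaviors described above are detectable in identity and SaaS audit logs: an MFA factor enrolled shortly after a login from an IP the user has never used, and searches for the extortion-oriented terms listed earlier. The following is an added example, not code from the article, Mandiant, or Okta; the simplified Okta-style event names, the `app.search` event, the sample events and the IP baseline are all constructed assumptions.

```python
"""Detection sketch (added example) for the vishing-to-MFA-enrollment chain and
sensitive-term searches. Event shape and names are assumptions, not Okta's schema."""
from datetime import datetime, timedelta

# Constructed sample events in a simplified, Okta-like system-log shape.
EVENTS = [
    {"ts": "2026-01-12T09:02:00Z", "actor": "alice", "ip": "198.51.100.7",
     "event": "user.session.start"},
    {"ts": "2026-01-12T09:05:30Z", "actor": "alice", "ip": "198.51.100.7",
     "event": "user.mfa.factor.activate", "factor": "push"},
    {"ts": "2026-01-12T09:40:00Z", "actor": "alice", "ip": "198.51.100.7",
     "event": "app.search", "query": "confidential proposal vpn"},
    {"ts": "2026-01-12T10:00:00Z", "actor": "bob", "ip": "203.0.113.9",
     "event": "user.session.start"},
    {"ts": "2026-01-13T11:00:00Z", "actor": "bob", "ip": "203.0.113.9",
     "event": "app.search", "query": "quarterly roadmap"},
]

# Constructed baseline: IPs each user has previously logged in from.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"203.0.113.9"}}

# Search terms the article reports the actors used to locate leverage.
SENSITIVE_TERMS = {"confidential", "internal", "proposal", "poc", "vpn", "salesforce"}
WINDOW = timedelta(minutes=30)


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def find_new_factor_after_new_ip_login(events, known_ips, window=WINDOW):
    """Return (actor, ip) for every session start from an unseen IP that is
    followed within `window` by an MFA factor enrollment for the same user."""
    hits = []
    for login in events:
        if login["event"] != "user.session.start":
            continue
        if login["ip"] in known_ips.get(login["actor"], set()):
            continue  # known location for this user; not the vishing pattern
        for e in events:
            if (e["event"] == "user.mfa.factor.activate"
                    and e["actor"] == login["actor"]
                    and timedelta(0) <= _ts(e) - _ts(login) <= window):
                hits.append((login["actor"], login["ip"]))
                break
    return hits


def find_sensitive_searches(events, terms=SENSITIVE_TERMS):
    """Return (actor, sorted matched terms) for each search hitting the term list."""
    out = []
    for e in events:
        if e["event"] == "app.search":
            matched = sorted(terms & set(e["query"].lower().split()))
            if matched:
                out.append((e["actor"], matched))
    return out
```

Either hit on its own is a weak signal; the same user appearing in both lists within a short window is what makes the pattern worth an analyst's time.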
About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.