ShinyHunters-Linked Vishing Campaign Steals MFA Codes to Breach SaaS Platforms for Extortion
Google-owned Mandiant reported an expansion in ShinyHunters-style intrusions using voice phishing (vishing) and spoofed credential-harvesting sites to steal SSO credentials and MFA codes, enabling unauthorized access to cloud SaaS environments. Mandiant tracked the activity across multiple clusters (UNC6661, UNC6671, and UNC6240 / ShinyHunters) and assessed the objective as data theft from cloud applications (including internal communications) followed by extortion, with some incidents involving escalatory pressure such as harassment of victim personnel. In observed tradecraft, operators impersonated IT staff, directed employees to phishing links under the pretext of updating MFA settings, then used captured credentials to enroll attacker-controlled devices for MFA.
Separate reporting characterized the same campaign as a broad vishing operation with hundreds of organizations in scope, reinforcing that the activity is not limited to a single SaaS provider and is focused on identity-layer compromise rather than software exploitation. Other items in the set were unrelated: a supply-chain compromise of eScan antivirus update infrastructure distributing a backdoor, a Fortinet write-up on Interlock ransomware tradecraft, an article on EU vulnerability identifier policy, and general security-awareness/detection-engineering content; these do not describe the ShinyHunters vishing activity and should not be treated as part of the same incident thread.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Mandiant publicly links multiple vishing clusters to ShinyHunters-style tradecraft
On January 31, 2026, Mandiant published research describing multiple related clusters—UNC6661, UNC6671, and UNC6240/ShinyHunters—behind the campaign. It said the activity was driven by social engineering rather than vendor vulnerabilities and released hardening, logging, and detection guidance, including use of phishing-resistant MFA.
CSO reports ShinyHunters vishing campaign is expanding to hundreds of targets
CSO Online highlighted reporting that ShinyHunters had ramped up a new vishing campaign, with hundreds of organizations or individuals in the crosshairs. The report framed the activity as a significant escalation in the scope of targeting.
Compromised accounts used to target cryptocurrency-sector contacts
In at least one case during the campaign, attackers used a compromised email account to phish contacts in the cryptocurrency sector and then deleted sent messages to reduce evidence. This reflected a further operational step beyond initial access and SaaS compromise.
Attackers expand intrusions into SaaS environments and data theft
During the January 2026 activity, the threat clusters used stolen credentials to enroll attacker-controlled MFA devices, move into cloud SaaS platforms, and exfiltrate sensitive data for extortion. Mandiant also noted harassment of victim personnel as part of the escalation.
Mandiant observes ShinyHunters-style vishing activity begin
Mandiant said it observed extortion-focused activity in early to mid-January 2026 using tradecraft consistent with the ShinyHunters ecosystem. Attackers impersonated IT staff in voice phishing calls and used victim-branded credential-harvesting pages to steal SSO credentials and MFA codes.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters SaaS Data Theft via Vishing-Enabled SSO Credential and MFA Capture
**ShinyHunters** has been linked to a wave of SaaS-focused data-theft and extortion activity enabled by targeted **voice phishing (vishing)** and company-branded phishing portals designed to capture **SSO credentials** and **MFA codes**. Mandiant reported that attackers impersonate IT/helpdesk staff, direct employees to realistic login pages, and use real-time interaction (including guiding victims to approve push prompts or provide one-time codes) to authenticate and then **enroll attacker-controlled devices into MFA**. After account takeover, the actor pivots through **Okta, Microsoft Entra, or Google** SSO dashboards to rapidly access downstream SaaS services (e.g., *Salesforce*, *Microsoft 365/SharePoint*, *DocuSign*, *Slack*, *Atlassian*, *Dropbox*, *Google Drive*), turning a single compromised identity into broad cloud data access. Separately, **Bumble** reported a phishing-driven compromise of a **contractor account**, after which ShinyHunters allegedly claimed theft of ~**30 GB** of data—reported as largely internal files sourced from **Google Drive** and **Slack**—while Bumble stated there was no evidence of exposure of user chats or profiles. Reporting also tied ShinyHunters to other claimed or alleged thefts affecting consumer and enterprise brands (including Match Group properties such as *Hinge*, *Match*, and *OkCupid*), consistent with the broader pattern of leveraging compromised identities and SaaS access paths for data exfiltration and extortion leverage.
May 6, 2026
Voice and SMS phishing campaigns abused Okta workflows to breach hundreds of firms
A series of social-engineering campaigns targeted organizations that relied on **Okta** and similar identity systems, using SMS phishing, fake login portals, and later voice calls impersonating IT staff to steal credentials, MFA codes, and session tokens. Group-IB said the **0ktapus** operation targeted **136 organizations**, used **169** lookalike domains, and compromised thousands of accounts, with victims concentrated in technology, software, and cloud sectors in the United States and Canada. Reporting tied the same activity to breaches at **Twilio**, **Cloudflare**, **DoorDash**, and later **Coinbase**, where an attacker obtained an employee username and password and accessed limited corporate directory data but was blocked from broader access by MFA controls and incident response. Subsequent reporting described an evolution from SMS phishing to **vishing** and adversary-in-the-middle phishing kits that mirrored corporate SSO flows in real time, enabling theft of session tokens even after MFA was completed. Mandiant and other researchers linked a 2026 wave under the **ShinyHunters** banner to more than **400 organizations**, with attackers using branded phishing sites, harvesting cloud data from **SharePoint**, **OneDrive**, **Salesforce**, and **Slack**, and following theft with extortion demands. Across the incidents, phishing-resistant **FIDO2** security keys stood out as an effective defense, while earlier disputes over Okta-related intrusions, including claims by **Lapsus$**, underscored how compromises of identity providers and support channels can cascade into downstream customer exposure.
May 25, 2026
Multi-stage phishing and supply-chain malware campaigns targeting credentials and long-term access
Multiple reports highlight active campaigns using *phishing* and *software supply-chain abuse* to steal credentials and establish persistence. eSentire described an espionage-focused operation targeting residents of India with emails impersonating the Income Tax Department, leading victims to a malicious archive that uses DLL side-loading with a legitimate signed Microsoft application, extensive anti-analysis checks, in-memory shellcode unpacking, UAC bypass, and process masquerading; the payload was identified as a **Blackmoon**-family variant that specifically attempts to disable **Avast Free Antivirus** by automating UI interactions to add exclusions. Separately, Aikido reported a malicious npm package (`ansi-universal-ui`) that deploys a multi-stage infostealer (“**G_Wagon**”) by abusing `postinstall` execution, downloading a Python runtime, running an obfuscated payload, and exfiltrating browser credentials, cloud credentials, Discord tokens, and data from 100+ cryptocurrency wallets to an Appwrite storage bucket; it also includes a Windows DLL used for browser-process injection via NT native APIs. In parallel, network-edge exploitation remains a key access vector: Risky Business reported a renewed wave of attacks against **Fortinet FortiGate** devices via a vulnerability Fortinet allegedly “patched” in December but which attackers can still exploit, enabling SSO authentication bypass (via crafted SAML), creation of new admin accounts, and theft of device configuration; mitigations include disabling the FortiCloud SSO feature (not enabled by default). Several other items are general awareness or roundup content rather than specific incident reporting: TechTarget and other blogs emphasized ongoing phishing/email risk (including relay spam abusing legitimate Zendesk instances) and password hygiene, while The Hacker News published a multi-story bulletin that includes (among other items) a spear-phishing campaign in Afghanistan delivering a FALSECUB backdoor via a GitHub-hosted ISO and LNK execution chain; Risky Business also covered Iran’s internet blackout and Starlink jamming/spoofing as a communications-control issue rather than an enterprise cyber incident.
Mar 21, 2026