ShinyHunters’ SaaS Extortion Campaign

GTIG reported on the expansion of ShinyHunters-branded extortion operations focused on voice phishing (vishing) to compromise enterprise SSO and MFA credentials. Rather than exploiting software vulnerabilities, threat actors rely on social engineering to gain access, then exfiltrate data from cloud SaaS platforms for extortion. Activity intensified in January 2026, with escalation to harassment, SMS threats, and DDoS.

Severity: High

Threat Actors

GTIG tracks this activity across multiple clusters:

  • UNC6661 – Primary initial access cluster using vishing and credential harvesting
  • UNC6671 – Parallel vishing operations with similar TTPs but distinct infrastructure
  • UNC6240 – Conducts ShinyHunters-branded extortion, negotiation, and data leak site (DLS) operations

Initial Access: Vishing and MFA Bypass

The campaigns rely heavily on social engineering:

  • Attackers impersonate internal IT staff via phone calls.
  • Victims are told MFA settings need to be updated.
  • Employees are redirected to victim-branded phishing domains (e.g., sso[.]com, internal[.]com).
  • Credentials and real-time MFA codes are harvested.
  • Threat actors register their own MFA device, establishing persistent access.

No vendor vulnerabilities are exploited; success depends entirely on human manipulation.

Post-Compromise Activity

Once authenticated, attackers pivot through the victim’s SaaS ecosystem using the permissions tied to the compromised SSO session. Observed activities include:

  • Bulk file downloads from Microsoft 365 (SharePoint, OneDrive)
  • Targeted searches for sensitive keywords (“confidential,” “internal,” “vpn,” “salesforce”)
  • Salesforce data access, including PII
  • Slack and DocuSign data exfiltration in some cases

Access patterns are largely opportunistic, driven by which applications the compromised user can reach.

Defense Evasion

Threat actors actively attempt to conceal their activity:

  • Abuse of OAuth applications such as ToogleBox Recall to delete security notification emails from compromised inboxes.
  • Deletion of MFA enrollment alerts to prevent victims from noticing unauthorized device registration.
  • Use of commercial VPNs and residential proxies to obscure true origin.

Extortion Phase

After data theft:

  • UNC6240 issues extortion demands using ShinyHunters branding.
  • Ransom emails specify stolen data, a Bitcoin payment address, and a 72-hour deadline.
  • Proof of compromise is provided via data samples hosted on Limewire.
  • Additional pressure tactics include SMS harassment of employees and DDoS attacks against victim websites.
  • A new ShinyHunters-branded data leak site emerged in late January 2026 listing alleged victims.

Recommendations

  1. Mandate FIDO2 security keys or passkeys for all users, especially administrators and SaaS power users.
  2. Disable or tightly restrict SMS- and push-based MFA, which were explicitly bypassed in this campaign.
  3. Prevent self-service MFA device enrollment without secondary verification.
  4. For suspected compromise:
    • Revoke all active sessions and OAuth tokens across IdPs and SaaS platforms.
    • Disable self-service password resets.
    • Restrict VPN, VDI, and remote access from unmanaged or unknown devices.
    • Enforce “shields-up” procedures across IT and service desks.
  5. Restrict IdP and SaaS access to managed, compliant devices only.
  6. Block or heavily limit downloads from unmanaged devices.
  7. Apply Conditional Access / Context-Aware Access using device posture, location, and network trust.
  8. Ensure ingestion of:
    • IdP logs: MFA enrollment, authentication method changes, admin actions
    • Google Workspace: OAuth authorizations, Gmail deletions, Takeout exports
    • Microsoft 365: SharePoint/OneDrive file downloads with user-agent context
    • Salesforce: API usage, bulk exports, connected apps
    • DocuSign / Atlassian: Authentication, admin changes, bulk access
  9. Disable OAuth auto-consent; require admin approval for all app registrations.
  10. Monitor OAuth grants for:
    • Mailbox modification or deletion scopes
    • Rare or unknown applications (e.g., email recall tools)
  11. Replace long-lived API keys with short-lived workload identity federation where possible.
  12. Prioritize alerts for:
    • MFA device changes shortly after login
    • OAuth app authorization followed by mailbox cleanup
    • Bulk SaaS downloads using PowerShell or APIs
    • Access from residential proxy or VPN ASNs
    • Identity changes outside normal business hours
  13. Conduct vishing-specific simulations, not just phishing emails.
  14. Train users to stop engagement and verify unsolicited IT or security requests.
  15. Explicitly communicate that IT will never request MFA codes or password resets by phone.
  16. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/214da7a4bb12360a85e03a15da1ff74284e09651a33f4f760ee01230439c16af/iocs
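The two correlations in recommendation 12 that map directly to the Defense Evasion section (an MFA device change shortly after a login, and an OAuth grant with mailbox scopes followed by mailbox cleanup) can be expressed as simple per-user event correlation. The following is an added example, not code from the advisory or from GTIG; the event schema, field names, OAuth scope names and time windows are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (IdP + mail provider).
EVENTS = [
    {"ts": "2026-01-15T09:02:00", "user": "jdoe", "type": "login", "net": "residential_proxy"},
    {"ts": "2026-01-15T09:06:30", "user": "jdoe", "type": "mfa_enroll", "method": "push"},
    {"ts": "2026-01-15T09:10:00", "user": "jdoe", "type": "oauth_grant",
     "app": "Example Recall Tool", "scopes": ["mail.readwrite"]},
    {"ts": "2026-01-15T09:11:10", "user": "jdoe", "type": "mail_delete",
     "subject": "New MFA device enrolled"},
    {"ts": "2026-01-15T14:00:00", "user": "asmith", "type": "login", "net": "corporate"},
    {"ts": "2026-01-15T16:00:00", "user": "asmith", "type": "mfa_enroll", "method": "fido2"},
]

MFA_WINDOW = timedelta(minutes=15)       # assumed: login -> MFA enrollment window
CLEANUP_WINDOW = timedelta(minutes=30)   # assumed: OAuth grant -> mailbox deletion window
MAILBOX_SCOPES = {"mail.readwrite", "mail.send"}  # hypothetical scope names
ANONYMIZING_NETS = {"residential_proxy", "commercial_vpn"}


def parse(ts):
    return datetime.fromisoformat(ts)


def detect(events):
    """Return (user, rule, severity) tuples for the two correlated patterns."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            t = parse(e["ts"])
            if e["type"] == "mfa_enroll":
                # MFA device change shortly after a login; higher severity when that
                # login came from a residential proxy or commercial VPN network.
                for prev in evs[:i]:
                    if prev["type"] == "login" and t - parse(prev["ts"]) <= MFA_WINDOW:
                        sev = "high" if prev.get("net") in ANONYMIZING_NETS else "medium"
                        alerts.append((user, "mfa_enroll_after_login", sev))
                        break
            if e["type"] == "oauth_grant" and MAILBOX_SCOPES & set(e["scopes"]):
                # OAuth app granted mailbox-modifying scopes, then mail deleted soon after.
                for nxt in evs[i + 1:]:
                    if nxt["type"] == "mail_delete" and parse(nxt["ts"]) - t <= CLEANUP_WINDOW:
                        alerts.append((user, "oauth_grant_then_mailbox_cleanup", "high"))
                        break
    return alerts
```

Run as-is, only jdoe produces alerts; asmith's FIDO2 enrollment two hours after a corporate login falls outside the window.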

Source:

  • https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
  • https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas
