UNC6661
UNC6661 is a threat cluster tracked by Mandiant/Google Threat Intelligence Group and linked to extortion-themed intrusions associated with the ShinyHunters ecosystem. The cluster has been observed conducting initial compromise and data theft, while extortion in at least some cases was conducted by UNC6240 under the ShinyHunters branding. The content also places UNC6661 within the broader cluster evolution discussed alongside UNC5537, UNC6040, UNC6395, and UNC6240.

UNC6661 has been observed impersonating IT staff in voice-phishing calls to employees at targeted organizations and directing them to company-branded or victim-branded credential-harvesting domains under the pretense of updating or resetting MFA settings. The cluster steals SSO credentials and MFA codes, then uses the stolen credentials to register attacker-controlled MFA devices, gain access to identity platforms and connected SaaS applications, move laterally, and exfiltrate data. Reported targeting and follow-on access included cloud SaaS environments and identity platforms, with victims losing data from services such as Okta, SharePoint, OneDrive, Salesforce, Google Workspace, Slack, DocuSign, Atlassian, and other connected applications, depending on the permissions available to the compromised identity.

Mandiant observed UNC6661 activity in early to mid-January 2026. In at least one case, the cluster used compromised email accounts to send phishing emails to contacts at cryptocurrency-focused companies and then deleted those emails to conceal the activity. The content states that UNC6661 used NICENIC-registered phishing infrastructure and that its operations were part of a broader surge of social-engineering-driven SaaS intrusions tracked across UNC6661, UNC6671, and UNC6240. The reporting explicitly states that this activity was not attributed to vulnerabilities in vendor products or infrastructure, but to social engineering and abuse of trusted identity workflows.
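The chain described above (stolen SSO credentials and MFA code, followed by registration of an attacker-controlled MFA device) leaves a correlatable trace in identity-provider logs: a successful login from an address the user has never used, followed within minutes by activation of a new MFA factor. The Python below is an added example, not part of this profile or of Mandiant's reporting; it runs that correlation over a handful of constructed Okta-style System Log events. The event type strings, field names, per-user IP baseline, and 30-minute window are assumptions chosen for illustration and should be mapped onto the real schema and tuned before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an Okta-like System Log shape. Event type and
# field names are assumptions for this example, not a vendor-confirmed schema.
SAMPLE_EVENTS = [
    # alice: login from an IP never seen for her, new MFA factor 90 s later
    {"ts": "2026-01-12T14:02:10Z", "user": "alice@example.com",
     "event": "user.session.start", "ip": "203.0.113.10", "outcome": "SUCCESS"},
    {"ts": "2026-01-12T14:03:40Z", "user": "alice@example.com",
     "event": "user.mfa.factor.activate", "ip": "203.0.113.10", "outcome": "SUCCESS"},
    # bob: factor enrolled from an IP already in his baseline (benign re-enrollment)
    {"ts": "2026-01-12T09:15:00Z", "user": "bob@example.com",
     "event": "user.session.start", "ip": "198.51.100.7", "outcome": "SUCCESS"},
    {"ts": "2026-01-12T09:20:00Z", "user": "bob@example.com",
     "event": "user.mfa.factor.activate", "ip": "198.51.100.7", "outcome": "SUCCESS"},
    # carol: new IP, but enrollment hours later, outside the correlation window
    {"ts": "2026-01-12T08:00:00Z", "user": "carol@example.com",
     "event": "user.session.start", "ip": "203.0.113.99", "outcome": "SUCCESS"},
    {"ts": "2026-01-12T11:30:00Z", "user": "carol@example.com",
     "event": "user.mfa.factor.activate", "ip": "203.0.113.99", "outcome": "SUCCESS"},
    # dave: failed login from a new IP must not count as a session start
    {"ts": "2026-01-12T10:00:00Z", "user": "dave@example.com",
     "event": "user.session.start", "ip": "203.0.113.50", "outcome": "FAILURE"},
    {"ts": "2026-01-12T10:05:00Z", "user": "dave@example.com",
     "event": "user.mfa.factor.activate", "ip": "192.0.2.9", "outcome": "SUCCESS"},
]

# Constructed baseline: source IPs each user has successfully logged in from
# over a prior look-back period (in practice, derived from historical logs).
KNOWN_IPS = {
    "alice@example.com": {"192.0.2.44"},
    "bob@example.com": {"198.51.100.7"},
    "carol@example.com": {"192.0.2.45"},
    "dave@example.com": {"192.0.2.9"},
}

ENROLL_WINDOW = timedelta(minutes=30)  # assumed tuning value


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, known_ips, window=ENROLL_WINDOW):
    """Return one alert per MFA factor activation that follows a successful
    login from an IP not in the user's baseline, within `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        baseline = known_ips.get(user, set())
        new_ip_logins = [
            e for e in evs
            if e["event"] == "user.session.start"
            and e["outcome"] == "SUCCESS"
            and e["ip"] not in baseline
        ]
        for login in new_ip_logins:
            t0 = parse_ts(login["ts"])
            for e in evs:
                if e["event"] != "user.mfa.factor.activate" or e["outcome"] != "SUCCESS":
                    continue
                delta = parse_ts(e["ts"]) - t0
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "user": user,
                        "login_ip": login["ip"],
                        "login_ts": login["ts"],
                        "enroll_ts": e["ts"],
                        "seconds_between": int(delta.total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_enrollments(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT {a['user']}: login from new IP {a['login_ip']} at "
              f"{a['login_ts']}, MFA factor activated {a['seconds_between']}s later")
```

Only alice's sequence fires: bob enrolls from a baseline IP, carol's enrollment falls outside the window, and dave's new-IP login failed. The baseline-plus-window approach keeps the rule quiet for routine phone replacements while surfacing the self-enrollment step that turns a one-time vished MFA code into persistent access; in production the same alert should be joined with factor type and device details from the enrollment event, and any hit reviewed together with that user's subsequent SaaS application access.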
Tradecraft
23 distinct techniques observed across reporting, grouped by tactic.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Named activity cluster mentioned as part of the cluster evolution associated with the ShinyHunters profile, but no specific operational details are provided in the content.
A Google-tracked activity cluster associated with many of the more complex recent vishing attacks.
Initial-access and data-theft cluster in a broader campaign abusing vishing and SSO compromise; positioned as the entity that performs the initial compromise and exfiltration prior to extortion/leaks by ShinyHunters.
Mandiant-tracked cluster conducting vishing-led intrusions to obtain SSO credentials/MFA codes and access cloud/SaaS to steal data for extortion; distinguished by use of victim-branded domains for credential harvesting.