| SYMBOL | COMMON_NAME | aka. SYNONYMS |
UNC6671 is involved in credential harvesting operations, utilizing vishing tactics to impersonate IT staff and directing victims to enter credentials on a victim-branded site. They have gained access to Okta customer accounts and employed PowerShell to download sensitive data from SharePoint and OneDrive. Their extortion tactics include aggressive harassment of victim personnel, and they have used unbranded extortion emails with different Tox IDs for communication. The threat actors have shown a preference for registering domains with Tucows, indicating potential operational differences from related threat groups.
There are currently no families associated with this actor.
| 2026-01-30
⋅
Google
⋅
Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft UNC6671 |