Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Mandiant has reported a significant uptick in activity by threat actors associated with the ShinyHunters brand, with a focus on sophisticated vishing techniques and credential harvesting websites used to infiltrate corporate environments. The primary objective of these operations is to gain access to sensitive corporate data, particularly in cloud-based software-as-a-service (SaaS) applications, which the threat actors then exfiltrate for extortion purposes.
The threat group UNC6661 was active from early to mid-January 2026, impersonating IT staff to manipulate employees into providing their single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. It did so by directing victims to phishing sites that replicated the branding of their organizations. The phishing domains associated with UNC6661 typically followed a naming pattern such as http://companynamesso.com or http://companynameinternal.com and were registered with NICENIC.
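One way to hunt for the domain naming pattern described above in DNS or proxy logs, as an added example that is not code from Mandiant or from this feed. It assumes a hypothetical organization name `examplecorp` and constructed sample log entries, and it also flags a hyphenated variant, which goes beyond the pattern stated in the text.

```python
import re
from urllib.parse import urlsplit

# Keywords from the naming pattern above: <companyname>sso.com, <companyname>internal.com
KEYWORDS = ("sso", "internal")

def hostname_of(value):
    """Lower-cased hostname from a URL or bare host string."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value              # make urlsplit parse it as a netloc
    return (urlsplit(value).hostname or "").rstrip(".")

def lookalike_match(host, brands, keywords=KEYWORDS, tld="com"):
    """Return (brand, keyword) when the label left of the TLD is brand+keyword."""
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return None
    for brand in brands:
        brand = re.sub(r"[^a-z0-9]", "", brand.lower())
        for kw in keywords:
            # Assumption: the hyphenated form (brand-sso.com) is also worth flagging.
            if labels[-2] in (brand + kw, f"{brand}-{kw}"):
                return brand, kw
    return None

def flag_domains(observed, brands, allowlist=()):
    """Scan observed hosts/URLs; return sorted (domain, (brand, keyword)) hits."""
    allowed = {hostname_of(a) for a in allowlist}
    hits = {}
    for raw in observed:
        host = hostname_of(raw)
        registered = ".".join(host.split(".")[-2:])
        match = lookalike_match(host, brands)
        if match and registered not in allowed:
            hits[registered] = match
    return sorted(hits.items())

# Constructed sample data; "examplecorp" is a hypothetical organization.
SAMPLE_LOG = [
    "http://examplecorpsso.com/login",
    "login.examplecorpinternal.com.",
    "https://sso.examplecorp.com/",       # brand's own domain, must not match
    "EXAMPLECORP-SSO.COM",
    "unrelatedsso.com",
]

if __name__ == "__main__":
    for domain, (brand, kw) in flag_domains(SAMPLE_LOG, ["ExampleCorp"]):
        print(f"{domain}: brand={brand} keyword={kw}")
```

The `allowlist` argument is for domains the organization has registered itself, so that its own defensive registrations do not raise alerts.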
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| CVE | CVE-2025-8088 | — | 2026-02-01 |
| domain | access.com | — | 2026-02-01 |
| domain | acess.com | — | 2026-02-01 |
| domain | event.security | — | 2026-02-01 |
| domain | internal.com | — | 2026-02-01 |
| domain | support.com | — | 2026-02-01 |
| domain | userinfo.email | — | 2026-02-01 |
| email | shinycorp@tutanota.com | — | 2026-02-01 |
| email | shinygroup@onionmail.com | — | 2026-02-01 |
| hostname | e.target.resource.name | — | 2026-02-01 |