Mandiant and Google Threat Intelligence Group observed an expansion of ShinyHunters‑branded extortion operations (tracked as UNC6661, UNC6671, and UNC6240) that use vishing and victim‑branded credential harvesting sites to steal SSO credentials and MFA codes and then exfiltrate data from cloud SaaS platforms for extortion. The actors abused OAuth apps, PowerShell access, proxy/VPN infrastructure, and deletion of notification emails to evade detection while publishing proof on Limewire and communicating via Tox. #ShinyHunters #UNC6661
Key points
- Threat clusters UNC6661, UNC6671, and UNC6240 leveraged voice phishing (vishing) plus victim‑branded credential harvesting sites to capture SSO credentials and MFA codes for initial access.
- Compromised SSO sessions were used opportunistically to access a broadening set of cloud SaaS platforms (SharePoint, OneDrive, Gmail, Salesforce, DocuSign, Slack) to locate and exfiltrate sensitive documents and PII.
- Actors registered their own MFA devices and authorized malicious OAuth apps (e.g., ToogleBox Recall) to search for and delete evidence such as MFA notification emails.
- PowerShell was observed downloading files from SharePoint/OneDrive, and high‑volume document access/download patterns were used to steal data.
- Extortion activity included ShinyHunters‑branded leak site posts, Limewire proof hosting, Tox for negotiations, SMS threats, harassment of personnel, and DDoS attacks against victim sites.
- Phishing domains followed patterns that impersonate corporate portals (e.g., sso[.]com, internal[.]com); identified domains have been added to Chrome Safe Browsing, and many of the malicious IPs were tied to commercial VPN/proxy services.
- Mandiant and Google published hardening, detection guidance, and operational hunting rules; organizations are urged to adopt phishing‑resistant MFA (FIDO2/passkeys) and hunt for the listed behaviors.
MITRE Techniques
- [T1566] Phishing – Initial access via voice phishing (vishing) and lure pages: ‘voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.’
- [T1078] Valid Accounts – Use of stolen SSO credentials and MFA codes to access tenant resources and SaaS apps: ‘obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes’ and subsequent access to cloud applications.
- [T1098] Account Manipulation – Registering attacker‑controlled MFA devices and modifying account settings to maintain access: ‘then registered their own device for MFA.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – Programmatic access to download files from cloud storage: ‘leveraged PowerShell to download sensitive data from SharePoint and OneDrive.’
- [T1567] Exfiltration Over Web Service – Staging and proof delivery of stolen data via web services and public hosting (Limewire): ‘provided proof of data theft via samples hosted on Limewire’ and exfiltration from SaaS platforms.
- [T1070] Indicator Removal (formerly Indicator Removal on Host) – Deletion of notification and outbound emails to hinder detection and investigation: ‘deleted a “Security method enrolled” email from Okta’ and ‘then deleted the outbound emails.’
- [T1498] Network Denial of Service – Use of DDoS against victim websites as part of extortion pressure: ‘received reports of victim websites being targeted with distributed denial-of-service (DDoS) attacks.’
Indicators of Compromise
- [Domain patterns] Phishing credential sites impersonating corporate portals – examples: sso[.]com, internal[.]com (used as victim‑branded credential harvesting domains)
- [IP addresses] Network infrastructure and proxy/VPN endpoints observed in activity – 73.135.228[.]98, 76.64.54[.]159, and 17 other IPs associated with UNC6661/UNC6671
- [Email addresses] Extortion contact and leak‑site contacts – shinycorp@tutanota[.]com, shinygroup@onionmail[.]com (listed on ShinyHunters‑branded DLS entries)
- [OAuth app name] Malicious/abused application authorized in Google Workspace – ToogleBox Recall (authorized to access Gmail/App Script scopes and used to delete emails)
- [User‑agent strings] Artifacts used to detect programmatic access – ‘Mozilla/5.0 (Windows NT; … WindowsPowerShell/5.1.20348.4294)’ and Geny Mobile user‑agent pattern
- [Proxy/VPN services] Commercial/residential proxy and VPN providers observed in infrastructure – Mullvad, Oxylabs (also NetNut, 9Proxy, Infatica, nsocks cited for hunting/monitoring)
- [Hosting/platforms] Platforms used for proof or data posting – Limewire (used to host samples of stolen data) and Tox (used for negotiation contact)
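The behaviours listed above (PowerShell downloads from SharePoint/OneDrive, high-volume download bursts, attacker MFA enrollment followed by deletion of the "Security method enrolled" email, and authorization of a mail-capable OAuth app such as ToogleBox Recall) translate directly into hunting logic. The following is an added example, not code from Mandiant, Google or the referenced blog post; it runs four checks over a constructed set of normalised audit events. The field names (ts, user, app, action, user_agent, subject, oauth_app, scopes) and the event-name strings are assumptions for the example, not any vendor's schema, and the sample events are fabricated.

```python
"""Hunting checks for the SaaS-abuse behaviours summarised above, run over a
constructed set of normalised audit events (example code; field names and
event-name strings are assumptions, not a vendor schema)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CLOUD_STORAGE = {"SharePoint", "OneDrive"}
DOWNLOAD_ACTIONS = {"FileDownloaded"}                  # assumed action name
MFA_ENROLL_ACTIONS = {"user.mfa.factor.activate"}      # Okta-style event name (assumed)
MFA_NOTICE_SUBJECT = "security method enrolled"        # notification the actor deleted
OAUTH_APP_WATCHLIST = {"ToogleBox Recall"}             # app named in the report
MAIL_SCOPE_HINTS = ("gmail", "mail.google.com")        # scopes that permit mail deletion

# ---- Constructed sample telemetry (not real data) -------------------------------
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.4294"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"


def _ts(minutes):
    """Timestamp `minutes` after a fixed, constructed start time."""
    return (datetime(2025, 1, 10, 9, 0) + timedelta(minutes=minutes)).isoformat()


SAMPLE_EVENTS = [
    {"ts": _ts(0), "user": "alice@example.com", "app": "Okta",
     "action": "user.mfa.factor.activate", "user_agent": BROWSER_UA},
    {"ts": _ts(3), "user": "alice@example.com", "app": "Gmail", "action": "message_delete",
     "subject": "Security method enrolled", "user_agent": BROWSER_UA},
    {"ts": _ts(5), "user": "alice@example.com", "app": "Google Workspace",
     "action": "oauth_authorize", "oauth_app": "ToogleBox Recall",
     "scopes": ["https://www.googleapis.com/auth/gmail.modify"], "user_agent": BROWSER_UA},
    {"ts": _ts(30), "user": "carol@example.com", "app": "SharePoint",
     "action": "FileDownloaded", "user_agent": BROWSER_UA},  # benign single download
]
# 60 PowerShell-driven OneDrive downloads by one user spread over 12 minutes.
SAMPLE_EVENTS += [
    {"ts": _ts(60 + i // 5), "user": "bob@example.com", "app": "OneDrive",
     "action": "FileDownloaded", "user_agent": PS_UA}
    for i in range(60)
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_scripted_downloads(events):
    """Downloads from SharePoint/OneDrive whose user agent reveals PowerShell."""
    return [e for e in events
            if e["app"] in CLOUD_STORAGE and e["action"] in DOWNLOAD_ACTIONS
            and "WindowsPowerShell" in e.get("user_agent", "")]


def detect_download_bursts(events, threshold=50, window=timedelta(minutes=10)):
    """{user: peak count} for users with >= `threshold` cloud-storage downloads
    inside any `window`, found with a two-pointer sweep over sorted timestamps."""
    per_user = defaultdict(list)
    for e in events:
        if e["app"] in CLOUD_STORAGE and e["action"] in DOWNLOAD_ACTIONS:
            per_user[e["user"]].append(_parse(e["ts"]))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def detect_mfa_enroll_then_mail_delete(events, window=timedelta(hours=1)):
    """(user, ts) pairs where a 'Security method enrolled' email was deleted
    within `window` after that user enrolled an MFA factor."""
    enrollments = defaultdict(list)
    for e in events:
        if e["action"] in MFA_ENROLL_ACTIONS:
            enrollments[e["user"]].append(_parse(e["ts"]))
    hits = []
    for e in events:
        if e["action"] == "message_delete" and MFA_NOTICE_SUBJECT in e.get("subject", "").lower():
            t = _parse(e["ts"])
            if any(timedelta(0) <= t - te <= window for te in enrollments[e["user"]]):
                hits.append((e["user"], e["ts"]))
    return hits


def detect_suspicious_oauth_grants(events):
    """(user, app) pairs for OAuth grants to watch-listed apps or to any app
    requesting mail scopes, which is what enabled the notification deletion."""
    hits = []
    for e in events:
        if e["action"] != "oauth_authorize":
            continue
        app, scopes = e.get("oauth_app", ""), e.get("scopes", [])
        if app in OAUTH_APP_WATCHLIST or any(h in s for s in scopes for h in MAIL_SCOPE_HINTS):
            hits.append((e["user"], app))
    return hits


def hunt(events):
    """Run every check and return a summary suitable for a ticket or SIEM alert."""
    return {
        "powershell_downloads": len(detect_scripted_downloads(events)),
        "download_bursts": detect_download_bursts(events),
        "mfa_enroll_then_mail_delete": detect_mfa_enroll_then_mail_delete(events),
        "suspicious_oauth_grants": detect_suspicious_oauth_grants(events),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

The burst detector is deliberately per-user and windowed rather than a flat daily count, because the report describes short, high-volume access patterns; the threshold and window should be tuned to each tenant's baseline. The MFA check keys on the sequence (enrollment, then deletion of the notification) rather than either event alone, since both are individually common.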
Read more: https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/