APT / THREAT GROUP

UNC6671

Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

UNC6671 conducts credential harvesting operations, using vishing to impersonate IT staff and direct victims to enter credentials on a victim-branded site. The group has gained access to Okta customer accounts and used PowerShell to download sensitive data from SharePoint and OneDrive. Its extortion tactics include aggressive harassment of victim personnel, and it has sent unbranded extortion emails with different Tox IDs for communication. The threat actors have shown a preference for registering domains with Tucows, indicating potential operational differences from related threat groups.

Threat Analysis

UNC6671 is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Quick Facts

Type: APT / Threat Group
Aliases: 1
Source: Malpedia

Also Known As

UNC6671

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.