
UNC3753 Escalates: From Vishing Calls to Physical Office Intrusions at US Legal and Financial Firms

Pierluigi Paganini
June 08, 2026

UNC3753 phones staff posing as IT, hijacks screen sessions, steals sensitive legal files, and now sends operatives physically into offices to plug in USB drives.

Google Mandiant and the Google Threat Intelligence Group published a detailed report documenting an active extortion campaign carried out by the cybercrime group UNC3753 (aka Luna Moth, Chatty Spider, and Silent Ransom Group). The campaign targets US law firms, financial services companies, and professional services organizations.

The group has been running this specific operation from January through May 2026, hitting dozens of firms. No ransomware. No malware in the traditional sense. Just phone calls.

“UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments.” reads the report published by Google. “Using pretexts such as data migration or invoice-related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities.”

The entry mechanism is entirely human. No vulnerability required, no zero-day, no brute-forced credentials. Just a convincing caller with a plausible story.

The setup email arrives first. It’s bland, carries no malicious links or attachments, and contains a brief generic message, something like a misspelled invoice reference. The point isn’t to infect anything. The point is to make the recipient anxious enough about a billing or security issue that when the follow-up phone call arrives claiming to be from IT, they’re already primed to cooperate. Mandiant calls this pretext-building. It’s also just good con artistry.

Once the target joins a screen-sharing session, the attacker guides them to install a legitimate remote management tool: AnyDesk, Bomgar, Zoho Assist, or SuperOps RMM. Attackers send the step-by-step instructions to victims via privnote.com, a self-destructing message service, so no permanent record of the instructions remains in browser history or chat logs. In one documented case, the attacker held five separate calls with the same target over three days using Microsoft Teams. Persistence, not haste.

“UNC3753 instructs targets to initiate remote desktop and support sessions using built-in or commercial services, including Zoom, Microsoft Terminal Services, Microsoft Teams, and Quick Assist.” continues the report. “During a Teams-facilitated intrusion, the threat actor held five distinct calls with the same target over a three-day period.”

The infrastructure pivot is where the operation gets technically interesting. UNC3753 has used access to personal (BYOD) laptops as a foothold to reach corporate virtual desktop infrastructure through Windows 365 or Citrix clients, so the unmanaged device becomes the bridge into the managed environment.

Once inside the corporate VDI, they enumerate local directories, crawl mapped network drives, and run keyword searches inside iManage, the document management platform widely used by law firms, specifically targeting folders containing W-2s, W-9s, 1099s, audit files, client agreements, and Social Security numbers. Staged files accumulate in the user’s Downloads folder. The whole search-to-exfiltration sequence has been completed in under an hour.

Data moves out via WinSCP or Rclone, or simply by logging into a consumer file-sharing account inside the victim’s own browser and dragging folders across. In one engagement, the group exfiltrated 1.7 gigabytes from a target’s local OneDrive to a Google Drive account, then pivoted to the VDI and pulled an additional 14.4 gigabytes via WinSCP.
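The search-and-stage behaviour described above (keyword searches for W-2, W-9, 1099 and SSN material, then a burst of opens and downloads, all inside an hour) is exactly what a bulk-access alert in the document management system should catch. The Python below is an added example, not code from the GTIG report or from any DMS vendor: it runs a sliding-window detector over a constructed, hypothetical tab-separated audit export (iManage and SharePoint each have their own audit APIs; the format, user names and document paths here are invented for illustration) and alerts the first time a user touches a threshold number of distinct sensitive objects within 60 minutes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Keywords taken from the document types the report says UNC3753 searched for.
# A real deployment would extend this with the firm's own matter-naming conventions.
SENSITIVE_RE = re.compile(
    r"\b(w-?2|w-?9|1099|audit|ssn|social security|agreement)\b", re.IGNORECASE
)
COUNTED_ACTIONS = {"search", "open", "download"}

# Constructed sample in a hypothetical export format (assumption, not a real product format):
# timestamp<TAB>user<TAB>action<TAB>object (search term or document path).
SAMPLE_AUDIT_LOG = [
    "2026-04-02T09:01:00Z\tjdoe\topen\tClients/Harlan/Engagement Letter.docx",
    "2026-04-02T09:05:00Z\tjdoe\tsearch\tW-2",
    "2026-04-02T13:02:00Z\tjdoe\tsearch\tW-9",
    "2026-04-02T13:03:10Z\tjdoe\topen\tTax/2025/W-9 Harlan Holdings.pdf",
    "2026-04-02T13:04:45Z\tjdoe\topen\tTax/2025/1099-MISC vendors.xlsx",
    "2026-04-02T13:06:00Z\tjdoe\tsearch\tsocial security",
    "2026-04-02T13:07:30Z\tjdoe\tdownload\tHR/SSN master list.xlsx",
    "2026-04-02T13:09:00Z\tjdoe\topen\tAudit/FY2025 audit workpapers.pdf",
    "2026-04-02T13:12:00Z\tjdoe\topen\tClients/Mercer/Client Agreement 2024.docx",
    "2026-04-02T13:15:00Z\tjdoe\tdownload\tTax/2025/W-2 employees batch 1.pdf",
    "2026-04-02T13:16:00Z\tjdoe\tdownload\tTax/2025/W-2 employees batch 2.pdf",
    "2026-04-02T13:20:00Z\tasmith\topen\tTax/2025/W-9 Lindqvist.pdf",
    "2026-04-02T13:22:00Z\tasmith\topen\tClients/Lindqvist/Agreement.docx",
    "2026-04-02T13:41:00Z\tjdoe\tdownload\tTax/2025/1099-NEC contractors.xlsx",
]


def parse_event(line: str):
    """Split one export line into (timestamp, user, action, object)."""
    ts, user, action, obj = line.rstrip("\n").split("\t", 3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action, obj


def is_sensitive(obj: str) -> bool:
    """True when a search term or document path names one of the targeted document types."""
    return SENSITIVE_RE.search(obj) is not None


def detect_bulk_access(lines, window=timedelta(minutes=60), threshold=10):
    """Emit one alert per user the first time they touch `threshold` or more distinct
    sensitive objects inside a sliding `window`. Events are processed in timestamp
    order, so the same logic can run incrementally on a live audit feed."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, object) still inside the window
    alerts, alerted = [], set()
    for line in sorted(lines, key=lambda l: l.split("\t", 1)[0]):
        ts, user, action, obj = parse_event(line)
        if action not in COUNTED_ACTIONS or not is_sensitive(obj):
            continue
        q = recent[user]
        q.append((ts, obj))
        while ts - q[0][0] > window:  # evict events that fell out of the window
            q.popleft()
        distinct = {o for _, o in q}
        if len(distinct) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "first_seen": q[0][0],
                "last_seen": ts,
                "count": len(distinct),
                "objects": sorted(distinct),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_access(SAMPLE_AUDIT_LOG, threshold=8):
        print(f"ALERT {a['user']}: {a['count']} sensitive objects between "
              f"{a['first_seen']:%H:%M} and {a['last_seen']:%H:%M} UTC")
```

With a threshold of eight the sample fires once, for the user who runs tax-form searches and downloads back to back inside fifteen minutes; the two sensitive opens by the second user stay below the bar, and the first user's early-morning search is evicted from the window before the afternoon burst begins. The threshold is the part to tune against the firm's baseline: a tax partner during filing season looks very different from a paralegal who has never opened a W-9.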

Google says it’s since disabled the Drive accounts tied to that activity. In other cases, attackers instructed victims to email files directly from their own mailboxes to attacker-controlled addresses. The victim becomes the exfiltration tool.

The extortion note lands within 30 minutes of the attacker leaving the environment. It gives the target three days to start negotiations. If they don’t respond, the attackers promise to call and email employees and external clients directly to announce the breach, then publish everything on the LEAKEDDATA data leak site. The letter explicitly tells victims that law enforcement won’t help and will only add regulatory fines on top of everything else. It’s theatrical, but it’s also accurate enough about the regulatory exposure that it lands.

“The targeting of US legal and professional services organizations by financially motivated actors is a persistent industry risk. Legal services firms represent high-value targets for extortion actors. They maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports.” continues the report. “Threat groups recognize that legal entities are subject to heavy reputational and regulatory exposure and may be highly motivated to resolve extortion situations quietly to protect their professional standing.”

Law firms are ideal targets because they can’t afford the scandal and they know it.

The group has now added a physical dimension. The FBI issued a Cyber FLASH Alert in May documenting cases where, when remote social engineering failed, UNC3753 sent someone to the office in person. The visitor poses as an IT technician, claims they need to image the device or run local backups to address a security issue, and then plugs in a USB drive. Mandiant can’t formally attribute every physical intrusion to UNC3753 due to limited forensic evidence, but the structural overlaps, timing, and targeting are consistent enough that GTIG considers the connection likely. When a vishing campaign graduates to physical break-ins, the threat model for every firm’s reception desk just changed.

UNC3753 traces back to the now-defunct Conti ransomware gang, sharing overlaps with UNC2686, which ran BazarCall-style campaigns from 2021. The group deployed LockBit Black in 2022 but dropped ransomware entirely after that, focusing purely on data theft and extortion. Beginning March 2025 it shifted from subscription-cancellation lures to impersonating internal IT helpdesk staff, which proved more effective against hardened organizations. The registered phishing domains follow a consistent pattern: <organization>-itdesk[.]com, <organization>-it[.]com, <organization>-helpdesk[.]com. Seven C2 IP addresses and a full IOC collection are published in the report.
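The domain naming pattern above lends itself to a cheap detection: match every outbound DNS query (or proxy log entry) against the `<organization>-itdesk|it|helpdesk.com` shape and raise the severity when the prefix resembles the firm's own brand. The Python below is an added example, not code from the GTIG report or from any firm; the log line format, the brand tokens, the client addresses and the host names are constructed for illustration, and the only real domain it knows about beyond the pattern is privnote.com, which the report names as the channel for the attacker's instructions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Suffixes from the registration pattern GTIG reports:
#   <organization>-itdesk[.]com, <organization>-it[.]com, <organization>-helpdesk[.]com
HELPDESK_SUFFIXES = ("itdesk", "it", "helpdesk")
LOOKALIKE_RE = re.compile(
    r"^(?P<org>[a-z0-9][a-z0-9-]*)-(?P<suffix>" + "|".join(HELPDESK_SUFFIXES) + r")\.com$"
)
# Named in the report as part of the playbook, but not a lookalike: flagged as informational.
WATCHLIST = {"privnote.com"}

# Constructed sample in a hypothetical "timestamp client query qname type" format.
SAMPLE_DNS_LOG = [
    "2026-03-12T09:14:02Z 10.20.1.15 query acme-law-itdesk.com. A",
    "2026-03-12T09:14:05Z 10.20.1.15 query login.microsoftonline.com A",
    "2026-03-12T09:20:41Z 10.20.1.22 query www.northbridge-it.com A",
    "2026-03-12T09:21:03Z 10.20.1.22 query acme-law.com A",
    "2026-03-12T09:25:17Z 10.20.1.30 query helpdesk.acme-law.com A",
    "2026-03-12T09:26:00Z 10.20.1.30 query privnote.com A",
]


@dataclass(frozen=True)
class Finding:
    client: str
    domain: str
    org_prefix: str
    severity: str  # "high": prefix resembles our brand; "medium": pattern only; "info": watchlist


def registered_domain(qname: str) -> str:
    """Reduce a queried name to its last two labels, lower-cased, trailing dot removed.
    Sufficient for .com; a production version would consult the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(domain: str, brand_tokens: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (org_prefix, severity) for a suspicious domain, or None if it is benign."""
    if domain in WATCHLIST:
        return "", "info"
    m = LOOKALIKE_RE.match(domain)
    if m is None:
        return None
    org = m.group("org")
    severity = "high" if any(tok.lower() in org for tok in brand_tokens) else "medium"
    return org, severity


def flag_lookalike_domains(log_lines, brand_tokens, owned_domains) -> List[Finding]:
    """Scan DNS query lines; skip domains the firm actually owns, flag the rest that
    match the helpdesk-impersonation pattern or the watchlist."""
    owned = {d.lower() for d in owned_domains}
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        client, qname = parts[1], parts[3]
        domain = registered_domain(qname)
        if domain in owned:
            continue
        hit = classify_domain(domain, brand_tokens)
        if hit is not None:
            findings.append(Finding(client, domain, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for f in flag_lookalike_domains(SAMPLE_DNS_LOG, ["acme"], ["acme-law.com"]):
        print(f"{f.severity:6} {f.client:12} {f.domain} (prefix={f.org_prefix!r})")
```

The `-it.com` suffix is the noisiest of the three, since plenty of legitimate IT shops register such names, which is why the example only escalates to high when the prefix carries one of the firm's own brand tokens and otherwise leaves the hit at medium for an analyst to triage. The same matcher is worth running against newly-registered-domain and certificate-transparency feeds, where a `<yourfirm>-helpdesk.com` registration can be caught days before the first phone call.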

Mandiant’s core remediation advice is direct: block unauthorized RMM tools via application control policies, enforce conditional access so only corporate devices can reach VDI or VPN, disable USB mass storage read/write across all endpoints, configure real-time alerts in iManage and SharePoint for bulk file searches, require MFA on document repositories, and train staff specifically on this group’s tactics. On physical access: copy and log every visitor ID, verify all technicians against pre-scheduled work orders with the parent organization, and require escorts at all times.

“Threat actors recognize that targeting the human element—specifically using voice-guided social engineering—enables them to easily bypass robust technical perimeters, web security gateways, and MFA configurations.” concludes the report.

Separately, cybersecurity firm Resecurity recently uncovered the Silent Ransom Group (SRG)’s fast-flux network infrastructure and shared the available intelligence with the cybersecurity community so that defenders and ISP/DNS providers can disrupt the group’s activity.

“Resecurity is the first to uncover the SRG’s Fast Flux network infrastructure and is sharing this intelligence with the cybersecurity community to disrupt their malicious activities and enable ISP/DNS providers to counter this threat.” reads the report published by Resecurity.

The researchers also noted that the group’s Data Leak Site (DLS) requires a CSRF (Cross-Site Request Forgery) token, a unique, secret, and unpredictable string that the server-side application generates and ties to a user’s session, before it will serve content, which keeps crawlers and search engines from indexing the leaked material.

The Federal Bureau of Investigation (FBI) recently issued an advisory about the SRG, which is actively targeting U.S.-based law firms and other industries through social engineering and in-person attacks.
