UNC3753 vishes and carries out in-person intrusions on U.S. firms
Between January and May 2026 UNC3753 used vishing, social engineering and in-person impersonation to steal legal agreements, financial records and PII from U.S. firms.
Between January and May 2026 a cybercriminal cluster tracked as UNC3753 targeted dozens of U.S. professional, legal and financial firms to steal contracts, financial records and personally identifiable information. Google Mandiant and the Google Threat Intelligence Group linked the activity to a group also known as Chatty Spider, Luna Moth and Silent Ransom Group.
The group began campaigns with benign-looking emails about invoices or data migration sent from consumer accounts. The messages contained no links or attachments, so they gave email security controls nothing to scan; their purpose was to prompt a follow-up voice call in which the actors posed as IT support. Once on the phone, operators persuaded employees to start screen-sharing sessions on platforms such as Zoom or Microsoft Teams.
Attackers then directed victims to install legitimate remote monitoring and management (RMM) tools, including AnyDesk, Bomgar, SuperOps RMM and Zoho Assist. Installation guidance was sometimes delivered via a self-deleting note service. In several incidents the intruders established Zoom sessions on employees’ personal laptops to reach corporate virtual desktop infrastructure and access file systems, which kept the initial session off managed endpoints.
Researchers reported that intruders searched local and cloud directories, crawled mapped network drives and copied folders containing tax filings, audit documents, client contracts, Social Security numbers and other sensitive files. Data was moved off networks using tools such as WinSCP or Rclone, or by sending files from the victim’s mailbox to actor-controlled email accounts.
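The two preceding paragraphs describe a sequence a SOC can look for: an RMM tool the organisation never sanctioned appears on a workstation, and a bulk-transfer tool (WinSCP or Rclone) runs on the same host shortly afterwards. The detection logic below is an added example written for this page, not Mandiant or GTIG code, and it runs over constructed Sysmon-style process-creation records rather than real telemetry. The binary names in `RMM_BINARIES`, the `APPROVED_RMM` allowlist and the three-hour correlation window are assumptions to tune to your own environment.

```python
"""Correlate unapproved RMM launches with later bulk-transfer tool execution.

Added example for the UNC3753 tradecraft described on this page; not vendor
code. Input records are constructed, Sysmon Event ID 1-style JSON lines.
"""
import json
import re
from datetime import datetime, timedelta

# Process names for the tools the report names. The on-disk file names are
# assumptions (vendors rename binaries); align them with what your EDR records.
RMM_BINARIES = {"anydesk.exe", "bomgar-scc.exe", "superops.exe", "za_connect.exe"}
EXFIL_BINARIES = {"winscp.exe", "rclone.exe"}
# Hypothetical allowlist: the single RMM product this organisation has sanctioned.
APPROVED_RMM = {"bomgar-scc.exe"}
# How long after an unapproved RMM launch a transfer tool still counts as related.
CORRELATION_WINDOW = timedelta(hours=3)

# Constructed sample telemetry (JSON lines). Hosts, users and paths are invented.
SAMPLE_EVENTS = r"""
{"ts":"2026-03-04T09:12:05","host":"WS-ACCT-07","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","cmdline":"AnyDesk.exe --install"}
{"ts":"2026-03-04T10:40:51","host":"WS-ACCT-07","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe","cmdline":"rclone.exe copy C:\\Clients remote:clients -P"}
{"ts":"2026-03-04T11:03:10","host":"FS-01","user":"CORP\\svc-helpdesk","image":"C:\\Program Files\\Bomgar\\bomgar-scc.exe","cmdline":"bomgar-scc.exe"}
{"ts":"2026-03-04T08:02:33","host":"WS-LEGAL-03","user":"CORP\\mkhan","image":"C:\\Users\\mkhan\\Desktop\\WinSCP.exe","cmdline":"WinSCP.exe /console"}
{"ts":"2026-03-04T14:15:00","host":"WS-ACCT-07","user":"CORP\\jdoe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"chrome.exe"}
{"ts":"2026-03-04T20:30:12","host":"WS-LEGAL-03","user":"CORP\\mkhan","image":"C:\\Users\\mkhan\\Downloads\\za_connect.exe","cmdline":"za_connect.exe"}
"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts' and lower-cased 'proc'."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["proc"] = rec["image"].rsplit("\\", 1)[-1].lower()
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def classify(proc):
    """Map a process name to a tool class, or None if it is of no interest."""
    if proc in RMM_BINARIES:
        return "approved_rmm" if proc in APPROVED_RMM else "unapproved_rmm"
    if proc in EXFIL_BINARIES:
        return "exfil_tool"
    return None


def remote_target(cmdline):
    """Pull a non-local destination (e.g. an rclone remote) out of a command line."""
    for tok in cmdline.split():
        if ":" in tok and not DRIVE_PATH.match(tok):
            return tok
    return None


def make_alert(ev, severity, reason):
    return {
        "ts": ev["ts"].isoformat(),
        "host": ev["host"],
        "user": ev["user"],
        "proc": ev["proc"],
        "severity": severity,
        "reason": reason,
        "target": remote_target(ev["cmdline"]),
    }


def detect(events):
    """Emit alerts; escalate when a transfer tool follows an unapproved RMM on one host."""
    alerts = []
    last_rmm = {}  # host -> most recent unapproved RMM launch on that host
    for ev in events:
        kind = classify(ev["proc"])
        if kind == "unapproved_rmm":
            last_rmm[ev["host"]] = ev
            alerts.append(make_alert(ev, "medium", "unapproved RMM tool launched"))
        elif kind == "exfil_tool":
            prior = last_rmm.get(ev["host"])
            if prior and ev["ts"] - prior["ts"] <= CORRELATION_WINDOW:
                mins = int((ev["ts"] - prior["ts"]).total_seconds() // 60)
                alerts.append(make_alert(
                    ev, "high", f"{ev['proc']} launched {mins} min after {prior['proc']}"))
            else:
                alerts.append(make_alert(
                    ev, "medium", "bulk-transfer tool launched outside a known change"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{a['ts']} {a['severity']:6} {a['host']:12} {a['proc']:16} {a['reason']}"
              + (f" -> {a['target']}" if a["target"] else ""))
```

On the sample data the sanctioned Bomgar launch on FS-01 produces nothing, the lone WinSCP and Zoho Assist launches on WS-LEGAL-03 each raise a medium alert, and the AnyDesk install on WS-ACCT-07 followed 88 minutes later by `rclone copy ... remote:clients` is escalated to high with the rclone remote recorded as the destination. The half-hour gap between exit and ransom note reported above argues for alerting on the RMM launch itself rather than waiting for the correlated transfer.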
Extortion followed rapidly. Victims commonly received ransom demands within about 30 minutes of the actor leaving the environment. Messages typically set a three-day deadline for negotiations and threatened to contact employees and clients or to publish stolen files on a data-leak site if victims did not respond.
The U.S. Federal Bureau of Investigation warned that some intrusions included physical access, with actors posing as technicians to enter offices and copy data onto USB drives or external hard drives.
Google Mandiant and GTIG linked UNC3753 to earlier clusters tied to the defunct Conti ransomware group and to UNC2686, which ran callback-style campaigns in 2021. The group used LockBit Black ransomware in past intrusions but has focused mainly on extortion-only operations since 2022. Researchers wrote, “UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments,” and noted that legal services firms are attractive targets because they hold concentrated repositories of highly sensitive client and transaction files.