UNC3753 Targeted US Law Firms in Vishing Extortion Campaign, Possibly Used Physical Access
- Financially Motivated Targeting: UNC3753 targeted dozens of U.S. legal, professional, and financial services organizations from January through May 2026.
- Single-Day Attack Chain: In many incidents, the full sequence from first contact to data theft and extortion was completed within a single business day.
- Physical Access Escalation: Possibly related actors attempted in-person office intrusions to exfiltrate data via USB, consistent with an FBI alert.
From January through May 2026, Mandiant identified a financially motivated data theft extortion campaign executed by UNC3753, also tracked as Luna Moth, Chatty Spider, Storm-0252, and Silent Ransom Group (SRG), targeting dozens of organizations across professional, legal, and financial services in the United States.
Google Threat Intelligence Group (GTIG) assessed that potentially related actors attempted physical office access, sending individuals posing as IT technicians to exfiltrate data via USB media, consistent with an FBI Cyber FLASH Alert.
Vishing and IT Impersonation, Data Theft Across Legal Repositories
A recent GTIG report said UNC3753 initiates campaigns with benign, invoice-themed emails designed to raise security concerns, then follows up with phone calls (vishing). Callers pose as internal IT helpdesk or security staff and direct targets into screen-sharing sessions using Zoom, Microsoft Terminal Services, Microsoft Teams, and Quick Assist.
The group routinely attempts to install AnyDesk, Bomgar, Zoho Assist, or a SuperOps RMM agent, and consistently uses privnote.com to deliver installation links and commands, leaving no permanent footprint in browser or chat logs.
Recent incidents saw data searches, staging, and theft begin in under an hour from first contact. Threat actors targeted repositories including iManage, OneDrive, SharePoint, and corporate email, harvesting legal agreements, personally identifiable information, financial records, Forms W-2, W-9, and 1099, and Social Security numbers.
Exfiltration methods included WinSCP, Rclone, browser uploads to actor-controlled file-sharing accounts, Google Drive, and email forwarding. Google stated it disabled the Drive accounts and assets associated with this activity.
Extortion Demands and Physical Escalation
Following data theft, UNC3753, which CrowdStrike assesses is likely a Russia-based threat actor, delivered extortion emails giving victim organizations a three-day deadline to respond or face publication of stolen files on the LEAKEDDATA site.
UNC3753 partially “overlaps with UNC2686, a threat cluster that conducted Bazarcall-style campaigns dating to early 2021,” the report said.
GTIG recommends that organizations implement the following mitigation controls:
- Conduct user awareness training.
- Implement rigid out-of-band identity verification controls for all external contractors, technical staff, and facilities visitors.
- Implement remote access conditional access policies to ensure only corporate-owned devices can authenticate to Virtual Desktop Instance (VDI) or Virtual Private Network (VPN) devices.
- Enforce strict RMM and screen-sharing software controls.
- Disable read/write capabilities for all external USB mass storage devices, enforced via Group Policy Objects (GPOs) or MDM configurations.
- Monitor firewall logs, network flows, and endpoint execution logs for indicative exfiltration and staging actions.
- Review authentication and access metrics for critical document stores to identify bulk harvesting profiles.
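One way to turn the monitoring and review items above into detection logic, as an added example that is not code from the GTIG report, Mandiant, or Google: it runs over constructed endpoint-execution, DNS/proxy and document-store log lines (the field layouts, the executable names assumed for the RMM and transfer tools, the 30-minute/50-document bulk-access threshold and the helpdesk allowlist are all assumptions) and correlates the signals per user, so the single-day chain of link delivery, RMM install, bulk collection and transfer tool shows up as one incident rather than four unrelated alerts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def ts(s):
    """Parse the constructed log timestamps."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Executable names assumed for the RMM / screen-sharing tools and the
# exfiltration utilities named in the article (assumptions, not from the report).
RMM_TOOLS = {"anydesk.exe", "bomgar-scc.exe", "zohoassist.exe", "superops.exe"}
EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}
WATCH_DOMAINS = {"privnote.com"}
# (user, tool) pairs that are sanctioned, e.g. the real helpdesk's own RMM (assumed).
APPROVED_RMM = {("helpdesk", "bomgar-scc.exe")}

# Constructed endpoint execution log: (timestamp, host, user, image path).
PROCESS_EVENTS = [
    (ts("2026-03-10 09:02:11"), "WS-LAW-17", "jdoe", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    (ts("2026-03-10 09:41:05"), "WS-LAW-17", "jdoe", r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    (ts("2026-03-10 10:12:48"), "WS-LAW-17", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe"),
    (ts("2026-03-10 10:15:00"), "WS-IT-02", "helpdesk", r"C:\Program Files\Bomgar\bomgar-scc.exe"),
]
# Constructed DNS/proxy log: (timestamp, host, user, domain).
NET_EVENTS = [
    (ts("2026-03-10 09:38:20"), "WS-LAW-17", "jdoe", "privnote.com"),
    (ts("2026-03-10 11:00:00"), "WS-FIN-03", "asmith", "login.microsoftonline.com"),
]
# Constructed document-store access log: (timestamp, user, document).
# jdoe opens 60 distinct matter files in 15 minutes; asmith opens 5 in 28.
_base = ts("2026-03-10 09:50:00")
DOC_EVENTS = [(_base + timedelta(seconds=15 * i), "jdoe", f"iManage/Matters/Client-{i:03d}.docx") for i in range(60)]
DOC_EVENTS += [(_base + timedelta(minutes=7 * i), "asmith", f"SharePoint/Finance/Q1-report-{i}.xlsx") for i in range(5)]

def _basename(image):
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rmm_alerts(events, approved=frozenset(APPROVED_RMM)):
    """Unsanctioned RMM / screen-sharing executions as (host, user, tool)."""
    return [(host, user, _basename(img)) for _, host, user, img in events
            if _basename(img) in RMM_TOOLS and (user, _basename(img)) not in approved]

def exfil_alerts(events):
    """Executions of the file-transfer tools the actor used for theft."""
    return [(host, user, _basename(img)) for _, host, user, img in events
            if _basename(img) in EXFIL_TOOLS]

def domain_alerts(events):
    """Lookups of / connections to domains used to deliver install links."""
    return [(host, user, dom) for _, host, user, dom in events if dom.lower() in WATCH_DOMAINS]

def bulk_access_alerts(events, window=timedelta(minutes=30), threshold=50):
    """Flag a user the first time they touch >= threshold distinct documents
    inside a sliding time window; returns (user, time, distinct_count)."""
    by_user = defaultdict(list)
    for when, user, doc in events:
        by_user[user].append((when, doc))
    alerts = []
    for user, rows in by_user.items():
        rows.sort()
        recent, counts = deque(), defaultdict(int)
        for when, doc in rows:
            recent.append((when, doc))
            counts[doc] += 1
            while when - recent[0][0] > window:  # evict events older than the window
                _, old_doc = recent.popleft()
                counts[old_doc] -= 1
                if counts[old_doc] == 0:
                    del counts[old_doc]
            if len(counts) >= threshold:
                alerts.append((user, when, len(counts)))
                break  # one alert per user is enough for triage
    return alerts

def correlate(process_events=PROCESS_EVENTS, net_events=NET_EVENTS, doc_events=DOC_EVENTS):
    """Group every signal by user so a single-day chain stands out as one incident."""
    signals = defaultdict(set)
    for _, user, _ in rmm_alerts(process_events):
        signals[user].add("rmm_install")
    for _, user, _ in exfil_alerts(process_events):
        signals[user].add("exfil_tool")
    for _, user, _ in domain_alerts(net_events):
        signals[user].add("watch_domain")
    for user, _, _ in bulk_access_alerts(doc_events):
        signals[user].add("bulk_access")
    return {user: sorted(s) for user, s in signals.items()}

if __name__ == "__main__":
    for user, sigs in correlate().items():
        print(f"{user}: {', '.join(sigs)}")
```

The allowlist is what keeps the helpdesk's own Bomgar session from firing, which is the practical meaning of "strict RMM controls": the alert is on tools and operators that are not sanctioned, not on RMM as such. The bulk-access rule is deliberately keyed on distinct documents in a window rather than raw event count, since a paralegal re-opening one matter file all morning should not look like the iManage harvesting the article describes.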
In other recent news, the Pink extortion group, which was linked to UNC6671 and The Com, was seen using vishing and fake helpdesk calls to target enterprise data.