UNC3753 Targets U.S. Firms with Vishing and Physical Intrusions for Data Theft and Extortion

UNC3753’s Sophisticated Tactics: Vishing and Physical Intrusions in U.S. Data Theft Extortion

Between January and May 2026, a series of data theft and extortion incidents hit organizations in the professional, legal, and financial sectors across the United States. The intrusions have been attributed to a financially motivated cybercriminal group tracked as UNC3753, also known as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG).

Sophisticated Social Engineering Tactics

UNC3753 relies on social engineering, chiefly voice phishing (vishing), to get into corporate environments. The attackers initiate contact with emails themed around data migration or invoice inquiries that steer the recipient into a phone conversation. Posing as IT support, they then talk the target into a screen-sharing session and into installing a remote monitoring and management (RMM) tool.

Once access is secured, the group either directly searches for and exfiltrates sensitive files or manipulates victims into performing these actions themselves. The stolen data often includes proprietary legal documents, personally identifiable information (PII), and financial records.

Escalation to Physical Intrusions

UNC3753 has since added physical intrusion to its playbook. According to a recent advisory from the U.S. Federal Bureau of Investigation (FBI), the group impersonates IT technicians to gain physical access to corporate offices, and once inside, SRG actors exfiltrate data by plugging external hard drives or USB devices directly into victims' computers. That path never touches the network, so egress monitoring and network-based data loss prevention have no view of it; removable-media device control and visitor verification at the front desk are the controls that do.

Connections to Previous Cybercriminal Activities

UNC3753 shares operational similarities with UNC2686, a threat cluster known for BazarCall-style campaigns in 2021. Although the group previously deployed LockBit Black ransomware, since 2022 its focus has shifted primarily to data theft extortion: victims are pressured to pay under the threat of having the stolen data published on the LEAKEDDATA leak site.

Both UNC3753 and UNC2686 are believed to be offshoots of the now-defunct Conti ransomware gang. Their early campaigns used subscription-cancellation lures in callback phishing attacks designed to get remote access software onto victims' machines.

Exploitation of Communication Platforms

Starting around March 2025, UNC3753 began impersonating internal corporate IT help desk staff. Victims were tricked into joining screen-sharing sessions over Zoom, Microsoft Teams, or Quick Assist under the pretense of addressing a security issue or assisting with a data migration project. Because the victim launches the session and installs the tooling, nothing malicious passes through the email gateway or lands on the endpoint for signature-based controls to catch.

The group's campaigns often open with benign, invoice-themed emails sent from actor-controlled consumer email accounts. These messages carry no active links or malicious attachments; their purpose is to plant a pretext (an unexpected invoice or account problem) that primes the target to accept and trust the follow-up phone call.

Establishing Persistent Access

Once a screen-sharing session is initiated, UNC3753 guides victims to install legitimate remote desktop software such as AnyDesk, Bomgar, SuperOps RMM, or Zoho Assist. Instructions for these installations are often shared via services like privnote[.]com, which allows users to send self-destructing notes.

In some cases, the attackers establish Zoom sessions directly on victims’ personal laptops to access corporate virtual desktop infrastructure (VDI). This enables them to delve deeper into corporate file systems, enumerating local and cloud directories, accessing mapped network drives, and harvesting data from highly sensitive folders, including those related to tax filings, audits, corporate client agreements, and Social Security numbers (SSNs).

Rapid Execution and Extortion

The exfiltrated data is transmitted to the attackers using tools like WinSCP or Rclone, or sent to attacker-controlled email addresses from the victim’s mailbox. Typically, within 30 minutes of exiting the target environment, the attackers send an extortion email. These messages give victims a three-day deadline to initiate ransom negotiations, threatening to contact employees and external clients directly to inform them of the data breach if the victim remains unresponsive. They also threaten to publish the stolen information on the data leak site.

In many incidents investigated by Google’s threat intelligence and incident response teams, the entire operation—from initial contact to data extortion—has occurred within a single business day. The attackers initiate data searches, staging, and theft in under an hour, demonstrating a fast-paced operational model.
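The sequence described above (a screen-sharing client, then an RMM installer, then WinSCP or Rclone, all on one workstation inside an hour) is a detection opportunity. The following Python is an added example, not code from the report or from Google's teams: it correlates constructed process-creation events (JSON lines with ts, host, user and image fields, a format assumed here rather than taken from any particular EDR product) and raises an alert when an RMM tool launches and an exfiltration tool follows on the same host within a configurable window. The executable-name substrings and the 60-minute window are illustrative assumptions, and the sample events are constructed.

```python
"""Correlate endpoint process-creation events into the vish -> RMM -> exfil
chain.  Added example; the event format and sample events are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Executable-name substrings (lower-cased) for each stage.  Assumption: the
# installer or client binary carries the product name; tune to your EDR's data.
SCREEN_SHARE = ("zoom", "teams", "quickassist")
RMM_TOOLS = ("anydesk", "bomgar", "superops", "zoho")
EXFIL_TOOLS = ("winscp", "rclone")
WINDOW = timedelta(minutes=60)  # illustrative; the report describes sub-hour theft

# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2026-03-04T14:02:10", "host": "LAW-WS-017", "user": "jdoe", "image": "C:\\Users\\jdoe\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe"}
{"ts": "2026-03-04T14:11:42", "host": "LAW-WS-017", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"ts": "2026-03-04T14:39:05", "host": "LAW-WS-017", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\WinSCP.exe"}
{"ts": "2026-03-04T09:15:00", "host": "IT-WS-002", "user": "helpdesk", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}
{"ts": "2026-03-04T10:05:00", "host": "FIN-WS-031", "user": "asmith", "image": "C:\\Users\\asmith\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"}
{"ts": "2026-03-04T16:20:00", "host": "FIN-WS-031", "user": "asmith", "image": "C:\\Users\\asmith\\Downloads\\rclone.exe"}
"""


def basename(image):
    """Last path component, lower-cased, tolerant of either slash style."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(image):
    """Map an image path to a chain stage, or None if it is not of interest."""
    name = basename(image)
    for stage, needles in (("screen_share", SCREEN_SHARE),
                           ("rmm", RMM_TOOLS),
                           ("exfil", EXFIL_TOOLS)):
        if any(n in name for n in needles):
            return stage
    return None


def load_events(text):
    """Parse JSON-lines events, attach a stage, and sort by host then time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["stage"] = classify(ev["image"])
        events.append(ev)
    return sorted(events, key=lambda e: (e["host"], e["ts"]))


def find_chains(events, window=WINDOW):
    """Alert on every RMM launch followed by an exfil tool within `window` on
    the same host; record whether a screen-share client ran in the window
    before the RMM launch (the vishing pretext)."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["stage"]:
            by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        for rmm in (e for e in evs if e["stage"] == "rmm"):
            exfil = [e for e in evs if e["stage"] == "exfil"
                     and rmm["ts"] <= e["ts"] <= rmm["ts"] + window]
            if not exfil:
                continue  # RMM alone may be sanctioned support; not this chain
            shared = any(e["stage"] == "screen_share"
                         and rmm["ts"] - window <= e["ts"] <= rmm["ts"]
                         for e in evs)
            alerts.append({
                "host": host,
                "user": rmm["user"],
                "rmm": basename(rmm["image"]),
                "exfil": basename(exfil[0]["image"]),
                "screen_share_before": shared,
                "minutes_rmm_to_exfil": round(
                    (exfil[0]["ts"] - rmm["ts"]).total_seconds() / 60, 1),
                "severity": "high" if shared else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_chains(load_events(SAMPLE_EVENTS)):
        print(alert)
```

On the embedded sample only LAW-WS-017 is flagged: the help desk host that runs AnyDesk from Program Files without any transfer tool, and the finance host where rclone appears six hours after Teams with no RMM in between, stay quiet. In production the RMM list is better expressed as an allow-list of the organization's one sanctioned tool, so that any other RMM launch is an alert on its own, before the exfiltration stage ever arrives.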

Targeting High-Value Legal Services Firms

Legal services firms are particularly attractive targets for extortion actors due to their repositories of sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports. These entities face significant reputational and regulatory risks, making them more likely to resolve extortion situations quietly to protect their professional standing.

Threat actors recognize that targeting the human element through voice-guided social engineering lets them sidestep hardened perimeters, web security gateways, and multi-factor authentication (MFA). None of those controls is defeated technically; the victim, already authenticated, simply grants the access.

Infrastructure and Evasion Techniques

UNC3753 fronts its domains with fast-flux DNS infrastructure spread across Latin America, Eastern Europe, Central Asia, the Middle East/Africa, East Asia, and the Caribbean. By rotating DNS records frequently and using short Time-To-Live (TTL) values, the actor keeps any single address from being cached for long, which makes the domains harder to block and the infrastructure more resilient to takedown.

The group's data leak site, business-data-leaks[.]com, lists close to 100 victim organizations as of June 2026. A second domain, ep6pheij[.]com, stages the stolen data per victim. Both domains sit on a fast-flux network backed by a botnet spread across 18 countries and 22 ISPs. The infrastructure contains no datacenter or hosting IPs; every node traces back to a consumer ISP and is flagged as a residential or mobile IP address.
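One way to turn these infrastructure traits into a check, as an added example rather than anything Google or the FBI published: the Python below scores passive-DNS observations per domain on the four characteristics just described (answer-IP count, ASN count, TTL, and the share of answers on residential or mobile networks). The domains, observations and thresholds are constructed for illustration, and the asn_type labels stand in for what an IP-intelligence lookup would return; nothing is resolved or looked up at run time.

```python
"""Score passive-DNS observations for fast-flux hosting: many answer IPs
spread over many ASNs, short TTLs, and answers on consumer (residential or
mobile) networks rather than hosting providers.  Added example; thresholds
and observations are constructed."""
from collections import defaultdict

# Constructed observations: (domain, answer_ip, ttl_seconds, asn, asn_type).
# Domains are placeholders, IPs come from the RFC 5737 documentation ranges and
# ASNs from the RFC 5398 documentation range; asn_type is the kind of label an
# IP-intelligence lookup would supply (assumed here, not looked up).
SAMPLE_OBSERVATIONS = [
    ("leak-site.example",  "203.0.113.17",   60, 64496, "residential"),
    ("leak-site.example",  "198.51.100.42",  60, 64497, "mobile"),
    ("leak-site.example",  "192.0.2.88",     90, 64498, "residential"),
    ("leak-site.example",  "203.0.113.201",  60, 64499, "residential"),
    ("leak-site.example",  "198.51.100.7",  120, 64500, "residential"),
    ("leak-site.example",  "203.0.113.17",   60, 64496, "residential"),
    ("leak-site.example",  "192.0.2.133",    60, 64501, "mobile"),
    ("leak-site.example",  "198.51.100.99",  60, 64502, "residential"),
    ("cdn-portal.example", "192.0.2.10",     60, 64510, "hosting"),
    ("cdn-portal.example", "192.0.2.11",     60, 64510, "hosting"),
    ("cdn-portal.example", "192.0.2.12",     60, 64510, "hosting"),
    ("cdn-portal.example", "192.0.2.13",     60, 64510, "hosting"),
    ("cdn-portal.example", "192.0.2.14",     60, 64510, "hosting"),
    ("cdn-portal.example", "192.0.2.10",     60, 64510, "hosting"),
]

# Illustrative thresholds (assumptions); tune against your own passive-DNS baseline.
MIN_IPS = 5
MIN_ASNS = 3
MAX_TTL = 300
MIN_CONSUMER_FRACTION = 0.5
CONSUMER_TYPES = {"residential", "mobile"}


def summarize(observations):
    """Aggregate per-domain answer sets from the raw observations."""
    acc = defaultdict(lambda: {"ips": set(), "asns": set(), "ttls": [],
                               "consumer": 0, "total": 0})
    for domain, ip, ttl, asn, asn_type in observations:
        d = acc[domain]
        d["ips"].add(ip)
        d["asns"].add(asn)
        d["ttls"].append(ttl)
        d["total"] += 1
        if asn_type in CONSUMER_TYPES:
            d["consumer"] += 1
    return acc


def score_domain(d):
    """Evaluate the four indicators; three or more is called fast-flux.
    ASN diversity is the one a CDN does not share: a CDN also rotates many
    IPs on short TTLs, but inside one or two hosting ASNs."""
    consumer_fraction = d["consumer"] / d["total"]
    indicators = {
        "many_ips": len(d["ips"]) >= MIN_IPS,
        "many_asns": len(d["asns"]) >= MIN_ASNS,
        "short_ttl": min(d["ttls"]) <= MAX_TTL,
        "consumer_hosted": consumer_fraction >= MIN_CONSUMER_FRACTION,
    }
    score = sum(indicators.values())
    return {
        "distinct_ips": len(d["ips"]),
        "distinct_asns": len(d["asns"]),
        "min_ttl": min(d["ttls"]),
        "consumer_fraction": round(consumer_fraction, 2),
        "indicators": indicators,
        "score": score,
        "fast_flux": score >= 3,
    }


def assess(observations):
    """Per-domain verdicts for a batch of observations."""
    return {domain: score_domain(d)
            for domain, d in summarize(observations).items()}


if __name__ == "__main__":
    for domain, verdict in assess(SAMPLE_OBSERVATIONS).items():
        print(domain, verdict)
```

On the sample, the placeholder leak site trips all four indicators, while the CDN-like domain, which also rotates five IPs on a 60-second TTL, scores only two because every answer sits in a single hosting ASN. That gap is the reason IP count or TTL on its own is a poor fast-flux signal; the ASN spread and the residential-only footprint the report describes are what separate the botnet from a legitimate content network.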

Conclusion

The activities of UNC3753 underscore the evolving landscape of cyber threats,
