Google links UNC3753 to vishing and physical intrusion attacks targeting U.S. legal and financial firms for data theft and extortion.

Cybersecurity researchers have uncovered a large-scale data theft and extortion campaign conducted by the threat group UNC3753, which targeted dozens of organizations across the United States between January and May 2026.
Researchers from Google Mandiant and Google Threat Intelligence Group (GTIG) attributed the activity to UNC3753, a financially motivated threat actor also known as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG). The campaign primarily focused on organizations operating in the legal, financial, and professional services sectors.
According to researchers, the group relied heavily on voice phishing, or vishing, and social engineering tactics to gain access to corporate environments. Attackers typically initiated contact using benign invoice-themed emails sent from consumer email accounts. The emails contained no malicious links or attachments but were designed to create concern and encourage victims to engage with follow-up phone calls from individuals posing as internal IT support personnel.
Once contact was established, victims were persuaded to join screen-sharing sessions through platforms such as Zoom, Microsoft Teams, or Quick Assist. During these sessions, attackers instructed targets to install legitimate remote management and remote access tools, including AnyDesk, Bomgar, SuperOps RMM, and Zoho Assist, allowing the group to establish persistent access to corporate systems.
Investigators found that UNC3753 often used the access to search for sensitive information stored on local devices, network shares, and cloud environments. Stolen data reportedly included financial records, confidential legal documents, client agreements, tax information, Social Security numbers, and other personally identifiable information. The data was then exfiltrated using tools such as WinSCP and Rclone or transferred through compromised email accounts.
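For defenders, the sequence described above (a remote access tool installed during a support call, followed by a file transfer tool on the same machine) can be checked in endpoint process logs. The following is an added example, not code from Google's report or from this article: the event format, host names, correlation window, and the matching of tool names against executable file names are all assumptions to adapt to local telemetry.

```python
from datetime import datetime, timedelta

# Keywords taken from the tool names in the article. Matching them against
# executable file names is an assumption; real binary names vary by version.
REMOTE_ACCESS = ("anydesk", "bomgar", "superops", "zohoassist")
TRANSFER = ("winscp", "rclone")
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed process-creation events: (timestamp, host, user, image path)
SAMPLE_EVENTS = [
    ("2026-03-02T14:05:11", "WS-114", "jdoe", r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    ("2026-03-02T14:31:40", "WS-114", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe"),
    ("2026-03-02T09:00:00", "WS-201", "asmith", r"C:\Program Files (x86)\WinSCP\WinSCP.exe"),
    ("2026-03-03T10:12:00", "WS-330", "blee", r"C:\Users\blee\Downloads\ZohoAssist.exe"),
    ("2026-03-05T16:45:00", "WS-330", "blee", r"C:\Tools\rclone.exe"),
]

def classify(image):
    """Label an image path as 'remote_access', 'transfer', or None."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    name = name.replace(" ", "").replace("-", "").replace("_", "")
    if any(k in name for k in REMOTE_ACCESS):
        return "remote_access"
    if any(k in name for k in TRANSFER):
        return "transfer"
    return None

def correlate(events, window=WINDOW):
    """Alert when a transfer tool starts on a host within `window` after a
    remote-access tool started on that same host."""
    last_remote = {}  # host -> (start time, image path)
    alerts = []
    for ts, host, user, image in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        kind = classify(image)
        if kind == "remote_access":
            last_remote[host] = (when, image)
        elif kind == "transfer" and host in last_remote:
            started, remote_image = last_remote[host]
            if when - started <= window:
                gap = int((when - started).total_seconds() // 60)
                alerts.append({"host": host, "user": user, "remote": remote_image,
                               "transfer": image, "gap_minutes": gap})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample only WS-114 is flagged: WinSCP alone on WS-201 and the two-day gap on WS-330 fall outside the rule, which keeps routine use of these legitimate tools from generating noise.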
In a notable escalation, the group has also been linked to physical intrusion attempts. In some cases, individuals posing as IT technicians reportedly visited corporate offices and used removable storage devices to collect sensitive information directly from victim systems. The tactic mirrors a recent FBI warning about Silent Ransom Group operations involving in-person access to targeted organizations.
Researchers said extortion demands were often delivered within minutes of data theft. Victims were typically given three days to begin negotiations, with threats that stolen information would be published online or disclosed directly to employees and clients if payment was not made.
Google assesses that UNC3753 shares operational similarities with UNC2686, another cybercrime group associated with callback phishing campaigns. Both groups are believed to have roots in the now-defunct Conti ransomware operation. Unlike traditional ransomware attacks, UNC3753 has largely focused on data theft and extortion rather than encrypting victim systems.
Researchers noted that legal services firms remain particularly attractive targets due to the large volumes of confidential client information they store and the reputational risks associated with data breaches, making them more susceptible to extortion attempts.








