3Corns

UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign
Cybersecurity researchers have uncovered a sophisticated data theft and extortion campaign that targeted dozens of organizations across the U.S. professional, legal, and financial sectors between January and May 2026. The operation has been linked by Google Mandiant and the Google Threat Intelligence Group (GTIG) to a threat actor tracked as UNC3753, a cybercriminal group also known by aliases including Chatty Spider, Luna Moth, and Silent Ransom Group (SRG).

According to researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan, the group relies heavily on voice phishing (vishing) and advanced social engineering tactics to infiltrate corporate environments. Rather than exploiting technical vulnerabilities, UNC3753 targets people.

Attackers initiate contact through convincing pretexts such as data migration requests or invoice-related communications, then pose as IT support personnel during phone conversations. Victims are persuaded to participate in screen-sharing sessions and install remote monitoring and management (RMM) tools, effectively granting the attackers a foothold inside the organization.

Once access is established, the threat actors move quickly to identify and extract valuable information. In some cases, they search for sensitive files themselves; in others, they manipulate victims into unknowingly performing the actions on their behalf. The stolen data has included proprietary legal agreements, personally identifiable information (PII), and confidential financial records.

In a notable escalation, investigators have also documented instances where attackers physically visited victim organizations. In incidents that echo a warning issued by the U.S. Federal Bureau of Investigation (FBI) last month, individuals posing as IT technicians gained entry to corporate offices and facilitated data theft using removable USB storage devices.

The FBI noted that by sending operatives directly to a victim's location, SRG actors can exfiltrate data onto external hard drives or USB devices connected to the victim's computer, significantly expanding the group's operational capabilities beyond traditional remote attacks.

Google's analysis further revealed tactical similarities between UNC3753 and UNC2686, another threat cluster known for orchestrating BazarCall-style social engineering campaigns in 2021. While the group has previously been associated with LockBit Black ransomware deployments, its strategy has largely shifted since 2022 toward extortion-only operations. Instead of encrypting systems, attackers focus on stealing sensitive data and threatening public disclosure through the LEAKEDDATA leak site unless victims comply with ransom demands.

Security researchers assess that both UNC3753 and UNC2686 likely originated from the remnants of the now-defunct Conti ransomware syndicate. Early campaigns relied on subscription cancellation scams and callback phishing techniques designed to trick victims into installing remote access software, laying the groundwork for the increasingly sophisticated and aggressive extortion operations seen today.

The campaign serves as a stark reminder that modern cyber threats are no longer confined to malicious code and digital exploits. Increasingly, attackers are weaponizing trust, human interaction, and even physical presence to bypass security controls and gain access to valuable corporate data.

Beginning in March 2025, UNC3753 refined its social engineering playbook by impersonating internal IT help desk personnel, convincing employees to join screen-sharing sessions through trusted enterprise collaboration platforms such as Zoom, Microsoft Teams, and Quick Assist. By leveraging familiar business tools and trusted identities, the group effectively sidestepped many traditional security controls designed to detect malicious activity.

According to Google, these campaigns often begin with seemingly harmless invoice-themed emails sent from attacker-controlled consumer email accounts. Unlike conventional phishing attempts, the messages contain no malicious links or attachments. Instead, they are intentionally brief and generic, serving a different purpose entirely. "The primary purpose of these emails is to establish a pretext," Google explained, noting that the messages are designed to trigger concern or curiosity within the target organization, making recipients more receptive to follow-up phone calls from individuals posing as legitimate IT personnel.

Once trust has been established and a screen-sharing session is underway, attackers work to secure long-term access by guiding victims through the installation of legitimate remote access and management tools. Commonly abused applications include AnyDesk, Bomgar, SuperOps RMM, and Zoho Assist. Installation instructions are frequently delivered through Privnote, a legitimate self-destructing messaging service that automatically deletes notes after they have been viewed, helping reduce the group's digital footprint.

Investigators have also observed UNC3753 adapting its tactics to exploit personal devices. In some cases, victims are instructed to launch Zoom sessions from personal laptops, allowing attackers to access corporate virtual desktop infrastructure (VDI) environments indirectly. From there, the threat actors systematically expand their reach throughout the organization's network.

Their objectives are clear: identify, catalog, and extract high-value data. Once inside, attackers enumerate local and cloud-based directories, crawl mapped network drives, and sift through sensitive repositories containing tax records, audit documentation, corporate client agreements, Social Security numbers (SSNs), and other confidential business information. The final phase of the operation is both swift and calculated.

Stolen data is typically exfiltrated using tools such as WinSCP or Rclone, or forwarded directly from compromised email accounts to attacker-controlled inboxes. In many cases, extortion demands arrive less than 30 minutes after the attackers leave the victim's environment. Victims are generally given just three days to initiate ransom negotiations. Failure to respond triggers escalating threats, including direct outreach to employees, business partners, and clients informing them of the breach. The attackers also warn that all stolen data may be published on their leak site if their demands are ignored.

Google noted that legal services organizations remain particularly attractive targets due to the highly sensitive nature of the information they manage. Law firms and legal service providers often maintain centralized repositories containing confidential client transactions, merger and acquisition strategies, trade secrets, litigation materials, and regulatory filings, making them lucrative targets for data-focused extortion campaigns.

Researchers further emphasized that these organizations face significant reputational and regulatory risks in the event of a breach. Threat actors understand that many firms may prefer to resolve incidents discreetly to avoid public scrutiny, client distrust, and potential compliance consequences.

More importantly, the campaign highlights a growing trend in modern cybercrime: attackers increasingly prioritize manipulating people over exploiting technology. By combining persuasive voice-based social engineering with legitimate remote administration tools, groups like UNC3753 can bypass sophisticated security infrastructure, web filtering technologies, and even multi-factor authentication protections, turning trusted employees into unwitting accomplices in the compromise.

References: https://thehackernews.com/2026/06/unc3753-used-vishing-and-physical.html
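One defensive takeaway from the access-then-exfiltrate chain described above (an unapproved remote-support tool appearing on a host, followed shortly by WinSCP or Rclone) is that it can be correlated from ordinary process-creation telemetry. The following is an added example, not code from the article or from Google/Mandiant; the tool names come from the article, while the executable file names, the log format, the approved-RMM allowlist and the two-hour window are assumptions.

```python
# Added example, not code from the article or from Google/Mandiant. It walks a
# constructed process-creation log and flags the chain the article describes:
# an unapproved remote-support/RMM tool appearing on a host, then an
# exfiltration-capable tool (Rclone, WinSCP) on the same host soon after.
from datetime import datetime, timedelta

# Tool names are taken from the article; the executable file names, the
# approved-RMM allowlist and the 2-hour window are assumptions for illustration.
RMM_TOOLS = {"anydesk.exe", "bomgar-scc.exe", "superops-agent.exe", "zohoassist.exe"}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
APPROVED_RMM = {"bomgar-scc.exe"}  # assumed: the one remote-support tool IT actually uses
WINDOW = timedelta(hours=2)

# Constructed sample log, one event per line: timestamp|host|user|image
SAMPLE_LOG = """\
2026-03-04T09:12:00|WKS-017|jdoe|outlook.exe
2026-03-04T09:40:11|WKS-017|jdoe|AnyDesk.exe
2026-03-04T10:05:47|WKS-017|jdoe|rclone.exe
2026-03-04T11:02:00|WKS-022|asmith|bomgar-scc.exe
2026-03-05T08:30:00|WKS-031|bwong|WinSCP.exe
"""

def parse(log):
    """Return (timestamp, host, user, image) tuples, image lower-cased for matching."""
    events = []
    for line in log.strip().splitlines():
        ts, host, user, image = line.split("|")
        events.append((datetime.fromisoformat(ts), host, user, image.lower()))
    return events

def detect(log):
    """Return alerts as (severity, host, user, detail) tuples in time order."""
    alerts, first_rmm = [], {}  # first_rmm: host -> time of first unapproved RMM tool
    for ts, host, user, image in sorted(parse(log)):
        if image in RMM_TOOLS and image not in APPROVED_RMM:
            first_rmm.setdefault(host, ts)
            alerts.append(("medium", host, user, f"unapproved remote-access tool {image}"))
        elif image in EXFIL_TOOLS:
            seen = first_rmm.get(host)
            if seen is not None and ts - seen <= WINDOW:
                # RMM install followed by an exfil tool: the article's access-then-steal chain
                alerts.append(("high", host, user, f"{image} {ts - seen} after unapproved RMM tool"))
            else:
                alerts.append(("medium", host, user, f"exfiltration-capable tool {image}"))
    return alerts

if __name__ == "__main__":
    for severity, host, user, detail in detect(SAMPLE_LOG):
        print(f"[{severity}] {host} {user}: {detail}")
```

The approved tool on WKS-022 produces no alert, WKS-031 gets a medium alert for a lone WinSCP launch, and WKS-017 escalates to high because Rclone ran about 25 minutes after an unapproved AnyDesk install.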

