UNC3753 Uses Vishing And Physical Intrusions In Fast Moving U.S. Data Theft Extortion Campaign

A financially motivated cybercrime campaign targeting organizations in the professional, legal, and financial services sectors in the United States has been attributed to a threat actor tracked as UNC3753. According to research from Google Mandiant and the Google Threat Intelligence Group, the activity took place between January and May 2026 and affected dozens of organizations through a combination of voice-based phishing, social engineering, and physical intrusion. The group is also known under multiple aliases, including Chatty Spider, Luna Moth, and Silent Ransom Group, and has evolved its methods to bypass traditional security controls by focusing on human manipulation rather than technical exploitation.

UNC3753 relies on voice phishing to gain initial access to corporate environments by impersonating IT support personnel over the phone. Researchers noted that attackers often begin with pretext emails about data migration or invoice issues, sent from attacker-controlled consumer email accounts. These messages contain no malicious links or attachments, so link- and attachment-based mail filtering has nothing to act on; they exist to build credibility and prompt a follow-up phone call. During these calls, attackers convince employees to join screen-sharing sessions or install remote monitoring and management (RMM) tools, giving the attackers access to internal systems. Once access is established, the attackers search for sensitive files or manipulate victims into performing actions on their behalf, extracting proprietary legal agreements, personally identifiable information, and financial records from compromised environments.

In more advanced cases, the group has escalated beyond remote access by physically entering corporate offices posing as IT technicians and using removable USB devices to exfiltrate data directly from on-site systems. According to the U.S. Federal Bureau of Investigation, this tactic represents a growing escalation in social engineering based cybercrime, in which attackers bypass network defenses entirely by targeting physical access. Once on a system, UNC3753 operators also use screen-sharing and remote assistance tools such as Zoom, Microsoft Teams, and Windows Quick Assist to keep the victim on a session and guide them through installing legitimate remote desktop software. AnyDesk, Bomgar, SuperOps RMM, and Zoho Assist are commonly used, with installation instructions often delivered through self-destructing notes on privnote[.]com to reduce forensic traces.

The campaign moves deeper into the network once persistent remote access is in place. Attackers have been observed accessing corporate virtual desktop infrastructure from personal devices, which lets them browse internal file systems, mapped drives, and cloud storage. Collection focuses on high-value information such as tax records, audit documents, client agreements, and identity data including Social Security numbers. Once data is staged, exfiltration is carried out with WinSCP or Rclone, or in some cases the files are emailed from compromised mailboxes to attacker-controlled accounts. Extortion messages typically follow within minutes of the theft, giving victims a three-day deadline to begin negotiations and threatening exposure to clients, employees, and public leak sites if demands are not met.
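The tradecraft described in the last three paragraphs leaves host-level traces that are easy to hunt for: an RMM or remote-desktop tool appearing on a workstation that never had one, Rclone or WinSCP running from a user profile, and a lookup of privnote[.]com shortly before either. The following is an added example, not code from the report or from Google, that labels such events in constructed Sysmon-style telemetry and escalates any host where an RMM tool ran and an exfiltration tool followed inside one business day. The event field names, the tool-name substrings, and the sample events are assumptions; map them onto your own EDR or Sysmon schema and drop any RMM product your IT team legitimately deploys into the `sanctioned` list, since Quick Assist in particular is built into Windows and will be noisy otherwise.

```python
"""Hunt for the UNC3753 tradecraft described above in process-creation and DNS telemetry.

Added example, not part of the original report. The event layout and the
tool-name substrings are assumptions: map them onto your own Sysmon/EDR field
names and tune the lists to the RMM tools your organization sanctions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Lower-case substrings of the image file name for the tools the report names.
# Assumption: exact binary names vary by vendor and version, so match on product.
RMM_TOOLS = ("anydesk", "bomgar", "superops", "zoho", "quickassist")
EXFIL_TOOLS = ("rclone", "winscp")
NOTE_DOMAINS = ("privnote.com",)
# The report says the full intrusion often fits inside one business day.
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample telemetry (Sysmon-like process-create and DNS-query events).
SAMPLE_EVENTS = [
    {"time": "2026-03-10T09:02:11", "host": "WS-LEGAL-07", "type": "dns",
     "query": "privnote.com"},
    {"time": "2026-03-10T09:05:40", "host": "WS-LEGAL-07", "type": "process",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"},
    {"time": "2026-03-10T11:47:03", "host": "WS-LEGAL-07", "type": "process",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Clients remote:staging"},
    {"time": "2026-03-10T10:15:00", "host": "WS-FIN-02", "type": "process",
     "image": r"C:\Program Files\WinSCP\WinSCP.exe", "cmdline": "WinSCP.exe"},
    {"time": "2026-03-10T10:20:00", "host": "WS-ADMIN-01", "type": "process",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def classify(event, sanctioned=()):
    """Return an indicator label for one event, or None if nothing matched."""
    if event["type"] == "process":
        # Match on the file name only; the parent directory is irrelevant here.
        name = event["image"].lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if any(t in name for t in RMM_TOOLS):
            # An RMM product your IT team already deploys is not an indicator by itself.
            return None if any(t in name for t in sanctioned) else "rmm_tool"
        if any(t in name for t in EXFIL_TOOLS):
            return "exfil_tool"
    elif event["type"] == "dns":
        query = event["query"].lower().rstrip(".")
        if any(query == d or query.endswith("." + d) for d in NOTE_DOMAINS):
            return "privnote_lookup"
    return None


def hunt(events, sanctioned=()):
    """Label every matching event; returns a list of finding dicts in input order."""
    findings = []
    for ev in events:
        label = classify(ev, sanctioned)
        if label:
            findings.append({"time": datetime.fromisoformat(ev["time"]),
                             "host": ev["host"], "label": label,
                             "detail": ev.get("cmdline") or ev.get("query")})
    return findings


def correlate(findings, window=CORRELATION_WINDOW):
    """Escalate hosts where an RMM tool ran and an exfil tool followed within `window`.

    Returns {host: (rmm_time, exfil_time)}. Hosts with only one of the two are
    left as ordinary findings for triage.
    """
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    escalated = {}
    for host, fs in by_host.items():
        rmm_times = sorted(f["time"] for f in fs if f["label"] == "rmm_tool")
        exfil_times = sorted(f["time"] for f in fs if f["label"] == "exfil_tool")
        for r in rmm_times:
            later = [e for e in exfil_times if r <= e <= r + window]
            if later:
                escalated[host] = (r, later[0])
                break
    return escalated


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['host']:<12} {f['label']:<16} {f['detail']}")
    for host, (start, end) in correlate(found).items():
        print(f"HIGH: {host}: RMM tool at {start:%H:%M}, exfil tool at {end:%H:%M}")
```

Run against the constructed events, WS-LEGAL-07 is escalated (AnyDesk at 09:05, Rclone at 11:47), while WS-FIN-02, which only ran WinSCP, stays a single finding for triage. The correlation window is the important design choice: because this actor finishes inside a day, a 24-hour pairing of RMM install and exfil tool catches the pattern without alerting on every admin who uses WinSCP.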

Security researchers also highlighted that UNC3753 operates at high speed, often completing the entire cycle from initial contact to data theft and extortion within a single business day. The group has been linked to the ransomware ecosystem around UNC2686 and early Conti-related activity, including BazarCall-style callback phishing campaigns that previously deployed ransomware such as LockBit Black. Since 2022, however, the focus has largely shifted to extortion-only operations backed by data leak threats. Google noted that legal services firms remain prime targets because of their concentration of sensitive client information and high regulatory exposure, which makes them more likely to pay to avoid reputational damage.

Recent findings from Resecurity also indicate that UNC3753 operates fast-flux DNS infrastructure spread across multiple regions, including Latin America, Eastern Europe, Central Asia, the Middle East, Africa, East Asia, and the Caribbean. Domains such as business-data-leaks[.]com and ep6pheij[.]com are used to stage stolen data and run the leak operation. This infrastructure is supported by a distributed botnet spanning 18 countries and 22 internet service providers, relying entirely on residential and mobile IP addresses rather than data center hosting. Researchers noted that frequent DNS record changes and low time-to-live (TTL) settings let the group withstand takedown efforts while operating a rapidly shifting extortion ecosystem.
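Fast flux of the kind described here is visible to a defender who resolves a suspect domain repeatedly and watches how the answers move. The following is an added example, not from the Resecurity report, that summarises a series of A-record snapshots into the indicators that matter (distinct IPs, distinct ASNs, lowest TTL, and how much of each answer set is brand new) and applies a rule of thumb. The snapshots are constructed from TEST-NET addresses and documentation-range ASNs, and the thresholds are assumptions; in practice the snapshots come from periodic resolver queries joined to an IP-to-ASN feed. The point of the ASN count is the caveat a practitioner needs: CDNs also rotate many addresses under short TTLs, but inside one or two networks, whereas a botnet of residential and mobile hosts spreads across many.

```python
"""Score a domain for fast-flux behaviour from repeated A-record lookups.

Added example, not from the Resecurity report. The snapshots below are
constructed (TEST-NET addresses, documentation-range ASNs) and the thresholds
are assumptions; real lookups would come from periodic resolver queries plus
an IP-to-ASN feed.
"""
from collections import namedtuple

# One resolver snapshot: time in seconds, answer TTL, and the set of (ip, asn) pairs.
Snapshot = namedtuple("Snapshot", "ts ttl rrset")


def flux_indicators(snapshots):
    """Summarise how much a domain's A records move across snapshots.

    churn = average fraction of a snapshot's IPs never seen in any earlier snapshot.
    """
    seen_ips, asns, churn = set(), set(), []
    for i, snap in enumerate(snapshots):
        ips = {ip for ip, _ in snap.rrset}
        asns |= {asn for _, asn in snap.rrset}
        if i > 0:
            churn.append(len(ips - seen_ips) / len(ips))
        seen_ips |= ips
    return {
        "unique_ips": len(seen_ips),
        "unique_asns": len(asns),
        "min_ttl": min(s.ttl for s in snapshots),
        "churn": sum(churn) / len(churn) if churn else 0.0,
    }


def is_fast_flux(ind, ttl_max=300, min_ips=5, min_asns=3):
    """Assumed rule of thumb: short TTL plus many IPs spread over many ASNs.

    CDNs also rotate many IPs under short TTLs, but within one or two ASNs;
    ASN diversity is what separates a fast-flux botnet of residential and
    mobile hosts (as the report describes) from legitimate load balancing.
    """
    return (ind["min_ttl"] <= ttl_max and ind["unique_ips"] >= min_ips
            and ind["unique_asns"] >= min_asns)


# Constructed: a domain whose answers change almost completely on every lookup,
# spread across nine ASNs.
FLUX_SNAPSHOTS = [
    Snapshot(0,   180, {("192.0.2.10", 64496), ("198.51.100.7", 64497), ("203.0.113.4", 64498)}),
    Snapshot(300, 180, {("192.0.2.11", 64496), ("198.51.100.8", 64499), ("203.0.113.5", 64500)}),
    Snapshot(600, 180, {("192.0.2.12", 64501), ("198.51.100.9", 64497), ("203.0.113.6", 64502)}),
    Snapshot(900, 180, {("192.0.2.13", 64503), ("198.51.100.10", 64504), ("203.0.113.4", 64498)}),
]

# Constructed: CDN-like rotation of four addresses inside a single ASN.
CDN_SNAPSHOTS = [
    Snapshot(0,   60, {("192.0.2.50", 64510), ("192.0.2.51", 64510)}),
    Snapshot(300, 60, {("192.0.2.51", 64510), ("192.0.2.52", 64510)}),
    Snapshot(600, 60, {("192.0.2.52", 64510), ("192.0.2.53", 64510)}),
    Snapshot(900, 60, {("192.0.2.50", 64510), ("192.0.2.53", 64510)}),
]


if __name__ == "__main__":
    for label, snaps in (("flux candidate", FLUX_SNAPSHOTS), ("cdn-like", CDN_SNAPSHOTS)):
        ind = flux_indicators(snaps)
        print(label, ind, "fast-flux" if is_fast_flux(ind) else "not fast-flux")
```

On the constructed data the first domain yields 11 addresses across 9 ASNs with a 180-second TTL and is flagged, while the CDN-like domain, despite an even shorter TTL, stays within one ASN and is not. Tune `min_asns` upward if your monitoring includes multi-ASN anycast providers.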
