top of page

UNC3753 Escalates Campaign Against US Legal Firms: Vishing, Remote Access Tools, and Physical Intrusions

  • Jun 8
  • 3 min read

Key Findings


  • UNC3753 (Luna Moth, Chatty Spider, Silent Ransom Group) conducted extortion campaign targeting US legal, financial, and professional services firms from January to May 2026

  • Attack chain relies entirely on social engineering and voice phishing with no malware or ransomware involved

  • Threat actors escalated tactics to include physical office intrusions where operatives pose as IT technicians and insert USB drives to steal data

  • Stolen data typically includes tax records, audit files, client agreements, and personally identifiable information

  • End-to-end operation from initial contact to extortion demand completes in under one hour

  • Victims given three-day deadline to negotiate or face public data release and direct contact with employees and clients

  • Group believed to be offshoot of defunct Conti ransomware gang with tactical overlaps to UNC2686


Background


UNC3753 represents a shift in financially motivated cybercrime away from traditional ransomware deployment toward pure extortion operations. The group, which emerged from the collapse of the Conti ransomware organization, has been actively targeting high-value sectors since at least 2022. Legal and financial services firms became prime targets because they maintain concentrated repositories of extremely sensitive client data, transaction files, and regulatory documents. The group's operational pattern shows deliberate escalation, moving from remote-only intrusions to now conducting physical break-ins at victim locations.


Initial Access Through Social Engineering


The attack begins with careful pretext building. Attackers send initial emails from consumer accounts containing benign, misspelled invoice references or data migration notices. These emails contain no malicious links or attachments. Their sole purpose is to create anxiety about a potential billing or security issue in the target's mind. Within hours, a follow-up phone call arrives from someone claiming to be IT support, finding the target already primed to cooperate. The caller guides the victim to initiate a screen-sharing session through legitimate platforms like Microsoft Teams, Zoom, or Quick Assist. Once connected, the attacker instructs the victim to download legitimate remote management tools including AnyDesk, Bomgar, Zoho Assist, or SuperOps RMM. Instructions are delivered through privnote.com, a self-destructing message service that leaves no permanent record. In documented cases, attackers maintained contact through multiple calls over several days, demonstrating persistence over speed.


Remote Access and Data Harvesting


Once the attacker gains remote access, they pivot to corporate systems through multiple vectors. They exploit personal BYOD laptops to access corporate virtual desktop infrastructure via Windows 365 or Citrix clients. Inside the VDI environment, they systematically enumerate local directories and crawl mapped network drives. In law firms specifically, they target iManage document management platforms searching for W-2s, W-9s, 1099s, audit files, client agreements, and Social Security numbers. The entire search-to-staging process completes within an hour. In one case, attackers exfiltrated 1.7 gigabytes from a victim's local OneDrive to a Google Drive account, then pivoted to the VDI and pulled an additional 14.4 gigabytes via WinSCP. Data moves out through multiple methods including WinSCP, Rclone, or by simply logging into consumer file-sharing accounts within the victim's own browser. In other instances, attackers instructed victims to email files directly from their own corporate mailboxes to attacker-controlled addresses, making the victim an unwitting exfiltration tool.


Physical Office Intrusions


The campaign has now escalated to include in-person operations. Threat actors physically enter victim offices posing as IT technicians, then connect external USB drives or hard drives directly to employee computers to steal data. This represents a significant operational shift and echoes patterns previously documented by the FBI. The physical intrusions suggest the group has either expanded its team or contracted with local operatives capable of conducting on-site activities. This tactic bypasses network-based detection entirely and grants direct access to local storage and connected drives.


Extortion and Pressure Tactics


Within 30 minutes of exiting the target environment, victims receive an extortion demand via email. The message gives them three days to begin ransom negotiations. If they don't respond, the attackers promise to contact employees and external clients directly to announce the breach, then publish all stolen data on the LEAKEDDATA leak site. The extortion note explicitly tells victims that law enforcement won't help and will only add regulatory fines, applying pressure that is both theatrical and rooted in genuine regulatory risk. This messaging proves effective against legal and financial services organizations acutely aware of their compliance obligations and reputational exposure.


Attribution and Evolution


Google Mandiant assesses UNC3753 as an offshoot of the now-defunct Conti ransomware gang. The group shares significant tactical overlaps with UNC2686, which previously conducted BazarCall-style campaigns in 2021. While UNC3753 deployed LockBit Black ransomware in earlier operations, it shifted to extortion-only tactics around 2022. The early iterations of campaigns used subscription cancellation lures to trigger callback phishing. By March 2025, the group began impersonating internal corporate IT help desk staff, demonstrating tactical sophistication and operational evolution. The group's persistence and willingness to escalate to physical intrusions suggests strong financial motivation and access to operational resources.


Sources


  • https://securityaffairs.com/193315/cyber-crime/unc3753-escalates-from-vishing-calls-to-physical-office-intrusions-at-us-legal-and-financial-firms.html

  • https://thehackernews.com/2026/06/unc3753-used-vishing-and-physical.html

  • https://cyberpress.org/unc3753-targets-us-law-firms

  • https://gbhackers.com/unc3753-targets-us-law-firms

  • https://x.com/Mandiant/status/2062920078379626595

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page