UNC3753 Extortion Group Combines Vishing and Physical Intrusions to Steal Data from U.S. Firms
A threat actor known as UNC3753 has targeted dozens of U.S. organizations since January 2026, using vishing, fake IT support, and even in-person break-ins to steal data and demand ransoms within hours.
A financially motivated data theft extortion campaign attributed to a threat actor known as UNC3753 has hit dozens of U.S. organizations between January and May 2026, according to research released June 8 by Google Mandiant and the Google Threat Intelligence Group (GTIG). The group, also called Chatty Spider, Luna Moth, and Silent Ransom Group (SRG), has targeted professional, legal, and financial services firms with a blend of vishing, social engineering, and physical intrusions.
In one variation of the attack, UNC3753 operatives have impersonated IT technicians in person to gain physical access to corporate offices, where they steal data using removable USB media. The FBI flagged this physical intrusion technique in an advisory last month, noting that SRG actors send someone to the victim's location to facilitate the intrusion. Mandiant researchers documented that in some incidents, the end-to-end operation from initial contact to data exfiltration occurred within a single business day, with data staging and theft completed in under an hour.
Attack chain: from cold email to persistent foothold
The attack begins with benign, invoice-themed emails sent from actor-controlled consumer accounts. These messages contain no links or malicious attachments; their purpose is to plant a pretext. An unexplained invoice raises a security concern that makes the target receptive to a follow-up voice call. During that call, the attacker poses as IT support and convinces the victim to install legitimate remote desktop software such as AnyDesk, Bomgar, SuperOps RMM, or Zoho Assist. Installation instructions are passed through the self-destructing note service privnote.com, so the instructions themselves leave little trace for later investigation.
- The threat actors have also initiated screen-sharing sessions on Zoom, Microsoft Teams, or Quick Assist under the guise of addressing a security issue or helping with a corporate data migration project.
- In some cases, the attackers established Zoom sessions on targets' personal laptops to access corporate virtual desktop infrastructure (VDI), then burrowed deeper into file systems to enumerate local and cloud directories.
- Stolen data includes proprietary legal agreements, personally identifiable information (PII), financial records, tax filings, audits, corporate client agreements, and Social Security numbers (SSNs).
- Exfiltration is performed via WinSCP, Rclone, or by sending data to attacker-controlled email addresses from the victim's own mailbox.
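The chain above (RMM install instructed over a privnote link, then Rclone or WinSCP run from the same host within the hour) is what endpoint telemetry should be able to surface. The following is an added example, not code from the article or from Mandiant/GTIG: a small Python detector that runs per-event rules over constructed process-creation and DNS events and then correlates an unapproved remote-access launch with a later exfiltration tool on the same host. The executable names, the approved-tool allowlist, the event shape and the sample telemetry are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Remote-access tools named in the reporting, keyed by the executable name
# usually seen in process-creation telemetry. The image names are assumptions.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "bomgar-scc.exe": "Bomgar (BeyondTrust)",
    "superops.exe": "SuperOps RMM",
    "zohoassist.exe": "Zoho Assist",
    "quickassist.exe": "Quick Assist",
}
# Utilities the reporting names for exfiltration.
EXFIL_IMAGES = {"rclone.exe": "Rclone", "winscp.exe": "WinSCP"}
# Self-destructing note service used to hand over install instructions.
NOTE_DOMAINS = ("privnote.com",)
# Assumed: the one tool the organisation's own help desk is sanctioned to use.
APPROVED_RMM = {"bomgar-scc.exe"}
# Staging and theft took under an hour; correlate across a business day.
CORRELATION_WINDOW = timedelta(hours=8)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str          # "process" or "dns"
    host: str
    user: str
    value: str         # image path for process events, query name for dns
    cmdline: str = ""


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    user: str
    rule: str
    detail: str


def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_events(events: Iterable[Event]) -> list[Finding]:
    """Per-event rules: unapproved RMM launch, exfil utility, note-service lookup."""
    out: list[Finding] = []
    for ev in events:
        if ev.kind == "process":
            img = _image_name(ev.value)
            if img in RMM_IMAGES and img not in APPROVED_RMM:
                out.append(Finding(ev.ts, ev.host, ev.user, "unapproved_rmm",
                                   f"{RMM_IMAGES[img]} launched from {ev.value}"))
            elif img in EXFIL_IMAGES:
                out.append(Finding(ev.ts, ev.host, ev.user, "exfil_tool",
                                   f"{EXFIL_IMAGES[img]}: {ev.cmdline or ev.value}"))
        elif ev.kind == "dns":
            q = ev.value.lower().rstrip(".")
            if any(q == d or q.endswith("." + d) for d in NOTE_DOMAINS):
                out.append(Finding(ev.ts, ev.host, ev.user, "note_service_lookup", q))
    return out


def correlate(findings: list[Finding], window: timedelta = CORRELATION_WINDOW) -> list[Finding]:
    """Escalate when an unapproved RMM launch is followed, on the same host and
    inside the window, by an exfil tool: the hands-on pattern described above."""
    out: list[Finding] = []
    by_host: dict[str, list[Finding]] = {}
    for f in sorted(findings, key=lambda f: f.ts):
        by_host.setdefault(f.host, []).append(f)
    for host, fs in by_host.items():
        rmm = [f for f in fs if f.rule == "unapproved_rmm"]
        for ex in (f for f in fs if f.rule == "exfil_tool"):
            first = next((r for r in rmm if timedelta(0) <= ex.ts - r.ts <= window), None)
            if first:
                minutes = (ex.ts - first.ts).total_seconds() / 60
                out.append(Finding(ex.ts, host, ex.user, "rmm_then_exfil",
                                   f"{first.detail}; then {ex.detail} after {minutes:.0f} min"))
    return out


# Constructed sample telemetry (not real logs): one compromised host, one clean.
SAMPLE = [
    Event(datetime(2026, 4, 2, 9, 5), "dns", "WS-LEGAL-07", "jdoe", "privnote.com"),
    Event(datetime(2026, 4, 2, 9, 12), "process", "WS-LEGAL-07", "jdoe",
          r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    Event(datetime(2026, 4, 2, 9, 48), "process", "WS-LEGAL-07", "jdoe",
          r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
          "rclone.exe copy \\\\fs01\\Clients remote:dump --transfers 16"),
    Event(datetime(2026, 4, 2, 10, 30), "process", "WS-FIN-02", "asmith",
          r"C:\Program Files\Bomgar\bomgar-scc.exe"),          # sanctioned help desk tool
    Event(datetime(2026, 4, 2, 11, 0), "process", "WS-FIN-02", "asmith",
          r"C:\Program Files (x86)\WinSCP\WinSCP.exe"),        # routine SFTP use, no RMM before it
]


def run(events: Iterable[Event] = SAMPLE) -> dict[str, list[Finding]]:
    base = match_events(events)
    return {"events": base, "escalations": correlate(base)}


if __name__ == "__main__":
    for label, fs in run().items():
        for f in fs:
            print(f"[{label}] {f.ts:%H:%M} {f.host} {f.user} {f.rule}: {f.detail}")
```

On the sample, WS-FIN-02 still produces an `exfil_tool` finding for WinSCP, but no escalation, because nothing unapproved preceded it; only WS-LEGAL-07, where AnyDesk was launched 36 minutes before rclone, is raised as `rmm_then_exfil`. The allowlist is the part worth getting right in practice: a detection that fires on every remote-support tool will be tuned out, while one keyed to the tools the help desk does not use matches the article's point that the software is legitimate and the problem is who asked for it.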
Ransom demands come within 30 minutes of exit
Once data is stolen, the attackers send an extortion demand by email, typically within 30 minutes of leaving the target environment. The message gives victims a three-day deadline to initiate ransom negotiations. If the victim does not respond, the group threatens to contact employees and external clients directly to notify them of the breach, and to publish the stolen data on the LEAKEDDATA data leak site. Google Mandiant noted that since 2022, UNC3753 has focused mainly on extortion-only operations, although it has deployed LockBit Black ransomware in the past.
Mandiant assessed that UNC3753 and a related cluster, UNC2686, are offshoots of the now-defunct Conti ransomware gang. Early campaigns used subscription cancellation lures as part of callback phishing attacks. The shift to impersonating internal IT help desk staff began around March 2025. The group frequently uses consumer email accounts to distribute initial lures, avoiding traditional security controls that scan for malicious links or attachments. With the addition of physical intrusions, UNC3753 represents an escalation in hybrid social engineering threats that blend digital deception with real-world access.
Fact check
- The threat actor UNC3753 has targeted dozens of U.S. organizations between January and May 2026. (verified)
- The group has conducted physical intrusions by posing as IT technicians and using removable USB media to steal data. (verified)
- Data staging and theft is completed in under an hour, with extortion demands sent within 30 minutes of exiting the target environment. (verified)
- UNC3753 is an offshoot of the now-defunct Conti ransomware gang. (verified)
- The attack chain begins with benign invoice-themed emails containing no links or malicious attachments. (verified)
Source reporting
- The Hacker News · UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign
- BleepingComputer · Silent Ransom Group targets law firms with fake IT support calls