Full Report
When 'Chatty Spider' morphs into tech services cosplay spider
Analysis Summary
# Threat Actor: UNC3753 (aka Chatty Spider, Luna Moth, Silent Ransom Group)
## Attribution & Identity
UNC3753 is a financially motivated data-theft and extortion group that has been active since at least 2022. It is identified by various security researchers under the following aliases and associations:
* **Aliases:** Luna Moth, Chatty Spider, Silent Ransom Group (SRG).
* **Associations:** Linked to "callback phishing" campaigns and "tech services cosplay," where actors pose as legitimate IT support.
## Activity Summary
From January through May 2026, the group intensified campaigns targeting professional services in the US. The actor has evolved from traditional phishing to sophisticated "callback phishing" (vishing) and, most notably, **physical, in-person intrusions**. When digital social engineering fails, actors posing as IT technicians have attempted to enter physical offices to steal data via USB drives. A hallmark of their recent activity is extreme speed, with data theft often occurring within an hour of initial contact.
## Tactics, Techniques & Procedures
* **Callback Phishing (Vishing):** Sending invoice-themed emails (with no malicious links/attachments) to bait victims into calling a fraudulent help desk number.
* **Social Engineering:** Posing as help desk or security staff to "address a security issue" or "assist with data migration."
* **Remote Access Manipulation:** Convincing victims to join screen-sharing sessions using Zoom, Microsoft Teams, or Quick Assist.
* **BYOD/VDI Exploitation:** Establishing sessions on employees' personal laptops to bridge into corporate Virtual Desktop Infrastructure (VDI) like Citrix or Windows 365.
* **Physical Intrusion:** Entering offices posing as IT support to "image devices" or "create backups" using physical thumb drives.
* **Data Staging & Exfiltration:** Using portable file managers (WinSCP, Rclone) or uploading data directly through the victim's browser to attacker-controlled cloud storage.
* **MITRE ATT&CK IDs (Inferred):**
  * T1566.004 (Phishing: Voice)
  * T1219 (Remote Access Software)
  * T1091 (Replication Through Removable Media)
  * T1048 (Exfiltration Over Alternative Protocol)
## Targeting
* **Sectors:** Banks, Law Firms, and Professional Services companies.
* **Geography:** Primarily United States.
* **Victims:** Dozens of unnamed US-based firms; activities corroborated by federal reports regarding Silent Ransom Group intrusions at law firms.
## Tools & Infrastructure
* **Remote Support Tools:** Zoom, Microsoft Teams, Microsoft Terminal Services, Quick Assist.
* **File Management/Exfiltration:** WinSCP (portable), Rclone.
* **Infrastructure (Defanged Phishing Domains):**
  * [target-org]-itdesk[.]com
  * [target-org]-it[.]com
  * [target-org]-helpdesk[.]com
## Implications
UNC3753 represents a significant shift in threat actor behavior by crossing the threshold from digital to physical space. Their "speed-to-exfiltration" (under one hour) renders traditional reactive security measures ineffective. The group’s willingness to engage in multi-day social engineering (e.g., five separate calls with one target) demonstrates high persistence and a sophisticated understanding of corporate workflows.
## Mitigations
* **Physical Security:** Require photo ID/official credentials for all visitors; mandate that all visiting technicians are escorted by a corporate supervisor at all times.
* **VDI/VPN Security:** Implement conditional access policies to ensure only corporate-managed devices (not personal laptops) can connect to VDI or VPN environments.
* **Software Restrictions:** Block the execution and installation of unauthorized remote monitoring and management (RMM) tools and portable executables like WinSCP.
* **Verification Protocols:** Train employees to verify "help desk" requests through out-of-band internal communication channels (e.g., Slack or internal directory) before joining screen-sharing sessions.
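The "Remote Access Manipulation" and "Data Staging & Exfiltration" TTPs above, together with the software-restriction mitigation, translate into a detection rule that is easy to state: a remote-assistance client launched by a user, followed within the report's one-hour window by WinSCP or Rclone under the same user, or either tool running from a portable or removable-media location. The following is an added illustration (not code from the original report or any vendor); the process-creation records are constructed, the unmanaged-path heuristic and the mstsc.exe stand-in for "Microsoft Terminal Services" are assumptions, and a real deployment would read Sysmon/EDR events instead of the inline list.

```python
import re
from datetime import datetime, timedelta

# Remote-assistance clients named in the report; mstsc.exe is an assumed stand-in
# for "Microsoft Terminal Services".
REMOTE_ASSIST = {"quickassist.exe", "zoom.exe", "teams.exe", "ms-teams.exe", "mstsc.exe"}
# Transfer tools the report says are used for staging and exfiltration.
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}
# Launch paths suggesting a portable or removable-media copy rather than a managed
# install (assumed heuristic, not from the report).
UNMANAGED_PATH = re.compile(
    r"(\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\|^[D-Z]:\\)", re.I)
WINDOW = timedelta(hours=1)  # the report's "under one hour" speed-to-exfiltration

# Constructed process-creation records: "timestamp|user|image path|command line".
SAMPLE_EVENTS = [
    "2026-03-04T14:02:10|CORP\\jdoe|C:\\Windows\\System32\\quickassist.exe|quickassist.exe",
    "2026-03-04T14:31:45|CORP\\jdoe|C:\\Users\\jdoe\\Downloads\\WinSCP.exe|WinSCP.exe /console",
    "2026-03-04T15:20:00|CORP\\asmith|C:\\Program Files\\rclone\\rclone.exe|rclone.exe lsd remote:",
    "2026-03-04T16:05:00|CORP\\asmith|E:\\tools\\rclone.exe|rclone.exe copy",
    "2026-03-05T09:00:00|CORP\\asmith|C:\\Windows\\System32\\quickassist.exe|quickassist.exe",
]

def parse_event(line):
    """Split one constructed record into fields, lower-casing the image name."""
    ts, user, image, cmdline = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "image": image,
            "name": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}

def find_callback_exfil_chains(lines, window=WINDOW):
    """Return (kind, user, tool, detail) alerts in chronological order:
    'unmanaged_transfer_tool' when WinSCP/Rclone runs from an unmanaged path, and
    'assist_then_transfer' when the same user launches a transfer tool within
    `window` of a remote-assistance client, the sequence the report describes."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts, last_assist = [], {}  # last_assist: user -> latest remote-assist launch time
    for e in events:
        if e["name"] in REMOTE_ASSIST:
            last_assist[e["user"]] = e["ts"]
            continue
        if e["name"] not in TRANSFER_TOOLS:
            continue
        if UNMANAGED_PATH.search(e["image"]):
            alerts.append(("unmanaged_transfer_tool", e["user"], e["name"], e["image"]))
        started = last_assist.get(e["user"])
        if started is not None and e["ts"] - started <= window:
            alerts.append(("assist_then_transfer", e["user"], e["name"], str(e["ts"] - started)))
    return alerts

if __name__ == "__main__":
    for alert in find_callback_exfil_chains(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, jdoe's Quick Assist session followed 29 minutes later by a Downloads-folder WinSCP raises both alert kinds, while asmith's managed Rclone install raises nothing and only the E: drive copy is flagged.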