Full Report
From January through May 2026, Mandiant identified a financially motivated data theft extortion campaign executed by the threat cluster UNC3753 (also tracked as “Luna Moth,” “Chatty Spider,” and “Silent Ransom Group”) targeting dozens of organizations across professional, legal, and financial services in the United States. UNC3753 leverages voice phishing (vishing) and social engineering deception techniques…
Analysis Summary
# Threat Actor: UNC3753
## Attribution & Identity
* **Name/Alias:** UNC3753
* **Known Aliases:** Luna Moth, Chatty Spider, Silent Ransom Group
* **Associations:** Tracked by Mandiant as a financially motivated threat cluster.
## Activity Summary
From January through May 2026, UNC3753 conducted an extensive data theft and extortion campaign. The operation involved sophisticated social engineering and voice phishing (vishing) to infiltrate corporate networks, primarily for the purpose of exfiltrating sensitive internal documentation to support ransom demands.
## Tactics, Techniques & Procedures
* **Voice Phishing (Vishing):** Initiating phone calls posing as IT support technicians to build rapport and trust.
* **Social Engineering Pretexts:** Using deceptive emails regarding "data migrations" or "unpaid invoices" to lure victims into contact.
* **Remote Access Deception:** Convincing targets to host screen-sharing sessions and download Remote Monitoring and Management (RMM) utilities.
* **Hands-on-Keyboard Activity:** Conducting manual searches within the victim's environment to locate sensitive data.
* **Victim Manipulation:** Directing the victim to perform the exfiltration actions themselves under the guise of technical assistance.
* **Physical Incursion:** In specific instances, the actor (or associates) carried the "technician" deception out in person, physically entering corporate offices to exfiltrate data via USB storage media.
* **MITRE ATT&CK IDs (Inferred):**
  * T1566.004 (Phishing: Voice)
  * T1219 (Remote Access Software)
  * T1091 (Replication Through Removable Media)
  * T1592 (Gather Victim Host Information)
## Targeting
* **Sectors:** Legal services (Law Firms), Professional services, and Financial services.
* **Geography:** United States.
* **Victims:** Dozens of organizations; specific names were not disclosed, but the campaign heavily targeted U.S. law firms.
## Tools & Infrastructure
* **Malware/Software:** Remote Monitoring and Management (RMM) utilities (commercial tools used maliciously).
* **Hardware:** USB storage media for physical data exfiltration.
* **Infrastructure:**
  * Phishing/invoice emails (pretexts).
  * Telephony for vishing operations.
* **Source report:** https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms
## Implications
UNC3753 represents a high-risk threat to professional services because it has moved away from purely automated attacks toward high-touch social engineering. The transition from digital-only operations to physical office incursions marks a bold evolution in "Silent Ransom" tactics and significantly reduces the value of perimeter-only defense. Its objective is high-value data theft (PII, legal agreements, financial records) for extortion, which poses severe reputational and legal risks to victims.
## Mitigations
* **Employee Awareness:** Train staff specifically on "Vishing" and the risk of unrequested IT support calls.
* **RMM Controls:** Implement strict Application Control and execution policies to block unauthorized RMM software (e.g., AnyDesk, TeamViewer).
* **Verification Protocols:** Establish a multi-factor or "call-back" verification process for any IT support requests that require screen sharing or software installation.
* **Physical Security:** Enhance visitor management and office access controls to prevent unauthorized "technicians" from accessing internal endpoints with USB devices.
* **Data Loss Prevention (DLP):** Monitor and restrict the use of removable media (USB) on corporate workstations.
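As an added illustration of the RMM-control and removable-media mitigations above (example code written for this summary, not from the Mandiant report), the routine below scans endpoint telemetry for RMM tools that are either not on the approved list or were launched from a user profile path (as happens when a victim downloads one during a vishing call), and then flags USB mass-storage attachment on the same host shortly afterwards. The log format, the host names, the `corp-rmm.exe` allowlist entry and the log lines themselves are all constructed for this example.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "corp-rmm.exe"}  # recognised RMM executables
APPROVED_RMM = {"corp-rmm.exe"}   # hypothetical: the one RMM tool IT actually deploys
WINDOW = timedelta(minutes=30)    # USB attach this soon after an RMM launch is suspicious
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted (paths with spaces)

def parse(line):
    """Turn one constructed 'TIMESTAMP key=value ...' log line into a dict."""
    ts, _, rest = line.partition(" ")
    rec = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect(lines):
    """Return (alert_kind, host, detail) tuples in chronological order."""
    alerts, recent_rmm = [], {}   # recent_rmm: host -> time of last flagged RMM launch
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        host, ts = rec["host"], rec["ts"]
        if rec["event"] == "process_create":
            path = PureWindowsPath(rec["image"])
            exe = path.name.lower()
            if exe not in RMM_BINARIES:
                continue
            if exe not in APPROVED_RMM:
                kind = "unapproved_rmm"                     # application-control violation
            elif len(path.parts) > 1 and path.parts[1].lower() == "users":
                kind = "rmm_from_user_path"                 # approved tool, but a user-dropped copy
            else:
                continue                                    # sanctioned install, nothing to flag
            alerts.append((kind, host, exe))
            recent_rmm[host] = ts
        elif rec["event"] == "usb_attached":
            started = recent_rmm.get(host)
            if started is not None and ts - started <= WINDOW:
                alerts.append(("usb_after_rmm", host, rec["device"]))  # possible hands-on exfil
    return alerts

SAMPLE_LOG = [  # constructed telemetry, not real data
    r'2026-03-04T10:15:02 host=WS-17 user=jdoe event=process_create image=C:\Users\jdoe\Downloads\AnyDesk.exe',
    r'2026-03-04T10:16:10 host=WS-17 user=jdoe event=process_create image="C:\Program Files\Corp-RMM\corp-rmm.exe"',
    r'2026-03-04T10:22:40 host=WS-17 user=jdoe event=usb_attached device=USBSTOR\Disk&Ven_Generic',
    r'2026-03-04T11:05:00 host=WS-03 user=lchen event=usb_attached device=USBSTOR\Disk&Ven_Kingston',
    r'2026-03-04T09:00:00 host=WS-09 user=asmith event=process_create image=C:\Users\asmith\Downloads\corp-rmm.exe',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```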