Full Report
Cybersecurity researchers have disclosed details of a financially motivated data theft extortion campaign that has targeted dozens of organizations across professional, legal, and financial services in the U.S. between January and May 2026. The activity has been attributed by Google Mandiant and Google Threat Intelligence Group (GTIG) to a threat actor dubbed UNC3753, which is also known as
Analysis Summary
# Threat Actor: UNC3753
## Attribution & Identity
**UNC3753** is a financially motivated threat actor identified by Google Mandiant and Google Threat Intelligence Group (GTIG). The group is assessed to be an offshoot of the defunct **Conti** ransomware gang.
**Known Aliases and Associated Groups:**
* **Luna Moth**
* **Silent Ransom Group (SRG)**
* **Chatty Spider**
* **UNC2686** (Significant tactical overlap/predecessor group)
## Activity Summary
Between **January and May 2026**, UNC3753 conducted a wide-reaching data theft and extortion campaign targeting U.S. organizations. The actor transitioned from historical ransomware deployment to "extortion-only" operations. Their most recent activity is characterized by high-touch social engineering, including vishing and unprecedented physical intrusions to facilitate data theft.
## Tactics, Techniques & Procedures
* **Callback Phishing (BazarCall-style):** Sending benign, invoice-themed emails from consumer accounts to bait victims into calling a support number.
* **Vishing (Voice Phishing):** Posing as IT support/help desk via phone to build rapport and guide victims through "technical" procedures.
* **Social Engineering/Deception:** Impersonating internal IT staff to invite victims to screen-sharing sessions (via Zoom, Microsoft Teams, or Quick Assist).
* **Physical Intrusion:** Posing as IT technicians to gain physical access to corporate offices and exfiltrate data via removable media.
* **Execution Prevention Bypass:** Relying on legitimate RMM tools and screen-sharing sessions, rather than malware, to sidestep automated controls that key on malicious attachments or binaries.
* **Data Exfiltration:** Searching for PII, financial records, and legal agreements.
* **Extortion:** Threatening to publish stolen data on the "LEAKEDDATA" site to pressure victims into payment.
## Targeting
* **Sectors:** Professional services, Legal (Law Firms), and Financial services.
* **Geography:** Primarily the United States.
* **Victims:** Dozens of organizations; specific names were not disclosed in the report, though law firms are explicitly highlighted as a primary target.
## Tools & Infrastructure
* **Remote Monitoring & Management (RMM):** AnyDesk, Bomgar (BeyondTrust), SuperOps RMM, and Zoho Assist.
* **Communication Platforms:** Zoom, Microsoft Teams, Windows Quick Assist.
* **Information Sharing:** privnote[.]com (used to send self-destructing instructions/links).
* **Data Leak Site:** LEAKEDDATA.
* **Malware (Historical/Occasional):** LockBit Black (ransomware).
* **Hardware:** USB flash drives and external hard drives (used during physical intrusions).
## Implications
UNC3753 represents an escalation in the "low-tech, high-impact" threat landscape. By avoiding malicious attachments and links, the group circumvents email gateways and EDR solutions. Its willingness to conduct physical intrusions marks an operational shift in which physical security is now as critical as cybersecurity for targeted sectors such as law and finance.
## Mitigations
* **Employee Awareness:** Specialized training on "Callback Phishing" and vishing; instruct employees that IT will never ask to join a Zoom/Teams session via an unsolicited email/phone call.
* **Software Restriction Policies:** Allow-list only the RMM tools the organization has authorized and block execution of unauthorized ones such as AnyDesk or Zoho Assist.
* **Physical Security:** Enhance visitor verification protocols and "Technical Escort" requirements for any onsite maintenance or IT support.
* **VDI/Network Monitoring:** Monitor for unusual data enumeration or large-scale file transfers originating from VDI environments and personal laptop sessions.
* **Out-of-Band Verification:** Implement a policy requiring employees to verify the identity of IT support through an internal, trusted directory before granting remote access.
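The following script is an added example, not code from the Google Mandiant/GTIG report, showing how the two technical mitigations above (an RMM allow-list and monitoring for bulk file access) can be checked against endpoint telemetry. Everything in it is an assumption for illustration: the approved-vendor list (Bomgar is treated as the sanctioned tool), the substring matching of tool names against process image paths, the event formats, and the threshold and window for bulk file reads. The events themselves are constructed inline so the script runs offline.

```python
"""Added example: triage constructed endpoint telemetry against an RMM
allow-list and a bulk file-access threshold. Not from the report; all
vendor mappings, paths, events and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allow-list: the only RMM vendor the help desk is sanctioned to
# use. Assumption for this example: the organisation standardised on Bomgar.
APPROVED_RMM = {"bomgar"}

# Keywords taken from the tooling named in the report, matched case-insensitively
# against the process image path. Substring matching is a simplification; a
# production policy (AppLocker/WDAC) would key on publisher certificate or hash.
RMM_KEYWORDS = {
    "anydesk": "AnyDesk",
    "bomgar": "Bomgar (BeyondTrust)",
    "superops": "SuperOps RMM",
    "zoho": "Zoho Assist",
}

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
PROCESS_EVENTS = [
    {"ts": "2026-03-04T09:12:01", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\Bomgar\bomgar-scc.exe"},
    {"ts": "2026-03-04T09:15:44", "user": "CORP\\asmith",
     "image": r"C:\Users\asmith\Downloads\AnyDesk.exe"},
    {"ts": "2026-03-04T09:16:10", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2026-03-04T10:02:30", "user": "CORP\\bwong",
     "image": r"C:\Users\bwong\AppData\Local\Temp\ZohoAssist\za_agent.exe"},
]


def classify_rmm(image_path):
    """Return (vendor, approved) if the image looks like an RMM tool, else None."""
    lowered = image_path.lower()
    for keyword, vendor in RMM_KEYWORDS.items():
        if keyword in lowered:
            return vendor, keyword in APPROVED_RMM
    return None


def find_unauthorized_rmm(events):
    """Return process events that launched an RMM tool outside the allow-list."""
    hits = []
    for ev in events:
        match = classify_rmm(ev["image"])
        if match and not match[1]:
            hits.append({"ts": ev["ts"], "user": ev["user"],
                         "vendor": match[0], "image": ev["image"]})
    return hits


def _make_reads(user, start, count, step_seconds, prefix):
    """Build constructed file-read audit rows: (timestamp, user, path)."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_seconds)).isoformat(timespec="seconds"),
             user, f"{prefix}{i:04d}.pdf") for i in range(count)]


# Constructed file-server audit log: a normal user reading a few finance
# documents over an hour, and a session reading 120 legal files in four minutes.
FILE_EVENTS = (
    _make_reads("CORP\\jdoe", "2026-03-04T09:00:00", 8, 450, r"\\fs01\finance\doc_")
    + _make_reads("CORP\\asmith", "2026-03-04T09:20:00", 120, 2, r"\\fs01\legal\doc_")
)


def find_bulk_file_access(events, threshold=50, window_minutes=10):
    """Return {user: peak_count} for users whose file reads in any sliding
    window of window_minutes exceed threshold. Both numbers are assumptions
    to be tuned against a per-environment baseline."""
    by_user = defaultdict(list)
    for ts, user, path in events:
        by_user[user].append((datetime.fromisoformat(ts), path))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, rows in by_user.items():
        rows.sort()
        start, peak = 0, 0
        for end in range(len(rows)):
            # Advance the window start until the span fits inside the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for hit in find_unauthorized_rmm(PROCESS_EVENTS):
        print(f"[RMM] {hit['ts']} {hit['user']} launched {hit['vendor']}: {hit['image']}")
    for user, peak in find_bulk_file_access(FILE_EVENTS).items():
        print(f"[FILES] {user} read {peak} files within 10 minutes")
```

Run as a script it flags the AnyDesk and Zoho Assist launches while passing the approved Bomgar client, and it flags the session that pulled 120 files in under five minutes while leaving the slow finance reader alone. The two checks are deliberately independent so that each can be wired to its own log source (process telemetry for the first, object-access or file-server auditing for the second).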