UNC3753: The Evolving Threat Group Blending Vishing, Social Engineering, and Physical Intrusion
A financially motivated data theft and extortion campaign, attributed to the sophisticated threat actor **UNC3753** (also known as **Chatty Spider**, **Luna Moth**, and **Silent Ransom Group (SRG)**), has targeted dozens of professional, legal, and financial services organizations across the U.S. between January and May 2026. To steal highly sensitive data, the group employs a complex array of tactics, ranging from elaborate voice phishing (vishing) and social engineering to, in some alarming instances, physical intrusions into corporate offices.

Cybersecurity researchers from **Google Mandiant** and the **Google Threat Intelligence Group (GTIG)** have unveiled details of a pervasive data theft and extortion campaign. This operation, active between January and May 2026, has zeroed in on numerous organizations within the U.S. professional, legal, and financial sectors.
The activity is attributed to **UNC3753**, a threat actor also identified as **Chatty Spider**, **Luna Moth**, and the **Silent Ransom Group (SRG)**. This group is known for its adept use of social engineering and **vishing** (voice phishing) to infiltrate corporate networks.
"**UNC3753** leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments," stated researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan in their report.
### The Sophisticated Playbook of UNC3753
The threat actors initiate contact using pretexts such as data migration or invoice-related emails. These initial emails are often benign, lacking malicious links or attachments, serving primarily to establish a pretext and heighten the target's internal security concerns. This makes recipients more receptive to subsequent phone calls.
During these follow-up calls, the attackers impersonate IT support staff, convincing targets to engage in screen-sharing sessions and download legitimate remote monitoring and management (**RMM**) utilities. Popular platforms like **Zoom**, **Microsoft Teams**, or **Quick Assist** are frequently utilized for these sessions.
Upon gaining initial access, **UNC3753** either directly searches for and exfiltrates files of interest or manipulates the victim into performing these actions on their behalf. Stolen information typically includes proprietary legal agreements, personally identifiable information (**PII**), and sensitive financial records.
Instructions for installing RMM software, such as **AnyDesk**, **Bomgar**, **SuperOps RMM**, or **Zoho Assist**, are often shared via ephemeral messaging services like `privnote[.]com`, ensuring the instructions self-destruct after being read.
### From Vishing to Physical Intrusion
In a significant escalation of tactics, the **U.S. Federal Bureau of Investigation (FBI)** recently issued an advisory highlighting instances where **UNC3753** actors have accessed victims' systems in person. These physical intrusions involve threat actors posing as IT technicians to gain entry into corporate offices and steal data using removable **USB** media.
"By sending someone in-person to the victim's location to facilitate the intrusion, **SRG** actors exfiltrate data to an external hard drive or **USB** drive inserted by the threat actor into the victim's computer," the **FBI** noted, underscoring the advanced nature of this group's capabilities.
### The Conti Connection and Evolving Tactics
**Google**'s analysis reveals that **UNC3753** shares tactical overlaps with **UNC2686**, another threat cluster known for its **BazarCall-style** campaigns in 2021. Both groups are believed to be offshoots of the now-defunct **Conti ransomware gang**.
While **UNC3753** has previously deployed **LockBit Black** ransomware, its operations have predominantly shifted to extortion-only since 2022. Victims are pressured to pay under the threat of having their stolen data published on the **LEAKEDDATA** data leak site.
Early campaigns by the group involved subscription cancellation lures as part of callback phishing attacks, aiming to install remote access software on victim machines. More recently, since March 2025, the group has focused on impersonating internal corporate IT help desk staff to bypass traditional security controls.
### Rapid Extortion and High-Value Targets

Once access is established, **UNC3753** actors quickly move to enumerate local and cloud directories, crawl mapped network drives, and harvest data from highly sensitive folders. This includes information related to tax filings, audits, corporate client agreements, and **Social Security numbers (SSNs)**.
Data exfiltration is typically achieved using tools like **WinSCP** or **Rclone**, or by sending the data to actor-controlled email addresses from the target's own mailbox. This entire process, from initial contact to data extortion, frequently occurs within a single business day, with data searches, staging, and theft often completed in under an hour.
Within approximately 30 minutes of exiting the target environment, an extortion demand is sent via email, giving victims a three-day deadline for negotiations. The threat actors further pressure targets by threatening to directly contact employees and external clients to disclose the breach, alongside publishing the stolen information on their data leak site.
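The tempo described above (an RMM tool landing on a workstation, then WinSCP or Rclone running on the same host within the hour) is something a defender can correlate from process-creation telemetry. The following is an added example, not code from the report or from Google; it assumes events arrive as simple text lines and that the tools keep their vendor image names, and the sample log is constructed.

```python
"""Correlate RMM tool launches with follow-on exfiltration tooling on the same host.

Assumed input: process-creation events as 'ISO-time host user image' lines
(constructed here; in practice an EDR or Sysmon Event ID 1 feed would supply them).
"""
from datetime import datetime, timedelta

# Tools named in the report. Image names are an assumption about how the
# vendor binaries appear on disk; adjust to local telemetry.
RMM_TOOLS = {"anydesk.exe", "bomgar-scc.exe", "superops.exe", "zohoassist.exe", "quickassist.exe"}
EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}
WINDOW = timedelta(minutes=60)  # report: search, staging and theft in under an hour

def parse(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, host, user, image = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "image": image.lower()}

def correlate(events):
    """Return (host, rmm_image, exfil_image, minutes) for every exfil-tool launch
    that follows an RMM launch on the same host within WINDOW."""
    alerts, rmm_seen = [], {}  # rmm_seen: host -> (ts, image) of latest RMM launch
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["image"] in RMM_TOOLS:
            rmm_seen[e["host"]] = (e["ts"], e["image"])
        elif e["image"] in EXFIL_TOOLS and e["host"] in rmm_seen:
            t0, rmm = rmm_seen[e["host"]]
            if e["ts"] - t0 <= WINDOW:
                minutes = int((e["ts"] - t0).total_seconds() // 60)
                alerts.append((e["host"], rmm, e["image"], minutes))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "2026-03-04T10:02:00 WS-LEGAL-07 jdoe AnyDesk.exe",
    "2026-03-04T10:31:00 WS-LEGAL-07 jdoe rclone.exe",
    "2026-03-04T09:15:00 WS-FIN-02 asmith WinSCP.exe",    # admin use, no preceding RMM
    "2026-03-04T11:00:00 WS-FIN-02 asmith ZohoAssist.exe",
    "2026-03-04T13:30:00 WS-FIN-02 asmith WinSCP.exe",    # 150 min later: outside window
]

def run_sample():
    return correlate(parse(line) for line in SAMPLE_LOG)

if __name__ == "__main__":
    for host, rmm, tool, mins in run_sample():
        print(f"{host}: {rmm} followed by {tool} after {mins} min")
```

Only the legal workstation fires: the finance host ran WinSCP before any RMM tool and again well outside the window, which is the kind of benign admin activity the time bound is meant to exclude.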
**Google** emphasizes that "Legal services firms represent high-value targets for extortion actors. They maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports." The group exploits the reputational and regulatory exposure of such entities, recognizing that targeting the human element can effectively bypass robust technical perimeters and **MFA** configurations.
### Evading Detection with Fast Flux
A complementary report from **Resecurity** sheds light on **UNC3753**'s sophisticated infrastructure. The group utilizes **DNS Fast Flux** network infrastructure across various countries in Latin America, Eastern Europe, Central Asia, the Middle East/Africa, East Asia, and the Caribbean. This technique makes their domains, such as `business-data-leaks[.]com` (their data leak site) and `ep6pheij[.]com` (used for staging stolen data), significantly harder to block and take down.
"By changing the **DNS** records and using short Time-To-Live (**TTL**) values, attackers make their malicious infrastructure resilient against takedowns," **Resecurity** explained. Both domains operate on a fast-flux network supported by a botnet spread across 18 countries and 22 **ISPs**. Notably, the infrastructure contains zero datacenter or hosting IPs; every node traces back to a consumer ISP and is flagged as a residential or mobile IP address, further complicating detection and mitigation efforts.
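The traits Resecurity describes (short TTLs, many resolved IPs, spread across many ISPs, all residential or mobile) can be turned into a simple passive-DNS scoring heuristic. This is an added example, not Resecurity's or Google's tooling; the observation format, thresholds, domains, IPs and ASNs below are constructed placeholders (RFC 5737 address blocks and documentation ASNs).

```python
"""Heuristic fast-flux scoring over passive-DNS style observations.

Assumed input lines: 'domain ttl ip asn is_residential' (constructed; a real feed
would be passive DNS joined with an IP-to-ASN/type enrichment lookup).
"""
from collections import defaultdict

LOW_TTL = 300   # seconds; fast-flux names rotate records with short TTLs
MIN_IPS = 5     # distinct A records seen for one name
MIN_ASNS = 3    # spread across networks rather than one hosting provider
MIN_RESIDENTIAL_SHARE = 0.8  # report: zero datacenter IPs, every node residential/mobile

def parse(line):
    domain, ttl, ip, asn, res = line.split()
    return {"domain": domain, "ttl": int(ttl), "ip": ip, "asn": asn, "residential": res == "1"}

def score(observations):
    """Return {domain: summary} with a 'fast_flux' verdict per name."""
    per = defaultdict(list)
    for o in observations:
        per[o["domain"]].append(o)
    out = {}
    for domain, obs in per.items():
        ips = {o["ip"] for o in obs}
        asns = {o["asn"] for o in obs}
        max_ttl = max(o["ttl"] for o in obs)
        resid = sum(o["residential"] for o in obs) / len(obs)
        verdict = (max_ttl <= LOW_TTL and len(ips) >= MIN_IPS
                   and len(asns) >= MIN_ASNS and resid >= MIN_RESIDENTIAL_SHARE)
        out[domain] = {"max_ttl": max_ttl, "ips": len(ips), "asns": len(asns),
                       "residential_share": round(resid, 2), "fast_flux": verdict}
    return out

# Constructed observations: a fluxing name on consumer ISPs and a static corporate name.
SAMPLE = [
    "flux.test 60 192.0.2.10 AS64496 1",   "flux.test 90 198.51.100.7 AS64497 1",
    "flux.test 60 203.0.113.22 AS64498 1", "flux.test 120 192.0.2.44 AS64499 1",
    "flux.test 60 198.51.100.91 AS64496 1","flux.test 60 203.0.113.5 AS64500 1",
    "corp.test 3600 192.0.2.200 AS64510 0","corp.test 3600 192.0.2.201 AS64510 0",
]

def run_sample():
    return score(parse(line) for line in SAMPLE)

if __name__ == "__main__":
    for domain, s in run_sample().items():
        print(domain, s)
```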