
Extortion Gang Exploits Corporate Networks with In-Person Visits


Dozens of U.S. banks, law firms and professional-services firms were targeted by a single extortion crew between January and May, according to Google’s incident response team — and when voice-based deception fails, the attackers have shown up in person with thumb drives.

UNC3753’s shift: from billing lures to help-desk calls and doorstep visits

Google’s Mandiant incident response group (GTIG) tracks the criminal crew as UNC3753 — also tracked elsewhere as Luna Moth, Chatty Spider, and Silent Ransom Group — and says the group first surfaced in 2022 using fake software-renewal and billing emails. Beginning around March 2025, the campaign changed: operators began calling targets directly, posing as IT help-desk or security staff, and convincing employees to join screen-sharing sessions via Zoom, Microsoft Terminal Services, Microsoft Teams, or Quick Assist.

GTIG explicitly warns that “associated threat actors have also attempted direct data theft using physical, in person access,” a pattern the researchers link — by structure, timeline and targeting — to UNC3753. The FBI, Mandiant says, issued a corroborating alert that Silent Ransom Group members have walked into law firms’ offices as recently as this spring, claiming to be technicians and plugging thumb drives into systems to copy files.

Rapid operations: from first contact to extortion in under a day

Mandiant’s investigators describe a startlingly fast playbook. In many incidents the entire operation — initial contact, data discovery and theft, then an extortion demand — was completed in a single day. “Recently, Mandiant observed data searches, staging, and theft initiated in under an hour,” the GTIG report says.

Attackers typically begin with an invoice-themed email that intentionally lacks malicious links or attachments; its sole purpose is to justify a follow-up phone call so recipients are likelier to trust the caller. Once on a screen-sharing session, operators map local directories and network drives, hunt for legal and document repositories, and run targeted keyword searches for sensitive items such as Forms W-2, W-9 and 1099, audit files, client agreements and Social Security numbers.

After extracting data, the extortion email typically arrives swiftly — usually within 30 minutes — and sets a three-day deadline. One example message sent to victims read, “We hope to find a financial solution that will be acceptable for both parties.” It continued with threats of disclosure and reputational harm, ending, in the attackers’ words, “Stay safe, friends.”

How they get the data out: WinSCP, Rclone, browser uploads and coerced email

GTIG documents multiple exfiltration techniques. Operators have used portable versions of the free Windows file manager WinSCP and the open-source filesystem tool Rclone to move files without triggering alerts. In other cases, attackers logged into file-sharing accounts from the victim’s browser to upload stolen documents, or simply instructed victims to send files to attacker-controlled email addresses.

In at least one intrusion, UNC3753 established Zoom sessions directly on targets’ personal laptops and used those endpoints to reach corporate virtual desktop infrastructure (VDI) such as Windows 365 or Citrix clients. Mandiant also described one case where an attacker used Microsoft Teams to access a target’s computer across five separate calls over three days.

Indicators and mitigation steps named by Mandiant and the FBI

GTIG published indicators of compromise and phishing domains observed in UNC3753 social-engineering operations, including domains designed to resemble an organization’s help desk: -itdesk[.]com, -it[.]com, and -helpdesk[.]com. The report also lists IP addresses and other IOCs.

Recommended physical controls include requiring visitors to display official credentials and photo identification, logging all visitor IDs at the front desk, validating pre-scheduled work orders, and ensuring visiting technical-service workers are accompanied by a corporate, in-office supervisor. For remote-access risks — the more common vector — Mandiant advises implementing conditional access policies that restrict VDI or VPN authentication to corporate-owned devices, and blocking installation and execution of unauthorized remote monitoring and support utilities.

What this means for technologists, affected enterprises, and front-desk personnel

  • Technologists and security teams: expect fast, low‑noise data searches and exfiltration tools such as portable WinSCP or Rclone; prioritize conditional access and blocking unauthorized remote-support apps.
  • Affected enterprises and procurement leaders: invoice-style messages with no attachments may be the pretext for a call — review vendor-communication verification and employee escalation paths that prevent ad-hoc screen sharing and remote-control sessions.
  • Front-desk and facilities staff: enforce ID checks, log visitors, verify pre-scheduled work orders and require that any onsite technician be met by an in-office supervisor before granting system access.
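The exfiltration tooling described above (portable WinSCP and Rclone launched shortly after a Quick Assist, Zoom or Teams session) lends itself to a simple correlation rule. The following is an added example for security teams, not code from the report or from Google; the process-creation events are constructed samples in a Sysmon-like shape, the executable names and the one-hour window are assumptions drawn from the article:

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2025-04-02T09:12:03", "host": "WS-ACCT-07", "user": "jdoe",
     "image": r"C:\Windows\System32\quickassist.exe"},
    {"time": "2025-04-02T09:41:55", "host": "WS-ACCT-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\WinSCP-Portable\WinSCP.exe"},
    {"time": "2025-04-02T09:58:10", "host": "WS-ACCT-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe"},
    {"time": "2025-04-02T14:05:00", "host": "WS-IT-02", "user": "itadmin",
     "image": r"C:\Program Files\WinSCP\WinSCP.exe"},
]

# File-transfer tools named in the report, and the screen-share / remote-support
# clients the operators talked victims into running (assumed executable names).
TRANSFER_TOOLS = re.compile(r"\\(rclone|winscp)\.exe$", re.IGNORECASE)
SESSION_TOOLS = re.compile(r"\\(quickassist|zoom|teams|ms-teams)\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
WINDOW = timedelta(hours=1)  # report: staging and theft started in under an hour

def detect(events):
    """Flag transfer tools run from a user-writable path (a portable copy rather
    than an admin install); raise severity to high when a remote-session client
    started on the same host within the preceding hour."""
    events = sorted(events, key=lambda e: e["time"])
    last_session = {}  # host -> time of the most recent session-tool start
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        image = e["image"]
        if SESSION_TOOLS.search(image):
            last_session[e["host"]] = ts
            continue
        if not TRANSFER_TOOLS.search(image) or not USER_WRITABLE.match(image):
            continue  # not a transfer tool, or a normal install outside a user profile
        seen = last_session.get(e["host"])
        severity = "high" if seen and ts - seen <= WINDOW else "medium"
        alerts.append({"host": e["host"], "user": e["user"],
                       "tool": image.rsplit("\\", 1)[-1].lower(), "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the accounting workstation produces two high-severity alerts (WinSCP and Rclone within an hour of Quick Assist starting), while the admin's installed WinSCP is left alone.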

The record Mandiant provides is precise about methods and speed: social-engineering calls designed to sound legitimate, rapid on-system searches for targeted financial and legal documents, multiple technical ways to move files out, and — when social engineering fails — a willingness to fall back on the old-fashioned approach of walking in and plugging in a thumb drive. The combination of fast, loud digital work and occasional low-tech physical theft is a hard problem for defenders, but it has a simple summary: stop the first call, and you prevent the rest.
