"UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments," researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan said.
UNC3753's vishing and social engineering techniques
Between January and May 2026, cybersecurity teams traced a coordinated extortion campaign that begins with deceptively simple email and phone interactions and ends with rapid data theft and an ultimatum. Google Mandiant and the Google Threat Intelligence Group (GTIG) attribute the activity to UNC3753 — also tracked as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG) — which uses benign-looking, invoice-themed emails sent from actor-controlled consumer accounts to establish a pretext. According to Google, those messages "contain no active links or malicious attachments" and instead aim to raise internal security concerns to make recipients more receptive to follow-up voice calls.
On the phone, the attackers impersonate internal IT support and persuade targets to join screen-sharing sessions on platforms such as Zoom, Microsoft Teams, or Quick Assist. The social engineering frequently guides victims to install legitimate remote management tools — AnyDesk, Bomgar, SuperOps RMM, or Zoho Assist — using installation instructions relayed via privnote[.]com, a service that allows notes to self-destruct after being read. Google noted that this approach has allowed the group to "effectively bypass traditional security controls."
Physical intrusions and the FBI advisory
The campaign escalates in some cases from remote deception to in-person access. The U.S. Federal Bureau of Investigation (FBI) reported that UNC3753 actors have posed as IT technicians to enter corporate offices and attempt to steal data directly, inserting removable USB devices into victims' computers to copy files to external drives. The FBI described this as a "new escalation" in the group's capabilities, a tactic that complements the remote screen-sharing and RMM deployments observed elsewhere.
Tools, platforms, and data exfiltration methods
Once inside a target environment — either remotely or in person — UNC3753 proceeds to enumerate local and cloud directories, crawl mapped network drives, and harvest sensitive folders. The attackers have accessed corporate virtual desktop infrastructure by starting Zoom sessions on personal laptops and then moving deeper into corporate file systems. Captured data is exfiltrated via tools like WinSCP or Rclone, or in some cases sent to email addresses controlled by the actors from the victim's own mailbox.
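One way a defender can watch for the tool chain described above (a remote-access tool installed during a vishing call, followed by Rclone or WinSCP on the same host) is a simple correlation over process-creation telemetry. This is an added example, not code from the Google/GTIG report; the executable names, the JSON field names and the sample events are all assumptions.

```python
"""Correlate remote-access tool launches with later exfil-tool launches.

Added example (not from the Google/GTIG report): scans constructed
Sysmon-style process-creation events (JSON lines) for the remote-access
tools the report names, then flags Rclone/WinSCP starting on the same
host within a short window afterwards. Names and sample data are assumptions.
"""
import json
import os
from datetime import datetime, timedelta

# Tools named in the report; the exact executable names are assumptions.
REMOTE_ACCESS = {"anydesk.exe", "bomgar-scc.exe", "superops.exe",
                 "zohoassist.exe", "quickassist.exe"}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = r"""
{"ts": "2026-03-04T14:02:11Z", "host": "WS-LEGAL-07", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"ts": "2026-03-04T14:05:40Z", "host": "WS-LEGAL-07", "user": "jdoe", "image": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2026-03-04T15:21:03Z", "host": "WS-LEGAL-07", "user": "jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe"}
{"ts": "2026-03-04T16:00:00Z", "host": "WS-FIN-02", "user": "asmith", "image": "C:\\Program Files\\WinSCP\\WinSCP.exe"}
{"ts": "2026-03-05T09:12:45Z", "host": "WS-FIN-02", "user": "asmith", "image": "C:\\Users\\asmith\\Downloads\\ZohoAssist.exe"}
"""

def parse_events(text):
    """Parse JSON lines; add a datetime 'ts' and a lowercase basename 'exe'."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["exe"] = os.path.basename(ev["image"].replace("\\", "/")).lower()
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_tool_chain(events, window=timedelta(hours=2)):
    """Return (host, remote-access exe, exfil exe, minutes) for each exfil
    tool launched within `window` after a remote-access tool on the same host.
    WinSCP on WS-FIN-02 is not flagged: no remote-access tool preceded it."""
    findings, last_rmm = [], {}          # last_rmm: host -> latest RMM event
    for ev in events:
        if ev["exe"] in REMOTE_ACCESS:
            last_rmm[ev["host"]] = ev
        elif ev["exe"] in EXFIL_TOOLS and ev["host"] in last_rmm:
            rmm = last_rmm[ev["host"]]
            delta = ev["ts"] - rmm["ts"]
            if timedelta(0) <= delta <= window:
                findings.append((ev["host"], rmm["exe"], ev["exe"],
                                 int(delta.total_seconds() // 60)))
    return findings

if __name__ == "__main__":
    for host, rmm, exfil, mins in find_tool_chain(parse_events(SAMPLE_EVENTS)):
        print(f"{host}: {exfil} launched {mins} min after {rmm}")
```

In production the same logic would run over EDR or Sysmon Event ID 1 data, and an ordinary remote-support session without a following exfil tool produces no alert.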
After exfiltration, the attackers rapidly demand payment. Google and GTIG observed that extortion emails typically arrive within 30 minutes of the attackers exiting the environment, give victims a three-day deadline to begin ransom negotiations, and threaten to call and email the victim's employees and external clients, or to publish the entire stolen archive on the LEAKEDDATA data leak site, if the victim remains unresponsive.
Targets and the nature of stolen information
Google and Mandiant reported that dozens of organizations across professional, legal, and financial services in the United States were targeted in the January–May 2026 window. The information stolen in these intrusions includes proprietary legal agreements, personally identifiable information (PII), and financial records. Google specifically highlighted the value of legal services firms to extortion actors, writing that they "maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports."
The group has shown continuity with earlier campaigns. Google said UNC3753 shares tactical overlaps with UNC2686 — a cluster linked to BazarCall-style campaigns in 2021 — and assessed both UNC3753 and UNC2686 to be offshoots of the now-defunct Conti ransomware gang. While the group previously deployed LockBit Black ransomware, the campaigners have "mainly focused on extortion-only operations since 2022," using publication threats rather than immediate encryption.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: The group's reliance on human-targeted vishing, legitimate remote-management tools, and ephemeral note-sharing (privnote[.]com) shows that robust perimeter controls can be bypassed when the human element is manipulated. Teams will need to account for scenarios where MFA and web gateways are present but social engineering establishes a remote foothold.
- Policymakers and law enforcement: The FBI's description of in-person entry as a new escalation underscores a hybrid threat that crosses cyber and physical domains. That mix — remote software-based access combined with removable-media exfiltration — presents an enforcement and guidance challenge distinct from pure ransomware operations.
- Affected enterprises and procurement leaders: Legal, financial, and professional services firms face concentrated exposure because of the types of documents UNC3753 seeks. The group's rapid three-day ultimatum to open negotiations and its willingness to contact clients directly amplify reputational and regulatory risk for those organizations.
The picture assembled by Google Mandiant, GTIG, and the FBI is of an extortion crew that has refined a playbook combining voice phishing, legitimate remote-management software, ephemeral instructions, and, in some cases, physical presence to defeat technical barriers and extract high-value data quickly. As UNC3753 continues extortion-only operations and threatens immediate publication on the LEAKEDDATA site, the central vulnerability the group exploits remains the human response to an urgent-sounding IT pretext — and that is a problem that technical measures alone will not fully resolve.