UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign

Cybersecurity researchers have disclosed details of a financially motivated data theft extortion campaign that has targeted dozens of organizations across professional, legal, and financial services in the U.S. between January and May 2026.

The activity has been attributed by Google Mandiant and Google Threat Intelligence Group (GTIG) to a threat actor dubbed UNC3753, which is also known as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG).

“UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments,” researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan said.

“Using pretexts such as data migration or invoice-related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities.”

Upon gaining access, the threat actors have been found to either carry out direct searches to locate and exfiltrate files of interest or deceive the victim into carrying out the actions on their behalf. Stolen information includes proprietary legal agreements, personally identifiable information (PII), and financial records.

In some instances, the attackers have accessed victims’ systems in person, echoing an advisory issued by the U.S. Federal Bureau of Investigation (FBI) last month. These physical intrusions involve the threat actors posing as IT technicians to enter corporate offices and attempt to steal data using removable USB media.

“By sending someone in-person to the victim’s location to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive inserted by the threat actor into the victim’s computer,” the FBI said of the new escalation in UNC3753’s capabilities.

Google said UNC3753 shares tactical overlaps with UNC2686, a threat cluster previously known for carrying out BazarCall-style campaigns in 2021. Although the group has been observed deploying LockBit Black ransomware in the past, it has mainly focused on extortion-only operations since 2022, pressuring victims to pay up or risk getting their data published on the LEAKEDDATA data leak site.

Both UNC3753 and UNC2686 are assessed to be offshoots of the now-defunct Conti ransomware gang, with early iterations of the campaigns using subscription cancellation lures as part of callback phishing attacks that aim to install remote access software on victims’ machines.

Beginning around March 2025, the hacking crew has impersonated internal corporate IT help desk staff to trick victims into joining a screen-sharing session on enterprise communication platforms like Zoom, Microsoft Teams, or Quick Assist, effectively bypassing traditional security controls.

“The threat group frequently initializes campaigns using benign, invoice-themed email lures sent from actor-controlled consumer email accounts,” Google said. “These messages contain no active links or malicious attachments. Instead, they typically contain a brief, generic message. The primary purpose of these emails is to establish a pretext, raising the target’s internal security concerns so they are more susceptible to follow-up voice calls.”

Once a session is established, the attackers attempt to establish a persistent foothold by guiding the victims to install legitimate remote desktop software like AnyDesk, Bomgar, SuperOps RMM, or Zoho Assist. Instructions to install these programs are shared via a legitimate service called “privnote[.]com,” which allows users to send notes that self-destruct after being read by the recipient.

UNC3753 has also been observed establishing Zoom sessions directly on targets’ personal laptops to access corporate virtual desktop infrastructure (VDI) and burrow deeper into corporate file systems with the goal of enumerating local and cloud directories, crawling mapped network drives, and harvesting data from highly sensitive folders, including those related to tax filings, audits, corporate client agreements, and Social Security numbers (SSNs).

In the final stage, the captured data is sent to the threat actors via WinSCP or Rclone, or forwarded from the target’s own mailbox to email addresses controlled by the threat actor. This is followed by the attackers sending an extortion demand in the form of an email message, typically within 30 minutes of exiting the target environment.
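The chain described above (victim-installed RMM tool, then WinSCP or Rclone on the same host) is something a defender can correlate in process-creation telemetry. The following is an added example, not code from Google or the article: it runs a simple time-window correlation over constructed sample events. The executable names and the four-hour window are assumptions to adjust to your own environment.

```python
from datetime import datetime, timedelta

# RMM tools named in the article and the transfer tools used for exfiltration.
# Executable names are assumptions for illustration; match them to your telemetry.
RMM_TOOLS = {"anydesk.exe", "bomgar-scc.exe", "superops.exe", "zohoassist.exe"}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# Constructed sample events (host, ISO timestamp, image name) modelled on
# process-creation telemetry; these are not real logs.
SAMPLE_EVENTS = [
    ("WS-LEGAL-07", "2026-03-12T14:02:10", "zoom.exe"),
    ("WS-LEGAL-07", "2026-03-12T14:09:45", "anydesk.exe"),
    ("WS-LEGAL-07", "2026-03-12T15:31:02", "rclone.exe"),
    ("WS-FIN-02",   "2026-03-12T09:15:00", "winscp.exe"),    # no preceding RMM install
    ("WS-TAX-11",   "2026-03-13T10:00:00", "zohoassist.exe"),
    ("WS-TAX-11",   "2026-03-15T10:05:00", "rclone.exe"),    # outside the window
]

def parse_event(ev):
    host, ts, image = ev
    return host, datetime.fromisoformat(ts), image.lower()

def find_rmm_then_exfil(events, window=timedelta(hours=4)):
    """Return one alert per exfil-tool launch that follows the first RMM tool
    seen on the same host within `window`, mirroring the described chain."""
    first_rmm = {}   # host -> (timestamp, image) of the earliest RMM tool seen
    alerts = []
    ordered = sorted((parse_event(e) for e in events), key=lambda e: e[1])
    for host, ts, image in ordered:
        if image in RMM_TOOLS:
            first_rmm.setdefault(host, (ts, image))
        elif image in EXFIL_TOOLS:
            seen = first_rmm.get(host)
            if seen and timedelta(0) <= ts - seen[0] <= window:
                alerts.append({
                    "host": host,
                    "rmm": seen[1],
                    "exfil": image,
                    "minutes_between": int((ts - seen[0]).total_seconds() // 60),
                })
    return alerts

if __name__ == "__main__":
    for alert in find_rmm_then_exfil(SAMPLE_EVENTS):
        print(alert)
```

An exfil tool with no prior RMM install (WS-FIN-02 above) is deliberately not alerted here; treat it as a separate, lower-confidence rule rather than folding it into this one.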

The email messages give victims a three-day deadline to initiate ransom negotiations. Should the victim remain unresponsive, the attackers threaten to call and email the target’s employees and external clients directly to notify them of the data breach, and to publish all of the stolen information on the data leak site.

“Legal services firms represent high-value targets for extortion actors. They maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports,” Google said.

“Threat groups recognize that legal entities are subject to heavy reputational and regulatory exposure and may be highly motivated to resolve extortion situations quietly to protect their professional standing. Threat actors recognize that targeting the human element – specifically using voice-guided social engineering – enables them to easily bypass robust technical perimeters, web security gateways, and MFA configurations.”
