UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data

A sophisticated cybercriminal group known as UNC3753 has been running an aggressive campaign against US law firms since early 2026, using phone calls, screen-sharing tricks, and remote monitoring software to break into corporate systems and steal sensitive files.

The group is also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group, and has been active since at least March 2022. Its latest wave ran from January through May 2026 and hit dozens of organizations across the legal, professional, and financial services sectors.

What makes this campaign alarming is how fast it moves. In many cases, attackers went from the first phone call to actual data theft within a single business day. In some incidents, searching, staging, and exfiltrating files was completed in under an hour.

The group does not rely on traditional malware but targets people directly through convincing voice calls.

Analysts at Google Cloud said in a report shared with Cyber Security News (CSN) that UNC3753 starts attacks with simple, invoice-themed emails sent from consumer accounts.

These messages carry no links or attachments. Their only purpose is to plant concern in the recipient’s mind, making them more likely to answer a follow-up call from someone posing as IT helpdesk staff.

Law firms hold highly sensitive information including merger plans, client files, trade secrets, and regulatory reports. Attackers know that firms facing reputational pressure may choose to pay quietly rather than risk public exposure. That calculation drives the entire extortion model.

The extortion phase begins almost immediately after theft. Within 30 minutes of exiting a victim’s environment, the group sends a threatening email demanding a response within three days.

If ignored, they threaten to contact employees, clients, and the media, and publish stolen files on a data leak site called LEAKEDDATA.

UNC3753 Attacking US Law Firms

The group’s entry method relies on impersonating corporate IT support staff. Attackers look up publicly listed employee details on company websites, then call those individuals directly.

During the call, they claim to address a security issue or assist with a data migration project, building trust before directing the victim into a screen-sharing session.

Once screen sharing is active, the attacker guides the victim into downloading remote access tools. UNC3753 has used AnyDesk, Bomgar, Zoho Assist, and a SuperOps RMM agent in separate engagements.

To avoid leaving traces, they deliver installation links through Privnote, a self-destructing text tool that erases messages once read.

In several cases, attackers accessed corporate virtual desktop environments through BYOD laptops using Windows 365 or Citrix clients.

UNC3753 attack lifecycle (Source – Google Cloud)

From there, they searched systems like iManage for tax records, Social Security numbers, and legal agreements, then staged files in the Downloads folder before exfiltrating.

Organizations should train staff to verify IT calls independently, restrict remote access tool installation, and enforce MFA on document repositories.

Data Exfiltration and Physical Intrusion

Once files are staged, UNC3753 moves them through several methods. They have used portable WinSCP and Rclone for bulk transfers, or logged directly into cloud storage within the victim’s browser.

In one incident, the group moved 1.7 gigabytes to a Google Drive account before pivoting to a VDI session and exfiltrating an additional 14.4 gigabytes using WinSCP.

Beyond digital attacks, individuals tied to UNC3753 have physically entered corporate offices posing as IT technicians, a tactic corroborated by an FBI Cyber FLASH Alert.

LEAKEDDATA DLS (Source – Google Cloud)

These actors claim to image devices and copy data to USB drives before leaving. Disabling USB storage across all endpoints and BYOD systems is a critical control to block this physical threat.

Organizations should monitor SSH traffic and outbound transfers for unusual spikes, and configure real-time alerts in document platforms for mass downloads.
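The mass-download alerting described above, as an added illustration that is not from the article or from Google Cloud's report: a sliding-window detector over a constructed document-repository audit log, flagging the first time a user pulls more than a threshold of distinct documents within a short window. The log format, user names and threshold are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Threshold and window are illustrative assumptions; tune to the firm's normal usage.
MAX_DOWNLOADS = 50
WINDOW = timedelta(minutes=15)

def parse_event(line):
    # Constructed audit-log format: "<ISO-8601 timestamp> <user> <action> <document_id>"
    ts, user, action, doc = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action, doc

def mass_download_alerts(lines):
    """Return (user, timestamp, distinct_count) the first time each user exceeds
    MAX_DOWNLOADS distinct documents within WINDOW. Lines must be time-ordered."""
    windows = {}          # user -> deque of (timestamp, document_id) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ts, user, action, doc = parse_event(line)
        if action != "download":
            continue
        q = windows.setdefault(user, deque())
        q.append((ts, doc))
        while q and ts - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > MAX_DOWNLOADS and user not in alerted:
            alerted.add(user)                # alert once per user, not once per event
            alerts.append((user, ts, distinct))
    return alerts

def constructed_sample():
    """Constructed sample: one user pulls 60 distinct files in 10 minutes,
    another downloads 5 files over an hour (normal usage)."""
    base = datetime(2026, 3, 2, 14, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat().replace('+00:00', 'Z')} jdoe download DOC{i:04d}")
    for i in range(5):
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t.isoformat().replace('+00:00', 'Z')} asmith download DOC9{i:03d}")
    return sorted(lines)   # ISO timestamps sort chronologically as strings

if __name__ == "__main__":
    for user, ts, count in mass_download_alerts(constructed_sample()):
        print(f"ALERT {user}: {count} distinct documents by {ts.isoformat()}")
```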

Phishing domains used by this group follow patterns like organization-itdesk.com and organization-helpdesk.com, which can be blocked at the DNS level. Physical visitor verification, including ID logging and mandatory escort of technical personnel, must be enforced without exception.
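A way to hunt for the helpdesk-lookalike domain patterns above in DNS resolver logs, as an added example that is not part of the article or the report: it matches the three published patterns (<organization>-itdesk, <organization>-it, <organization>-helpdesk) against the firm's own name variants, while leaving the firm's real domain and its legitimate subdomains alone. The log format and the organization names are constructed assumptions.

```python
import re
from typing import Iterable

# Suffixes from the published patterns: <organization>-itdesk.com,
# <organization>-it.com and <organization>-helpdesk.com (any TLD is matched).
LOOKALIKE_SUFFIXES = ("-itdesk", "-it", "-helpdesk")

def lookalike_pattern(org_names: Iterable[str]) -> "re.Pattern[str]":
    """Compile a regex for <org><suffix>.<tld>, optionally under extra subdomain labels.
    org_names are the firm's name variants (hypothetical, supplied by the caller)."""
    orgs = "|".join(re.escape(n.lower()) for n in org_names)
    sufs = "|".join(re.escape(s) for s in LOOKALIKE_SUFFIXES)
    # "acme-itdesk.com" and "www.acme-itdesk.com" match;
    # "acme.com" and "helpdesk.acme.com" do not, since the suffix must follow the org name.
    return re.compile(rf"^(?:[a-z0-9-]+\.)*(?:{orgs})(?:{sufs})\.[a-z]{{2,}}$")

def find_lookalike_queries(log_lines, org_names):
    """Return (client_ip, queried_name) for every query that hits a lookalike pattern."""
    pat = lookalike_pattern(org_names)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        # Constructed resolver-log format: "<timestamp> <client_ip> <queried_name>"
        qname = parts[2].rstrip(".").lower()   # strip trailing root dot, normalise case
        if pat.match(qname):
            hits.append((parts[1], qname))
    return hits

# Constructed sample log: two legitimate queries, three lookalikes, one unrelated name.
SAMPLE_DNS_LOG = """\
2026-03-02T09:14:03Z 10.1.4.22 acme.com.
2026-03-02T09:14:07Z 10.1.4.22 helpdesk.acme.com.
2026-03-02T09:15:41Z 10.1.4.22 ACME-itdesk.com.
2026-03-02T09:15:42Z 10.1.4.22 www.acme-helpdesk.com.
2026-03-02T09:16:10Z 10.1.7.9 acmelaw-it.com.
2026-03-02T09:16:12Z 10.1.7.9 summit.example.
""".splitlines()

if __name__ == "__main__":
    for client, name in find_lookalike_queries(SAMPLE_DNS_LOG, ["acme", "acmelaw"]):
        print(f"lookalike query from {client}: {name}")
```

The same pattern, once confirmed, can feed a DNS block list (for example a response policy zone) for the firm's name variants.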

Indicators of Compromise (IoCs):

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.


Source: cybersecuritynews.com
