A sophisticated cybercriminal group has been quietly targeting law firms and professional services organizations across the United States since the beginning of 2026.
The campaign is financially motivated and relies heavily on deception rather than technical exploits. Victims are manipulated into handing over access to their own systems, and by the time they realize what happened, their most sensitive data is already gone.
The threat cluster behind these attacks, known as UNC3753, has also been tracked under the names “Luna Moth,” “Chatty Spider,” and “Silent Ransom Group.”
The group has been active since at least March 2022 and has a long history of pivoting its tactics to stay effective.
From January through May 2026, dozens of organizations in the legal, financial, and professional services sectors were targeted in what appears to be one of the group’s most active and damaging periods yet. Analysts from Google Cloud identified and documented this campaign in detail.
According to a Google Cloud report shared with Cyber Security News (CSN), Google’s Threat Intelligence Group noted that the entire attack sequence, from the first phone call to completed data theft, often happened within a single business day. In some cases, the data was staged and stolen in under an hour.
The group begins each attack by sending a benign-looking invoice-themed email from a consumer email account. The message contains no malicious links or attachments.
Its only purpose is to put the target on edge so they are more likely to engage when the threat actors call shortly after, posing as internal IT helpdesk staff.
UNC3753 attack lifecycle (Source – Google Cloud)
Once on the phone, the attackers convince the target to join a screen-sharing session and download remote monitoring and management tools.
After gaining control, the attackers search corporate file systems for high-value documents including legal agreements, tax forms, Social Security numbers, and financial records.
They then upload the stolen files to cloud accounts they control. Shortly after exiting the environment, the group sends aggressive extortion emails demanding a response within three days or threatening to notify employees, clients, and journalists about the breach.
UNC3753 Uses Screen-Sharing Sessions and RMM Tools
Once a victim is on a call with the attacker, the victim is directed to launch a screen-sharing session through tools like Zoom, Microsoft Teams, or Quick Assist.
In one documented case, an attacker held five separate calls with the same person over three days.
From there, the group pushes the target to install commercial remote management software such as AnyDesk, Bomgar, or Zoho Assist, giving the attackers persistent access to the machine.
To avoid leaving traces, the group uses privnote.com, a self-destructing message service, to send download links and commands.
LEAKEDDATA DLS (Source – Google Cloud)
Once inside a virtual desktop environment, attackers crawl network drives, search document management platforms like iManage using specific keywords, and stage the results in the user’s Downloads folder.
Files are then uploaded through WinSCP, Rclone, or directly through the victim’s own web browser into attacker-controlled cloud storage accounts.
In one particularly aggressive incident, the group exfiltrated 1.7 gigabytes from a target’s OneDrive folder to an external account, then pivoted to a virtual desktop session and pulled an additional 14.4 gigabytes using WinSCP.
The group later threatened to publish the stolen data on a data leak site called LEAKEDDATA if the victim refused to pay.
Physical Intrusions Mark a Dangerous Escalation
Beyond digital attacks, there are instances where individuals posing as IT technicians physically entered corporate offices to steal data using USB drives.
According to an FBI Cyber FLASH Alert cited in the report, if remote social engineering fails, the group sends a person on-site who claims to need physical access to address a security issue.
This physical escalation is particularly alarming because most office environments rely solely on basic administrative checks to control entry.
Google’s Threat Intelligence Group recommends that organizations conduct targeted awareness training around these specific tactics. Firms should also enforce strict physical access policies, requiring photo identification and escorted entry for all external technical visitors.
On the digital side, only corporate-owned devices should be permitted to access virtual desktops or VPNs, and unauthorized remote management tools should be blocked outright.
Real-time alerts should be configured in document management platforms to flag bulk file searches and mass downloads.
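The two recommendations above, blocking unauthorized remote management tools and alerting on bulk searches and mass downloads in the document management platform, can be prototyped as one small detection pass over audit events. The script below is an added example, not code from the report or from Google; the log format (one line per event: timestamp, user, event type, detail), the five-minute window, the thresholds and the RMM deny-list are all assumptions of mine, and the log lines are constructed.

```python
"""Sketch of a detection for the activity described in the report (added example).

Assumed audit-line format (mine, not the report's):
    <ISO-8601 timestamp> <user> <event> <detail>
where <event> is 'search', 'download' or 'process_start'.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window per user (illustrative tuning value)
SEARCH_THRESHOLD = 5            # this many searches inside WINDOW => "bulk search"
DOWNLOAD_THRESHOLD = 10         # this many downloads inside WINDOW => "mass download"

# Remote-access tools the report names; their launch is treated as unauthorized
# here. A real deployment would mirror the organization's own tool policy.
RMM_DENYLIST = {"anydesk", "bomgar", "zohoassist"}

# Constructed sample audit log: one user doing keyword searches, a burst of
# downloads and an RMM launch, and a second user with ordinary activity.
SAMPLE_LOG = """\
2026-03-04T09:00:01 jdoe search q="tax return"
2026-03-04T09:00:04 jdoe search q="settlement agreement"
2026-03-04T09:00:07 jdoe search q="social security"
2026-03-04T09:00:10 jdoe search q="W-2"
2026-03-04T09:00:13 jdoe search q="bank statement"
2026-03-04T09:00:30 asmith search q="meeting notes"
2026-03-04T09:01:00 jdoe download doc=client_01_tax.pdf
2026-03-04T09:01:03 jdoe download doc=client_02_tax.pdf
2026-03-04T09:01:06 jdoe download doc=client_03_agreement.pdf
2026-03-04T09:01:09 jdoe download doc=client_04_agreement.pdf
2026-03-04T09:01:12 jdoe download doc=client_05_w2.pdf
2026-03-04T09:01:15 jdoe download doc=client_06_w2.pdf
2026-03-04T09:01:18 jdoe download doc=client_07_statement.pdf
2026-03-04T09:01:21 jdoe download doc=client_08_statement.pdf
2026-03-04T09:01:24 jdoe download doc=client_09_ssn_list.xlsx
2026-03-04T09:01:27 jdoe download doc=client_10_ssn_list.xlsx
2026-03-04T09:02:00 asmith download doc=agenda.docx
2026-03-04T09:05:00 asmith process_start Teams.exe
2026-03-04T09:06:00 jdoe process_start AnyDesk.exe
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, event, detail)."""
    ts, user, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, event, detail


def detect(lines):
    """Return alerts as (timestamp, user, kind, detail).

    One alert is raised per user the first time a threshold is crossed inside
    the sliding window, plus one alert per deny-listed process launch.
    """
    alerts = []
    windows = {"search": defaultdict(deque), "download": defaultdict(deque)}
    thresholds = {"search": SEARCH_THRESHOLD, "download": DOWNLOAD_THRESHOLD}
    already = set()  # (user, event) pairs already alerted on, to avoid repeats
    for line in lines:
        if not line.strip():
            continue
        ts, user, event, detail = parse_line(line)
        if event == "process_start":
            exe = detail.lower().removesuffix(".exe").replace(" ", "")
            if exe in RMM_DENYLIST:
                alerts.append((ts, user, "rmm_launch", detail))
            continue
        if event not in windows:
            continue
        recent = windows[event][user]
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW:   # drop events outside the window
            recent.popleft()
        if len(recent) >= thresholds[event] and (user, event) not in already:
            already.add((user, event))
            alerts.append((ts, user, f"bulk_{event}",
                           f"{len(recent)} {event} events within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for ts, user, kind, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {user:8} {kind:14} {detail}")
```

Run against the constructed log it raises three alerts, all for `jdoe`: the bulk search on the fifth query, the mass download on the tenth file, and the AnyDesk launch; `asmith` produces none. The per-user sliding window is what keeps a normal day's worth of searches from tripping the threshold while still catching the compressed timeline the report describes.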
Indicators of Compromise (IoCs):

Type             Indicator                              Description
IPv4 Address     192.236.147.131                        Actor-controlled infrastructure
IPv4 Address     192.236.147.138                        Actor-controlled infrastructure
IPv4 Address     193.141.60.212                         Actor-controlled infrastructure
IPv4 Address     192.236.154.158                        Actor-controlled infrastructure
IPv4 Address     192.236.146.173                        Actor-controlled infrastructure
IPv4 Address     174.169.162.62                         Actor-controlled infrastructure
IPv4 Address     64.94.84.97                            Actor-controlled infrastructure
Domain Pattern   <organization>-itdesk[.]com            Phishing/vishing support domain
Domain Pattern   <organization>-it[.]com                Phishing/vishing support domain
Domain Pattern   <organization>-helpdesk[.]com          Phishing/vishing support domain
Data Leak Site   hxxps[:]//business-data-leaks[.]com    UNC3753 victim disclosure platform
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
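The indicator list above mixes literal IP addresses, defanged domain patterns with an `<organization>` placeholder, and a defanged URL. The script below is an added example, not code from the report, showing how a SOC might load that list: it re-fangs only in memory for matching, turns each `<organization>` pattern into a regular expression so any lookalike helpdesk domain is caught, validates the IPs, and writes every hit back out defanged. The proxy log format (timestamp, client, destination IP, hostname or `-`) and the log lines themselves are constructed.

```python
"""Load the IoC table above and match it against proxy log lines (added example).

The indicators are the ones listed in the report; the log format and the sample
lines are constructed for illustration.
"""
import ipaddress
import re

# Indicators exactly as listed in the table (domains and URL still defanged).
IOC_IPS = [
    "192.236.147.131", "192.236.147.138", "193.141.60.212", "192.236.154.158",
    "192.236.146.173", "174.169.162.62", "64.94.84.97",
]
IOC_DOMAIN_PATTERNS = [
    "<organization>-itdesk[.]com",
    "<organization>-it[.]com",
    "<organization>-helpdesk[.]com",
]
IOC_DLS = "hxxps[:]//business-data-leaks[.]com"


def refang(value):
    """Undo the defanging conventions used in the table; for in-memory matching only."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def defang(value):
    """Re-apply defanging before a value is written to a ticket, report or chat."""
    return value.replace(".", "[.]").replace("http", "hxxp").replace("://", "[:]//")


def pattern_to_regex(pattern):
    """Turn '<organization>-itdesk[.]com' into a regex accepting any name in that slot.

    A pattern without the placeholder becomes an exact (case-insensitive) match.
    """
    host = refang(pattern)
    if "<organization>" not in host:
        return re.compile(r"^" + re.escape(host) + r"$", re.IGNORECASE)
    head, tail = host.split("<organization>", 1)
    return re.compile(r"^" + re.escape(head) + r"[a-z0-9.-]+" + re.escape(tail) + r"$",
                      re.IGNORECASE)


def build_matchers():
    """Return (set of IP addresses, list of compiled host regexes)."""
    ips = {ipaddress.ip_address(ip) for ip in IOC_IPS}   # raises on a malformed entry
    dls_host = refang(IOC_DLS).split("//", 1)[1]
    regexes = [pattern_to_regex(p) for p in IOC_DOMAIN_PATTERNS]
    regexes.append(pattern_to_regex(dls_host))
    return ips, regexes


# Constructed proxy log: "<timestamp> <client-ip> <destination-ip> <host-or-dash>".
SAMPLE_PROXY_LOG = [
    "2026-02-10T10:15:02 10.0.0.12 192.236.147.131 -",
    "2026-02-10T10:16:40 10.0.0.12 203.0.113.7 acme-itdesk.com",
    "2026-02-10T10:17:05 10.0.0.33 203.0.113.8 intranet.acme.example",
    "2026-02-10T10:18:11 10.0.0.12 203.0.113.9 business-data-leaks.com",
]


def scan(lines):
    """Return (timestamp, client, reason) for every line touching an indicator.

    Reasons carry the matched value already defanged so they are safe to paste.
    """
    ips, regexes = build_matchers()
    hits = []
    for line in lines:
        ts, client, dst_ip, host = line.split()
        reason = None
        if ipaddress.ip_address(dst_ip) in ips:
            reason = "actor-controlled IP " + defang(dst_ip)
        elif host != "-" and any(r.match(host) for r in regexes):
            reason = "IoC domain pattern " + defang(host)
        if reason:
            hits.append((ts, client, reason))
    return hits


if __name__ == "__main__":
    for ts, client, reason in scan(SAMPLE_PROXY_LOG):
        print(ts, client, reason)
```

Three of the four constructed lines are flagged: the direct connection to one of the listed addresses, the lookalike `acme-itdesk[.]com` caught by the `<organization>` pattern, and a visit to the leak site; the internal hostname passes. Because `<organization>-it[.]com` is anchored on its suffix, it does not also swallow `-itdesk` hosts, so each hit can be attributed to the specific pattern it matched.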
The post UNC3753 Uses Screen-Sharing Sessions and RMM Tools to Exfiltrate Sensitive Legal Data appeared first on Cyber Security News.