UNC3753 Targets U.S. Law Firms With Hybrid Extortion Attacks
A financially motivated threat actor tracked as UNC3753, also known as Silent Ransom Group, Luna Moth, and Chatty Spider, is conducting an aggressive, multi-vector extortion campaign against legal, professional, and financial services firms across the United States.
Active between January and May 2026, the group has abandoned ransomware deployment entirely, pivoting to pure data-theft extortion backed by voice phishing and, when that fails, physical intrusions into victim offices.
UNC3753 initiates intrusions through callback phishing and vishing campaigns, socially engineering employees into granting remote access.
Once inside, attackers exploit Bring Your Own Device (BYOD) environments to hijack personal endpoints and pivot into corporate Virtual Desktop Infrastructure (VDI).
From there, they systematically crawl mapped network drives and document management systems, particularly iManage, hunting for high-value data, including tax logs, audit files, Social Security numbers, and proprietary legal agreements.
Stolen data is staged within local user profiles before being exfiltrated with portable file-transfer clients such as WinSCP (over SFTP/SCP or FTP) or uploaded directly to actor-controlled cloud storage.
The speed and precision of these operations underscore the group’s operational maturity and its deliberate focus on maximally sensitive corporate data.

Threat intelligence, corroborated by a recent FBI Cyber FLASH Alert, confirms that UNC3753 is escalating beyond digital vectors.
When remote access attempts fail, the group dispatches physical operatives directly to victim offices. These individuals pose as contracted IT technicians, claiming they must image a local device or create backups in response to an urgent security alert.
Once front-desk staff grant physical access, attackers bypass network perimeters entirely and exfiltrate corporate data onto removable USB storage media.
This physical vector represents a severe escalation in extortion tradecraft, demonstrating that even robust network defenses can fail when administrative controls at facilities are weak.
Following successful data exfiltration, UNC3753 moves with striking efficiency. According to Google Cloud Threat Intelligence, the group typically delivers unbranded extortion emails within 30 minutes of exiting the target network.
Victimized organizations receive exactly three days to initiate negotiations, with explicit threats to publish proprietary legal agreements, financial records, and client data on the group's dedicated LEAKEDDATA leak site on the dark web.
Mitigation
Google Cloud recommends that organizations bridge the gap between physical and digital security perimeters. Key defensive measures include:
- Enforce strict out-of-band identity verification for all visiting technicians and require supervisors to escort external IT personnel at all times
- Audit and block unauthorized RMM software installations using application control policies
- Disable USB mass storage read/write capabilities across all corporate endpoints to neutralize physical exfiltration
- Monitor network flows for high-volume SSH traffic and watch for newly registered phishing domains mimicking internal help desks (e.g., domains ending in -itdesk[.]com or -helpdesk[.]com)
Indicators of Compromise
| IOC Type | Indicator |
|---|---|
| IPv4 Address | 192.236.147[.]131 |
| IPv4 Address | 192.236.147[.]138 |
| IPv4 Address | 193.141.60[.]212 |
Note: IP addresses above are intentionally defanged to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
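The following is an added example, not code from the original article, Google Cloud, or the FBI alert. It shows one way to operationalize the last monitoring bullet above together with the IOC table: refanging the published indicators only at load time, flagging DNS queries for help-desk lookalike domains of the two shapes named in the mitigation list, and aggregating outbound SSH/SFTP volume per source host while matching flow destinations against the IOC IPs. The log formats, host names, the allowlisted corporate help-desk domain and the byte threshold are constructed for illustration and must be adapted to the environment's own telemetry.

```python
"""Triage helpers for the UNC3753 mitigation guidance and IOC table.

Added example, not from the original article. Log formats, hosts and
thresholds are constructed; the IOCs are the three addresses from the table.
"""
import ipaddress
import re
from collections import defaultdict

# IOCs copied from the article's table, kept defanged exactly as published.
DEFANGED_IOCS = ["192.236.147[.]131", "192.236.147[.]138", "193.141.60[.]212"]

# Registrable-domain shapes named in the mitigation list: <anything>-itdesk.com
# and <anything>-helpdesk.com.
LOOKALIKE_RE = re.compile(r"^[a-z0-9-]+-(itdesk|helpdesk)\.com$")


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('192.236.147[.]131') to its live form.
    Only call this inside a controlled TI platform or SIEM, per the note above."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def refang_ips(defanged):
    """Refang and validate IP indicators; raises ValueError on anything that is not an IP."""
    return {str(ipaddress.ip_address(refang(d))) for d in defanged}


# Constructed DNS log shape: "<timestamp> <host> query <qname>"
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<qname>\S+)")


def find_lookalike_queries(dns_lines, allowlist=frozenset()):
    """Return (host, qname) pairs whose registrable domain matches a help-desk lookalike.
    Put the firm's genuine help-desk domain in allowlist so it is not flagged."""
    hits = []
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        registrable = ".".join(qname.split(".")[-2:])  # last two labels catch subdomains too
        if qname in allowlist or registrable in allowlist:
            continue
        if LOOKALIKE_RE.match(registrable):
            hits.append((m.group("host"), qname))
    return hits


# Constructed flow log shape: "<timestamp> <src> -> <dst>:<dport> bytes=<n>"
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$")


def triage_flows(flow_lines, ioc_ips, ssh_bytes_threshold=50_000_000):
    """Sum bytes sent to TCP/22 per source and match destinations against IOC IPs.
    Returns (sources over threshold -> total bytes, list of (src, dst, dport) IOC hits).
    The 50 MB threshold is an illustrative assumption; baseline it per environment."""
    ssh_bytes = defaultdict(int)
    ioc_hits = []
    for line in flow_lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, dst, dport = m.group("src"), m.group("dst"), int(m.group("dport"))
        if dst in ioc_ips:
            ioc_hits.append((src, dst, dport))
        if dport == 22:
            ssh_bytes[src] += int(m.group("bytes"))
    over = {src: total for src, total in ssh_bytes.items() if total >= ssh_bytes_threshold}
    return over, ioc_hits


# Constructed sample telemetry. acme-helpdesk.com plays the firm's real help desk.
SAMPLE_DNS = [
    "2026-03-04T10:12:01Z ws-042 query acme-helpdesk.com",
    "2026-03-04T10:12:05Z ws-042 query portal.acme-itdesk.com",
    "2026-03-04T10:13:00Z ws-007 query updates.example.net",
    "2026-03-04T10:14:30Z ws-042 query acmelaw-helpdesk.com",
]
_IOC_LIVE = refang(DEFANGED_IOCS[0])  # refanged at runtime so the live IP is not a literal here
SAMPLE_FLOWS = [
    "2026-03-04T10:20:00Z 10.1.5.42 -> 203.0.113.9:22 bytes=38000000",
    "2026-03-04T10:21:00Z 10.1.5.42 -> 203.0.113.9:22 bytes=21000000",
    f"2026-03-04T10:22:00Z 10.1.5.7 -> {_IOC_LIVE}:443 bytes=1200",
    "2026-03-04T10:23:00Z 10.1.5.19 -> 198.51.100.4:22 bytes=4000",
]

if __name__ == "__main__":
    ioc_ips = refang_ips(DEFANGED_IOCS)
    print("lookalike queries:", find_lookalike_queries(SAMPLE_DNS, allowlist={"acme-helpdesk.com"}))
    print("ssh egress / ioc hits:", triage_flows(SAMPLE_FLOWS, ioc_ips))
```

Run against the constructed samples this flags ws-042 for the two lookalike domains, 10.1.5.42 for 59 MB of outbound SSH in two flows, and 10.1.5.7 for contacting the first IOC address; the allowlisted corporate help-desk domain is ignored. In production, feed the DNS and flow lines from the SIEM and keep the refanged IOC set out of version control and chat.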