Cybersecurity researchers have uncovered a large-scale data theft and extortion campaign carried out by a threat group known as UNC3753. The group, also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group, targeted organizations in the legal, financial, and professional services sectors across the United States between January and May 2026. According to findings from Google Mandiant and the Google Threat Intelligence Group, the attackers focused on stealing sensitive information and then demanding payment from victims.

Unlike many cybercriminal groups that rely on malware or ransomware, UNC3753 mainly uses social engineering tactics to gain access to company systems. The attackers begin their operations by sending simple invoice-related emails that appear harmless. These emails are designed to create concern and make employees more likely to respond when they later receive a phone call from someone claiming to be part of the company’s IT department.
During these calls, the attackers pose as helpdesk or security staff and convince employees that urgent technical assistance is required. Victims are instructed to join screen-sharing sessions and download legitimate remote access or remote management tools. Because the software used is often trusted and commonly found in business environments, the attackers can bypass many traditional security controls without triggering immediate suspicion.
Researchers found that UNC3753 frequently relied on tools such as Microsoft Teams, Quick Assist, Zoom, AnyDesk, Bomgar, and Zoho Assist to establish access. Once connected to a victim’s system, the attackers quickly moved through company files and storage locations. Their primary goal was to locate valuable documents containing legal agreements, financial information, and personally identifiable information that could later be used for extortion.
One of the most unusual aspects of this campaign was the use of physical intrusions. In several incidents linked to the group, individuals posing as IT technicians reportedly visited corporate offices in person. These individuals attempted to gain direct access to computers and exfiltrate sensitive data using USB storage devices. This tactic added a real-world element to what is normally considered a purely digital cybercrime operation.
Investigators noted that the attackers often moved extremely fast after gaining access. In many cases, the entire attack process, from the initial contact with the victim to data theft and extortion, was completed within a single business day. Researchers also observed situations where attackers began searching for and collecting sensitive files in less than an hour after obtaining access to the target environment.
After stealing data, UNC3753 typically sent extortion emails demanding payment from victim organizations. These messages often arrived shortly after the attackers left the compromised systems. The group usually provided a three-day deadline and warned that stolen information could be exposed publicly or shared with clients if negotiations did not begin. Their messages also emphasized potential reputational damage, regulatory penalties, and legal consequences.
Security experts believe this campaign highlights the growing effectiveness of social engineering attacks that focus on manipulating people rather than exploiting technical vulnerabilities. The combination of phishing emails, vishing calls, legitimate remote access tools, and even physical office visits allowed UNC3753 to bypass many traditional defenses. Researchers are urging organizations to strengthen employee awareness, verify IT requests through trusted channels, and improve controls around remote access and physical security to reduce the risk of similar attacks.
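The timing described above (a remote-support tool starts, and sensitive files are being collected within the hour) can be turned into a correlation rule. The following Python is an added example, not code from the researchers or from this article: the event fields, share paths, tool keywords and sample telemetry are all constructed assumptions, and Microsoft Teams and Zoom are left out of the keyword list on the assumption that they are everyday collaboration tools whose launch alone is not a useful signal.

```python
from datetime import datetime, timedelta

# Remote-support tools named in the report. The substring keywords are
# assumptions; replace them with the binary names in your own telemetry.
REMOTE_TOOLS = ("quickassist", "anydesk", "bomgar", "zoho")
# Hypothetical file shares holding legal and financial documents.
SENSITIVE_ROOTS = (r"\\fs01\legal", r"\\fs01\finance")

def find_rapid_collection(events, window=timedelta(hours=1), min_files=5):
    """Return one alert per remote-tool start that is followed, on the same
    host and inside `window`, by reads of >= min_files distinct sensitive files."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for start in events:
        image = start["detail"].lower()
        tool = next((t for t in REMOTE_TOOLS if t in image), None)
        if start["type"] != "process_start" or tool is None:
            continue
        # Only reads at or after the tool start count; earlier activity is ignored.
        reads = [e for e in events
                 if e["type"] == "file_read" and e["host"] == start["host"]
                 and start["ts"] <= e["ts"] <= start["ts"] + window
                 and e["detail"].lower().startswith(SENSITIVE_ROOTS)]
        distinct = {e["detail"].lower() for e in reads}
        if len(distinct) >= min_files:
            first = (reads[0]["ts"] - start["ts"]).seconds // 60
            alerts.append({"host": start["host"], "user": start["user"],
                           "tool": tool, "files": len(distinct),
                           "minutes_to_first_read": first})
    return alerts

def _ev(hhmm, host, user, kind, detail):
    ts = datetime.strptime("2026-03-02 " + hhmm, "%Y-%m-%d %H:%M")
    return {"ts": ts, "host": host, "user": user, "type": kind, "detail": detail}

# Constructed sample telemetry (not taken from the report).
SAMPLE_EVENTS = (
    [_ev("08:40", "WS-114", "jdoe", "file_read", r"\\fs01\legal\nda_000.docx"),
     _ev("09:02", "WS-114", "jdoe", "process_start", "QuickAssist.exe")]
    + [_ev(f"09:{10 + i}", "WS-114", "jdoe", "file_read", rf"\\fs01\legal\nda_{i:03}.docx")
       for i in range(6)]
    + [_ev("10:00", "WS-207", "asmith", "process_start", "AnyDesk.exe"),
       _ev("10:20", "WS-207", "asmith", "file_read", r"\\fs01\finance\q1.xlsx"),
       _ev("11:30", "WS-207", "asmith", "file_read", r"\\fs01\finance\q2.xlsx")]
)

if __name__ == "__main__":
    for alert in find_rapid_collection(SAMPLE_EVENTS):
        print(alert)
```

On the sample data, only WS-114 is flagged; WS-207 starts a remote tool but reads a single sensitive file inside the window, which is the kind of legitimate support session the threshold is meant to let through.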
Stay alert, and keep your security measures updated!


